Signed-off-by: anil <epipav@gmail.com>
Pull request overview
Adds a new Temporal worker that enriches stored vulnerabilities with CVSS/severity data from the NVD API, including persistence of enrichment attempts in a dedicated DB log table.
Changes:
- Introduces a new Temporal workflow + activity to fetch NVD CVE details and update `vulnerabilities` records.
- Adds a daily Temporal Schedule to run the enrichment on the `vulnerability-enrichment` task queue.
- Adds a new `vulnerability_enrichment_logs` table migration and wires the worker into the pnpm workspace.
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| workers/temporal/vulnerability_enrichment_worker/tsconfig.json | Adds TS config for the new worker package |
| workers/temporal/vulnerability_enrichment_worker/src/workflows/enrichVulnerabilities.ts | Workflow that batches enrichment and continues-as-new |
| workers/temporal/vulnerability_enrichment_worker/src/workflows.ts | Workflow export barrel |
| workers/temporal/vulnerability_enrichment_worker/src/types.ts | Shared types + CVSS→severity helper |
| workers/temporal/vulnerability_enrichment_worker/src/schedules/scheduleEnrichVulnerabilities.ts | Registers a daily Temporal Schedule |
| workers/temporal/vulnerability_enrichment_worker/src/repo/index.ts | DB queries/updates + enrichment log insert |
| workers/temporal/vulnerability_enrichment_worker/src/main.ts | Worker bootstrap and schedule registration |
| workers/temporal/vulnerability_enrichment_worker/src/activities/index.ts | NVD API calls, parsing, DB updates, and logging |
| workers/temporal/vulnerability_enrichment_worker/src/activities.ts | Activity export barrel |
| workers/temporal/vulnerability_enrichment_worker/package.json | New package definition and scripts |
| workers/temporal/vulnerability_enrichment_worker/Dockerfile | Container build for the new worker |
| pnpm-lock.yaml | Lockfile updates to include the new worker and dependency graph changes |
| database/migrations/V1774000000__addVulnerabilityEnrichmentLogs.sql | Migration for enrichment logging table + indexes |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| } else { | ||
| throw new Error(err as string); |
throw new Error(err as string) will typically lose the original error type/stack and often produces an unhelpful message (e.g. "[object Object]"). Prefer rethrowing the original error when it’s already an Error, or wrapping via new Error(String(err), { cause: err }) to preserve context.
| } else { | |
| throw new Error(err as string); | |
| } else if (err instanceof Error) { | |
| throw err; | |
| } else { | |
| throw new Error(String(err), { cause: err as unknown }); |
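Review bot: in the suggested replacement the `err as unknown` cast on the `cause` option is redundant (`ErrorOptions.cause` is already typed `unknown`), and `new Error(message, { cause })` only type-checks when the worker's tsconfig.json `lib`/`target` includes ES2022, so check the tsconfig added in this PR before applying it. The `else if (err instanceof Error) { throw err; }` branch is the valuable part: it keeps the HTTP client's original error intact for Temporal's retry classification. One check that goes with it: if the rethrown error is later written to the `vulnerability_enrichment_logs` table, persist only the message and a status, not the serialized error object, because HTTP client errors can carry the request config and headers (including any NVD API key) along with them.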
| export async function updateVulnerabilitiesByCveId( | ||
| store: DbStore, | ||
| cveId: string, | ||
| cvssScore: number, | ||
| severity: string, | ||
| ): Promise<number> { |
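Review bot: `cveId`, `cvssScore` and `severity` all reach the SQL unvalidated. Besides typing `severity` as the closed union, the activity should reject `cvssScore` values that are not finite or fall outside 0–10 (NVD entries without CVSS metrics must not be written as `0` or `NaN`), normalise `cveId` to the `CVE-YYYY-NNNN` form used as the match key, and treat a returned row count of 0 as an outcome worth recording in the enrichment log rather than a silent success.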
severity is typed as string but is cast to vulnerability_severity in SQL. To prevent invalid values reaching the database at compile time, consider typing this parameter as VulnerabilitySeverity (from types.ts) instead of string.
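As an added example (not code from this PR or from the project's `types.ts`), here is a closed severity type together with the validation the comment implies, so that an invalid score, severity or CVE id is rejected inside the activity before it reaches the SQL cast. The union values, the CVSS v3.x qualitative rating scale and the helper names (`cvssToSeverity`, `normalizeCveId`, `buildSeverityUpdate`) are assumptions, not the worker's own API:

```typescript
// Added example (not the PR's code): a closed severity type plus input
// validation, so the activity rejects bad NVD data before the SQL cast.
// The union values and the CVSS v3.x qualitative scale are assumptions about
// the project's types.ts and its vulnerability_severity enum.
export type VulnerabilitySeverity = "none" | "low" | "medium" | "high" | "critical";

const SEVERITIES: readonly VulnerabilitySeverity[] = ["none", "low", "medium", "high", "critical"];

// CVSS v3.x qualitative rating scale:
// None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
export function cvssToSeverity(score: number): VulnerabilitySeverity {
  if (!Number.isFinite(score) || score < 0 || score > 10) {
    throw new RangeError(`CVSS score out of range: ${score}`);
  }
  if (score === 0) return "none";
  if (score < 4) return "low";
  if (score < 7) return "medium";
  if (score < 9) return "high";
  return "critical";
}

export function isVulnerabilitySeverity(value: unknown): value is VulnerabilitySeverity {
  return typeof value === "string" && (SEVERITIES as readonly string[]).includes(value);
}

// CVE identifiers: "CVE-YYYY-NNNN" with at least four digits in the sequence part.
const CVE_ID = /^CVE-\d{4}-\d{4,}$/;

export function normalizeCveId(raw: string): string {
  const id = raw.trim().toUpperCase();
  if (!CVE_ID.test(id)) throw new Error(`invalid CVE id: ${raw}`);
  return id;
}

// Hypothetical validated parameter object the repo update function would take
// instead of (string, number, string).
export interface SeverityUpdate {
  cveId: string;
  cvssScore: number;
  severity: VulnerabilitySeverity;
}

// Builds the update from raw NVD values. If the NVD record carries its own
// baseSeverity (upper-case in NVD responses), it must agree with the score.
export function buildSeverityUpdate(cveId: string, cvssScore: number, severity?: string): SeverityUpdate {
  const normalizedCve = normalizeCveId(cveId);
  const derived = cvssToSeverity(cvssScore);
  if (severity !== undefined) {
    const s = severity.toLowerCase();
    if (!isVulnerabilitySeverity(s)) throw new Error(`unknown severity: ${severity}`);
    if (s !== derived) throw new Error(`severity ${s} does not match CVSS ${cvssScore}`);
  }
  return { cveId: normalizedCve, cvssScore, severity: derived };
}
```

With this in place `updateVulnerabilitiesByCveId` can take a `SeverityUpdate` and the `::vulnerability_severity` cast in the SQL can never see a value outside the union.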
| FROM node:24-alpine AS builder | ||
|
|
||
| RUN apk add --no-cache python3 make g++ |
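Review bot: `FROM node:24-alpine` is an unpinned moving tag, so two builds of the same commit can pull different Node patch releases and different toolchain packages; pin the tag to a digest (or at least a full `major.minor.patch` version) for both stages so base-image updates arrive through a reviewed change. The `python3 make g++` toolchain is only needed for node-gyp builds of native modules and belongs in the builder stage only; confirm the runtime stage copies just the built output and production `node_modules`, never this layer.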
The builder stage uses node:24-alpine while the runtime stage uses node:20-bookworm-slim. Copying node_modules across both a different libc (musl vs glibc) and a different Node major version can break native/binary dependencies (Temporal SDK pulls in native components). Consider using the same base (and Node major) for both stages, or reinstalling production deps in the runner stage instead of copying from Alpine.
| FROM node:24-alpine AS builder | |
| RUN apk add --no-cache python3 make g++ | |
| FROM node:20-bookworm-slim AS builder | |
| RUN apt-get update && apt-get install -y python3 make g++ --no-install-recommends && rm -rf /var/lib/apt/lists/* |
| const { enrichCveBatch } = proxyActivities<typeof activities>({ | ||
| startToCloseTimeout: "10 minutes", | ||
| heartbeatTimeout: "2 minutes", |
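Review bot: no `retry` option is set here, so Temporal's default activity retry policy (unlimited attempts with exponential backoff) applies to every failure of `enrichCveBatch`, including NVD rate-limit responses; add an explicit `retry` with `maximumAttempts` and `backoffCoefficient`, and list non-transient failures (malformed CVE id, response parse errors) in `nonRetryableErrorTypes` so a daily schedule run cannot loop against the API. The 2-minute `heartbeatTimeout` also only helps if the activity calls `heartbeat()` after every CVE (each call is bounded by the 30 s HTTP timeout plus the 700 ms delay, so a per-item heartbeat fits comfortably); passing the last processed index as heartbeat details lets a retried attempt resume instead of restarting the batch.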
The activity startToCloseTimeout is fixed at 10 minutes, but the activity can do up to batchSize sequential HTTP calls (each with timeout: 30000 plus a 700ms delay). With the current default/scheduled batchSize: 50, the worst-case runtime can exceed 10 minutes and cause repeated activity timeouts/retries. Consider increasing the timeout, reducing the default batch size, or making the timeout/batch size relationship explicit/configurable.
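An added example, not the worker's code, showing one way to make the timeout/batch-size relationship explicit: derive the Temporal timeouts from the batch parameters, and make the batch itself stop at a deadline and hand the remainder back to the workflow for continue-as-new. The field and function names, the injected `fetchCve`/`heartbeat` callbacks and the constructed CVE ids are assumptions:

```typescript
// Added example (not the PR's code): derive the activity timeouts from the
// batch parameters and bound the batch by a deadline with per-item heartbeats.
// Field names, the fetchCve/heartbeat callbacks and the sample CVE ids are
// assumptions, not the worker's actual API.
export interface BatchBudget {
  batchSize: number;     // CVEs per activity execution
  httpTimeoutMs: number; // per-request client timeout (30000 in the PR)
  delayMs: number;       // pacing delay between NVD calls (700 in the PR)
  marginFactor: number;  // headroom for DB writes and retries, e.g. 1.5
}

// Worst case: every call runs to its client timeout, then waits the pacing delay.
export function worstCaseBatchMs(b: BatchBudget): number {
  return b.batchSize * (b.httpTimeoutMs + b.delayMs);
}

// Duration strings in the format proxyActivities() accepts (e.g. "2303s").
export function activityTimeouts(b: BatchBudget): { startToCloseTimeout: string; heartbeatTimeout: string } {
  const perItemMs = b.httpTimeoutMs + b.delayMs;
  const startToCloseMs = Math.ceil(worstCaseBatchMs(b) * b.marginFactor);
  // A heartbeat is sent after each CVE, so the heartbeat window must exceed one item.
  const heartbeatMs = perItemMs * 2;
  return {
    startToCloseTimeout: `${Math.ceil(startToCloseMs / 1000)}s`,
    heartbeatTimeout: `${Math.ceil(heartbeatMs / 1000)}s`,
  };
}

export interface EnrichResult {
  processed: string[];
  remaining: string[]; // handed back to the workflow for continue-as-new
}

// Processes CVEs until the next item would not fit in the deadline, heartbeating
// after each one with the last id so a retried attempt can resume from there.
export async function enrichCveBatch(
  cveIds: string[],
  fetchCve: (id: string) => Promise<unknown>,
  heartbeat: (details: { lastCveId: string; processed: number }) => void,
  deadlineMs: number,
  perItemEstimateMs: number,
  now: () => number = Date.now,
): Promise<EnrichResult> {
  const start = now();
  const processed: string[] = [];
  for (const id of cveIds) {
    // Stop before the activity overruns startToCloseTimeout.
    if (now() - start + perItemEstimateMs > deadlineMs) break;
    await fetchCve(id);
    processed.push(id);
    heartbeat({ lastCveId: id, processed: processed.length });
  }
  return { processed, remaining: cveIds.slice(processed.length) };
}
```

With the PR's figures (batch size 50, 30 s HTTP timeout, 700 ms delay) `worstCaseBatchMs` is 1,535,000 ms, about 25.6 minutes, which is why a fixed 10-minute `startToCloseTimeout` is not enough; the workflow would pass `activityTimeouts(budget)` into `proxyActivities` and call `enrichCveBatch` with a deadline a little under that timeout.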
Signed-off-by: anilb <epipav@gmail.com>
Signed-off-by: anilb <epipav@gmail.com>
No description provided.