fix: handle of NULL for groups

[RostyslavKachan]

RHINENG-23541

Secure Coding Practices Checklist GitHub Link

• https://github.com/RedHatInsights/secure-coding-checklist

Secure Coding Checklist

• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices

Summary by Sourcery

Bug Fixes:

• Treat NULL system group sets as empty JSON arrays in inventory_group for Cyndi-based queries to prevent null-handling issues.

[github-actions]

SC Environment Impact Assessment

Overall Impact: ⚪ NONE

No SC Environment-specific impacts detected in this PR.

What was checked

This PR was automatically scanned for:

• Database migrations
• ClowdApp configuration changes
• Kessel integration changes
• AWS service integrations (S3, RDS, ElastiCache)
• Kafka topic changes
• Secrets management changes
• External dependencies

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Normalize NULL system group values to an empty JSONB array ('[]') when reading from SystemGroupSet in CVE and system queries, ensuring consistent inventory_group data under the CYNDI_REPLICATION_REPLACEMENT feature flag.

ER diagram for SystemGroupSet and InventoryHosts groups normalization

erDiagram
    INVENTORY_HOSTS {
        uuid id
        jsonb groups
        timestamp updated
        uuid insights_id
    }

    SYSTEM_GROUP_SET {
        uuid id
        jsonb groups  "nullable"
    }

    QUERY_RESULT {
        jsonb inventory_group  "never NULL when CYNDI_REPLICATION_REPLACEMENT is enabled"
    }

    INVENTORY_HOSTS ||--o{ SYSTEM_GROUP_SET : has_group_set
    SYSTEM_GROUP_SET ||--o{ QUERY_RESULT : provides_normalized_groups
    INVENTORY_HOSTS ||--o{ QUERY_RESULT : contributes_host_fields

Loading

File-Level Changes

Change	Details	Files
Ensure inventory_group is never NULL when using SystemGroupSet groups, normalizing NULL to an empty JSONB array via a CASE expression in all relevant queries.	Wrap SystemGroupSet.groups in a CASE expression that substitutes NULL values with SQL("'[]'::jsonb") and aliases the result as inventory_group Apply this CASE-based normalization in all CVE-related full and id queries that reference SystemGroupSet.groups under the CYNDI_REPLICATION_REPLACEMENT feature flag Apply the same CASE-based normalization in system handler queries that reference SystemGroupSet.groups under the CYNDI_REPLICATION_REPLACEMENT feature flag, leaving InventoryHosts.groups path unchanged	manager/cve_handler.py manager/system_handler.py

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• The Case(None, ((SystemGroupSet.groups.is_null(True), SQL("'[]'::jsonb")),), SystemGroupSet.groups) expression is duplicated in multiple queries; consider extracting this into a small helper or constant to reduce repetition and keep the inventory_group handling consistent across call sites.
• Instead of manually building JSONB with SQL("'[]'::jsonb"), consider using a higher-level construct (e.g., fn.CAST('[]', 'jsonb') or a framework-native JSON/JSONB literal) if available, to avoid raw SQL and make the intent clearer.
• Double-check whether SystemGroupSet.groups.is_null(True) is the idiomatic way in this query builder to express IS NULL; if there is a clearer or more conventional null-check helper, using it would improve readability.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `Case(None, ((SystemGroupSet.groups.is_null(True), SQL("'[]'::jsonb")),), SystemGroupSet.groups)` expression is duplicated in multiple queries; consider extracting this into a small helper or constant to reduce repetition and keep the `inventory_group` handling consistent across call sites.
- Instead of manually building JSONB with `SQL("'[]'::jsonb")`, consider using a higher-level construct (e.g., `fn.CAST('[]', 'jsonb')` or a framework-native JSON/JSONB literal) if available, to avoid raw SQL and make the intent clearer.
- Double-check whether `SystemGroupSet.groups.is_null(True)` is the idiomatic way in this query builder to express `IS NULL`; if there is a clearer or more conventional null-check helper, using it would improve readability.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[jdobes]

This is exact case for coalesce, it'll be shorter and more readable.

[jdobes]

Is the SQL("'[]'::jsonb") needed? I think on other places we have only '[]' in coalesce and it works.

https://github.com/RedHatInsights/vulnerability-engine/blob/master/manager/vulnerabilities_handler.py#L191