chore: replace old queries due to cyndi migration(tag fiels)

[RostyslavKachan]

RHINENG-23542

Secure Coding Practices Checklist GitHub Link

• https://github.com/RedHatInsights/secure-coding-checklist

Secure Coding Checklist

• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices

Summary by Sourcery

Update system and CVE queries to use the new SystemTagSet tags source when the Cyndi replication replacement feature flag is enabled.

Enhancements:

• Switch tag selection in CVE and system queries to conditionally read from SystemTagSet with a fallback to InventoryHosts based on the Cyndi replication replacement feature flag.
• Adjust tag filtering logic to operate on SystemTagSet when the Cyndi replication replacement feature flag is enabled.
• Extend the Cyndi join helper to left-join SystemTagSet for tag data when using the new replication path.

[sourcery-ai]

Reviewer's Guide

This PR updates CVE and system queries to use the new Cyndi-backed SystemTagSet tags (with a feature flag fallback to InventoryHosts.tags), and wires tag-based filters and joins to the new tag source when the CYNDI_REPLICATION_REPLACEMENT Unleash flag is enabled.

Updated class diagram for query models and handlers using SystemTagSet

classDiagram
  class UNLEASH {
    +is_enabled(flag_name)
  }

  class CYNDI_REPLICATION_REPLACEMENT

  class InventoryHosts {
    +tags
    +updated
    +insights_id
  }

  class SystemTagSet {
    +tags
  }

  class SystemPlatform {
    +culled_timestamp
    +cve_count_cache
    +opt_out
    +host_type
    +display_name
    +last_upload
    +stale
  }

  class SystemGroupSet {
    +groups
  }

  class SystemVulnerabilities {
    +status_id
    +rule_id
    +mitigation_reason
    +remediation_type_id
  }

  class InsightsRule {
    +description
    +reason
    +resolution
    +reboot_required
    +resolution_text
    +kbase_node_id
    +more_info_text
  }

  class CveHandler {
    -_full_query(rh_account_id, synopsis, parsed_args, filters, remediation_filter)
    -_unpatched_full_query(rh_account_id, synopsis, parsed_args, filters)
    -_id_query(rh_account_id, synopsis, parsed_args, filters, remediation_filter)
    -_unpatched_id_query(rh_account_id, synopsis, parsed_args, filters)
  }

  class SystemHandler {
    -_full_query(rh_account_id)
    +handle_get(kwargs)
  }

  class Filters {
    -_filter_system_by_tags(query, args, kwargs)
  }

  class BaseManager {
    +cyndi_join(query)
  }

  UNLEASH --> CYNDI_REPLICATION_REPLACEMENT : checks

  CveHandler --> InventoryHosts : selects
  CveHandler --> SystemTagSet : selects when flag enabled
  CveHandler --> SystemPlatform : joins
  CveHandler --> SystemVulnerabilities : joins
  CveHandler --> InsightsRule : joins

  SystemHandler --> InventoryHosts : selects
  SystemHandler --> SystemTagSet : selects when flag enabled
  SystemHandler --> SystemPlatform : joins

  Filters --> InventoryHosts : tags filter when flag disabled
  Filters --> SystemTagSet : tags filter when flag enabled

  BaseManager --> SystemPlatform : switch for joins
  BaseManager --> SystemGroupSet : joins when flag enabled
  BaseManager --> SystemTagSet : joins when flag enabled
  BaseManager --> InventoryHosts : legacy tag source when flag disabled

Loading

Flow diagram for tag source selection via CYNDI_REPLICATION_REPLACEMENT

flowchart TD
  A["Build query needing tags"] --> B["Check UNLEASH.is_enabled(CYNDI_REPLICATION_REPLACEMENT)"]
  B -->|"true"| C["Use SystemTagSet.tags with COALESCE(SystemTagSet.tags, '[]') as tags"]
  B -->|"false"| D["Use InventoryHosts.tags as tags"]
  C --> E["Return query with tags column from SystemTagSet"]
  D --> E["Return query with tags column from InventoryHosts"]

Loading

Flow diagram for tag filtering with CYNDI_REPLICATION_REPLACEMENT

flowchart TD
  A["_filter_system_by_tags called"] --> B["Are tags provided in args?"]
  B -->|"no"| G["Return original query"]
  B -->|"yes"| C["Iterate over each tag in args['tags']"]
  C --> D["Check UNLEASH.is_enabled(CYNDI_REPLICATION_REPLACEMENT)"]
  D -->|"true"| E["Add where(SystemTagSet.tags.contains([tag]))"]
  D -->|"false"| F["Add where(InventoryHosts.tags.contains([tag]))"]
  E --> H["Next tag or finish"]
  F --> H["Next tag or finish"]
  H --> I["Return filtered query"]

Loading

Flow diagram for cyndi_join behavior with CYNDI_REPLICATION_REPLACEMENT

flowchart TD
  A["cyndi_join(query)"] --> B["Check UNLEASH.is_enabled(CYNDI_REPLICATION_REPLACEMENT)"]
  B -->|"true"| C["query.switch(SystemPlatform).join(SystemGroupSet, LEFT_OUTER)"]
  C --> D["query.switch(SystemPlatform).join(SystemTagSet, LEFT_OUTER)"]
  D --> E["filter_allowed_groups(query, SystemGroupSet.groups)"]
  E --> F["filter_kessel_workspace_opt_out(query, SystemGroupSet.groups)"]
  F --> G["Return joined query (Cyndi-backed groups and tags)"]
  B -->|"false"| H["Legacy join path using InventoryHosts.tags (unchanged by this PR)"]
  H --> I["Return legacy joined query"]

Loading

File-Level Changes

Change	Details	Files
Gate tag selection in CVE queries on the CYNDI_REPLICATION_REPLACEMENT flag, preferring SystemTagSet.tags with a JSON-safe default when enabled.	Wrap the tags column in CVE full and ID queries with a conditional expression that uses SystemTagSet.tags when the Unleash flag is on and InventoryHosts.tags otherwise. Apply fn.COALESCE to SystemTagSet.tags with a default of "[]" and alias the result as "tags" to keep the selected column name stable. Ensure both patched and unpatched variants of CVE queries use the same tag-selection logic for consistency.	manager/cve_handler.py
Update system queries and handlers to read tags from SystemTagSet when CYNDI_REPLICATION_REPLACEMENT is enabled, preserving the existing API surface.	Replace direct selection of InventoryHosts.tags in system full queries and GET handlers with a conditional expression that switches to SystemTagSet.tags behind the Unleash flag. Use fn.COALESCE on SystemTagSet.tags with default "[]" and alias as "tags" to keep downstream consumers unchanged. Maintain InventoryHosts.tags as the tag source when the feature flag is disabled to support rollback.	manager/system_handler.py
Align tag-based filtering and joins with the new SystemTagSet when the CYNDI_REPLICATION_REPLACEMENT flag is active.	Change the tag filter helper to apply contains() against SystemTagSet.tags instead of InventoryHosts.tags when the Unleash flag is enabled, while keeping the old behavior under the flag-off path. Extend cyndi_join to LEFT OUTER JOIN SystemTagSet from SystemPlatform when CYNDI_REPLICATION_REPLACEMENT is enabled so that SystemTagSet.tags is available to upstream queries. Preserve existing InventoryHosts.tags-based behavior in both filtering and joins when the feature flag is turned off.	manager/filters.py manager/base.py

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[github-actions]

SC Environment Impact Assessment

Overall Impact: 🟢 LOW

View full report

Summary

• Total Issues: 3
• 🟢 Low: 3

Detailed Findings

🟢 LOW Impact

Feature flag change detected

• File: manager/cve_handler.py
• Category: feature_flags
• Details:
  • Found UNLEASH in manager/cve_handler.py at line 271
  • Found UNLEASH in manager/cve_handler.py at line 349
  • Found UNLEASH in manager/cve_handler.py at line 412
  • Found UNLEASH in manager/cve_handler.py at line 473
• Recommendation: Verify feature flags are properly configured for SC Environment. Test bypass options for services not available in SC Environment.

Feature flag change detected

• File: manager/filters.py
• Category: feature_flags
• Details:
  • Found UNLEASH in manager/filters.py at line 357
  • Found UNLEASH in manager/filters.py at line 425
  • Found UNLEASH in manager/filters.py at line 579
  • Found UNLEASH in manager/filters.py at line 584
  • Found UNLEASH in manager/filters.py at line 607
• Recommendation: Verify feature flags are properly configured for SC Environment. Test bypass options for services not available in SC Environment.

Feature flag change detected

• File: manager/system_handler.py
• Category: feature_flags
• Details:
  • Found UNLEASH in manager/system_handler.py at line 529
  • Found UNLEASH in manager/system_handler.py at line 839
• Recommendation: Verify feature flags are properly configured for SC Environment. Test bypass options for services not available in SC Environment.

Required Actions

• Review all findings above
• Verify SC Environment compatibility for all detected changes
• Update deployment documentation if needed
• Coordinate with ROSA Core team or deployment timeline

---

This assessment was automatically generated. Please review carefully and consult with the ROSA Core team for critical/high impact changes.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The conditional selection between SystemTagSet.tags and InventoryHosts.tags is duplicated in multiple queries; consider extracting a small helper (or column expression factory) to centralize this logic and avoid divergence in future changes.
• Now that SystemTagSet is used in filters and selects, double-check that every query path using SystemTagSet.tags always goes through cyndi_join (or otherwise joins SystemTagSet) to prevent runtime errors from missing joins.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The conditional selection between `SystemTagSet.tags` and `InventoryHosts.tags` is duplicated in multiple queries; consider extracting a small helper (or column expression factory) to centralize this logic and avoid divergence in future changes.
- Now that `SystemTagSet` is used in filters and selects, double-check that every query path using `SystemTagSet.tags` always goes through `cyndi_join` (or otherwise joins `SystemTagSet`) to prevent runtime errors from missing joins.

## Individual Comments

### Comment 1
<location path="manager/filters.py" line_range="358-357" />
<code_context>

     if UNLEASH.is_enabled(CYNDI_REPLICATION_REPLACEMENT):
         query = (query.switch(SystemPlatform).join(SystemGroupSet, JOIN.LEFT_OUTER))
+        query = (query.switch(SystemPlatform).join(SystemTagSet, JOIN.LEFT_OUTER))
</code_context>
<issue_to_address>
**suggestion (performance):** Move the feature-flag check outside the tag loop to avoid repeated evaluation.

`UNLEASH.is_enabled(CYNDI_REPLICATION_REPLACEMENT)` is currently evaluated once per tag in `args["tags"]`, which can cause many redundant feature-flag checks for large tag lists. Compute a single `use_system_tag_set` (or similar) boolean before the loop and branch on it once, then apply the `contains` condition inside the loop using the selected column.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[jdobes]

Now without the condition, what's a purpose of oneline function? just join it directly