Update groovy tests to work with ImageV2

charmik-redhat · claude · charmik-redhat · commit 5ed9a178aaa4 · 2026-04-13T15:55:22.000-07:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/qa-tests-backend/src/main/groovy/util/Helpers.groovy b/qa-tests-backend/src/main/groovy/util/Helpers.groovy
@@ -1,7 +1,9 @@
 package util
 
+import java.nio.ByteBuffer
 import java.nio.file.Path
 import java.nio.file.Paths
+import java.security.MessageDigest
 import java.text.SimpleDateFormat
 
 import groovy.transform.CompileDynamic
@@ -194,6 +196,42 @@ class Helpers {
         return false
     }
 
+    // Mirrors Go's pkg/uuid.NewV5FromNonUUIDs: SHA-256 the namespace string to derive
+    // a UUID namespace, then produce a standard UUIDv5 (SHA-1) from that namespace and name.
+    static String newV5FromNonUUIDs(String ns, String name) {
+        byte[] sha256 = MessageDigest.getInstance("SHA-256").digest(ns.getBytes("UTF-8"))
+        long msb = ByteBuffer.wrap(sha256, 0, 8).getLong()
+        long lsb = ByteBuffer.wrap(sha256, 8, 8).getLong()
+        UUID nsUUID = new UUID(msb, lsb)
+
+        MessageDigest sha1 = MessageDigest.getInstance("SHA-1")
+        sha1.update(uuidToBytes(nsUUID))
+        sha1.update(name.getBytes("UTF-8"))
+        byte[] hash = sha1.digest()
+
+        hash[6] = (byte) ((hash[6] & 0x0F) | 0x50) // version 5
+        hash[8] = (byte) ((hash[8] & 0x3F) | 0x80) // variant RFC 4122
+        long msbResult = ByteBuffer.wrap(hash, 0, 8).getLong()
+        long lsbResult = ByteBuffer.wrap(hash, 8, 8).getLong()
+        return new UUID(msbResult, lsbResult).toString()
+    }
+
+    private static byte[] uuidToBytes(UUID uuid) {
+        ByteBuffer bb = ByteBuffer.allocate(16)
+        bb.putLong(uuid.getMostSignificantBits())
+        bb.putLong(uuid.getLeastSignificantBits())
+        return bb.array()
+    }
+
+    // Mirrors Go's pkg/images/utils.NewImageV2ID: generates a deterministic UUIDv5
+    // from the image full name and digest.
+    static String generateImageV2ID(String fullName, String digest) {
+        if (!fullName || !digest) {
+            return ""
+        }
+        return newV5FromNonUUIDs(fullName, digest)
+    }
+
     private static final Set<String> VOLATILE_ANNOTATIONS_TO_IGNORE = [
         "machineconfiguration.openshift.io/lastSyncedControllerConfigResourceVersion"
     ].toSet()
diff --git a/qa-tests-backend/src/test/groovy/AdmissionControllerTest.groovy b/qa-tests-backend/src/test/groovy/AdmissionControllerTest.groovy
@@ -83,7 +83,8 @@ class AdmissionControllerTest extends BaseSpecification {
         // Pre-scan the image so Central has cached scan results for CVE-based policy evaluation.
         ImageService.scanImage(SCAN_INLINE_IMAGE_NAME_WITH_SHA)
 
-        ImageOuterClass.Image image = ImageService.getImage(SCAN_INLINE_IMAGE_SHA, false)
+        def imageId = flattenImageDataEnabled ? TEST_IMAGE_V2_ID : SCAN_INLINE_IMAGE_SHA
+        ImageOuterClass.Image image = ImageService.getImage(imageId, false)
         assert image
         assert !image.getNotesList().contains(ImageOuterClass.Image.Note.MISSING_METADATA)
 
diff --git a/qa-tests-backend/src/test/groovy/BaseSpecification.groovy b/qa-tests-backend/src/test/groovy/BaseSpecification.groovy
@@ -48,6 +48,8 @@ class BaseSpecification extends Specification {
     static final String TEST_IMAGE = "quay.io/rhacs-eng/qa-multi-arch:nginx-2.0.3@$TEST_IMAGE_SHA"
     static final String TEST_IMAGE_NAME_WITH_SHA = TEST_IMAGE
     static final String TEST_IMAGE_SHA = "sha256:ebecc1ad41054eaef19ef9c84e0d95551dfbdebbf0875fd407aee697e4be3860"
+    // UUIDv5 of TEST_IMAGE (full name) and TEST_IMAGE_SHA (digest), used as image ID when FlattenImageData is enabled.
+    static final String TEST_IMAGE_V2_ID = Helpers.generateImageV2ID(TEST_IMAGE, TEST_IMAGE_SHA)
 
     static final String RUN_ID
 
@@ -75,6 +77,7 @@ class BaseSpecification extends Specification {
     public static String coreImageIntegrationId = null
 
     public static boolean scannerV4Enabled = false
+    public static boolean flattenImageDataEnabled = false
 
     private static synchronizedGlobalSetup() {
         synchronized(BaseSpecification) {
@@ -134,6 +137,9 @@ class BaseSpecification extends Specification {
         scannerV4Enabled = FeatureFlagService.isFeatureFlagEnabled("ROX_SCANNER_V4")
         LOG.info "Scanner V4 enabled: ${scannerV4Enabled}"
 
+        flattenImageDataEnabled = Env.get("ROX_FLATTEN_IMAGE_DATA") == "true"
+        LOG.info "Flatten Image Data enabled: ${flattenImageDataEnabled}"
+
         if (ClusterService.isOpenShift4()) {
             assert Env.mustGetOrchestratorType() == OrchestratorTypes.OPENSHIFT,
                     "Set CLUSTER=OPENSHIFT when testing OpenShift"
diff --git a/qa-tests-backend/src/test/groovy/CSVTest.groovy b/qa-tests-backend/src/test/groovy/CSVTest.groovy
@@ -134,6 +134,19 @@ class CSVTest extends BaseSpecification {
         return "CVE Type:IMAGE_CVE+"
     }
 
+    def getTestImageId() {
+        return flattenImageDataEnabled ? TEST_IMAGE_V2_ID : TEST_IMAGE_SHA
+    }
+
+    def getDeploymentUid() {
+        return CVE_DEPLOYMENT.deploymentUid
+    }
+
+    def getFixableCvesInImageQuery() {
+        def imageFilter = flattenImageDataEnabled ? "Image ID" : "Image Sha"
+        return "${imageFilter}:${getTestImageId()}+Fixable:true"
+    }
+
     Map<String, Object> payload(String id) {
         def pagination = new Pagination(0, 0, new SortOption("cvss", true))
         return [
@@ -227,10 +240,9 @@ class CSVTest extends BaseSpecification {
         where:
         "Data is"
 
-        description                        | id                           | query
-        "FIXABLE_CVES_IN_IMAGE_QUERY"      | TEST_IMAGE_SHA               | "Image Sha:${TEST_IMAGE_SHA}+Fixable:true"
-        "FIXABLE_CVES_IN_DEPLOYMENT_QUERY" | CVE_DEPLOYMENT.deploymentUid |
-                "Deployment ID:${CVE_DEPLOYMENT.deploymentUid}+Fixable:true"
+        description                        | id                 | query
+        "FIXABLE_CVES_IN_IMAGE_QUERY"      | getTestImageId()   | getFixableCvesInImageQuery()
+        "FIXABLE_CVES_IN_DEPLOYMENT_QUERY" | getDeploymentUid() | "Deployment ID:${getDeploymentUid()}+Fixable:true"
     }
 
     @EqualsAndHashCode(includeFields = true)
diff --git a/qa-tests-backend/src/test/groovy/GlobalSearch.groovy b/qa-tests-backend/src/test/groovy/GlobalSearch.groovy
@@ -34,6 +34,10 @@ class GlobalSearch extends BaseSpecification {
                                      SearchServiceOuterClass.SearchCategory.NAMESPACES,
                                      SearchServiceOuterClass.SearchCategory.IMAGES,
                                      SearchServiceOuterClass.SearchCategory.DEPLOYMENTS)
+        if (flattenImageDataEnabled) {
+            EXPECTED_DEPLOYMENT_CATEGORIES.add(SearchServiceOuterClass.SearchCategory.IMAGES_V2)
+            EXPECTED_IMAGE_CATEGORIES.add(SearchServiceOuterClass.SearchCategory.IMAGES_V2)
+        }
 
         orchestrator.createDeployment(DEPLOYMENT)
         assert Services.waitForDeployment(DEPLOYMENT)
diff --git a/qa-tests-backend/src/test/groovy/ImageManagementTest.groovy b/qa-tests-backend/src/test/groovy/ImageManagementTest.groovy
@@ -218,7 +218,8 @@ class ImageManagementTest extends BaseSpecification {
         then:
         "Assert that riskScore is non-zero"
         withRetry(10, 3) {
-            def image = ImageService.getImage(TEST_IMAGE_SHA)
+            def imageId = flattenImageDataEnabled ? TEST_IMAGE_V2_ID : TEST_IMAGE_SHA
+            def image = ImageService.getImage(imageId)
             assert image != null && image.riskScore != 0
         }
     }
@@ -241,7 +242,8 @@ class ImageManagementTest extends BaseSpecification {
         then:
         "Assert that riskScore is non-zero"
         withRetry(10, 3) {
-            def image = ImageService.getImage(TEST_IMAGE_SHA)
+            def imageId = flattenImageDataEnabled ? TEST_IMAGE_V2_ID : TEST_IMAGE_SHA
+            def image = ImageService.getImage(imageId)
             assert image != null && image.riskScore != 0
         }
 
diff --git a/qa-tests-backend/src/test/groovy/SACTest.groovy b/qa-tests-backend/src/test/groovy/SACTest.groovy
@@ -404,7 +404,7 @@ class SACTest extends BaseSpecification {
         tokenName                | category     | numResults
         NOACCESSTOKEN            | "Cluster"    | 0
         "searchDeploymentsToken" | "Deployment" | 1
-        "searchImagesToken"      | "Image"      | 1
+        "searchImagesToken"      | "Image"      | (flattenImageDataEnabled ? 2 : 1)
     }
 
     @Unroll
diff --git a/qa-tests-backend/src/test/groovy/UpgradesTest.groovy b/qa-tests-backend/src/test/groovy/UpgradesTest.groovy
@@ -1,3 +1,5 @@
+import static util.Helpers.evaluateWithRetry
+
 import com.google.protobuf.util.JsonFormat
 import groovy.io.FileType
 import io.grpc.StatusRuntimeException
@@ -84,8 +86,17 @@ class UpgradesTest extends BaseSpecification {
         def nodes = NodeService.getNodes()
         assert nodes.size() != 0
         "Image API returns non-zero values on upgrade"
-        def images = ImageService.getImages()
-        assert images.size() != 0
+        if (flattenImageDataEnabled) {
+            // When FlattenImageData is enabled, the reprocessor moves images from the
+            // images table to images_v2 after upgrade, which may take some time.
+            evaluateWithRetry(30, 10) {
+                def images = ImageService.getImages()
+                assert images.size() != 0
+            }
+        } else {
+            def images = ImageService.getImages()
+            assert images.size() != 0
+        }
     }
 
     @Unroll
@@ -101,8 +112,20 @@ class UpgradesTest extends BaseSpecification {
         then:
         "Check that we got the correct number of #resourceType from GraphQL "
         assert resultRet.getValue() != null
-        def items = resultRet.getValue()[resourceType]
-        assert items.size() >= minResults
+        if (flattenImageDataEnabled) {
+            // When FlattenImageData is enabled, the reprocessor moves images from the
+            // images table to images_v2 after upgrade, which may take some time.
+            evaluateWithRetry(30, 10) {
+                def retryResultRet = gqlService.Call(getQuery(resourceType), [ query: searchQuery ])
+                assert retryResultRet.getCode() == 200
+                assert retryResultRet.getValue() != null
+                def retryItems = retryResultRet.getValue()[resourceType]
+                assert retryItems.size() >= minResults
+            }
+        } else {
+            def items = resultRet.getValue()[resourceType]
+            assert items.size() >= minResults
+        }
 
         where:
         "Data Inputs Are:"
diff --git a/qa-tests-backend/src/test/groovy/VulnMgmtTest.groovy b/qa-tests-backend/src/test/groovy/VulnMgmtTest.groovy
@@ -3,6 +3,7 @@ import io.stackrox.proto.storage.Cve.VulnerabilitySeverity
 import org.junit.Assume
 import services.GraphQLService
 import services.ImageService
+import util.Helpers
 
 import spock.lang.Tag
 import spock.lang.Unroll
@@ -29,6 +30,9 @@ class VulnMgmtTest extends BaseSpecification {
     static final private String UBUNTU_IMAGE =
             "quay.io/rhacs-eng/qa:ubuntu-22.04-amd64"
 
+    static final private MODERATE = VulnerabilitySeverity.MODERATE_VULNERABILITY_SEVERITY
+    static final private LOW = VulnerabilitySeverity.LOW_VULNERABILITY_SEVERITY
+
     private static final EMBEDDED_IMAGE_QUERY = """
     query getImage(\$id: ID!, \$query: String) {
       result: fullImage(id: \$id) {
@@ -187,14 +191,14 @@ query getComponentId(\$imageId: ID!, \$componentQuery: String) {
         Assume.assumeFalse(scannerV4Enabled)
 
         expect:
-        verifySeveritiesAndCvss(imageDigest, component, cve, severity, cvss)
+        verifySeveritiesAndCvss(imageDigest, imageName, component, cve, severity, cvss)
 
         where:
         "Data inputs are: "
 
-        imageDigest              | component | cve              | severity                                        | cvss
-        RHEL_IMAGE_LEGACY_DIGEST | "glib2"   | "CVE-2019-13012" | VulnerabilitySeverity.LOW_VULNERABILITY_SEVERITY | 4.4
-        UBUNTU_IMAGE_DIGEST      | "gnupg2"  | "CVE-2022-3219"  | VulnerabilitySeverity.LOW_VULNERABILITY_SEVERITY | 3.3
+        imageDigest               | imageName           | component | cve              | severity | cvss
+        RHEL_IMAGE_LEGACY_DIGEST  | RHEL_IMAGE_LEGACY   | "glib2"   | "CVE-2019-13012" | LOW      | 4.4
+        UBUNTU_IMAGE_DIGEST       | UBUNTU_IMAGE        | "gnupg2"  | "CVE-2022-3219"  | LOW      | 3.3
     }
 
     @Unroll
@@ -203,27 +207,28 @@ query getComponentId(\$imageId: ID!, \$componentQuery: String) {
         Assume.assumeTrue(scannerV4Enabled)
 
         expect:
-        verifySeveritiesAndCvss(imageDigest, component, cve, severity, cvss)
+        verifySeveritiesAndCvss(imageDigest, imageName, component, cve, severity, cvss)
 
         where:
         "Data inputs are: "
 
-        imageDigest         | component | cve              | severity                                             | cvss
-        RHEL_IMAGE_DIGEST   | "python3" | "CVE-2025-11468" | VulnerabilitySeverity.MODERATE_VULNERABILITY_SEVERITY | 4.5
-        UBUNTU_IMAGE_DIGEST | "gpgv"    | "CVE-2022-3219"  | VulnerabilitySeverity.LOW_VULNERABILITY_SEVERITY      | 3.3
+        imageDigest         | imageName    | component | cve              | severity | cvss
+        RHEL_IMAGE_DIGEST   | RHEL_IMAGE   | "python3" | "CVE-2025-11468" | MODERATE | 4.5
+        UBUNTU_IMAGE_DIGEST | UBUNTU_IMAGE | "gpgv"    | "CVE-2022-3219"  | LOW      | 3.3
     }
 
-    private void verifySeveritiesAndCvss(String imageDigest, String component, String cve,
+    private void verifySeveritiesAndCvss(String imageDigest, String imageName, String component, String cve,
                                           VulnerabilitySeverity severity, double cvss) {
         def gqlService = new GraphQLService()
 
         def query = "CVE:${cve}"
+        def imageId = flattenImageDataEnabled ? Helpers.generateImageV2ID(imageName, imageDigest) : imageDigest
 
         // Fetch the component ID dynamically since IDs now include image ID and index
-        def componentID = getComponentIDForImage(gqlService, imageDigest, component)
+        def componentID = getComponentIDForImage(gqlService, imageId, component)
 
         def embeddedImageRes = gqlService.Call(getEmbeddedImageQuery(),
-                [id: imageDigest, query: query])
+                [id: imageId, query: query])
 
         // Expanded instead of using hasErrors() for easier debugging if there are errors
         // as the test framework will actually print out the errors now
@@ -235,12 +240,12 @@ query getComponentId(\$imageId: ID!, \$componentQuery: String) {
         def embeddedImageResVuln = embeddedImageRes.value.result.scan.imageComponents[0].imageVulnerabilities[0]
 
         def topLevelImageRes = gqlService.Call(getTopLevelImageQuery(),
-                [id: imageDigest, query: query])
+                [id: imageId, query: query])
         assert topLevelImageRes.hasNoErrors()
         def topLevelImageResVuln = topLevelImageRes.value.result.vulns[0]
 
         def fixableCVEImageRes = gqlService.Call(getImageFixableCVEQuery(),
-                [id: imageDigest, vulnQuery: query, scopeQuery: "Image SHA:${imageDigest}"])
+                [id: imageId, vulnQuery: query, scopeQuery: "Image SHA:${imageDigest}"])
         assert fixableCVEImageRes.hasNoErrors()
         def fixableCVEImageResVuln = fixableCVEImageRes.value.result.vulnerabilities[0]
 

Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,8 @@ class ImageManagementTest extends BaseSpecification {`
`218`	`218`	`then:`
`219`	`219`	`"Assert that riskScore is non-zero"`
`220`	`220`	`withRetry(10, 3) {`
`221`		`- def image = ImageService.getImage(TEST_IMAGE_SHA)`
	`221`	`+ def imageId = flattenImageDataEnabled ? TEST_IMAGE_V2_ID : TEST_IMAGE_SHA`
	`222`	`+ def image = ImageService.getImage(imageId)`
`222`	`223`	`assert image != null && image.riskScore != 0`
`223`	`224`	`}`
`224`	`225`	`}`
`@@ -241,7 +242,8 @@ class ImageManagementTest extends BaseSpecification {`
`241`	`242`	`then:`
`242`	`243`	`"Assert that riskScore is non-zero"`
`243`	`244`	`withRetry(10, 3) {`
`244`		`- def image = ImageService.getImage(TEST_IMAGE_SHA)`
	`245`	`+ def imageId = flattenImageDataEnabled ? TEST_IMAGE_V2_ID : TEST_IMAGE_SHA`
	`246`	`+ def image = ImageService.getImage(imageId)`
`245`	`247`	`assert image != null && image.riskScore != 0`
`246`	`248`	`}`
`247`	`249`
Original file line number	Diff line number	Diff line change
`@@ -404,7 +404,7 @@ class SACTest extends BaseSpecification {`
`404`	`404`	`tokenName \| category \| numResults`
`405`	`405`	`NOACCESSTOKEN \| "Cluster" \| 0`
`406`	`406`	`"searchDeploymentsToken" \| "Deployment" \| 1`
`407`		`- "searchImagesToken" \| "Image" \| 1`
	`407`	`+ "searchImagesToken" \| "Image" \| (flattenImageDataEnabled ? 2 : 1)`
`408`	`408`	`}`
`409`	`409`
`410`	`410`	`@Unroll`