fix(api): bound attack paths normalized-list child IDs#11960
Conversation
|
✅ No Conflicts No conflict markers, and the branch merges cleanly into its base. |
|
✅ All required changelog fragments are present. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughAttack Path scans now hash normalized list value keys when generating child node identifiers. New tests verify bounded IDs, preservation of raw values in child properties, and identifier changes when identity components differ. The changelog documents the Neo4j and Neptune behavior. ChangesAttack Path child identifier sizing
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR fixes a graph-sync failure mode in Attack Paths by bounding normalized-list child node _provider_element_id values so they can’t exceed Neo4j RANGE index key size limits, while keeping IDs deterministic and consistent across Neo4j and Neptune sinks.
Changes:
- Update normalized-list child IDs to use a SHA-256 digest of the existing deterministic
value_key(while retaining provider ID and child label as scopes). - Preserve the full original normalized-list value in the child node properties (
props.value). - Add regression tests covering large values, determinism, identity scoping, and relationship endpoints; add an API changelog fragment.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| api/src/backend/tasks/jobs/attack_paths/sync.py | Hashes value_key when building normalized-list child node IDs to keep identifiers bounded/deterministic. |
| api/src/backend/tasks/tests/test_attack_paths_scan.py | Adds regression tests validating hashed child IDs, preserved values, determinism, and relationship wiring. |
| api/changelog.d/attack-paths-child-id-size.fixed.md | Documents the fix preventing Neo4j RANGE index key size failures during Attack Paths sync. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
🔒 Container Security ScanImage: ✅ No Vulnerabilities DetectedThe container image passed all security checks. No known CVEs were found.📋 Resources:
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #11960 +/- ##
=======================================
Coverage 93.93% 93.93%
=======================================
Files 266 266
Lines 39613 39634 +21
=======================================
+ Hits 37209 37230 +21
Misses 2404 2404
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
Context
Attack Paths materializes configured list properties as child nodes. Their
_provider_element_idpreviously included the complete normalized value.Large values could exceed Neo4j's RANGE index key size limit and cause graph synchronization to fail. The generated identifier is shared by the Neo4j and Neptune sinks, so it must remain deterministic and bounded.
Description
value_keywith SHA-256 when generating normalized-list child IDsNo new dependencies are required.
Steps to review
_build_child_id()intasks/jobs/attack_paths/sync.py.cd api uv run pytest src/backend/tasks/tests/test_attack_paths_scan.py -k TestBuildChildIdprovider_element_id.Checklist
API
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Summary by CodeRabbit
Bug Fixes
Tests