database: update vulnerabilities only when necessary

database/pgsql/vulnerability.go

@@ -116,14 +116,19 @@ func (pgSQL *pgSQL) insertVulnerability(vulnerability database.Vulnerability) er
 	} else {
 		newFixedInFeatureVersions, updatedFixedInFeatureVersions = diffFixedIn(vulnerability,
 			existingVulnerability)
+
+		if vulnerability.Description == existingVulnerability.Description &&
+			vulnerability.Link == existingVulnerability.Link &&
+			vulnerability.Severity == existingVulnerability.Severity &&
+			len(newFixedInFeatureVersions) == 0 &&
+			len(updatedFixedInFeatureVersions) == 0 {
+
+			// Nothing to do.
+			return nil
+		}
 	}
 
-	if len(newFixedInFeatureVersions) == 0 && len(updatedFixedInFeatureVersions) == 0 {
-		// Nothing to do.
-		return nil
-	}
-
-	// Insert or find the new Feature.
+	// Insert or find the new Features.
 	// We already have the Feature IDs in updatedFixedInFeatureVersions because diffFixedIn fills them
 	// in using the existing vulnerability's FixedIn FeatureVersions. Note that even if FixedIn
 	// is type FeatureVersion, the actual stored ID in these structs are the Feature IDs.
@@ -166,11 +171,15 @@ func (pgSQL *pgSQL) insertVulnerability(vulnerability database.Vulnerability) er
 		}
 	} else {
 		// Update vulnerability
-		_, err = tx.Exec(getQuery("u_vulnerability"), existingVulnerability.ID,
-			vulnerability.Description, vulnerability.Link, &vulnerability.Severity)
-		if err != nil {
-			tx.Rollback()
-			return handleError("u_vulnerability", err)
+		if vulnerability.Description != existingVulnerability.Description ||
+			vulnerability.Link != existingVulnerability.Link ||
+			vulnerability.Severity != existingVulnerability.Severity {
+			_, err = tx.Exec(getQuery("u_vulnerability"), existingVulnerability.ID,
+				vulnerability.Description, vulnerability.Link, &vulnerability.Severity)
+			if err != nil {
+				tx.Rollback()
+				return handleError("u_vulnerability", err)
+			}
 		}
 
 		vulnerability.ID = existingVulnerability.ID
@@ -205,11 +214,25 @@ func diffFixedIn(vulnerability, existingVulnerability database.Vulnerability) (n
 		existingFixedInNameSlice)
 
 	for _, nan := range newFixedInName {
-		newFixedIn = append(newFixedIn, vulnerabilityFixedInNameMap[nan])
+		fv := vulnerabilityFixedInNameMap[nan]
+		if fv.Version == types.MinVersion {
+			// We don't want to mark a Feature as fixed in MinVersion. MinVersion only makes sense when a
+			// Feature is already marked as fixed in some version, in which case we would be in the
+			// "updatedFixedInFeatureVersions" loop and removes the fixed in mark.
+			continue
+		}
+
+		newFixedIn = append(newFixedIn, fv)
 	}
 	for _, nan := range updatedFixedInName {
 		fv := existingFixedInMapNameMap[nan]
 		fv.Version = vulnerabilityFixedInNameMap[nan].Version
+		if existingFixedInMapNameMap[nan].Version == fv.Version {
+			// Versions are actually the same!
+			// Even though they appear in both lists, it's not an update.
+			continue
+		}
+
 		updatedFixedIn = append(updatedFixedIn, fv)
 	}
 
@@ -233,13 +256,6 @@ func (pgSQL *pgSQL) updateVulnerabilityFeatureVersions(tx *sql.Tx, vulnerability
 	var fixedInID int
 
 	for _, fv := range newFixedInFeatureVersions {
-		if fv.Version == types.MinVersion {
-			// We don't want to mark a Feature as fixed in MinVersion. MinVersion only makes sense when a
-			// Feature is already marked as fixed in some version, in which case we would be in the
-			// "updatedFixedInFeatureVersions" loop and removes the fixed in mark.
-			continue
-		}
-
 		// Insert Vulnerability_FixedIn_Feature.
 		err := tx.QueryRow(getQuery("i_vulnerability_fixedin_feature"), vulnerability.ID, fv.Feature.ID,
 			&fv.Version).Scan(&fixedInID)