From 83920517795d8fef94729e7b3e56c3b163fd1abb Mon Sep 17 00:00:00 2001 From: Ian Littman Date: Tue, 22 Apr 2025 09:07:18 -0400 Subject: [PATCH] Don't update updated_at on OS vulnerabilities when nothing changed in the result (#28429) For #28368. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality --- .../mysql/operating_system_vulnerabilities.go | 10 ++++++++-- .../mysql/operating_system_vulnerabilities_test.go | 3 +++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/server/datastore/mysql/operating_system_vulnerabilities.go b/server/datastore/mysql/operating_system_vulnerabilities.go index 177a059fcc..c9846d8354 100644 --- a/server/datastore/mysql/operating_system_vulnerabilities.go +++ b/server/datastore/mysql/operating_system_vulnerabilities.go @@ -113,10 +113,16 @@ func (ds *Datastore) InsertOSVulnerability(ctx context.Context, v fleet.OSVulner operating_system_id = VALUES(operating_system_id), source = VALUES(source), resolved_in_version = VALUES(resolved_in_version), - updated_at = ? + updated_at = IF( + VALUES(operating_system_id) = operating_system_id AND + VALUES(source) = source + AND VALUES(resolved_in_version) = resolved_in_version, + updated_at, + NOW() + ) ` - args = append(args, v.OSID, v.CVE, s, v.ResolvedInVersion, time.Now().UTC()) + args = append(args, v.OSID, v.CVE, s, v.ResolvedInVersion) res, err := ds.writer(ctx).ExecContext(ctx, sqlStmt, args...) if err != nil { diff --git a/server/datastore/mysql/operating_system_vulnerabilities_test.go b/server/datastore/mysql/operating_system_vulnerabilities_test.go index 0b477091cb..ee7a82624e 100644 --- a/server/datastore/mysql/operating_system_vulnerabilities_test.go 
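Review bot: The `updated_at = IF(...)` assignment is listed after `operating_system_id`, `source` and `resolved_in_version` have already been assigned, and MySQL evaluates these assignments left to right, so the bare column names inside the IF most likely already hold the incoming values and the comparison cannot detect a real change. Moving the `updated_at` assignment above the other three makes it compare against the stored row. The `=` comparisons also evaluate to NULL when `resolved_in_version` is NULL (the column's nullability is not visible here), which IF treats as false, so such rows would still be touched on every call; `VALUES(resolved_in_version) <=> resolved_in_version` avoids that. If anything expires vulnerability rows by `updated_at` (not shown in this hunk), CVEs that are re-confirmed but unchanged will now look stale, so that consumer would need a separate last-seen signal. The function body starts and ends outside the hunk.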
+++ b/server/datastore/mysql/operating_system_vulnerabilities_test.go @@ -239,6 +239,9 @@ func testInsertOSVulnerability(t *testing.T, ds *Datastore) { require.NoError(t, err) assert.True(t, didInsertOrUpdate) + // make sure updated_at doesn't change on the next upsert call, as fields won't change + time.Sleep(1 * time.Second) + // Inserting the exact same vulnerability again should not insert and not update didInsertOrUpdate, err = ds.InsertOSVulnerability(ctx, vulnsUpdate, fleet.MSRCSource) require.NoError(t, err)
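Review bot: The added `time.Sleep(1 * time.Second)` only makes a timestamp difference possible; none of the visible lines reads `updated_at` before and after the second upsert, so the behaviour named in the commit title is not asserted here unless that happens outside the hunk. I would read the row's `updated_at` before and after the identical upsert and `require.Equal` the two values, and add the opposite case: an upsert with a changed `resolved_in_version` that asserts the timestamp advances, since `assert.True(t, didInsertOrUpdate)` alone would pass even if `updated_at` never moved. Backdating the row's `updated_at` with a direct UPDATE before the second call would also remove the one-second sleep from the suite. testInsertOSVulnerability continues outside the hunk.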