From 1fcb59cbd0a4e5c440dddd975c55178d2375c38f Mon Sep 17 00:00:00 2001 From: toharris-rh Date: Wed, 17 Jun 2026 17:22:04 -0700 Subject: [PATCH] fix: pause 60s in send_cve_to_snow before querying Lightspeed insights-client uploads the new vulnerability state to console.redhat.com, but Lightspeed needs ~60s to ingest it and surface the CVE in the vulnerability API. Without the pause the CVE demo workflow queries before the CVE is visible, returning stale results and sending the wrong CVE (or nothing) to ServiceNow. Adds an ansible.builtin.pause as the first task in send_cve_to_snow.yml, before any Lightspeed API calls. Closes #145. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- CHANGELOG.md | 8 ++++++++ playbooks/servicenow/send_cve_to_snow.yml | 9 +++++++++ 2 files changed, 17 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8fc3525..610bb9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,14 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ## [Unreleased] +### Fixed (2026-06-17) + +- **Race condition in SNow CVE Demo workflow** — `send_cve_to_snow.yml` now + pauses 60 seconds at the start to allow Lightspeed to ingest the vulnerability + state uploaded by `insights-client` before querying the vulnerability API. + Without the delay the CVE query returned stale results and missed the newly + introduced CVE. Closes #145. + ### Changed (2026-06-16) - **Architecture diagram tweaks** — reduced RHEL host stack to a single host in diff --git a/playbooks/servicenow/send_cve_to_snow.yml b/playbooks/servicenow/send_cve_to_snow.yml index 51139d4..3beacba 100644 --- a/playbooks/servicenow/send_cve_to_snow.yml +++ b/playbooks/servicenow/send_cve_to_snow.yml 
@@ -43,6 +43,15 @@ target_fqdn: "" tasks: + # ── Allow Lightspeed to process the new vulnerability state ─────────────── + # insights-client (run in the previous workflow step) uploads host state to + # console.redhat.com, but Lightspeed needs ~60s to ingest it and surface the + # CVE in the vulnerability API. Without this pause the query returns stale + # results and misses the newly introduced CVE. + - name: Wait 60 s for Lightspeed to ingest the new vulnerability state + ansible.builtin.pause: + seconds: 60 + # ── Resolve host from AAP inventory if not provided ─────────────────────── - name: Acquire AAP token for inventory lookup when: target_fqdn | length == 0
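Review bot: In the CHANGELOG.md hunk, the entry is filed under "### Fixed (2026-06-17)" and titled "Race condition in SNow CVE Demo workflow", but the change it describes is a fixed 60-second delay against an ingest time the commit message gives as "~60s". The window is narrowed, not closed. Suggest wording the entry as a mitigation and saying that the query can still return stale results when ingestion takes longer than the pause, so readers do not treat #145 as fully resolved.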
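Review bot: In the playbooks/servicenow/send_cve_to_snow.yml hunk, the hard-coded `seconds: 60` on the new `ansible.builtin.pause` task leaves the race in place. The comment above it says Lightspeed needs "~60s", so a slower ingest still produces the stale result and the wrong CVE (or nothing) goes to ServiceNow, with no error to show for it. Consider polling instead: put `until`, `retries` and `delay` on the first Lightspeed vulnerability query, so the play continues as soon as the expected CVE is visible and fails explicitly on timeout. If the pause stays, take the duration from a variable that defaults to 60 so it can be tuned without editing the playbook. The task also has no `when:`, so every run waits the full 60 s, even when no insights-client upload preceded it.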