Skip to content

Only include sbom_occurrences with CVS enabled

What does this MR do and why?

Filter the list of sbom_occurrences to ignore any occurrences where the associated project does not have continuous vulnerability scanning enabled.

This MR is targeting the same branch as Add setting for enabling Continuous Vulnerabili... (!131305 - merged).

Query plans

The query plan is from executing:

batch_num = 1
Sbom::PossiblyAffectedOccurrencesFinder.new(package_name: 'semver', purl_type: 'npm').execute_in_batches(of: 100) do |batch|
  puts "Batch #{batch_num} "
  batch.each_with_index do |sbom_occurrence, idx|
    puts "  Record #{idx+1}"
    possibly_affected_component = Gitlab::VulnerabilityScanning::PossiblyAffectedComponent.from_sbom_occurrence(sbom_occurrence)
    possibly_affected_component.name
    possibly_affected_component.version
    possibly_affected_component.purl_type
    possibly_affected_component.source
    possibly_affected_component.pipeline
    possibly_affected_component.project
  end
  batch_num += 1
  break if batch_num == 3
end

Which introduces this query:

SELECT "sbom_occurrences".*
FROM "sbom_occurrences"
INNER JOIN "projects" ON "projects"."id" = "sbom_occurrences"."project_id"
INNER JOIN "project_security_settings" ON "project_security_settings"."project_id" = "projects"."id"
WHERE "sbom_occurrences"."component_id" = 1629
AND "sbom_occurrences"."id" >= 3439634
AND "sbom_occurrences"."id" < 4872581
AND "sbom_occurrences"."component_version_id" IS NOT NULL
AND (project_security_settings.continuous_vulnerability_scans_enabled = true)

However, since this MR relies on Add setting for enabling Continuous Vulnerabili... (!131305 - merged) which introduces the project_security_settings.continuous_vulnerability_scans_enabled column, I wasn't able to create a database plan in production that uses this new column. Instead, I used the existing project_security_settings.auto_fix_dependency_scanning column.

Click to expand query plan after this change
  1. Same as old query before this change

  2. Same as old query before this change

  3. Same as old query before this change

  4. https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/22095/commands/71448

    • Before:

      SELECT "sbom_occurrences".*
      FROM "sbom_occurrences"
      WHERE "sbom_occurrences"."component_id" = 1629
      AND "sbom_occurrences"."id" >= 3439634
      AND "sbom_occurrences"."id" < 4872581
      AND "sbom_occurrences"."component_version_id" IS NOT NULL
      Time: 80.739 ms
        - planning: 1.829 ms
        - execution: 78.910 ms
          - I/O read: 77.674 ms
          - I/O write: 0.000 ms
      
      Shared buffers:
        - hits: 22 (~176.00 KiB) from the buffer pool
        - reads: 46 (~368.00 KiB) from the OS file cache, including disk I/O
        - dirtied: 0
        - writes: 0
    • After:

      SELECT "sbom_occurrences".*
      FROM "sbom_occurrences"
      INNER JOIN "projects" ON "projects"."id" = "sbom_occurrences"."project_id"
      INNER JOIN "project_security_settings" ON "project_security_settings"."project_id" = "projects"."id"
      WHERE "sbom_occurrences"."component_id" = 1629
      AND "sbom_occurrences"."id" >= 3439634
      AND "sbom_occurrences"."id" < 4872581
      AND "sbom_occurrences"."component_version_id" IS NOT NULL
      AND (project_security_settings.auto_fix_dependency_scanning = true)
      Time: 328.798 ms
        - planning: 2.564 ms
        - execution: 326.234 ms
          - I/O read: 320.073 ms
          - I/O write: 0.000 ms
      
      Shared buffers:
        - hits: 685 (~5.40 MiB) from the buffer pool
        - reads: 231 (~1.80 MiB) from the OS file cache, including disk I/O
        - dirtied: 6 (~48.00 KiB)
        - writes: 0     
  5. Same as old query before this change

  6. Same as old query before this change

  7. Same as old query before this change

  8. Same as old query before this change

https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22095/commands/71448

Click to expand query plans before this change
  1. https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22185/commands/71681
  2. https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22185/commands/71682
  3. https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22185/commands/71683
  4. https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22185/commands/71684
  5. https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22185/commands/71685
  6. https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22185/commands/71686
  7. https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22185/commands/71687
  8. https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22185/commands/71688

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #424629 (closed)

Edited by Adam Cohen

Merge request reports

Loading