Add sorting to `Sbom::DependenciesFinder`

Why are we doing this work

For dependencies read from the database to reach parity with the existing dependency list, Sbom::DependenciesFinder needs to sort dependencies the same way Security::DependencyListService does, so that both code paths accept the same sort parameters and return records in the same order.

Example params from Security::DependencyListService are:

{
  sort: 'asc', # 'asc' or 'desc',
  sort_by: 'name' # 'name', 'packager' or 'severity'
}

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  1. Add sort params to Resolvers::Sbom::DependenciesResolver
  2. Have Sbom::DependenciesFinder sort the records based on the params provided
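The sketch below is an added example, not GitLab's code: a framework-free version of the two implementation steps, showing how a finder can accept the same sort / sort_by params as Security::DependencyListService while allowlisting them, and how a resolver can map GraphQL sort enum values onto those params. The class and constant names, the PACKAGER_* and SEVERITY_* enum values, the severity ranking and the sample records are all assumptions (only NAME_ASC and NAME_DESC appear in the verification queries on this page). The security point is the allowlist: the GraphQL argument is user input, so it must never be interpolated into an ORDER BY clause; anything outside the allowlist collapses to the default ordering.

```ruby
# Added example (not GitLab's code). Names, enum values and sample data are assumptions.
Dependency = Struct.new(:name, :version, :packager, :severity, keyword_init: true)

module Sbom
  class DependenciesFinder
    # Allowlists: only these values may influence ordering. Any other value
    # (a typo, or someone probing the GraphQL argument) falls back to the
    # default instead of reaching an ORDER BY clause.
    SORT_BY_COLUMNS = %w[name packager severity].freeze
    SORT_DIRECTIONS = %w[asc desc].freeze
    DEFAULT_SORT_BY = 'name'.freeze
    DEFAULT_SORT = 'asc'.freeze

    # Assumed ranking so that "severity desc" surfaces the worst findings first.
    SEVERITY_RANK = {
      'critical' => 5, 'high' => 4, 'medium' => 3, 'low' => 2, 'info' => 1, 'unknown' => 0
    }.freeze

    def initialize(records, params = {})
      @records = records
      @params = params
    end

    # Returns the records ordered by the validated params.
    def execute
      column = sort_by_column
      direction = sort_direction == 'desc' ? -1 : 1

      @records.sort do |a, b|
        cmp = (primary_key(a, column) <=> primary_key(b, column)) * direction
        # Direction-independent tie-break keeps the result deterministic.
        cmp.zero? ? [a.name, a.version] <=> [b.name, b.version] : cmp
      end
    end

    def sort_by_column
      value = @params[:sort_by].to_s
      SORT_BY_COLUMNS.include?(value) ? value : DEFAULT_SORT_BY
    end

    def sort_direction
      value = @params[:sort].to_s
      SORT_DIRECTIONS.include?(value) ? value : DEFAULT_SORT
    end

    private

    def primary_key(dep, column)
      case column
      when 'name'     then dep.name      # byte-order compare: "CFPropertyList" < "acme-client"
      when 'packager' then dep.packager
      when 'severity' then SEVERITY_RANK.fetch(dep.severity.to_s, 0)
      end
    end
  end
end

module Resolvers
  module Sbom
    class DependenciesResolver
      # GraphQL enum value -> finder params. NAME_ASC / NAME_DESC come from the
      # verification queries on this page; the remaining values are assumed.
      SORT_VALUES = {
        'NAME_ASC'      => { sort_by: 'name',     sort: 'asc'  },
        'NAME_DESC'     => { sort_by: 'name',     sort: 'desc' },
        'PACKAGER_ASC'  => { sort_by: 'packager', sort: 'asc'  },
        'PACKAGER_DESC' => { sort_by: 'packager', sort: 'desc' },
        'SEVERITY_ASC'  => { sort_by: 'severity', sort: 'asc'  },
        'SEVERITY_DESC' => { sort_by: 'severity', sort: 'desc' }
      }.freeze

      # An unknown enum value never reaches the finder: it collapses to NAME_ASC.
      def self.finder_params(sort_enum)
        SORT_VALUES.fetch(sort_enum.to_s) { SORT_VALUES['NAME_ASC'] }
      end

      def self.resolve(records, sort:, first: nil)
        result = ::Sbom::DependenciesFinder.new(records, finder_params(sort)).execute
        first ? result.first(first) : result
      end
    end
  end
end

# Constructed sample records: names and versions taken from the expected
# responses on this page, severities and the npm entry invented for the example.
SAMPLE_DEPENDENCIES = [
  Dependency.new(name: 'zeitwerk',       version: '2.6.6',   packager: 'bundler', severity: 'unknown'),
  Dependency.new(name: 'acme-client',    version: '2.0.11',  packager: 'bundler', severity: 'low'),
  Dependency.new(name: 'CFPropertyList', version: '3.0.5',   packager: 'bundler', severity: 'high'),
  Dependency.new(name: 'yard',           version: '0.9.26',  packager: 'bundler', severity: 'medium'),
  Dependency.new(name: 'RedCloth',       version: '4.3.2',   packager: 'bundler', severity: 'critical'),
  Dependency.new(name: 'lodash',         version: '4.17.21', packager: 'npm',     severity: 'critical')
].freeze

if __FILE__ == $PROGRAM_NAME
  Resolvers::Sbom::DependenciesResolver.resolve(SAMPLE_DEPENDENCIES, sort: 'NAME_DESC', first: 5).each do |dep|
    puts "#{dep.name} #{dep.version} #{dep.packager}"
  end
end
```

Two details worth carrying into the real implementation: name ordering here is plain byte-order comparison, which matches the expected responses below (capitalised names sort before lowercase ones), so a database collation that sorts case-insensitively would break parity; and the fallback-to-default behaviour means a rejected sort value silently degrades rather than erroring, which is fine for a GraphQL enum (the schema already rejects unknown values) but worth a spec asserting the allowlist is enforced.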

Verification steps

  1. Select a testing project that has vulnerabilities (the queries below use gitlab-org/govern/threat-insights-demos/vulnerabilities-verification).
  2. Perform the following query via graphql explorer:
query {
  project(fullPath:"gitlab-org/govern/threat-insights-demos/vulnerabilities-verification"){
    dependencies(sort: NAME_DESC, first: 5){
      nodes{
        name
        version
        packager
      }
    }
  }
}
  3. Expected response:
{
  "data": {
    "project": {
      "dependencies": {
        "nodes": [
          {
            "name": "zeitwerk",
            "version": "2.6.6",
            "packager": "bundler"
          },
          {
            "name": "yard",
            "version": "0.9.26",
            "packager": "bundler"
          },
          {
            "name": "yajl-ruby",
            "version": "1.4.3",
            "packager": "bundler"
          },
          {
            "name": "xpath",
            "version": "3.2.0",
            "packager": "bundler"
          },
          {
            "name": "xml-simple",
            "version": "1.1.9",
            "packager": "bundler"
          }
        ]
      }
    }
  }
}
  4. Change sort to other values:
query {
  project(fullPath:"gitlab-org/govern/threat-insights-demos/vulnerabilities-verification"){
    dependencies(sort: NAME_ASC, first: 5){
      nodes{
        name
        version
        packager
      }
    }
  }
}
  5. Expected response (names are compared byte-wise, so capitalised names such as CFPropertyList and RedCloth come before acme-client):
{
  "data": {
    "project": {
      "dependencies": {
        "nodes": [
          {
            "name": "CFPropertyList",
            "version": "3.0.5",
            "packager": "bundler"
          },
          {
            "name": "RedCloth",
            "version": "4.3.2",
            "packager": "bundler"
          },
          {
            "name": "acme-client",
            "version": "2.0.11",
            "packager": "bundler"
          },
          {
            "name": "actioncable",
            "version": "6.1.7.2",
            "packager": "bundler"
          },
          {
            "name": "actionmailbox",
            "version": "6.1.7.2",
            "packager": "bundler"
          }
        ]
      }
    }
  }
}
Edited by Zamir Martins