Sort dependencies by license

Review changes
Download
Patches
Plain diff

Merged Sort dependencies by license

mokhax/422086/sort-by-spdx-id into master

Overview 51
Commits 32
Pipelines 34
Changes 13

1 unresolved thread

Merged mo khan requested to merge mokhax/422086/sort-by-spdx-id into master 1 year ago

Overview 51
Commits 32
Pipelines 34
Changes -

1 unresolved thread

What does this MR do and why?

This change is gated by the group_level_licenses feature flag. This change adds an option to sort dependencies, on the group dependency list, by SPDX identifier. The sbom_occurrences.licenses column is a jsonb column with a schema that resembles the following:

[
  {
    "url": "https://spdx.org/licenses/Apache-2.0.html",
    "name": "Apache 2.0",
    "spdx_identifier": "Apache-2.0"
  },
  {
    "url": "https://spdx.org/licenses/Artistic-2.0.html",
    "name": "Artistic-2.0",
    "spdx_identifier": "Artistic-2.0"
  },
  {
    "url": "https://spdx.org/licenses/BSD-3-Clause.html",
    "name": "New BSD",
    "spdx_identifier": "BSD-3-Clause"
  },
  {
    "url": "https://spdx.org/licenses/GPL-3.0.html",
    "name": "GPLv3",
    "spdx_identifier": "GPL-3.0"
  }
]

The change in this MR attempts to add support for sorting Sbom::Occurence records by licenses. The # of elements in the sbom_occurrences.licenses column can be between 0-N with no upper bound at this time.

The change in this MR attempts to sort records by the first detected license then by the second detected license.

Related to:

Add `&sort_by=license` query string parameter t... (#422086 - closed) • mo khan • 16.4 • At risk
Add sort-by-license to group-level dependencies... (!130280 - merged) • David Pisek • 16.4

Sort by licenses ascending:

SELECT
  sbom_occurrences.*,
  agg_occurrences.occurrence_count,
  agg_occurrences.project_count
FROM
  sbom_occurrences
  INNER JOIN (
    SELECT
      component_id,
      COUNT(DISTINCT id) AS occurrence_count,
      COUNT(DISTINCT project_id) AS project_count
    FROM
      sbom_occurrences
    WHERE
      project_id IN (
        SELECT
          "projects"."id"
        FROM
          "projects"
        WHERE
          "projects"."namespace_id" IN (
            SELECT
              namespaces.traversal_ids[array_length(namespaces.traversal_ids, 1)] AS id
            FROM
              "namespaces"
            WHERE
              "namespaces"."type" = 'Group'
              AND (traversal_ids @> ('{9970}'))))
        GROUP BY
          component_id) agg_occurrences ON sbom_occurrences.component_id = agg_occurrences.component_id
WHERE
  "sbom_occurrences"."project_id" IN (
    SELECT
      "projects"."id"
    FROM
      "projects"
    WHERE
      "projects"."namespace_id" IN (
        SELECT
          namespaces.traversal_ids[array_length(namespaces.traversal_ids, 1)] AS id
        FROM
          "namespaces"
        WHERE
          "namespaces"."type" = 'Group'
          AND (traversal_ids @> ('{9970}'))))
  ORDER BY
    licenses #> '{0,spdx_identifier}' ASC,
    licenses #> '{1,spdx_identifier}' ASC
  LIMIT 20 OFFSET 0

https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/21933/commands/71064

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited 1 year ago by mo khan

Merge request reports

0 Assignees

0 Reviewers

Request review from

Labels

None

Select labels

Manage project labels

Milestone

None

Time tracking

No estimate or time spent

0 Participants

Compare

Sort dependencies by license

What does this MR do and why?

MR acceptance checklist

Merge request reports

There are no changes yet