Skip to content

Add project level filter for dependency list

Aditya Tiwari requested to merge 460427-exclude-registry-project-level into master

What does this MR do and why?

Add project level filter for dependency list

As part of the Epic GitLab Container Registry: Continuous Vulnerability Scanning, a new source_type: container_scanning_for_registry has been added to SBOM::Occurence(Dependency). This MR establishes a default filter for the GraphQL endpoint, ensuring that the API endpoint returns a dependency list where records created with the newly introduced source_type do not appear on the GitLab Dependency List page.

Notes:

  1. To preserve the existing functionality, a default filter is utilized on the endpoint.
  2. GraphQL enum does not accept nil as a value, so the nil_source string is used to identify sources with nil.

DB query

Query

## @collection.filter_by_source_types(params\[:source_types\]).explain =\> EXPLAIN for: SELECT "sbom_occurrences".\* FROM "sbom_occurrences" LEFT OUTER JOIN "sbom_sources" ON "sbom_sources"."id" = "sbom_occurrences"."source_id" WHERE "sbom_occurrences"."project_id" = 1036 AND ("sbom_sources"."source_type" = 1 OR "sbom_sources"."source_type" IS NULL) /_application:test,correlation_id:dbd0a59059d3819efa325c8b78d06ddc,db_config_name:main,line:(pry):2:in \`filter_by_source_types'_/ QUERY PLAN

Nested Loop Left Join (cost=0.29..4.33 rows=1 width=319) Filter: ((sbom_sources.source_type = 1) OR (sbom_sources.source_type IS NULL)) -\> Index Scan using idx_sbom_occurrences_on_project_id_and_source_id on sbom_occurrences (cost=0.14..2.16 rows=1 width=319) Index Cond: (project_id = 1036) -\> Index Scan using sbom_sources_pkey on sbom_sources (cost=0.14..2.16 rows=1 width=10) Index Cond: (id = sbom_occurrences.source_id) (6 rows)

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28273/commands/88245

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a project with the following sbom

    gl-sbom-report.cdx__4_.json

  2. Create project with following yml

    stages:
    - build
    
    manual-sbom-upload:
      stage: build
      script:
        - echo "hello, world!"
      artifacts:
        paths:
          - "**/gl-sbom-*.cdx.json"
        reports:
          cyclonedx: "**/gl-sbom-*.cdx.json"         
    
  3. Visit the dependency list page and ensure that no dependencies are displayed. Switching to the master branch of the same project will then show the dependencies.

Related to

#460427 (closed)

Edited by Aditya Tiwari

Merge request reports

Loading