
Implement limited count for vulnerability severity counts

Bala Kumar requested to merge 438303-new-api-for-vulnerability-severities into master

What does this MR do and why?

  • Adds the limitedVulnerabilitySeverityCounts field to the project, group and instanceSecurityDashboard GraphQL APIs.

  • We have performance concerns about doing a full count operation, so we are limiting the counting operation on the DB to 1001 records for each severity type. For context see discussion #432715 (comment 1742125731)

  • The aim is to use the new GraphQL API on the UI. UI work is tracked in #463387.

Related to #438303

Database

Default dashboard report filter

API                         | Before (vulnerabilitySeveritiesCount)                                                        | After (limitedVulnerabilitySeverityCounts)
Project                     | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89483 | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89485
Group                       | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89487 | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89491
Instance security dashboard | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89468 | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89481

Another filter

API                         | Before (vulnerabilitySeveritiesCount)                                                        | After (limitedVulnerabilitySeverityCounts)
Project                     | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89498 | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89500
Group                       | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89496 | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89494
Instance security dashboard | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89502 | https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28708/commands/89504

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

[Screenshots: three pairs comparing the vulnerabilitySeveritiesCount response (left) with the limitedVulnerabilitySeverityCounts response (right)]

How to set up and validate locally

  1. Import the project from https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/438303-limit-vulnerabiility-severity-counts into your local instance and run the pipeline on the main branch. This will populate the vulnerabilities; the project has 1100 vulnerabilities (low: 1045 and critical: 55).
  2. Run the GraphQL queries for project.limitedVulnerabilitySeverityCounts, group.limitedVulnerabilitySeverityCounts and instanceSecurityDashboard.limitedVulnerabilitySeverityCounts, and we should observe that the maximum count returned does not exceed 1001, as shown in the screenshots above.
query {
  project(fullPath: "bala-test-group/438303-limit-vulnerabiility-severity-counts") {
    limitedVulnerabilitySeverityCounts(state: [DETECTED]) {
      critical
      high
      info
      low
      medium
      unknown
    }
  }
}

query {
  group(fullPath: "bala-test-group") {
    limitedVulnerabilitySeverityCounts(state: [DETECTED]) {
      critical
      high
      info
      low
      medium
      unknown
    }
  }
}

query {
  instanceSecurityDashboard {
    limitedVulnerabilitySeverityCounts(state: [DETECTED]) {
      critical
      high
      info
      low
      medium
      unknown
    }
  }
}


Edited by Bala Kumar
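The limited-count pattern this MR describes, as an added example written here against a constructed in-memory SQLite table (not GitLab's own code; the table name `vulnerability_reads`, its columns and the `display_count` helper are assumptions): counting through a subquery with `LIMIT 1001` caps the rows the DB has to visit, so a result of 1001 means "more than 1000" rather than an exact total.

```python
import sqlite3

# Cap from the MR: at most 1001 rows are counted per severity, so a
# returned 1001 must be read as "more than 1000", not as an exact count.
COUNT_LIMIT = 1001
SEVERITIES = ("critical", "high", "medium", "low", "info", "unknown")


def build_sample_db(low=1045, critical=55):
    """Constructed table mirroring the verification project in the MR:
    1100 detected vulnerabilities, 1045 low and 55 critical."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vulnerability_reads "
        "(id INTEGER PRIMARY KEY, project_id INTEGER, severity TEXT, state TEXT)"
    )
    rows = [(1, "low", "detected")] * low + [(1, "critical", "detected")] * critical
    conn.executemany(
        "INSERT INTO vulnerability_reads (project_id, severity, state) VALUES (?, ?, ?)",
        rows,
    )
    return conn


def severity_counts(conn, project_id, states=("detected",), limit=None):
    """Per-severity counts. limit=None is the unbounded 'before' query;
    limit=COUNT_LIMIT is the bounded 'after' query: the LIMIT sits inside
    the subquery, so the scan stops after `limit` matching rows."""
    placeholders = ",".join("?" * len(states))
    inner = (
        "SELECT 1 FROM vulnerability_reads "
        "WHERE project_id = ? AND severity = ? AND state IN (%s)" % placeholders
    )
    if limit is not None:
        inner += " LIMIT ?"
    sql = "SELECT COUNT(*) FROM (%s)" % inner
    counts = {}
    for severity in SEVERITIES:
        params = [project_id, severity, *states]
        if limit is not None:
            params.append(limit)
        counts[severity] = conn.execute(sql, params).fetchone()[0]
    return counts


def display_count(n, limit=COUNT_LIMIT):
    """Assumed UI rendering: a count at the cap is shown as a lower bound."""
    return "%d+" % (limit - 1) if n >= limit else str(n)
```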
