fix: Drop Sbom::Occurrence#visible_to scope to resolve occurrence->projects cross-join

What does this MR do and why?

Drop cross-join by removing Sbom::Occurrence#visible_to scope in favor of limiting Explore::DependenciesController to admins only.

This effectively drops the visible_to usage within the Sbom::DependenciesFinder, which was only used when dependable.is_a?(Organization).

See FAQ on parent epic for details on sec-decomposition effort.

Relates to Resolve vulnerability cross join issues in Sbom... (#477112 - closed)
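To make the cross-join concrete, here is an added Ruby check (not GitLab's code) that flags a statement joining tables assigned to different logical databases, run over the Before query listed under the database review section below. The table-to-database map is an assumption for illustration (sbom_occurrences treated as sec, projects and project_authorizations as main), and the single-database query is constructed, not this MR's actual rewrite.

```ruby
# Added illustration, not GitLab code: flag SQL that joins tables assigned to
# different logical databases, the situation sec-decomposition must remove.
# The mapping is an assumption: sbom_occurrences is treated as a sec-database
# table, projects and project_authorizations as main-database tables.
TABLE_DATABASE = {
  "sbom_occurrences"       => :sec,
  "projects"               => :main,
  "project_authorizations" => :main,
}.freeze

# Table names referenced by FROM / JOIN clauses. Handles the quoted
# identifiers ActiveRecord emits and aliased joins ("projects" AS "x").
def referenced_tables(sql)
  sql.scan(/\b(?:FROM|JOIN)\s+"?([A-Za-z_][A-Za-z0-9_]*)"?/i).flatten.uniq
end

# Distinct databases the statement touches; an unknown table is an error
# rather than a silent pass.
def databases_touched(sql)
  referenced_tables(sql).map { |t| TABLE_DATABASE.fetch(t) { raise "unknown table #{t}" } }.uniq
end

def cross_join?(sql)
  databases_touched(sql).size > 1
end

# The query from the MR's "Before" section.
BEFORE_SQL = <<~SQL
  SELECT "sbom_occurrences".*
  FROM "sbom_occurrences"
  INNER JOIN "projects" ON "sbom_occurrences"."project_id" = "projects"."id"
  INNER JOIN
      "projects" AS "projects_sbom_occurrences"
      ON "sbom_occurrences"."project_id" = "projects_sbom_occurrences"."id"
  INNER JOIN
      "project_authorizations"
      ON "projects_sbom_occurrences"."id" = "project_authorizations"."project_id"
  WHERE
      "projects"."organization_id" = 1645
      AND "projects"."archived" = FALSE
      AND "project_authorizations"."user_id" = 401232
SQL

# Constructed single-database query (not this MR's actual rewrite).
AFTER_SQL = 'SELECT "sbom_occurrences".* FROM "sbom_occurrences" WHERE "project_id" IN (1, 2)'

puts "cross-join: #{cross_join?(BEFORE_SQL)}" if __FILE__ == $PROGRAM_NAME
```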

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Database review query plans

Before

Previous Sbom::Occurrence.visible_to scope

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/32913/commands/101458

SELECT "sbom_occurrences".*
FROM "sbom_occurrences"
INNER JOIN "projects" ON "sbom_occurrences"."project_id" = "projects"."id"
INNER JOIN
    "projects" AS "projects_sbom_occurrences"
    ON "sbom_occurrences"."project_id" = "projects_sbom_occurrences"."id"
INNER JOIN
    "project_authorizations"
    ON "projects_sbom_occurrences"."id" = "project_authorizations"."project_id"
WHERE
    "projects"."organization_id" = 1645
    AND "projects"."archived" = FALSE
    AND "project_authorizations"."user_id" = 401232

After

Closes #477112 (closed)

Edited by Lucas Charles
