Add VulnerabilityReadsFinder to speed up API responses (!76220) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

~~⚠ This MR is dependent on !75546 (merged) and !75441 (merged), only after the background migrations are finished, this could be merged~~

Addresses #335503 (closed)

We have been getting time-out errors while loading the project and group vulnerability report page which have a large number of vulnerabilities. This is because we store a lot of information(eg: title, description html) in the vulnerabilities table which makes the filtering time consuming. As a part of &6903 (closed), we created a vulnerability_reads table with denormalized data to improve the performance of filtering vulnerabilities.

This MR introduces a new finder that uses vulnerability_reads table to query vulnerability data. vulnerability_reads table has the required indices to speed up the filtering of vulnerability data. This will replace the Security::VulnerabilitiesFinder in few places where reading from vulnerability_reads will improve the performance.

The finder is added behind feature flag: vulnerability_reads_table

⚠ Deviations from existing finder:

The new finder does not support these scenarios:

Filtering by cluster_id: We store the cluster_id of a kubernetes cluster which is integrated to GitLab through certificate, it was deprecated in %14.5. Since the new table (vulnerability_reads) is introduced %14.8, we decided not to handle the filtering in the new table: !76220 (comment 859085751)
Sorting by state and report_type: We are planning to remove the sorting by state and report_type functionality as it is not being used much: !76220 (comment 862464790) Follow-up issues: #354504 (closed) and #354503 (closed)

Graphql Query

In order to test this MR, enabling vulnerability_reads_table feature flag on project and executing these 2 graphql queries would work:

Project.vulnerabilities

query

query {
  project(fullPath:"gitlab-org/gitlab") {
    vulnerabilities(reportType:[SAST,SECRET_DETECTION,CONTAINER_SCANNING,DAST,DEPENDENCY_SCANNING,COVERAGE_FUZZING,API_FUZZING], state:[DETECTED,CONFIRMED], sort:severity_desc){
      nodes {
        id
        severity
      }
    }
  }
}

Query analysis for gitlab-org/gitlab project

`vulnerability_reads` table

EXPLAIN SELECT * FROM "vulnerability_reads" WHERE "project_id" = 278964 AND "report_type" IN (2, 3, 1, 0, 4, 5, 6) AND "state" IN (1, 4) ORDER BY "severity" DESC, "vulnerability_id" DESC LIMIT 20

console.postgres.ai: 33.381 ms

`vulnerabilities` table

EXPLAIN SELECT * FROM "vulnerabilities" WHERE "project_id" = 278964 AND "report_type" IN (2, 3, 1, 0, 4, 5, 6) AND "state" IN (1, 4) ORDER BY "severity" DESC, "id" DESC LIMIT 20

console.postgres.ai: 29.852 ms

Group.vulnerabilities

Query

query {
  group(fullPath:"gitlab-org") {
    vulnerabilities(reportType:[SAST,SECRET_DETECTION,CONTAINER_SCANNING,DAST,DEPENDENCY_SCANNING,COVERAGE_FUZZING,API_FUZZING], state:[DETECTED,CONFIRMED], sort:severity_desc){
      nodes {
        id
        severity
      }
    }
  }
}

Query analysis for gitlab-org namespace

`vulnerability_reads` table

EXPLAIN SELECT * FROM "vulnerability_reads" WHERE "project_id" IN (SELECT "projects"."id" FROM "projects" WHERE "projects"."namespace_id" IN (SELECT "namespaces"."id" FROM "namespaces" WHERE "namespaces"."type" = 'Group' AND (traversal_ids @> ('{9970}'))) AND "projects"."archived" = FALSE AND "projects"."pending_delete" = FALSE) AND "report_type" IN (2, 3, 1, 0, 4, 5, 6) AND "state" IN (1, 4) ORDER BY "severity" DESC, "vulnerability_id" DESC LIMIT 20

console.postgres.ai: 305.076 ms

`vulnerabilities` table

EXPLAIN SELECT * FROM "vulnerabilities" WHERE "project_id" IN (SELECT "projects"."id" FROM "projects" WHERE "projects"."namespace_id" IN (SELECT "namespaces"."id" FROM "namespaces" WHERE "namespaces"."type" = 'Group' AND (traversal_ids @> ('{9970}'))) AND "projects"."archived" = FALSE AND "projects"."pending_delete" = FALSE) AND "report_type" IN (2, 3, 1, 0, 4, 5, 6) AND "state" IN (1, 4) ORDER BY "severity" DESC, "id" DESC LIMIT 20

console.postgres.ai: 759.789 ms

Project.vulnerabilitySeveritiesCount

Query

query {
  project(fullPath:"gitlab-org/gitlab") {
    vulnerabilitySeveritiesCount(reportType:[SAST,SECRET_DETECTION,CONTAINER_SCANNING,DAST,DEPENDENCY_SCANNING,COVERAGE_FUZZING,API_FUZZING], state:[DETECTED,CONFIRMED]){
      high
      medium
      low
      critical
    }
  }
}

Query analysis for gitlab-org/gitlab project

`vulnerability_reads` table

EXPLAIN SELECT COUNT(*) AS count_all, "severity" AS vulnerabilities_severity FROM "vulnerability_reads" WHERE "project_id" = 278964 AND "report_type" IN (2, 3, 1, 0, 4, 5, 6) AND "state" IN (1, 4) GROUP BY "severity" ORDER BY "severity" DESC

console.postgres.ai: 20.582 ms

`vulnerabilities` table

EXPLAIN SELECT COUNT(*) AS count_all, "severity" AS vulnerabilities_severity FROM "vulnerabilities" WHERE "project_id" = 278964 AND "report_type" IN (2, 3, 1, 0, 4, 5, 6) AND "state" IN (1, 4) GROUP BY "severity" ORDER BY "severity" DESC

console.postgres.ai: 30.324 ms

Group.vulnerabilitySeveritiesCount

Query

query {
  group(fullPath:"gitlab-org") {
    vulnerabilitySeveritiesCount(reportType:[SAST,SECRET_DETECTION,CONTAINER_SCANNING,DAST,DEPENDENCY_SCANNING,COVERAGE_FUZZING,API_FUZZING], state:[DETECTED,CONFIRMED]){
      high
      medium
      low
      critical
    }
  }
}

Query analysis for gitlab-org namespace

`vulnerability_reads` table

EXPLAIN SELECT COUNT(*) AS count_all, "severity" AS vulnerabilities_severity FROM "vulnerability_reads" WHERE "project_id" IN (SELECT "projects"."id" FROM "projects" WHERE "projects"."namespace_id" IN (SELECT "namespaces"."id" FROM "namespaces" WHERE "namespaces"."type" = 'Group' AND (traversal_ids @> ('{9970}'))) AND "projects"."archived" = FALSE AND "projects"."pending_delete" = FALSE) AND "report_type" IN (2, 3, 1, 0, 4, 5, 6) AND "state" IN (1, 4) GROUP BY "severity" ORDER BY "severity" DESC

console.postgres.ai: 315.843 ms

`vulnerabilities` table

EXPLAIN SELECT COUNT(*) AS count_all, "severity" AS vulnerabilities_severity FROM "vulnerabilities" WHERE "project_id" IN (SELECT "projects"."id" FROM "projects" WHERE "projects"."namespace_id" IN (SELECT "namespaces"."id" FROM "namespaces" WHERE "namespaces"."type" = 'Group' AND (traversal_ids @> ('{9970}'))) AND "projects"."archived" = FALSE AND "projects"."pending_delete" = FALSE) AND "report_type" IN (2, 3, 1, 0, 4, 5, 6) AND "state" IN (1, 4) GROUP BY "severity" ORDER BY "severity" DESC

console.postgres.ai: 600.092 ms

Database

Scopes

order_severity_asc:

SELECT * FROM "vulnerability_reads" WHERE "project_id" = 278964 ORDER BY "severity" ASC, "vulnerability_id" DESC LIMIT 20

Add VulnerabilityReadsFinder to speed up API responses

What does this MR do and why?

⚠ Deviations from existing finder:

Graphql Query

Project.vulnerabilities

Query analysis for gitlab-org/gitlab project

vulnerability_reads table

vulnerabilities table

Group.vulnerabilities

Query analysis for gitlab-org namespace

vulnerability_reads table

vulnerabilities table

Project.vulnerabilitySeveritiesCount

Query analysis for gitlab-org/gitlab project

vulnerability_reads table

vulnerabilities table

Group.vulnerabilitySeveritiesCount

Query analysis for gitlab-org namespace

vulnerability_reads table

vulnerabilities table

Database

Scopes

order_severity_asc:

order_severity_desc:

order_detected_at_asc:

order_detected_at_desc:

by_scanner_ids:

for_projects:

grouped_by_severity:

with_report_types:

with_severities:

with_states:

with_container_image:

with_cluster_agent_ids:

with_resolution:

with_issues:

with_scanner_external_ids:

MR acceptance checklist

Merge request reports

`vulnerability_reads` table

`vulnerabilities` table

`vulnerability_reads` table

`vulnerabilities` table

`vulnerability_reads` table

`vulnerabilities` table

`vulnerability_reads` table

`vulnerabilities` table