Add project level filter for dependency list
What does this MR do and why?
Add project level filter for dependency list
As part of the Epic GitLab Container Registry: Continuous Vulnerability Scanning, a new source_type, container_scanning_for_registry, has been added to Sbom::Occurrence (Dependency). This MR establishes a default filter for the GraphQL endpoint, ensuring that the API endpoint returns a dependency list where records created with the newly introduced source_type do not appear on the GitLab Dependency List page.
Notes:
- To preserve the existing functionality, a default filter is utilized on the endpoint.
- The GraphQL enum does not accept `nil` as a value, so the `nil_source` string is used to identify sources with nil.
DB query

Query

```
@collection.filter_by_source_types(params[:source_types]).explain
=> EXPLAIN for: SELECT "sbom_occurrences".* FROM "sbom_occurrences" LEFT OUTER JOIN "sbom_sources" ON "sbom_sources"."id" = "sbom_occurrences"."source_id" WHERE "sbom_occurrences"."project_id" = 1036 AND ("sbom_sources"."source_type" = 1 OR "sbom_sources"."source_type" IS NULL) /*application:test,correlation_id:dbd0a59059d3819efa325c8b78d06ddc,db_config_name:main,line:(pry):2:in `filter_by_source_types'*/
                                                          QUERY PLAN
Nested Loop Left Join  (cost=0.29..4.33 rows=1 width=319)
  Filter: ((sbom_sources.source_type = 1) OR (sbom_sources.source_type IS NULL))
  ->  Index Scan using idx_sbom_occurrences_on_project_id_and_source_id on sbom_occurrences  (cost=0.14..2.16 rows=1 width=319)
        Index Cond: (project_id = 1036)
  ->  Index Scan using sbom_sources_pkey on sbom_sources  (cost=0.14..2.16 rows=1 width=10)
        Index Cond: (id = sbom_occurrences.source_id)
(6 rows)
```

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28273/commands/88245
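The filter semantics described above (enum names mapped to integers, with the `nil_source` sentinel standing in for `IS NULL`, and the registry source excluded by default), modelled in plain Ruby as an added example. This is not GitLab's own scope or model code: the integer values in `SOURCE_TYPES` are assumptions, since the MR only shows `source_type = 1 OR source_type IS NULL`, and the example generalises the single-value query in the EXPLAIN output to a list of source types.

```ruby
# Added example, not GitLab code. Enum integers below are ASSUMED; the
# MR's EXPLAIN only shows "= 1 OR IS NULL", not the full mapping.
SOURCE_TYPES = {
  'dependency_scanning' => 0,
  'container_scanning' => 1,
  'container_scanning_for_registry' => 2
}.freeze
# GraphQL enums cannot carry nil, so the API uses this sentinel string to
# mean "occurrences whose joined sbom_sources row has no source_type".
NIL_SOURCE = 'nil_source'
# Default filter: every source except the registry scan, plus sourceless
# occurrences (the IS NULL branch of the predicate in the MR's query).
DEFAULT_SOURCE_TYPES = (SOURCE_TYPES.keys - ['container_scanning_for_registry']) + [NIL_SOURCE]

# Builds the WHERE fragment the scope would emit. Unknown names raise
# instead of being interpolated, mirroring enum validation at the API edge.
def source_type_predicate(source_types)
  ints = []
  want_nil = false
  source_types.each do |t|
    if t == NIL_SOURCE
      want_nil = true
    elsif SOURCE_TYPES.key?(t)
      ints << SOURCE_TYPES[t]
    else
      raise ArgumentError, "unknown source_type: #{t}"
    end
  end
  parts = []
  parts << %("sbom_sources"."source_type" IN (#{ints.join(', ')})) unless ints.empty?
  parts << %("sbom_sources"."source_type" IS NULL) if want_nil
  "(#{parts.join(' OR ')})"
end

# Applies the same semantics in memory to occurrence rows of the form
# { name:, source_type: } where source_type may be nil (no source row).
def filter_by_source_types(occurrences, source_types = DEFAULT_SOURCE_TYPES)
  allowed = source_types.map { |t| t == NIL_SOURCE ? nil : SOURCE_TYPES.fetch(t) }
  occurrences.select { |o| allowed.include?(o[:source_type]) }
end

# Constructed sample data for demonstration.
OCCURRENCES = [
  { name: 'rails', source_type: 0 },
  { name: 'openssl', source_type: 1 },
  { name: 'libc', source_type: 2 },         # registry scan: hidden by default
  { name: 'manual-sbom', source_type: nil } # uploaded SBOM, no source row
].freeze
```

With the default list, `filter_by_source_types(OCCURRENCES)` keeps rails, openssl and manual-sbom and drops the registry-scan row; passing `['container_scanning_for_registry']` explicitly returns only that row.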
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally

- Create a project with the following sbom
- Create project with following yml

```yaml
stages:
  - build

manual-sbom-upload:
  stage: build
  script:
    - echo "hello, world!"
  artifacts:
    paths:
      - "**/gl-sbom-*.cdx.json"
    reports:
      cyclonedx: "**/gl-sbom-*.cdx.json"
```

- Visit the dependency list page and ensure that no dependencies are displayed. Switching to the master branch of the same project will then show the dependencies.
Related to
Merge request reports

Activity

- changed milestone to %17.1
- assigned to @atiwari71
- A deleted user added database, databasereview pending, documentation labels
4 Warnings
- ⚠ d85f30fb: The commit subject must contain at least 3 words. For more information, take a look at our Commit message guidelines.
- ⚠ 1a21c3e4: The commit subject must contain at least 3 words. For more information, take a look at our Commit message guidelines.
- ⚠ 1ee6a237: The commit subject must contain at least 3 words. For more information, take a look at our Commit message guidelines.
- ⚠ 96bcc9f4: The commit subject must contain at least 3 words. For more information, take a look at our Commit message guidelines.

1 Message
- 📖 This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.

Documentation review

The following files require a review from a technical writer:
- doc/api/graphql/reference/index.md (Link to current live version)
Reviewer roulette

| Category | Reviewer | Maintainer |
|----------|----------|------------|
| backend | @joseph (UTC+0, 5.5 hours behind author) | @rutgerwessels (UTC+2, 3.5 hours behind author) |
| database | @jdrpereira (UTC+1, 4.5 hours behind author) | @OmarQunsulGitlab (UTC+2, 3.5 hours behind author) |
- removed databasereview pending label
- added 1449 commits
  - 48dccbf4...d0645604 - 1448 commits from branch 443821-set-report-type-to-registry
  - fe830290 - Add project level filter
- A deleted user added databasereview pending label
- added pipelinetier-1 label