-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dashboard Data - Last 10 SBOMs Barchart #952
Comments
More details here: https://issues.redhat.com/browse/TC-1130 |
Originally taken from https://docs.google.com/document/d/1PDTyvNlbzofq3_WaVFTkZY9JfGV4gz0qjctXhcPYfdw/edit?tab=t.0#heading=h.ijubi174bpxp The process for generating the count of vulnerabilities (what the UI current code has) for a single SBOM can be summarized as: RequirementGiven an SBOM the final goal is to be able to count how many vulnerabilities it has classified by severity. For instance:
To generate the previous table some calculations can be done in the client/UI and others in the backend. We need to design and decide exactly which calculations are done on the client/UI side and which ones in the backend side. Current implementation (what the UI has)Given a single SBOM:
[
{
"identifier": "Advisory1",
"status": [
{
"vulnerability_id": "CVE-1",
"status": "affected"
},
{
"vulnerability_id": "CVE-2",
"status": "not_affected"
}
]
},
{
"identifier": "Advisory2",
"status": [
{
"vulnerability_id": "CVE-2",
"status": "affected"
},
{
"vulnerability_id": "CVE-3",
"status": "fixed|known_not_affected"
}
]
}
]
[
{
"vulnerability_id": "CVE-1",
"status": "affected"
},
{
"vulnerability_id": "CVE-2",
"status": "not_affected"
},
{
"vulnerability_id": "CVE-2",
"status": "affected"
},
{
"vulnerability_id": "CVE-3",
"status": "fixed|known_not_affected"
}
]
[
{
"vulnerability_id": "CVE-1",
"status": "affected"
},
{
"vulnerability_id": "CVE-2",
"status": "affected"
}
]
[
{
"vulnerability_id": "CVE-1",
"status": "affected",
"severity": "critical"
},
{
"vulnerability_id": "CVE-2",
"status": "affected",
"severity": "critical"
}
]
|
An update @jcrossley3 I could suggest tackling this in 2 steps:
so instead of the current response: [
{
"identifier": "Advisory1",
"status": [
{
"vulnerability_id": "CVE-1",
"status": "affected"
},
{
"vulnerability_id": "CVE-2",
"status": "not_affected"
}
]
},
{
"identifier": "Advisory2",
"status": [
{
"vulnerability_id": "CVE-2",
"status": "affected"
},
{
"vulnerability_id": "CVE-3",
"status": "fixed|known_not_affected"
}
]
}
] to become: [
{
"identifier": "Advisory1",
"status": [
{
"vulnerability": {
// THE WHOLE VULNERABILITY OBJECT THAT COMES WITH /api/v1/vulnerability/{id}
},
"status": "affected"
},
{
"vulnerability": {
// THE WHOLE VULNERABILITY OBJECT THAT COMES WITH /api/v1/vulnerability/{id}
},
"status": "not_affected"
}
]
},
{
"identifier": "Advisory2",
"status": [
{
"vulnerability": {
// THE WHOLE VULNERABILITY OBJECT THAT COMES WITH /api/v1/vulnerability/{id}
},
"status": "affected"
},
{
"vulnerability": {
// THE WHOLE VULNERABILITY OBJECT THAT COMES WITH /api/v1/vulnerability/{id}
},
"status": "fixed|known_not_affected"
}
]
}
]
The first step would allow me to move the dashboard on the UI while still applying the logic for dealing with multiple advisories in the UI. But we could have some to have things moving :) |
So I tried in #1005 to implement this, but I think it will just make things worse. As VulnerabilityDetails will try to fetch and return a lot of unnecessary data. The call like
is now super-slow for me. I think we would ideally return VulnerabilitySummary here, but that needs a bit more changes to fetch for a single vulnerability |
@dejanb thanks I agree with you, I tested your PR and I got the same experience. I ignore the internals of the backend but what you are suggesting seems very reasonable, to use VulnerabilitySummary to avoid unnecessary data and not to make the request very slow. |
The image below is how V1 looks like in regards of the Dashboard. In the left center part there is BarChart that renders the last 10 SBOMs ingested in the system. Each bar renders the number of vulnerabilities that each SBOM has
Here are some things I'd like to have (we can separate each task on its own issue if that works too):
published
but as far as I understand that will sort by the date in which the SBOM was published which does not necessarily match the date in which it has been ingested into the system./api/v1/sbom?sort=published:asc
I need something else./api/v1/sbom?limit=10&offset=0&sort=published:asc
/api/v1/sbom/{id}/advisory
. So this endpoint is called 10 times. This endpoint returns a list of advisories associated to each SBOM; each advisory will have a list of Vulnerability IDs (it can be from 0 to hundreds)/api/v1/vulnerability/{id}
hundred times.The final math of calls for
/api/v1/vulnerability/{id}
will be =10SBOM multiplied by #Advisories multiplied by #Vulnerabilities
. This can easily explode from hundreds to thousands. This is not going to scale.The text was updated successfully, but these errors were encountered: