@mrizzi mrizzi commented Oct 31, 2025

Optimize CPE-based vulnerability query with CTEs and index

Refactor the product_advisory_info_sql() function to use Common Table Expressions (CTEs) and split OR conditions into UNION queries for performance improvement.

The original query had a performance issue caused by an OR condition in the JOIN clause:

  FROM sbom_package_purl_ref spr
  JOIN qualified_purl qp ON spr.qualified_purl_id = qp.id
  JOIN versioned_purl vp ON qp.versioned_purl_id = vp.id
  JOIN base_purl bp ON vp.base_purl_id = bp.id
  JOIN product_status ps ON ps.package = bp.name
                         OR ps.package = CONCAT(bp.namespace, '/', bp.name)

The OR condition in a JOIN generates a big Cartesian product intermediate result set whose cardinality slows down the performance.

The change here is splitting the OR into UNION, i.e. creating two separate queries and combining them with UNION.
Using CTEs also allowed for some pre-filtering, e.g. in sbom_purls the packages are pre-filtered to be only the ones with the SBOM.

Also added the index product_status_package_idx (on product_status.package) to support some join conditions, e.g. ps.package = sp.name.

The final result is that the query's execution time moved from ~3 minutes to ~0.5 sec.

Relates to https://issues.redhat.com/browse/TC-3139

Summary by Sourcery

Optimize the CPE-based vulnerability query by refactoring it with Common Table Expressions and splitting OR conditions into UNIONs, and support the changes by adding a new index to speed up package lookups

Enhancements:

  • Refactor product_advisory_info_sql to use CTEs for pre-filtering and union-based joins to eliminate OR conditions
  • Split OR join into two match queries combined via UNION to leverage indexes and reduce Cartesian products
  • Add sbom_purls CTE to pre-filter packages by SBOM and avoid repeated scans

Build:

  • Add migration to create and drop product_status_package_idx on product_status.package

@mrizzi mrizzi requested a review from dejanb October 31, 2025 13:39
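
The OR-to-UNION rewrite described in the PR body, as an added example that is not the PR's own code: it runs both query shapes and reports any row that appears in one result but not the other, since a row lost in such a rewrite is an advisory that silently stops being reported. Assumptions: SQLite (Python's sqlite3) stands in for the project's database, `||` stands in for CONCAT, the purl chain is collapsed into a hypothetical `sbom_purl` table, and every row is constructed; the CTE and index names follow the ones named on this page.

```python
import sqlite3

# Constructed, simplified schema. The real chain (sbom_package_purl_ref ->
# qualified_purl -> versioned_purl -> base_purl) is collapsed into a
# hypothetical sbom_purl table. Only the index name comes from the PR.
SCHEMA = """
CREATE TABLE base_purl (id INTEGER PRIMARY KEY, namespace TEXT, name TEXT NOT NULL);
CREATE TABLE sbom_purl (sbom_id TEXT NOT NULL, base_purl_id INTEGER NOT NULL);
CREATE TABLE product_status (id INTEGER PRIMARY KEY, package TEXT NOT NULL,
                             vulnerability_id TEXT NOT NULL);
CREATE INDEX product_status_package_idx ON product_status (package);
"""

# "Before" shape: one JOIN whose ON clause ORs the two package spellings.
OR_JOIN = """
SELECT ps.id, bp.id
FROM sbom_purl r
JOIN base_purl bp ON r.base_purl_id = bp.id
JOIN product_status ps ON ps.package = bp.name
                       OR ps.package = bp.namespace || '/' || bp.name
WHERE r.sbom_id = ?
"""

# "After" shape: pre-filter the SBOM's packages, run one equality join per
# spelling, and combine the branches with UNION. Row ids are selected so that
# UNION's de-duplication cannot merge two distinct matches.
UNION_CTE = """
WITH sbom_purls AS (
    SELECT bp.id AS base_purl_id, bp.namespace, bp.name
    FROM sbom_purl r
    JOIN base_purl bp ON r.base_purl_id = bp.id
    WHERE r.sbom_id = ?
),
product_status_matches_name AS (
    SELECT ps.id AS status_id, sp.base_purl_id
    FROM sbom_purls sp
    JOIN product_status ps ON ps.package = sp.name
),
product_status_matches_namespace AS (
    SELECT ps.id AS status_id, sp.base_purl_id
    FROM sbom_purls sp
    JOIN product_status ps ON ps.package = sp.namespace || '/' || sp.name
),
all_matches AS (
    SELECT * FROM product_status_matches_name
    UNION
    SELECT * FROM product_status_matches_namespace
)
SELECT status_id, base_purl_id FROM all_matches
"""


def build_db():
    """Create an in-memory database filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO base_purl VALUES (?, ?, ?)", [
        (1, "redhat", "openssl"),   # matches by name and by namespace/name
        (2, None, "zlib"),          # NULL namespace: only the name branch can match
        (3, "redhat", "curl"),      # in the SBOM, no status rows at all
        (4, "fedora", "openssl"),   # same name, but belongs to another SBOM
    ])
    conn.executemany("INSERT INTO sbom_purl VALUES (?, ?)", [
        ("sbom-a", 1), ("sbom-a", 2), ("sbom-a", 3), ("sbom-b", 4),
    ])
    conn.executemany("INSERT INTO product_status VALUES (?, ?, ?)", [
        (10, "openssl", "VULN-0001"),
        (11, "redhat/openssl", "VULN-0002"),
        (12, "zlib", "VULN-0003"),
        (13, "fedora/openssl", "VULN-0004"),
        (14, "bash", "VULN-0005"),  # package absent from every SBOM
    ])
    return conn


def matches(conn, sql, sbom_id):
    """Return the sorted (product_status id, base_purl id) pairs for one SBOM."""
    return sorted(conn.execute(sql, (sbom_id,)).fetchall())


def rewrite_drift(conn, sbom_id):
    """Return (rows only the OR join finds, rows only the UNION form finds)."""
    before = set(matches(conn, OR_JOIN, sbom_id))
    after = set(matches(conn, UNION_CTE, sbom_id))
    return before - after, after - before


if __name__ == "__main__":
    db = build_db()
    for sbom in ("sbom-a", "sbom-b"):
        print(sbom, matches(db, UNION_CTE, sbom), rewrite_drift(db, sbom))
```
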

sourcery-ai bot commented Oct 31, 2025

Reviewer's Guide

The PR refactors the product_advisory_info_sql function to leverage CTEs for pre-filtering and replaces the costly OR-based JOIN with two UNIONed match branches, and introduces a new database migration to add an index on product_status.package to accelerate those joins.

Entity relationship diagram for product_status and related tables after index addition

erDiagram
    PRODUCT_STATUS {
        string id
        string package
        string advisory_id
        string vulnerability_id
        string status_id
        string context_cpe_id
    }
    SBOM_PACKAGE_PURL_REF {
        string qualified_purl_id
        string sbom_id
        string node_id
    }
    QUALIFIED_PURL {
        string id
        string versioned_purl_id
    }
    VERSIONED_PURL {
        string id
        string base_purl_id
    }
    BASE_PURL {
        string id
        string name
        string namespace
    }
    PRODUCT_STATUS ||--o| ADVISORY : "advisory_id"
    PRODUCT_STATUS ||--o| VULNERABILITY : "vulnerability_id"
    PRODUCT_STATUS ||--o| STATUS : "status_id"
    PRODUCT_STATUS ||--o| CPE : "context_cpe_id"
    PRODUCT_STATUS ||--o| PRODUCT_STATUS_PACKAGE_IDX : "package (indexed)"
    SBOM_PACKAGE_PURL_REF ||--o| QUALIFIED_PURL : "qualified_purl_id"
    QUALIFIED_PURL ||--o| VERSIONED_PURL : "versioned_purl_id"
    VERSIONED_PURL ||--o| BASE_PURL : "base_purl_id"
    BASE_PURL {
        string name
        string namespace
    }

Class diagram for migration adding product_status.package index

classDiagram
    class Migration {
        +up(manager: SchemaManager) Result<(), DbErr>
        +down(manager: SchemaManager) Result<(), DbErr>
    }
    class Indexes {
        +ProductStatusPackageIdx
    }
    class ProductStatus {
        +Table
        +Package
    }
    Migration --> Indexes
    Migration --> ProductStatus

Flow diagram for optimized product_advisory_info_sql query logic

flowchart TD
    A["Start: Input sbom_id"] --> B["Compute related_nodes (CTE)"]
    B --> C["Compute sbom_cpes (CTE)"]
    C --> D["Compute filtered_cpes (CTE)"]
    D --> E["Compute generalized_cpes (CTE)"]
    E --> F["Compute allowed_cpe_ids (CTE)"]
    F --> G["Pre-filter sbom_purls (CTE)"]
    G --> H["product_status_matches_name (CTE): JOIN on package = name"]
    G --> I["product_status_matches_namespace (CTE): JOIN on package = namespace/name"]
    H --> J["all_matches (UNION)"]
    I --> J
    J --> K["Final SELECT with joins to advisory, vulnerability, status, etc."]

File-Level Changes

Change: Refactor product advisory query to use CTEs and UNION to eliminate OR joins and pre-filter datasets
Details:
  • Added CTEs for related nodes, filtered/generalized CPEs, allowed CPEs, and SBOM packages
  • Split the OR-based JOIN into two separate CTEs (name match and namespace match) and unified them with UNION
  • Updated the final SELECT to join via the new all_matches CTE and adjusted downstream joins
  • Replaced format! string building with a raw SQL literal for readability
Files:
  • modules/fundamental/src/sbom/model/raw_sql.rs

Change: Add migration to index product_status.package for optimized joins
Details:
  • Created m0001190_optimize_product_advisory_query migration to create/drop product_status_package_idx
  • Registered the new migration in migration/src/lib.rs
  • Defined Iden enums for the index and ProductStatus table
Files:
  • migration/src/m0001190_optimize_product_advisory_query.rs
  • migration/src/lib.rs

Possibly linked issues

  • #Performance: Improve vulnerability correlation logic for SBOMs: The PR significantly improves vulnerability correlation performance by optimizing complex database queries identified as bottlenecks in the issue, specifically by refactoring the product_advisory_info_sql function.

@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes and they look great!



codecov bot commented Oct 31, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.17%. Comparing base (390833b) to head (1854d02).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2076      +/-   ##
==========================================
+ Coverage   68.02%   68.17%   +0.14%     
==========================================
  Files         367      368       +1     
  Lines       20590    20680      +90     
  Branches    20590    20680      +90     
==========================================
+ Hits        14006    14098      +92     
+ Misses       5747     5741       -6     
- Partials      837      841       +4     


@dejanb dejanb left a comment

Looks great. Thanks for looking into this.

I hope we can tackle purl_statuses table next and somehow again extract this CPE filtering logic into a single "function".

Should we run scale tests to confirm the improvements?


mrizzi commented Nov 3, 2025

> Looks great. Thanks for looking into this.
>
> I hope we can tackle purl_statuses table next and somehow again extract this CPE filtering logic into a single "function".

I had an initial look but there's more work involved to improve that one.

> Should we run scale tests to confirm the improvements?

Well, the performance was so bad that the scale test for the sbom/{sbom_id}/advisory endpoint has been "disabled" by commenting out https://github.com/guacsec/trustify-scale-test-runs/blob/f1b02a3462d1006f8b6c8a7f009ff5a7e788ee47/scenarios/full-20250604.json5#L10


dejanb commented Nov 3, 2025

Yeah, are we able to uncomment them now?


mrizzi commented Nov 3, 2025

/scale-test


github-actions bot commented Nov 3, 2025

🛠️ Scale test has started! Follow the progress here: Workflow Run


github-actions bot commented Nov 3, 2025

Goose Report

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-11-03 12:17:33 25-11-03 12:17:40 00:00:07 0 → 7
Maintaining 25-11-03 12:17:40 25-11-03 12:22:40 00:05:00 7
Decreasing 25-11-03 12:22:40 25-11-03 12:23:03 00:00:23 0 ← 7

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
DELETE delete_sbom_from_pool_sequential[100 SBOMs] 36 (0) 0 1298.00 (-97.50) 239 (+56) 4308 (+1473) 0.12 (+0.00) 0.00 (+0.00)
GET get_advisory_by_doc_id 35 (-10) 0 16.77 (-3.90) 3 (0) 84 (+17) 0.12 (-0.03) 0.00 (+0.00)
GET get_analysis_latest_cpe 40 (-5) 0 281.00 (+40.44) 106 (+11) 595 (+120) 0.13 (-0.02) 0.00 (+0.00)
GET get_analysis_status 40 (-5) 0 13.32 (+2.08) 1 (0) 89 (+32) 0.13 (-0.02) 0.00 (+0.00)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 36 (-9) 0 722.97 (-86.58) 63 (-98) 1574 (-49) 0.12 (-0.03) 0.00 (+0.00)
GET get_sbom[sha256:720e4451…a939656247164447] 40 (-5) 0 1650.10 (-146.99) 553 (+55) 4766 (+449) 0.13 (-0.02) 0.00 (+0.00)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 40 (-5) 0 8206.00 (-91.78) 5334 (+2317) 12621 (-2197) 0.13 (-0.02) 0.00 (+0.00)
GET list_advisory 35 (-10) 0 520.57 (+57.66) 140 (+35) 1006 (+174) 0.12 (-0.03) 0.00 (+0.00)
GET list_advisory_paginated 35 (-10) 0 420.37 (-24.27) 145 (+38) 636 (-417) 0.12 (-0.03) 0.00 (+0.00)
GET list_importer 36 (-10) 0 5.58 (-0.59) 1 (0) 51 (+3) 0.12 (-0.03) 0.00 (+0.00)
GET list_organizations 35 (-10) 0 14.23 (-2.30) 2 (+1) 53 (-3) 0.12 (-0.03) 0.00 (+0.00)
GET list_packages 36 (-10) 0 386.50 (-11.13) 145 (+24) 621 (-133) 0.12 (-0.03) 0.00 (+0.00)
GET list_packages_paginated 36 (-10) 0 367.00 (+35.87) 105 (-18) 575 (-4) 0.12 (-0.03) 0.00 (+0.00)
GET list_products 40 (-8) 0 23.90 (+11.84) 4 (+1) 77 (+20) 0.13 (-0.03) 0.00 (+0.00)
GET list_sboms 40 (-8) 0 1465.25 (-205.46) 590 (+280) 3438 (-54) 0.13 (-0.03) 0.00 (+0.00)
GET list_sboms_paginated 40 (-5) 0 4395.23 (+118.11) 393 (-400) 15730 (+3120) 0.13 (-0.02) 0.00 (+0.00)
GET list_vulnerabilities 35 (-11) 0 313.14 (-38.94) 66 (-9) 647 (-121) 0.12 (-0.04) 0.00 (+0.00)
GET list_vulnerabilities_paginated 36 (-10) 0 248.22 (+59.96) 40 (-24) 679 (+283) 0.12 (-0.03) 0.00 (+0.00)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 40 (-5) 0 37.25 (+9.32) 4 (0) 197 (-58) 0.13 (-0.02) 0.00 (+0.00)
GET search_advisory 35 (-11) 0 942.51 (-57.86) 171 (+9) 1886 (-707) 0.12 (-0.04) 0.00 (+0.00)
GET search_exact_purl 40 (-8) 0 40.10 (+4.10) 4 (0) 127 (+60) 0.13 (-0.03) 0.00 (+0.00)
GET search_licenses 2 (0) 0 59762.50 (+9353.00) 56893 (+15942) 62632 (+2764) 0.01 (+0.00) 0.00 (+0.00)
GET search_purls 40 (-10) 0 18017.05 (+6251.33) 7343 (+5342) 25411 (-6090) 0.13 (-0.03) 0.00 (+0.00)
GET search_purls_by_license 1 (0) 0 123865.00 (-47031.00) 123865 (-47031) 123865 (-47031) 0.00 (+0.00) 0.00 (+0.00)
GET search_sboms_by_license 2 (+1) 0 41150.50 (-19529.50) 30076 (-30604) 52225 (-8455) 0.01 (+0.00) 0.00 (+0.00)
POST get_recommendations[pkg:rpm/redhat/…[email protected]] 35 (-10) 0 74.43 (+31.90) 7 (0) 205 (+24) 0.12 (-0.03) 0.00 (+0.00)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 37 (-8) 0 487.59 (+57.28) 67 (-34) 1219 (+211) 0.12 (-0.03) 0.00 (+0.00)
Aggregated 903 (-192) 0 2102.42 (+351.15) 1 (0) 123865 (-47031) 3.01 (-0.64) 0.00 (+0.00)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
DELETE delete_sbom_from_pool_sequential[100 SBOMs] 1,000 (0) 1,000 (-1,000) 1,000 (-1,000) 2,000 (0) 2,000 (-835) 3,000 (+165) 4,000 (+1,165) 4,000 (+1,165)
GET get_advisory_by_doc_id 7 (-2) 10 (0) 14 (-4) 26 (-25) 52 (-7) 56 (-8) 84 (+17) 84 (+17)
GET get_analysis_latest_cpe 220 (+10) 250 (+20) 310 (+20) 400 (+80) 480 (+80) 500 (+80) 595 (+120) 595 (+120)
GET get_analysis_status 4 (0) 5 (+1) 7 (+2) 15 (+7) 48 (-4) 58 (+3) 89 (+32) 89 (+32)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 700 (0) 900 (+100) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (-623) 1,574 (-49) 1,574 (-49)
GET get_sbom[sha256:720e4451…a939656247164447] 1,000 (-1,000) 1,000 (-1,000) 2,000 (0) 3,000 (+1,000) 3,000 (0) 4,000 (+1,000) 4,766 (+766) 4,766 (+766)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 8,000 (+1,000) 8,000 (0) 9,000 (0) 9,000 (-1,000) 11,000 (-2,000) 12,000 (-2,000) 12,621 (-2,197) 12,621 (-2,197)
GET list_advisory 600 (+130) 600 (+100) 700 (+100) 700 (+100) 700 (0) 800 (+100) 1,000 (+200) 1,000 (+200)
GET list_advisory_paginated 430 (-50) 480 (-20) 500 (0) 500 (-100) 600 (-100) 600 (-100) 600 (-400) 600 (-400)
GET list_importer 3 (0) 3 (0) 4 (0) 6 (+1) 9 (-1) 17 (-21) 51 (+3) 51 (+3)
GET list_organizations 5 (-1) 6 (-2) 12 (-21) 34 (-7) 46 (+1) 47 (-2) 53 (-3) 53 (-3)
GET list_packages 410 (0) 440 (-30) 470 (-20) 500 (-100) 500 (-100) 600 (0) 600 (-154) 600 (-154)
GET list_packages_paginated 400 (+70) 420 (+30) 470 (+70) 490 (+70) 500 (+10) 575 (+75) 575 (-4) 575 (-4)
GET list_products 9 (+2) 12 (+4) 36 (+26) 50 (+38) 54 (+35) 71 (+17) 77 (+20) 77 (+20)
GET list_sboms 1,000 (0) 1,000 (-1,000) 2,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0)
GET list_sboms_paginated 4,000 (0) 6,000 (+1,000) 6,000 (0) 7,000 (+1,000) 8,000 (+1,000) 9,000 (-2,000) 15,730 (+3,120) 15,730 (+3,120)
GET list_vulnerabilities 250 (-50) 270 (-120) 480 (-20) 500 (0) 500 (-100) 500 (-200) 600 (-168) 600 (-168)
GET list_vulnerabilities_paginated 260 (+70) 270 (+60) 270 (+50) 300 (+50) 360 (+70) 600 (+290) 679 (+283) 679 (+283)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 14 (+1) 18 (+2) 51 (+25) 69 (+37) 80 (+13) 120 (+44) 197 (-58) 197 (-58)
GET search_advisory 800 (-100) 1,000 (0) 1,000 (0) 1,000 (0) 1,886 (-114) 1,886 (-114) 1,886 (-707) 1,886 (-707)
GET search_exact_purl 25 (-26) 54 (+1) 56 (+2) 59 (+4) 120 (+61) 120 (+59) 127 (+60) 127 (+60)
GET search_licenses 57,000 (+16,000) 57,000 (+16,000) 57,000 (+16,000) 62,632 (+2,764) 62,632 (+2,764) 62,632 (+2,764) 62,632 (+2,764) 62,632 (+2,764)
GET search_purls 18,000 (+7,000) 19,000 (+7,000) 23,000 (+9,000) 23,000 (+7,000) 25,000 (+3,000) 25,000 (+1,000) 25,000 (-6,501) 25,000 (-6,501)
GET search_purls_by_license 123,865 (-47,031) 123,865 (-47,031) 123,865 (-47,031) 123,865 (-47,031) 123,865 (-47,031) 123,865 (-47,031) 123,865 (-47,031) 123,865 (-47,031)
GET search_sboms_by_license 30,076 (-30,604) 30,076 (-30,604) 30,076 (-30,604) 52,000 (-8,680) 52,000 (-8,680) 52,000 (-8,680) 52,000 (-8,680) 52,000 (-8,680)
POST get_recommendations[pkg:rpm/redhat/…[email protected]] 60 (+44) 82 (+29) 100 (+41) 130 (+62) 180 (+93) 190 (+80) 205 (+25) 205 (+25)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 340 (-30) 470 (+60) 700 (+210) 900 (+300) 900 (+100) 1,000 (+100) 1,000 (0) 1,000 (0)
Aggregated 300 (0) 490 (+10) 700 (0) 1,000 (0) 7,000 (+2,000) 12,000 (+4,000) 25,000 (+7,000) 123,865 (-47,031)

Status Code Metrics

Method Name Status Codes
DELETE delete_sbom_from_pool_sequential[100 SBOMs] 36 [200]
GET get_advisory_by_doc_id 35 [200]
GET get_analysis_latest_cpe 40 [200]
GET get_analysis_status 40 [200]
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 36 [200]
GET get_sbom[sha256:720e4451…a939656247164447] 40 [200]
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 40 [200]
GET list_advisory 35 [200]
GET list_advisory_paginated 35 [200]
GET list_importer 36 [200]
GET list_organizations 35 [200]
GET list_packages 36 [200]
GET list_packages_paginated 36 [200]
GET list_products 40 [200]
GET list_sboms 40 [200]
GET list_sboms_paginated 40 [200]
GET list_vulnerabilities 35 [200]
GET list_vulnerabilities_paginated 36 [200]
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 40 [200]
GET search_advisory 35 [200]
GET search_exact_purl 40 [200]
GET search_licenses 2 [200]
GET search_purls 40 [200]
GET search_purls_by_license 1 [200]
GET search_sboms_by_license 2 [200]
POST get_recommendations[pkg:rpm/redhat/…[email protected]] 35 [200]
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 37 [200]
Aggregated 903 [200]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 35 (-10) 0 (0) 15.03 (+0.30) 7 (+1) 33 (+4) 0.12 (-0.03) 0.00 (+0.00)
1.1 list_organizations 35 (-10) 0 (0) 14.31 (-2.33) 2 (+1) 53 (-4) 0.12 (-0.03) 0.00 (+0.00)
1.2 list_advisory 35 (-10) 0 (0) 520.69 (+57.73) 140 (+35) 1006 (+174) 0.12 (-0.03) 0.00 (+0.00)
1.3 list_advisory_paginated 35 (-10) 0 (0) 420.43 (-24.24) 145 (+38) 636 (-417) 0.12 (-0.03) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 35 (-10) 0 (0) 16.80 (-3.89) 3 (0) 84 (+17) 0.12 (-0.03) 0.00 (+0.00)
1.5 search_advisory 35 (-11) 0 (0) 942.57 (-57.91) 171 (+9) 1886 (-709) 0.12 (-0.04) 0.00 (+0.00)
1.6 list_vulnerabilities 35 (-11) 0 (0) 313.17 (-38.92) 66 (-9) 647 (-121) 0.12 (-0.04) 0.00 (+0.00)
1.7 list_vulnerabilities_paginated 36 (-10) 0 (0) 248.28 (+60.02) 40 (-24) 679 (+283) 0.12 (-0.03) 0.00 (+0.00)
1.8 list_importer 36 (-10) 0 (0) 5.61 (-0.58) 1 (0) 51 (+3) 0.12 (-0.03) 0.00 (+0.00)
1.9 list_packages 36 (-10) 0 (0) 386.61 (-11.02) 145 (+24) 621 (-133) 0.12 (-0.03) 0.00 (+0.00)
1.10 list_packages_paginated 36 (-10) 0 (0) 367.06 (+35.82) 105 (-18) 575 (-4) 0.12 (-0.03) 0.00 (+0.00)
1.11 search_purls 40 (-10) 0 (0) 18017.05 (+6251.33) 7343 (+5342) 25411 (-6090) 0.13 (-0.03) 0.00 (+0.00)
1.12 search_exact_purl 40 (-8) 0 (0) 40.17 (+4.15) 4 (0) 127 (+59) 0.13 (-0.03) 0.00 (+0.00)
1.13 list_products 40 (-8) 0 (0) 23.90 (+11.77) 4 (+1) 77 (+20) 0.13 (-0.03) 0.00 (+0.00)
1.14 list_sboms 40 (-8) 0 (0) 1465.28 (-205.47) 590 (+280) 3438 (-54) 0.13 (-0.03) 0.00 (+0.00)
1.15 list_sboms_paginated 40 (-5) 0 (0) 4395.27 (+118.05) 393 (-400) 15730 (+3120) 0.13 (-0.02) 0.00 (+0.00)
1.16 get_analysis_status 40 (-5) 0 (0) 13.35 (+2.02) 1 (0) 89 (+32) 0.13 (-0.02) 0.00 (+0.00)
1.17 get_analysis_latest_cpe 40 (-5) 0 (0) 281.00 (+40.36) 106 (+11) 595 (+120) 0.13 (-0.02) 0.00 (+0.00)
1.18 get_sbom[sha256:720e4451…a939656247164447] 40 (-5) 0 (0) 1650.18 (-146.94) 553 (+55) 4766 (+449) 0.13 (-0.02) 0.00 (+0.00)
1.19 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 40 (-5) 0 (0) 37.28 (+9.32) 4 (0) 197 (-58) 0.13 (-0.02) 0.00 (+0.00)
1.20 get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 40 (-5) 0 (0) 8206.05 (-91.84) 5334 (+2317) 12621 (-2197) 0.13 (-0.02) 0.00 (+0.00)
1.21 post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 37 (-8) 0 (0) 487.68 (+57.21) 67 (-34) 1219 (+211) 0.12 (-0.03) 0.00 (+0.00)
1.22 get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 36 (-9) 0 (0) 723.06 (-86.54) 63 (-98) 1574 (-49) 0.12 (-0.03) 0.00 (+0.00)
1.23 get_recommendations[pkg:rpm/redhat/…[email protected]] 35 (-10) 0 (0) 74.49 (+31.91) 7 (0) 205 (+24) 0.12 (-0.03) 0.00 (+0.00)
RestAPIUserSlow
2.0 logon 1 (0) 0 (0) 8.00 (-5.00) 8 (-5) 8 (-5) 0.00 (+0.00) 0.00 (+0.00)
2.1 search_licenses 2 (0) 0 (0) 59762.50 (+9352.50) 56893 (+15942) 62632 (+2763) 0.01 (+0.00) 0.00 (+0.00)
2.2 search_sboms_by_license 2 (+1) 0 (0) 41150.50 (-19529.50) 30076 (-30604) 52225 (-8455) 0.01 (+0.00) 0.00 (+0.00)
2.3 search_purls_by_license 1 (0) 0 (0) 123865.00 (-47031.00) 123865 (-47031) 123865 (-47031) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUserDelete
3.0 logon 36 (0) 0 (0) 10.31 (-0.53) 6 (0) 18 (-6) 0.12 (+0.00) 0.00 (+0.00)
3.1 delete_sbom_from_pool_sequential[100 SBOMs] 36 (0) 0 (0) 1298.22 (-97.33) 239 (+56) 4308 (+1472) 0.12 (+0.00) 0.00 (+0.00)
Aggregated 975 (-202) 0 (0) 1947.17 (+317.90) 1 (0) 123865 (-47031) 3.25 (-0.67) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (0) 35 (-10) 38657.86 (+5553.57) 29469 (+11108) 50592 (-250) 0.12 (-0.03) 7.00 (-2.00)
RestAPIUserSlow 1 (0) 1 (0) 238733.00 (-52723.00) 238733 (-52723) 238733 (-52723) 0.00 (+0.00) 1.00 (+0.00)
RestAPIUserDelete 1 (0) 36 (0) 8347.67 (-49.03) 6955 (+388) 11927 (+1593) 0.12 (+0.00) 36.00 (+0.00)
Aggregated 7 (0) 72 (-10) 26281.58 (+873.90) 6955 (+388) 238733 (-52723) 0.24 (-0.03) 44.00 (-2.00)

📄 Full Report (Go to "Artifacts" and download report)


mrizzi commented Nov 3, 2025

> Yeah, are we able to uncomment them now?

Done in guacsec/trustify-scale-test-runs#28


mrizzi commented Nov 3, 2025

/scale-test


github-actions bot commented Nov 3, 2025

🛠️ Scale test has started! Follow the progress here: Workflow Run


github-actions bot commented Nov 3, 2025

Goose Report

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-11-03 16:33:37 25-11-03 16:33:44 00:00:07 0 → 7
Maintaining 25-11-03 16:33:44 25-11-03 16:38:44 00:05:00 7
Decreasing 25-11-03 16:38:44 25-11-03 16:39:32 00:00:48 0 ← 7

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
DELETE delete_sbom_from_pool_sequential[100 SBOMs] 36 (0) 0 1530.19 (+134.69) 265 (+82) 2979 (+144) 0.12 (+0.00) 0.00 (+0.00)
GET get_advisory_by_doc_id 15 (-30) 0 24.27 (+3.60) 3 (0) 72 (+5) 0.05 (-0.10) 0.00 (+0.00)
GET get_analysis_latest_cpe 20 (-25) 0 219.70 (-20.86) 83 (-12) 400 (-75) 0.07 (-0.08) 0.00 (+0.00)
GET get_analysis_status 20 (-25) 0 7.50 (-3.74) 1 (0) 46 (-11) 0.07 (-0.08) 0.00 (+0.00)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 15 (-30) 0 588.27 (-221.29) 101 (-60) 1272 (-351) 0.05 (-0.10) 0.00 (+0.00)
GET get_sbom[sha256:720e4451…a939656247164447] 20 (-25) 0 1140.00 (-657.09) 529 (+31) 2030 (-2287) 0.07 (-0.08) 0.00 (+0.00)
GET get_sbom_advisories[sha256:87fd06bc…9d7b8304c0d2d9b2] 20 0 51607.45 44399 56289 0.07 0.00
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 15 (-30) 0 7859.07 (-438.71) 2662 (-355) 12892 (-1926) 0.05 (-0.10) 0.00 (+0.00)
GET list_advisory 15 (-30) 0 506.20 (+43.29) 157 (+52) 911 (+79) 0.05 (-0.10) 0.00 (+0.00)
GET list_advisory_paginated 15 (-30) 0 468.47 (+23.82) 181 (+74) 992 (-61) 0.05 (-0.10) 0.00 (+0.00)
GET list_importer 16 (-30) 0 3.12 (-3.05) 1 (0) 7 (-41) 0.05 (-0.10) 0.00 (+0.00)
GET list_organizations 15 (-30) 0 13.87 (-2.67) 1 (0) 52 (-4) 0.05 (-0.10) 0.00 (+0.00)
GET list_packages 16 (-30) 0 379.94 (-17.69) 110 (-11) 588 (-166) 0.05 (-0.10) 0.00 (+0.00)
GET list_packages_paginated 16 (-30) 0 377.12 (+45.99) 186 (+63) 632 (+53) 0.05 (-0.10) 0.00 (+0.00)
GET list_products 20 (-28) 0 15.25 (+3.19) 4 (+1) 46 (-11) 0.07 (-0.09) 0.00 (+0.00)
GET list_sboms 20 (-28) 0 1037.15 (-633.56) 538 (+228) 2104 (-1388) 0.07 (-0.09) 0.00 (+0.00)
GET list_sboms_paginated 20 (-25) 0 3523.80 (-753.31) 497 (-296) 7774 (-4836) 0.07 (-0.08) 0.00 (+0.00)
GET list_vulnerabilities 16 (-30) 0 330.56 (-21.52) 144 (+69) 569 (-199) 0.05 (-0.10) 0.00 (+0.00)
GET list_vulnerabilities_paginated 16 (-30) 0 186.81 (-1.45) 70 (+6) 305 (-91) 0.05 (-0.10) 0.00 (+0.00)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 15 (-30) 0 26.73 (-1.20) 5 (+1) 63 (-192) 0.05 (-0.10) 0.00 (+0.00)
GET search_advisory 16 (-30) 0 1167.44 (+167.07) 220 (+58) 1915 (-678) 0.05 (-0.10) 0.00 (+0.00)
GET search_exact_purl 20 (-28) 0 15.80 (-20.20) 6 (+2) 26 (-41) 0.07 (-0.09) 0.00 (+0.00)
GET search_licenses 2 (0) 0 77292.00 (+26882.50) 74389 (+33438) 80195 (+20327) 0.01 (+0.00) 0.00 (+0.00)
GET search_purls 20 (-30) 0 20173.35 (+8407.63) 8564 (+6563) 29674 (-1827) 0.07 (-0.10) 0.00 (+0.00)
GET search_purls_by_license 1 (0) 0 142991.00 (-27905.00) 142991 (-27905) 142991 (-27905) 0.00 (+0.00) 0.00 (+0.00)
GET search_sboms_by_license 1 (0) 0 52152.00 (-8528.00) 52152 (-8528) 52152 (-8528) 0.00 (+0.00) 0.00 (+0.00)
POST get_recommendations[pkg:rpm/redhat/…[email protected]] 15 (-30) 0 72.40 (+29.87) 8 (+1) 189 (+8) 0.05 (-0.10) 0.00 (+0.00)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 15 (-30) 0 435.13 (+4.82) 125 (+24) 875 (-133) 0.05 (-0.10) 0.00 (+0.00)
Aggregated 451 (-644) 0 4764.19 (+3012.91) 1 (0) 142991 (-27905) 1.50 (-2.15) 0.00 (+0.00)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
DELETE delete_sbom_from_pool_sequential[100 SBOMs] 1,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (-835) 2,979 (+144) 2,979 (+144) 2,979 (+144)
GET get_advisory_by_doc_id 9 (0) 11 (+1) 43 (+25) 44 (-7) 66 (+7) 66 (+2) 72 (+5) 72 (+5)
GET get_analysis_latest_cpe 210 (0) 220 (-10) 270 (-20) 290 (-30) 310 (-90) 310 (-110) 400 (-75) 400 (-75)
GET get_analysis_status 3 (-1) 4 (0) 4 (-1) 10 (+2) 11 (-41) 32 (-23) 46 (-11) 46 (-11)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 500 (-200) 500 (-300) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (-623) 1,000 (-623) 1,000 (-623)
GET get_sbom[sha256:720e4451…a939656247164447] 1,000 (-1,000) 1,000 (-1,000) 2,000 (0) 2,000 (0) 2,000 (-1,000) 2,000 (-1,000) 2,000 (-2,000) 2,000 (-2,000)
GET get_sbom_advisories[sha256:87fd06bc…9d7b8304c0d2d9b2] 52,000 53,000 53,000 54,000 56,000 56,000 56,000 56,000
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 7,000 (0) 8,000 (0) 9,000 (0) 9,000 (-1,000) 12,000 (-1,000) 12,000 (-2,000) 12,892 (-1,926) 12,892 (-1,926)
GET list_advisory 490 (+20) 500 (0) 600 (0) 600 (0) 900 (+200) 900 (+200) 900 (+100) 900 (+100)
GET list_advisory_paginated 420 (-60) 500 (0) 500 (0) 600 (0) 800 (+100) 800 (+100) 992 (-8) 992 (-8)
GET list_importer 3 (0) 3 (0) 3 (-1) 4 (-1) 5 (-5) 5 (-33) 7 (-41) 7 (-41)
GET list_organizations 3 (-3) 4 (-4) 9 (-24) 33 (-8) 46 (+1) 46 (-3) 52 (-4) 52 (-4)
GET list_packages 400 (-10) 480 (+10) 490 (0) 490 (-110) 500 (-100) 500 (-100) 588 (-166) 588 (-166)
GET list_packages_paginated 380 (+50) 420 (+30) 420 (+20) 480 (+60) 500 (+10) 600 (+100) 600 (+21) 600 (+21)
GET list_products 7 (0) 8 (0) 12 (+2) 23 (+11) 42 (+23) 43 (-11) 46 (-11) 46 (-11)
GET list_sboms 800 (-200) 900 (-1,100) 1,000 (-1,000) 2,000 (-1,000) 2,000 (-1,000) 2,000 (-1,000) 2,000 (-1,000) 2,000 (-1,000)
GET list_sboms_paginated 2,000 (-2,000) 3,000 (-2,000) 6,000 (0) 7,000 (+1,000) 7,000 (0) 7,000 (-4,000) 7,774 (-4,836) 7,774 (-4,836)
GET list_vulnerabilities 340 (+40) 360 (-30) 400 (-100) 490 (-10) 500 (-100) 500 (-200) 569 (-199) 569 (-199)
GET list_vulnerabilities_paginated 220 (+30) 230 (+20) 240 (+20) 240 (-10) 240 (-50) 300 (-10) 305 (-91) 305 (-91)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 18 (+5) 18 (+2) 48 (+22) 48 (+16) 60 (-7) 60 (-16) 63 (-192) 63 (-192)
GET search_advisory 1,000 (+100) 1,000 (0) 1,915 (+915) 1,915 (+915) 1,915 (-85) 1,915 (-85) 1,915 (-678) 1,915 (-678)
GET search_exact_purl 16 (-35) 18 (-35) 19 (-35) 24 (-31) 25 (-34) 26 (-35) 26 (-41) 26 (-41)
GET search_licenses 74,389 (+33,389) 74,389 (+33,389) 74,389 (+33,389) 80,000 (+20,132) 80,000 (+20,132) 80,000 (+20,132) 80,000 (+20,132) 80,000 (+20,132)
GET search_purls 21,000 (+10,000) 21,000 (+9,000) 22,000 (+8,000) 23,000 (+7,000) 24,000 (+2,000) 24,000 (0) 29,674 (-1,827) 29,674 (-1,827)
GET search_purls_by_license 142,991 (-27,905) 142,991 (-27,905) 142,991 (-27,905) 142,991 (-27,905) 142,991 (-27,905) 142,991 (-27,905) 142,991 (-27,905) 142,991 (-27,905)
GET search_sboms_by_license 52,152 (-8,528) 52,152 (-8,528) 52,152 (-8,528) 52,152 (-8,528) 52,152 (-8,528) 52,152 (-8,528) 52,152 (-8,528) 52,152 (-8,528)
POST get_recommendations[pkg:rpm/redhat/…[email protected]] 64 (+48) 88 (+35) 110 (+51) 110 (+42) 130 (+43) 130 (+20) 189 (+9) 189 (+9)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 310 (-60) 380 (-30) 500 (+10) 700 (+100) 800 (0) 800 (-100) 875 (-125) 875 (-125)
Aggregated 400 (+100) 600 (+120) 1,000 (+300) 2,000 (+1,000) 11,000 (+6,000) 44,000 (+36,000) 56,000 (+38,000) 142,991 (-27,905)

Status Code Metrics

Method Name Status Codes
DELETE delete_sbom_from_pool_sequential[100 SBOMs] 36 [200]
GET get_advisory_by_doc_id 15 [200]
GET get_analysis_latest_cpe 20 [200]
GET get_analysis_status 20 [200]
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 15 [200]
GET get_sbom[sha256:720e4451…a939656247164447] 20 [200]
GET get_sbom_advisories[sha256:87fd06bc…9d7b8304c0d2d9b2] 20 [200]
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 15 [200]
GET list_advisory 15 [200]
GET list_advisory_paginated 15 [200]
GET list_importer 16 [200]
GET list_organizations 15 [200]
GET list_packages 16 [200]
GET list_packages_paginated 16 [200]
GET list_products 20 [200]
GET list_sboms 20 [200]
GET list_sboms_paginated 20 [200]
GET list_vulnerabilities 16 [200]
GET list_vulnerabilities_paginated 16 [200]
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 15 [200]
GET search_advisory 16 [200]
GET search_exact_purl 20 [200]
GET search_licenses 2 [200]
GET search_purls 20 [200]
GET search_purls_by_license 1 [200]
GET search_sboms_by_license 1 [200]
POST get_recommendations[pkg:rpm/redhat/…[email protected]] 15 [200]
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 15 [200]
Aggregated 451 [200]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 15 (-30) 0 (0) 12.73 (-2.00) 6 (0) 19 (-10) 0.05 (-0.10) 0.00 (+0.00)
1.1 list_organizations 15 (-30) 0 (0) 14.20 (-2.44) 1 (0) 52 (-5) 0.05 (-0.10) 0.00 (+0.00)
1.2 list_advisory 15 (-30) 0 (0) 506.27 (+43.31) 157 (+52) 911 (+79) 0.05 (-0.10) 0.00 (+0.00)
1.3 list_advisory_paginated 15 (-30) 0 (0) 468.53 (+23.87) 181 (+74) 992 (-61) 0.05 (-0.10) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 15 (-30) 0 (0) 24.33 (+3.64) 3 (0) 72 (+5) 0.05 (-0.10) 0.00 (+0.00)
1.5 search_advisory 16 (-30) 0 (0) 1167.50 (+167.02) 220 (+58) 1915 (-680) 0.05 (-0.10) 0.00 (+0.00)
1.6 list_vulnerabilities 16 (-30) 0 (0) 330.56 (-21.52) 144 (+69) 569 (-199) 0.05 (-0.10) 0.00 (+0.00)
1.7 list_vulnerabilities_paginated 16 (-30) 0 (0) 186.88 (-1.39) 70 (+6) 305 (-91) 0.05 (-0.10) 0.00 (+0.00)
1.8 list_importer 16 (-30) 0 (0) 3.19 (-3.01) 1 (0) 7 (-41) 0.05 (-0.10) 0.00 (+0.00)
1.9 list_packages 16 (-30) 0 (0) 380.00 (-17.63) 110 (-11) 588 (-166) 0.05 (-0.10) 0.00 (+0.00)
1.10 list_packages_paginated 16 (-30) 0 (0) 377.12 (+45.89) 186 (+63) 632 (+53) 0.05 (-0.10) 0.00 (+0.00)
1.11 search_purls 20 (-30) 0 (0) 20173.35 (+8407.63) 8564 (+6563) 29674 (-1827) 0.07 (-0.10) 0.00 (+0.00)
1.12 search_exact_purl 20 (-28) 0 (0) 15.85 (-20.17) 6 (+2) 26 (-42) 0.07 (-0.09) 0.00 (+0.00)
1.13 list_products 20 (-28) 0 (0) 15.30 (+3.18) 4 (+1) 46 (-11) 0.07 (-0.09) 0.00 (+0.00)
1.14 list_sboms 20 (-28) 0 (0) 1037.15 (-633.60) 538 (+228) 2104 (-1388) 0.07 (-0.09) 0.00 (+0.00)
1.15 list_sboms_paginated 20 (-25) 0 (0) 3523.80 (-753.42) 497 (-296) 7774 (-4836) 0.07 (-0.08) 0.00 (+0.00)
1.16 get_analysis_status 20 (-25) 0 (0) 7.55 (-3.78) 1 (0) 46 (-11) 0.07 (-0.08) 0.00 (+0.00)
1.17 get_analysis_latest_cpe 20 (-25) 0 (0) 219.75 (-20.89) 83 (-12) 400 (-75) 0.07 (-0.08) 0.00 (+0.00)
1.18 get_sbom[sha256:720e4451…a939656247164447] 20 (-25) 0 (0) 1140.05 (-657.06) 529 (+31) 2030 (-2287) 0.07 (-0.08) 0.00 (+0.00)
1.19 get_sbom_advisories[sha256:87fd06bc…9d7b8304c0d2d9b2] 20 0 51607.70 44399 56289 0.07 0.00
1.20 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 15 0 26.73 5 63 0.05 0.00
1.21 get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 15 0 7859.07 2662 12892 0.05 0.00
1.22 post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 15 0 435.13 125 875 0.05 0.00
1.23 get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 15 0 588.27 101 1272 0.05 0.00
1.24 get_recommendations[pkg:rpm/redhat/…[email protected]] 15 0 72.53 8 190 0.05 0.00
RestAPIUserSlow
2.0 logon 1 (0) 0 (0) 7.00 (-6.00) 7 (-6) 7 (-6) 0.00 (+0.00) 0.00 (+0.00)
2.1 search_licenses 2 (0) 0 (0) 77292.50 (+26882.50) 74389 (+33438) 80196 (+20327) 0.01 (+0.00) 0.00 (+0.00)
2.2 search_sboms_by_license 1 (0) 0 (0) 52152.00 (-8528.00) 52152 (-8528) 52152 (-8528) 0.00 (+0.00) 0.00 (+0.00)
2.3 search_purls_by_license 1 (0) 0 (0) 142991.00 (-27905.00) 142991 (-27905) 142991 (-27905) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUserDelete
3.0 logon 35 (-1) 0 (0) 8.94 (-1.89) 6 (0) 17 (-7) 0.12 (-0.00) 0.00 (+0.00)
3.1 delete_sbom_from_pool_sequential[100 SBOMs] 36 (0) 0 (0) 1530.36 (+134.81) 265 (+82) 2980 (+144) 0.12 (+0.00) 0.00 (+0.00)
Aggregated 502 (-675) 0 (0) 4280.18 (+2650.91) 1 (0) 142991 (-27905) 1.67 (-2.25) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (0) 15 (-30) 88395.07 (+55290.78) 72027 (+53666) 98868 (+48026) 0.05 (-0.10) 3.00 (-6.00)
RestAPIUserSlow 1 (0) 1 (0) 275348.00 (-16108.00) 275348 (-16108) 275348 (-16108) 0.00 (+0.00) 1.00 (+0.00)
RestAPIUserDelete 1 (0) 35 (-1) 8454.51 (+57.82) 6827 (+260) 10668 (+334) 0.12 (-0.00) 35.00 (-1.00)
Aggregated 7 (0) 51 (-31) 37199.65 (+11791.96) 6827 (+260) 275348 (-16108) 0.17 (-0.10) 39.00 (-7.00)

📄 Full Report (Go to "Artifacts" and download report)
