
/api/v1/vulnerability/component/{uuid} endpoint performs horribly for large portfolios #1424

Closed
2 tasks done
nscuro opened this issue Jul 31, 2024 · 1 comment · Fixed by DependencyTrack/hyades-apiserver#886
Assignees
Labels
defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk performance size/M Medium effort

Comments

nscuro commented Jul 31, 2024

Current Behavior

The /api/v1/vulnerability/component/{uuid} REST API endpoint takes extremely long to respond in large (>10k projects) portfolios (occasionally >30sec).

The persistence logic for serving the endpoint is here: https://github.com/DependencyTrack/hyades-apiserver/blob/c55d7158f881b4e8a24bfa5f2f30032b5dd654d4/src/main/java/org/dependencytrack/persistence/VulnerabilityQueryManager.java#L351-L381

I suspect that collecting the projects affected by each vulnerability one-by-one, in a for loop, is the culprit. By the looks of it, it could be a single SQL query, which would perform a lot better.

Steps to Reproduce

Expected Behavior

/api/v1/vulnerability/component/{uuid} endpoint should be responsive.

Hyades Version

5.6.0-SNAPSHOT

Repository Type

Hyades apiserver

Browser

N/A

Checklist

@nscuro nscuro added defect Something isn't working p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/M Medium effort performance labels Jul 31, 2024

nscuro commented Jul 31, 2024

Actually, similarly bad query patterns can be seen for /api/v1/vulnerability/project/<uuid> as well: https://github.com/DependencyTrack/hyades-apiserver/blob/c55d7158f881b4e8a24bfa5f2f30032b5dd654d4/src/main/java/org/dependencytrack/persistence/VulnerabilityQueryManager.java#L463-L480
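The per-vulnerability loop both comments point at, illustrated on a constructed SQLite schema (this is added example code, not hyades-apiserver code, and the table and column names are assumptions): the N+1 pattern beside a single-query equivalent that returns the same vulnerability-to-projects map, with a trace callback counting the statements each one sends to the database.

```python
import sqlite3
SCHEMA = """
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE component (id INTEGER PRIMARY KEY, project_id INTEGER);
CREATE TABLE components_vulnerabilities (component_id INTEGER, vulnerability_id INTEGER);
"""

def build_db(num_projects=50):
    """Constructed schema and data (NOT the hyades-apiserver schema): every project
    has one component carrying the same two vulnerabilities, so all are affected."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for p in range(1, num_projects + 1):
        db.execute("INSERT INTO project VALUES (?, ?)", (p, f"project-{p}"))
        db.execute("INSERT INTO component VALUES (?, ?)", (p, p))
        db.executemany("INSERT INTO components_vulnerabilities VALUES (?, ?)", [(p, 1), (p, 2)])
    return db

def count_statements(db, fn, *args):
    """Run fn(db, *args); return (result, number of SQL statements sent to SQLite)."""
    issued = []
    db.set_trace_callback(issued.append)
    try:
        return fn(db, *args), len(issued)
    finally:
        db.set_trace_callback(None)

def affected_projects_n_plus_one(db, component_id):
    """The pattern the issue describes: one query for the vulnerabilities, then one per vulnerability."""
    vulns = db.execute("SELECT vulnerability_id FROM components_vulnerabilities "
                       "WHERE component_id = ?", (component_id,)).fetchall()
    result = {}
    for (vuln_id,) in vulns:  # N extra round trips, N = vulnerabilities on the component
        rows = db.execute(
            "SELECT DISTINCT p.name FROM project p JOIN component c ON c.project_id = p.id "
            "JOIN components_vulnerabilities cv ON cv.component_id = c.id WHERE cv.vulnerability_id = ?",
            (vuln_id,)).fetchall()
        result[vuln_id] = sorted(name for (name,) in rows)
    return result

def affected_projects_single_query(db, component_id):
    """Same answer in one round trip: self-join the link table over all of the component's vulnerabilities."""
    rows = db.execute(
        "SELECT DISTINCT mine.vulnerability_id, p.name FROM components_vulnerabilities mine "
        "JOIN components_vulnerabilities cv ON cv.vulnerability_id = mine.vulnerability_id "
        "JOIN component c ON c.id = cv.component_id JOIN project p ON p.id = c.project_id "
        "WHERE mine.component_id = ?", (component_id,)).fetchall()
    grouped = {}
    for vuln_id, name in rows:
        grouped.setdefault(vuln_id, []).append(name)
    return {v: sorted(names) for v, names in grouped.items()}
```

With two vulnerabilities on the component the loop costs three statements and the join costs one; the gap grows with the number of vulnerabilities per component, not with portfolio size, which is why it only hurts once per-statement latency is multiplied across large result sets.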
