-
-
Notifications
You must be signed in to change notification settings - Fork 542
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue/2323: Filter portfolio metrics in portfolio access control mode to match team's accesses #2326
base: master
Are you sure you want to change the base?
Issue/2323: Filter portfolio metrics in portfolio access control mode to match team's accesses #2326
Conversation
Signed-off-by: Steve Springett <steve@springett.us> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Bumps [dessant/lock-threads](https://github.com/dessant/lock-threads) from 3 to 4. - [Release notes](https://github.com/dessant/lock-threads/releases) - [Changelog](https://github.com/dessant/lock-threads/blob/master/CHANGELOG.md) - [Commits](dessant/lock-threads@v3...v4) --- updated-dependencies: - dependency-name: dessant/lock-threads dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3.6.0 to 3.7.0. - [Release notes](https://github.com/actions/setup-java/releases) - [Commits](actions/setup-java@v3.6.0...v3.7.0) --- updated-dependencies: - dependency-name: actions/setup-java dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
This reverts commit d9c1db6. Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: Omer Levi Hevroni <omer@goledge.com> Signed-off-by: Omer Levi Hevroni <omer@goledge.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
…pendencyTrack#2242) When deleting a custom license, every policy condition with the license as value will also be deleted. Signed-off-by: RBickert <rbt@mm-software.com> Signed-off-by: RBickert <rbt@mm-software.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
* Add commenter to `PROJECT_AUDIT_CHANGE` emails Signed-off-by: RBickert <rbt@mm-software.com> * Only display commenter if not null Signed-off-by: RBickert <rbt@mm-software.com> Signed-off-by: RBickert <rbt@mm-software.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
…2214) * Enable to set undefined license for license policy Signed-off-by: RBickert <rbt@mm-software.com> * Change `undefinedLicense` to `unresolved` Signed-off-by: RBickert <rbt@mm-software.com> Signed-off-by: RBickert <rbt@mm-software.com> Closes DependencyTrack#1518 Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Closes DependencyTrack#2195 Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Accommodate for changes in package names as outlined in https://github.com/PebbleTemplates/pebble/releases/tag/3.2.0 Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
…dencyTrack#2200) * Fix: Restoring lucene index build during startup by having a dedicated listener A REST API is also exposed to allow index rebuild through the GUI. See DependencyTrack#2104 Automatic periodic consistency check with database are performed if enabled Signed-off-by: Alioune SY <sy_alioune@yahoo.fr> * Fix: Restoring lucene index build during startup by having a dedicated listener Takint into account review comments Signed-off-by: Alioune SY <sy_alioune@yahoo.fr> * Fix: Restoring lucene index build during startup by having a dedicated listener Fixing unit tests. Signed-off-by: Alioune SY <sy_alioune@yahoo.fr> Signed-off-by: Alioune SY <sy_alioune@yahoo.fr> Fixes DependencyTrack#2104 Signed-off-by: mulder999 <nospam099-github@yahoo.com>
…l with no namespace DependencyTrack#2231 Signed-off-by: syalioune <sy_alioune@yahoo.fr> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
See DependencyTrack#1200 Signed-off-by: syalioune <sy_alioune@yahoo.fr> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
* first example first example Signed-off-by: JoergBruenner <joerg.bruenner@gmx.net> * polished up Signed-off-by: JoergBruenner <joerg.bruenner@gmx.net> * Update docs/_docs/usage/usecases.md Co-authored-by: valentijnscholten <valentijnscholten@gmail.com> Signed-off-by: JoergBruenner <joerg.bruenner@gmx.net> Signed-off-by: JoergBruenner <joerg.bruenner@gmx.net> Co-authored-by: valentijnscholten <valentijnscholten@gmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
…ncyTrack#2256) * grafana: total heap size and 100% cpu lines Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com> * grafana: total heap size and 100% cpu lines Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com> * grafana: add summary row around top level panels Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com> Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: Edouard Shaar <edouard.shaar@gsoft.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
* Add parsing logic for Snyk API errors Also move tests for SnykParser into their own class instead of keeping them in SnykAnalysisTaskTest. Signed-off-by: nscuro <nscuro@protonmail.com> * Use the actually useful error fields in Snyk responses Signed-off-by: nscuro <nscuro@protonmail.com> * Improve Snyk analyzer; Add tests; Fix various bugs Signed-off-by: nscuro <nscuro@protonmail.com> * Reword Snyk rate limiting config keys Signed-off-by: nscuro <nscuro@protonmail.com> * Fix SnykParserTest Signed-off-by: nscuro <nscuro@protonmail.com> * Use retries instead of client-side rate limiting when rate limited by the Snyk API Addresses DependencyTrack#2248 Signed-off-by: nscuro <nscuro@protonmail.com> * Disable implicit retry behavior on all exceptions Signed-off-by: nscuro <nscuro@protonmail.com> * Update Snyk config keys documentation Signed-off-by: nscuro <nscuro@protonmail.com> * Report sunset API version only once per analysis Also send a notification instead of just logging it Signed-off-by: nscuro <nscuro@protonmail.com> * Add ability to use multiple Snyk tokens in round-robin Signed-off-by: nscuro <nscuro@protonmail.com> * Update Snyk docs Signed-off-by: nscuro <nscuro@protonmail.com> * Update default Snyk API version to 2022-11-14 Signed-off-by: nscuro <nscuro@protonmail.com> * Fix visibility of index field Signed-off-by: nscuro <nscuro@protonmail.com> * Update Snyk configuration screenshot Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
… and vulnerable_software should be possible See DependencyTrack#1929 (comment) Signed-off-by: Alioune SY <sy_alioune@yahoo.fr> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
…ncyTrack#2189) * Add method to return expanded dependency graph Adds a new API method, which returns a list of components that are needed to display a dependency graph that is expanded to every occurrence of a specified component. Adds new transitive attributes to the component and project class, which are needed to correctly display and expand the resulting dependency graph. Signed-off-by: RBickert <rbt@mm-software.com> * Return empty list instead of HTTP conflict Signed-off-by: RBickert <rbt@mm-software.com> * Return empty list instead of HTTP conflict Signed-off-by: RBickert <rbt@mm-software.com> * Fix root components not being found Signed-off-by: RBickert <rbt@mm-software.com> * Change UUID in query to parameter Signed-off-by: RBickert <rbt@mm-software.com> * Add tests for `getDependencyGraphForComponent` Change `Component.expand` to `Component.expandDependencyGraph` Remove string concatenation in `getDependencyGraphForComponent` and `getParentDependency` in `ComponentQueryManager` Signed-off-by: RBickert <rbt@mm-software.com> Signed-off-by: RBickert <rbt@mm-software.com> Closes DependencyTrack#1997 Signed-off-by: mulder999 <nospam099-github@yahoo.com>
By creating a temporary PMF based on the same properties as the `PersistenceFactoryInitializer`, the `UpgradeInitializer` would create *two* connection pools of `10` (per default) connections each, for the duration of its execution. Because upgrades are executed in serial, connection pooling is not beneficial. Creating temporary connection pools is a wasteful operation and should be avoided. Partially addresses DependencyTrack#1935 Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Closes DependencyTrack#2228 Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Bumps [jetty-maven-plugin](https://github.com/eclipse/jetty.project) from 10.0.12 to 10.0.13. - [Release notes](https://github.com/eclipse/jetty.project/releases) - [Commits](jetty/jetty.project@jetty-10.0.12...jetty-10.0.13) --- updated-dependencies: - dependency-name: org.eclipse.jetty:jetty-maven-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3.6.0 to 3.8.0. - [Release notes](https://github.com/actions/setup-java/releases) - [Commits](actions/setup-java@v3.6.0...v3.8.0) --- updated-dependencies: - dependency-name: actions/setup-java dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Bumps debian from bullseye-20221114-slim to bullseye-20221205-slim. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: mulder999 <nospam099-github@yahoo.com>
cbc1d67
to
8f566a7
Compare
Looks smart as it avoids having to do a complexer query to get exactly the latest metrics for each project in one go. |
Sweet. Thanks @valentijnscholten for all the comments. Let me know if you see anything else. |
Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Thinking out loud here. Could/should it be a background job that gathers the metrics for each users? In Defect Dojo we had these type of metrics all calculated on the fly (by the DB) and that performed quite well even for 1M vulnerabilties. |
Adding metrics computation should be ultra fast indeed. I tend to believe building and maintaining any sort of long term cache would not be useful for this usage. However a short term cache (redis alike) when the user is currently connected and navigating back and force could be useful to avoid repeating same query over and over. |
I fear that would not scale well. Metrics are already one of the main bottlenecks we have when it comes to exhausting the thread pool.
Would you be willing to share some more insights, or links to where this is done in DD? Maybe there are some improvements we can make to the data model so it performs better for these ad-hoc queries.
The "ultra fast" part we'd have to test. But agreed, caching would be a good way to optimize. Even such short-term storage could be realized using the database, we don't necessarily have to introduce a dependency on a 3rd party cache. |
The thing in the datamodel that does look weird to me is the alias part, that's gonna give a bit of trouble I think for some usecases. I think it doesn't lend itself very well to let the database handle the counting (and other queries that need to deduplicate aliases, etc). From a vulnerability record you can't easily get all its ids/aliases as you have to do a lot of comparisons in code (or queries): If the aliases table was more like a join table to map vuln_ids onto vulnerabilities and with Don't have an ER modeling tool handy, but the idea is to make vulnerabilities unique. And have multiple aliases attached to the vulnerability. So if a vulnerability has multiple aliases, you have multiple records. The Just thinking out loud here, so don't pick on the details :-) About DD: DD has a datamodel similar to the above where a unique vulnerability is one database records with multiple aliase records (ids) attached to it in a separate table. The queries in DT would look quite similar, just count a bunch of vulnerabilities and group them by project and maybe severity. Even with 10000 projects and 1M vulnerabilities it should be quite fast. Unless there's something very different from the DD case. In DD permissions are more complex and involve some more joining for users that are not superusers/admins. Similar to the ACL part in DT. |
@valentijnscholten join tables with foreign keys were specifically not chosen as a design pattern due to the performance impact they will have. |
I am not convinced doing counting and alias handling in code and doing 1+N queries or N * M queries is going to be faster than 1 or 2 extra joins. There's also great benefit in simpler code and simpler queries. |
|
@valentijnscholten its been some time since this PR has been updated. Can this PR be closed? |
This is not my PR. |
I understand @valentijnscholten. You were very active in this PR and was not sure if there were other conversations happening behind the scenes with @mulder999. @mulder999 please let me know if you will be updating this PR or if I should close it. |
Hi @melba-lopez, thanks for asking. The PR was complete but did not reach community consensus. Would be happy to solve conflicts if it has any chance to be considered for merge in the trunk. |
…ug/2323_filterMetricsByAcl Signed-off-by: mulder999 <nospam099-github@yahoo.com>
Signed-off-by: mulder999 <nospam099-github@yahoo.com>
@melba-lopez PR has been updated. Anything else needed to remove the "pending more information" tag ? |
@nscuro @stevespringett i know there were several discussions previously about how this may not work for DT. Can you chime in and let us know if there is anything else you would like to modify? |
…tricsByAcl Signed-off-by: mulder999 <nospam099-github@yahoo.com>
@melba-lopez @nscuro @stevespringett The feature is complete and can now also conveniently be enabled from the web interface (default setting: disabled). |
Description
Filter portfolio metrics in portfolio access control mode to match team's accesses
Addressed Issue
Fixes #2323
Additional Details
Sum in real time the matching project's metrics
Checklist
This PR introduces changes to the database model, and I have added corresponding update logicThis PR introduces new or alters existing behavior, and I have updated the documentation accordingly