-
-
Notifications
You must be signed in to change notification settings - Fork 554
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue 2255: create endpoint to fetch many components and services #2623
Conversation
src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/resources/v1/vo/DependencyGraphRequest.java
Outdated
Show resolved
Hide resolved
0cd0103
to
2ae1cd4
Compare
I think it's good to fix/improve this usecase, thanks for the PR. I do think however there should be a way to specify a project as a parameter. Currently a list of uuids is required. For a project with 1000 components, this would be ~36kB of data being submitted to the server. And a 36kB SQL query being generated. Retrieving all components/services for a project at once is the primary usecase, so an efficient implementation of that should be present. |
If I ever understand correctly, would you like me to make an endpoint that allows you to return all the services and components of a project at once? However, if I ever understood correctly, I'm okay with implementing an endpoint that meets your request. |
I guess I meant all the direct dependencies, I think that's what currently being retrieved one-by-one? |
Ok so if I pass the parent's UUID and return all the dependencies in one endpoint it's ok? |
49faee0
to
f28850e
Compare
@valentijnscholten I updated the behavior. Now, it's a GET request with UUID in the path. You can give a project or component UUID. |
src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
Show resolved
Hide resolved
cf63d66
to
a88c464
Compare
438a0a3
to
8c2dad3
Compare
Thanks for the PR @nathan-mittelette! Just wondering, did you test this with projects that were experiencing problems with the current implementation? How much of a difference does this make? As the amount of data returned per component is not changed, I assume we're potentially still serving "too much" for the intended purpose of the new endpoints: Rendering the dependency graph. Perhaps we can make it perform even better by utilizing fetch groups or result classes (projections) to only query and serve the data required for the use case. |
8c2dad3
to
68ab5ff
Compare
I just compare with the old implementation and it makes a huge difference. The fact that the old implementation does one request per child-dependency, you sometimes have a large number of requests sent to the backend. Even if the request is light, a backend can't handle easily a lot of requests at the same time. With the new implementation, it's really faster and light for the backend. It now does fewer requests to the database and only has one connection to handle. I do some adjustments thanks to your feedback about fetch groups and projections. I choose to implement projections to have only one object that can handle both |
* @author Nathan Mittelette <mittelette.nathan@gmail.com> | ||
* @since 4.9.0 | ||
*/ | ||
public final class DependencyGraphResponse implements Serializable { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: You can replace this class with a record
. DataNucleus should be smart enough to use the record
constructor when populating results.
That sounds great @nathan-mittelette! RE: A minor optimization could be to de-duplicate SELECT "REPOSITORY_TYPE", "NAMESPACE", "NAME", "LATEST_VERSION"
FROM "REPOSITORY_META_COMPONENT"
WHERE
("REPOSITORY_TYPE" = :type1 AND "NAMESPACE" = :namespace1 AND "NAME" = :name1)
OR ("REPOSITORY_TYPE" = :type2 AND "NAMESPACE" = :namespace2 AND "NAME" = :name2)
OR ... You could then correlate results from each batch with By de-duplicating, you'd avoid querying the same metadata more than once, if the same component exists multiple times in a project, but with different versions. |
68ab5ff
to
9b222cd
Compare
I updated the PR with some changes :
I also add a |
9b222cd
to
d95bda1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your contributions @nathan-mittelette !!
@nscuro not sure why sonatype is flagging this lift as @nathan-mittelette actually sent command to sonatype to ignore this issue. |
@nathan-mittelette there's now a branch conflict. Can you fix? |
d95bda1
to
d394357
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, some final nitpicks left. Functionality-wise, I tested it and it works great!
@nathan-mittelette, could you please also update the description of this PR, so that users discovering it via our change logs get an accurate description of how the final implementation looks like?
src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
Outdated
Show resolved
Hide resolved
d394357
to
ceb6ea6
Compare
src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
Show resolved
Hide resolved
src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
Show resolved
Hide resolved
src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
Outdated
Show resolved
Hide resolved
🛠 Lift Auto-fixSome of the Lift findings in this PR can be automatically fixed. You can download and apply these changes in your local project directory of your branch to review the suggestions before committing.1 # Download the patch
curl https://lift.sonatype.com/api/patch/github.com/DependencyTrack/dependency-track/2623.diff -o lift-autofixes.diff
# Apply the patch with git
git apply lift-autofixes.diff
# Review the changes
git diff Want it all in a single command? Open a terminal in your project's directory and copy and paste the following command: curl https://lift.sonatype.com/api/patch/github.com/DependencyTrack/dependency-track/2623.diff | git apply Once you're satisfied, commit and push your changes in your project. Footnotes |
Signed-off-by: Nathan Mittelette <mittelette.nathan@gmail.com>
Signed-off-by: Nathan Mittelette <mittelette.nathan@gmail.com>
ceb6ea6
to
a8c46a0
Compare
hi @nathan-mittelette. Can you check the 2 sonatype bugs identified |
@melba-lopez This is what I explain under the sonartype comments
|
@melba-lopez @nathan-mittelette Yeah, this particular "finding" is popping up from time to time, but we can't ignore this particular case in Lift without ingoring all resource leak findings... No tool is perfect :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @nathan-mittelette, much appreciated!
Description
In this PR I create two new endpoints
GET /api/v1/dependencyGraph/project/{uuid}/directDependencies
andGET /api/v1/dependencyGraph/component/{uuid}/directDependencies
.The purpose of this endpoint it's to avoid the frontend from doing multiple requests to the backend to fetch each node of the Dependency Graph. With this endpoint, you can get all directDependencies of a project or a component by providing his UUID.
Addressed Issue
fixes #2255
Additional Details
The frontend changes are available in this PR : DependencyTrack/frontend#455
Checklist