Skip to content

perf: use pre-fetched advisory severity summary on SBOM list [Backport release/0.5.z]#1152

Merged
ctron merged 1 commit into
guacsec:release/0.5.zfrom
ctron:backport-1127-to-release/0.5.z
Jul 9, 2026
Merged

perf: use pre-fetched advisory severity summary on SBOM list [Backport release/0.5.z]#1152
ctron merged 1 commit into
guacsec:release/0.5.zfrom
ctron:backport-1127-to-release/0.5.z

Conversation

@ctron

@ctron ctron commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Cherry-picked from fb9c2cf

Summary by Sourcery

Improve SBOM list performance by switching vulnerability display to use pre-fetched advisory severity summaries passed through the SBOM query and context, rather than fetching vulnerabilities individually for each SBOM row.

Enhancements:

  • Use pre-fetched advisory severity summaries on the SBOM list instead of per-row vulnerability fetching to improve performance
  • Propagate advisory summary data through SBOM search context, provider, and table to drive vulnerability displays
  • Relax VulnerabilityGallery props to support partial severity maps and safely handle missing values

…#1127)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit fb9c2cf)
@sourcery-ai

sourcery-ai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

This PR refactors the SBOM list vulnerabilities column to use pre-fetched advisory severity summaries from the SBOM list query instead of per-row fetching, and makes the vulnerability gallery tolerant of missing severity values. It also threads an advisories option through the SBOM query and context.

Sequence diagram for SBOM list advisories prefetch flow

sequenceDiagram
  participant SbomTable
  participant SbomSearchProvider
  participant useFetchSBOMs
  participant listSboms

  SbomTable->>SbomSearchProvider: render SbomTable
  SbomSearchProvider->>useFetchSBOMs: useFetchSBOMs(params, labels, disableQuery=false, advisories=true)
  useFetchSBOMs->>listSboms: listSboms({ requestParams: { ... , advisories:true } })
  listSboms-->>useFetchSBOMs: SBOM list with item.advisories
  useFetchSBOMs-->>SbomSearchProvider: data
  SbomSearchProvider-->>SbomTable: items with advisories
  SbomTable->>SBOMVulnerabilities: SBOMVulnerabilities(advisories=item.advisories)
  SBOMVulnerabilities->>VulnerabilityGallery: VulnerabilityGallery(severities=advisories)
Loading

File-Level Changes

Change Details Files
SBOM vulnerabilities cell now renders from pre-fetched advisories instead of performing its own vulnerabilities query.
  • Replaces sbomId prop with optional advisories prop on SBOMVulnerabilities component.
  • Removes useVulnerabilitiesOfSbom and loading/error UI from the vulnerabilities cell.
  • Passes advisories directly into VulnerabilityGallery, defaulting to an empty object when undefined.
  • Updates SBOM table to pass item.advisories into the vulnerabilities cell.
client/src/app/pages/sbom-list/components/SbomVulnerabilities.tsx
client/src/app/pages/sbom-list/sbom-table.tsx
VulnerabilityGallery component is updated to accept partial severities and safely handle undefined values when computing the total.
  • Changes severities prop type to Partial<{ [key in ExtendedSeverity]: number }>.
  • Adjusts severity total reducer to treat undefined entries as zero.
client/src/app/components/VulnerabilityGallery.tsx
SBOM list query and context are extended to request and expose advisory data for use in the table.
  • Adds RequestedFieldHashMapHashMap type import and optional advisories field to SBOM search context.
  • Extends useFetchSBOMs hook signature with an advisories flag and includes it in the query key and request params.
  • Updates SBOM provider to call useFetchSBOMs with explicit advisories flags to enable fetching advisory summaries.
client/src/app/pages/sbom-list/sbom-context.ts
client/src/app/queries/sboms.ts
client/src/app/pages/sbom-list/sbom-provider.tsx

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@ctron ctron requested a review from carlosthe19916 July 9, 2026 13:29
@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 51.26%. Comparing base (967d6a8) to head (3fccb2e).

Files with missing lines Patch % Lines
client/src/app/components/VulnerabilityGallery.tsx 0.00% 2 Missing ⚠️
...pages/sbom-list/components/SbomVulnerabilities.tsx 0.00% 1 Missing ⚠️
client/src/app/queries/sboms.ts 0.00% 1 Missing ⚠️
Additional details and impacted files
@@                Coverage Diff                @@
##           release/0.5.z    #1152      +/-   ##
=================================================
- Coverage          51.30%   51.26%   -0.04%     
=================================================
  Files                256      256              
  Lines               5518     5516       -2     
  Branches            1668     1671       +3     
=================================================
- Hits                2831     2828       -3     
- Misses              2422     2423       +1     
  Partials             265      265              
Flag Coverage Δ
unit 6.58% <0.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ctron ctron merged commit d29b837 into guacsec:release/0.5.z Jul 9, 2026
17 checks passed
@github-project-automation github-project-automation Bot moved this to Done in Trustify Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants