DependencyTrack / hyades

Incubating project for decoupling responsibilities from Dependency-Track's monolithic API server into separate, scalable services.
https://dependencytrack.github.io/hyades/latest
Apache License 2.0

`/api/v1/vulnerability/source/{source}/vuln/{vuln}` returns all vulnerable components #1539

Open nscuro opened 1 day ago

nscuro commented 1 day ago

Current Behavior

The `/api/v1/vulnerability/source/{source}/vuln/{vuln}` endpoint returns all components affected by the given vulnerability. This works fine for a small number of affected components, but really starts breaking down once hundreds or thousands of components are affected.

Note that this endpoint is used by the frontend when viewing vulnerability details. The sheer volume of data being loaded can cause browser sluggishness, and pages take unreasonably long to load.

Since `components` is just a field of the vulnerability object, pagination can't be used to combat this issue.

Steps to Reproduce

  1. Have a vulnerability that affects >= 100 components
  2. View the vulnerability in the frontend
  3. Observe long load times

Expected Behavior

The endpoint should only return vulnerability information, not all affected components. There are separate endpoints to acquire this information, where pagination can be used.

Hyades Version

5.6.0-SNAPSHOT

Repository Type

Hyades apiserver

Browser

N/A

nscuro commented 1 day ago

Appears to be a leftover from the < 4.x days where global components were a thing.

Another shortcoming of the existing logic is that portfolio access control is not applied to those components, so the endpoint will show components the user shouldn't have access to.
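The two problems raised in this thread, an unbounded `components` field embedded in the vulnerability payload and the absence of portfolio access control on that list, are illustrated below with a small simulation. This is an added example and is not code from Dependency-Track or Hyades: the `Component`/`Vulnerability` classes, the sample data, the `affected_components_page` helper and the `pageNumber`/`pageSize` style of paging are all assumptions made for the illustration. It contrasts the current payload shape with a slim vulnerability payload plus a separate listing that filters by the projects the caller may see before it paginates.

```python
"""Constructed simulation of the endpoint behaviour discussed in the issue.
Not Dependency-Track code; data model and function names are assumptions."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    uuid: str
    project: str  # portfolio access control is granted per project
    name: str


@dataclass
class Vulnerability:
    source: str
    vuln_id: str
    severity: str
    components: list  # the embedded field that grows without bound


def build_sample_vulnerability(n_components: int = 1000) -> Vulnerability:
    """Constructed sample: one vulnerability affecting components spread
    round-robin across four projects."""
    projects = ["proj-a", "proj-b", "proj-c", "proj-d"]
    comps = [
        Component(uuid=f"comp-{i:04d}", project=projects[i % len(projects)], name=f"lib-{i}")
        for i in range(n_components)
    ]
    # Placeholder identifier; not a real vulnerability id.
    return Vulnerability(source="INTERNAL", vuln_id="INT-EXAMPLE-0001",
                         severity="HIGH", components=comps)


def _serialize(c: Component) -> dict:
    return {"uuid": c.uuid, "project": c.project, "name": c.name}


def legacy_vulnerability_payload(vuln: Vulnerability) -> dict:
    """Current behaviour: every affected component is serialised into the
    response, regardless of which projects the caller is allowed to see."""
    return {
        "source": vuln.source,
        "vulnId": vuln.vuln_id,
        "severity": vuln.severity,
        "components": [_serialize(c) for c in vuln.components],
    }


def vulnerability_payload(vuln: Vulnerability) -> dict:
    """Proposed behaviour: vulnerability data only; the affected components
    are fetched through a separate, paginated listing."""
    return {"source": vuln.source, "vulnId": vuln.vuln_id, "severity": vuln.severity}


def affected_components_page(vuln: Vulnerability, accessible_projects: set,
                             page_number: int = 1, page_size: int = 100) -> tuple:
    """Separate listing: apply portfolio access control first, then paginate.
    Returns (items on this page, total count of visible items), the latter
    being what a caller would put in a total-count header. Filtering before
    counting means the total never reveals how many hidden components exist."""
    if page_number < 1 or page_size < 1:
        raise ValueError("pageNumber and pageSize must be positive")
    visible = [c for c in vuln.components if c.project in accessible_projects]
    start = (page_number - 1) * page_size
    page = visible[start:start + page_size]
    return [_serialize(c) for c in page], len(visible)


def payload_size_bytes(payload: dict) -> int:
    """Size of the JSON body the browser would have to download and parse."""
    return len(json.dumps(payload).encode("utf-8"))


if __name__ == "__main__":
    v = build_sample_vulnerability(1000)
    print("legacy payload bytes:", payload_size_bytes(legacy_vulnerability_payload(v)))
    print("slim payload bytes:  ", payload_size_bytes(vulnerability_payload(v)))
    items, total = affected_components_page(v, {"proj-a"}, page_number=1, page_size=100)
    print(f"page 1 for proj-a: {len(items)} items of {total} visible")
```

Running the module prints the size difference between the two payload shapes for a thousand affected components and the first page of the access-controlled listing; the point of filtering before slicing is that a user limited to one project sees both a page and a total that reflect only that project.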