Conversation


@jcrossley3 jcrossley3 commented Sep 16, 2025

Also deleted some superfluous code, i.e. no advisories ingested so none need to be deleted in the now-renamed gc_purls_from_sbom test.

Summary by Sourcery

Add a new test for reproducing garbage collection behavior with a single CSAF document and clean up the existing SBOM-based GC test.

Enhancements:

  • Rename existing gc_purls test to gc_purls_from_sbom for clarity
  • Remove superfluous advisory deletion logic from the SBOM GC test helper

Tests:

  • Add gc_purls_from_single_csaf test to ingest a single CSAF JSON and assert PURL counts and GC results
  • Simplify delete_sbom helper by removing advisory cleanup


sourcery-ai bot commented Sep 16, 2025

Reviewer's Guide

Renamed the existing garbage-collection test to focus on SBOMs, removed unnecessary advisory-deletion logic, and added a new test to reproduce issue #1977 by verifying purl GC behavior after ingesting a single CSAF document.

File-Level Changes

Change Details Files
Rename garbage-collection test and remove superfluous advisory deletion
  • Renamed gc_purls to gc_purls_from_sbom
  • Deleted advisory cleanup code in helper function
  • Updated calls to use the simplified delete_sbom helper
modules/fundamental/src/purl/service/test.rs
Add new test to reproduce issue #1977 with single CSAF ingestion
  • Defined gc_purls_from_single_csaf test with context and attributes
  • Ingested a CSAF document and asserted purl counts before and after
  • Invoked gc_purls and asserted zero garbage-collected purls
modules/fundamental/src/purl/service/test.rs


@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes and they look great!

## Individual Comments

### Comment 1
<location> `modules/fundamental/src/purl/service/test.rs:820` </location>
<code_context>
+    );
+
+    // should any packages be garbage collected? I honestly don't know.
+    assert_eq!(0, purl_service.gc_purls(&ctx.db).await?);
+
+    Ok(())
</code_context>

<issue_to_address>
**question (testing):** Clarify the expected behavior for garbage collection after CSAF ingestion.

Please update the test description or comments to clearly state the expected outcome. If there are cases where packages should be garbage collected after CSAF ingestion, consider adding a corresponding test.
</issue_to_address>

@guacsec guacsec deleted a comment from sourcery-ai bot Sep 17, 2025
@sourcery-ai sourcery-ai bot changed the title Add a test to reproduce #1977 Add CSAF GC test and simplify SBOM GC test Sep 17, 2025
@guacsec guacsec deleted a comment from sourcery-ai bot Sep 19, 2025
@helio-frota

this change makes the test pass:
( PR sent #1984 )

➜  trustify git:(1977) ✗ git diff
diff --git a/modules/fundamental/src/purl/service/gc_purls.sql b/modules/fundamental/src/purl/service/gc_purls.sql
index 4a8703a2..7bc6d692 100644
--- a/modules/fundamental/src/purl/service/gc_purls.sql
+++ b/modules/fundamental/src/purl/service/gc_purls.sql
@@ -1,9 +1,18 @@
 WITH
     alive_qualified_purl AS (
+     (
         SELECT DISTINCT t2.id, t2.versioned_purl_id
         FROM sbom_package_purl_ref AS t1
                  INNER JOIN qualified_purl AS t2
                             ON t2.id = t1.qualified_purl_id
+    )
+    UNION
+    (
+       SELECT t1.id, t1.versioned_purl_id
+       FROM qualified_purl AS t1
+       INNER JOIN versioned_purl AS t2 ON t2.id = t1.versioned_purl_id
+       INNER JOIN purl_status AS t3 ON t2.base_purl_id = t3.base_purl_id
+    )
     ),
     alive_versioned_purl AS (
         SELECT DISTINCT t2.id, t2.base_purl_id
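Review bot: the new UNION branch in alive_qualified_purl keys liveness on purl_status.base_purl_id, so every qualified purl under a base purl that has any status row survives GC, whatever its version or qualifiers, whereas the SBOM branch keeps only the exact qualified purl an SBOM references. If that breadth is intended (an advisory that names a package keeps all of its known versions), a one-line comment in gc_purls.sql saying so would save the next reader the question; if it is not, the join needs to be narrowed. Two smaller points: the opening `+     (` is indented one space deeper than its closing `+    )`, and the first branch's DISTINCT is redundant once the branches are combined with UNION, which already deduplicates, so either drop it or apply it to both for consistency. Because this branch joins qualified_purl, versioned_purl and purl_status on every GC run, please confirm purl_status.base_purl_id is indexed before this lands, which bears directly on the "works fine for an empty / small database" caveat in this same comment.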
trustify git:(1977) ✗ cargo nextest run gc_purls_from_single_csaf
   Compiling trustify-module-fundamental v0.3.6 (/home/heliofrota/Desktop/tc/trustify/modules/fundamental)
    Finished `test` profile [unoptimized + debuginfo] target(s) in 21.85s
────────────
 Nextest run ID a38d5869-c649-4f1a-9a64-609f0a3845f0 with nextest profile: default
    Starting 1 test across 35 binaries (478 tests skipped)
        PASS [   2.891s] trustify-module-fundamental purl::service::test::gc_purls_from_single_csaf
────────────
     Summary [   2.923s] 1 test run: 1 passed, 478 skipped

it works fine for an empty / small database, unfortunately we cannot merge the PR atm
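The change shown in this comment widens the GC's notion of a live qualified purl from "referenced by an SBOM package" to "referenced by an SBOM package or belonging to a base purl that carries an advisory status". The following is an added example, not code from trustify or from anyone on this thread: it runs both liveness definitions as a mark-and-sweep against a constructed, simplified SQLite schema that borrows only the table and column names visible in the diff (sbom_package_purl_ref.qualified_purl_id, qualified_purl.versioned_purl_id, versioned_purl.base_purl_id, purl_status.base_purl_id). The base_purl table, the remaining columns, the sample rows and the way the versioned and base levels are swept are assumptions for illustration. With the pre-fix query the advisory-only purl is collected and its purl_status row is left pointing at a base purl that no longer exists; with the post-fix query it survives, which is the outcome the gc_purls_from_single_csaf test asserts by expecting zero collected purls.

```python
import sqlite3

# Constructed, simplified schema for this example. Only the table and column
# names that appear in the gc_purls.sql diff are taken from the page; base_purl,
# the extra columns and the absence of foreign keys are assumptions, not
# trustify's real schema.
SCHEMA = """
CREATE TABLE base_purl      (id TEXT PRIMARY KEY, purl TEXT NOT NULL);
CREATE TABLE versioned_purl (id TEXT PRIMARY KEY, base_purl_id TEXT NOT NULL, version TEXT);
CREATE TABLE qualified_purl (id TEXT PRIMARY KEY, versioned_purl_id TEXT NOT NULL);
CREATE TABLE sbom_package_purl_ref (sbom_id TEXT NOT NULL, qualified_purl_id TEXT NOT NULL);
CREATE TABLE purl_status    (id TEXT PRIMARY KEY, base_purl_id TEXT NOT NULL, advisory_id TEXT NOT NULL);
"""

# Constructed sample rows: one purl referenced by an SBOM, one referenced only
# by a CSAF advisory (through purl_status), and one referenced by nothing.
SAMPLE_ROWS = """
INSERT INTO base_purl VALUES ('b-sbom',   'pkg:maven/org.example/from-sbom');
INSERT INTO base_purl VALUES ('b-csaf',   'pkg:rpm/redhat/from-csaf');
INSERT INTO base_purl VALUES ('b-orphan', 'pkg:npm/example/orphan');
INSERT INTO versioned_purl VALUES ('v-sbom',   'b-sbom',   '1.0.0');
INSERT INTO versioned_purl VALUES ('v-csaf',   'b-csaf',   '2.0.0');
INSERT INTO versioned_purl VALUES ('v-orphan', 'b-orphan', '3.0.0');
INSERT INTO qualified_purl VALUES ('q-sbom',   'v-sbom');
INSERT INTO qualified_purl VALUES ('q-csaf',   'v-csaf');
INSERT INTO qualified_purl VALUES ('q-orphan', 'v-orphan');
INSERT INTO sbom_package_purl_ref VALUES ('sbom-1', 'q-sbom');
INSERT INTO purl_status VALUES ('status-1', 'b-csaf', 'advisory-1');
"""

# Pre-fix liveness: a qualified purl is alive only if an SBOM package refers to it.
ALIVE_QUALIFIED_SBOM_ONLY = """
SELECT DISTINCT t2.id, t2.versioned_purl_id
FROM sbom_package_purl_ref AS t1
INNER JOIN qualified_purl AS t2 ON t2.id = t1.qualified_purl_id
"""

# Post-fix liveness: also alive if its base purl carries any advisory status.
# SQLite rejects parentheses around UNION members, so they are left out here.
ALIVE_QUALIFIED_SBOM_OR_ADVISORY = ALIVE_QUALIFIED_SBOM_ONLY + """
UNION
SELECT t1.id, t1.versioned_purl_id
FROM qualified_purl AS t1
INNER JOIN versioned_purl AS t2 ON t2.id = t1.versioned_purl_id
INNER JOIN purl_status AS t3 ON t2.base_purl_id = t3.base_purl_id
"""


def gc_purls(conn: sqlite3.Connection, alive_qualified_sql: str) -> dict:
    """Mark-and-sweep: build the alive sets bottom-up, then delete everything else.
    Returns the number of rows deleted at each level."""
    cur = conn.cursor()
    cur.execute("CREATE TEMP TABLE alive_qualified AS " + alive_qualified_sql)
    # A versioned purl stays alive while any alive qualified purl points at it.
    cur.execute("""
        CREATE TEMP TABLE alive_versioned AS
        SELECT DISTINCT v.id, v.base_purl_id
        FROM versioned_purl AS v
        INNER JOIN alive_qualified AS a ON a.versioned_purl_id = v.id
    """)
    # A base purl stays alive while any alive versioned purl points at it.
    cur.execute("CREATE TEMP TABLE alive_base AS SELECT DISTINCT base_purl_id AS id FROM alive_versioned")
    deleted = {}
    cur.execute("DELETE FROM qualified_purl WHERE id NOT IN (SELECT id FROM alive_qualified)")
    deleted["qualified"] = cur.rowcount
    cur.execute("DELETE FROM versioned_purl WHERE id NOT IN (SELECT id FROM alive_versioned)")
    deleted["versioned"] = cur.rowcount
    cur.execute("DELETE FROM base_purl WHERE id NOT IN (SELECT id FROM alive_base)")
    deleted["base"] = cur.rowcount
    for tmp in ("alive_qualified", "alive_versioned", "alive_base"):
        cur.execute(f"DROP TABLE {tmp}")
    conn.commit()
    return deleted


def dangling_statuses(conn: sqlite3.Connection) -> int:
    """Advisory statuses whose base purl the GC removed: the data loss behind #1977."""
    row = conn.execute("""
        SELECT COUNT(*) FROM purl_status AS s
        LEFT JOIN base_purl AS b ON b.id = s.base_purl_id
        WHERE b.id IS NULL
    """).fetchone()
    return row[0]


def run_scenario(alive_qualified_sql: str) -> dict:
    """Load the sample rows into a fresh in-memory DB, run the GC, report the outcome."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    deleted = gc_purls(conn, alive_qualified_sql)
    remaining = sorted(r[0] for r in conn.execute("SELECT id FROM qualified_purl"))
    result = {"deleted": deleted,
              "dangling_statuses": dangling_statuses(conn),
              "remaining_qualified": remaining}
    conn.close()
    return result


if __name__ == "__main__":
    print("pre-fix :", run_scenario(ALIVE_QUALIFIED_SBOM_ONLY))
    print("post-fix:", run_scenario(ALIVE_QUALIFIED_SBOM_OR_ADVISORY))
```

Running it prints the pre-fix run collecting two qualified purls and leaving one dangling status, and the post-fix run collecting only the orphan. The second query's cost grows with the size of the qualified_purl/versioned_purl/purl_status join, which is the database-size effect the rest of this thread discusses.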

@jcrossley3 jcrossley3 left a comment

Great! Please add a call to PurlService::gc_purls() in https://github.com/guacsec/trustify-scale-testing so we can get a sense of the perf impact triggered by a /scale-test comment.

codecov bot commented Sep 25, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.72%. Comparing base (3818788) to head (ce00ed9).
⚠️ Report is 18 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1980      +/-   ##
==========================================
- Coverage   67.84%   67.72%   -0.12%     
==========================================
  Files         353      355       +2     
  Lines       19683    19801     +118     
  Branches    19683    19801     +118     
==========================================
+ Hits        13354    13411      +57     
- Misses       5551     5614      +63     
+ Partials      778      776       -2     

@helio-frota

trustify-scale-testing calls trustify endpoints. I'm not sure if I understood well; for this we would need to create a new endpoint in trustify just to call PurlService::gc_purls()?

Also, the impact is based on the database size; please see some comments here
#1984 (comment) seconds
#1984 (comment) minutes

Then we may end up with an illusion that the performance is good or acceptable 👍

@helio-frota helio-frota self-requested a review September 26, 2025 12:02
@jcrossley3
Copy link
Contributor Author

trustify-scale-testing calls trustify endpoints. I'm not sure if I understood well; for this we would need to create a new endpoint in trustify just to call PurlService::gc_purls()?

Good idea. Let's add an endpoint, /api/v2/purl/gc, under the "purl" tag. I'm sure QE would appreciate that now that the default period is longer. That might even obviate exposing TRUSTD_GC_FREQ in the helm chart.

@helio-frota helio-frota added this pull request to the merge queue Sep 26, 2025
@jcrossley3 jcrossley3 removed this pull request from the merge queue due to a manual request Sep 26, 2025
@helio-frota

/scale-test

🛠️ Scale test has started! Follow the progress here: Workflow Run

Goose Report

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-09-26 21:28:57 25-09-26 21:29:02 00:00:05 0 → 5
Maintaining 25-09-26 21:29:02 25-09-26 21:34:02 00:05:00 5
Decreasing 25-09-26 21:34:02 25-09-26 21:34:03 00:00:01 0 ← 5

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
GET get_advisory_by_doc_id 100 (+20) 0 11.87 (+0.39) 3 (+1) 69 (+2) 0.33 (+0.07) 0.00 (+0.00)
GET get_analysis_latest_cpe 102 (+19) 0 120.41 (-58.52) 38 (+1) 388 (-103) 0.34 (+0.06) 0.00 (+0.00)
GET get_analysis_status 103 (+20) 0 7.11 (-0.99) 1 (0) 57 (+1) 0.34 (+0.07) 0.00 (+0.00)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 100 (+20) 0 368.09 (-586.08) 129 (-109) 672 (-929) 0.33 (+0.07) 0.00 (+0.00)
GET get_purl_gc 102 102 1.39 1 6 0.34 0.34
GET get_sbom[sha256:720e4451…a939656247164447] 102 (+19) 0 733.47 (-577.02) 228 (-73) 2006 (-1301) 0.34 (+0.06) 0.00 (+0.00)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 102 (+19) 0 792.12 (-34.48) 388 (+108) 1191 (-181) 0.34 (+0.06) 0.00 (+0.00)
GET list_advisory 100 (+20) 0 496.52 (+55.71) 232 (+134) 965 (+228) 0.33 (+0.07) 0.00 (+0.00)
GET list_advisory_paginated 100 (+20) 0 425.74 (+48.82) 118 (+24) 1560 (+1026) 0.33 (+0.07) 0.00 (+0.00)
GET list_importer 100 (+20) 0 2.21 (-0.64) 1 (0) 7 (-44) 0.33 (+0.07) 0.00 (+0.00)
GET list_organizations 100 (+20) 0 10.83 (+2.20) 1 (0) 50 (+3) 0.33 (+0.07) 0.00 (+0.00)
GET list_packages 100 (+20) 0 491.16 (+63.32) 223 (+143) 942 (-7) 0.33 (+0.07) 0.00 (+0.00)
GET list_packages_paginated 100 (+20) 0 375.03 (+13.59) 94 (-6) 589 (-301) 0.33 (+0.07) 0.00 (+0.00)
GET list_products 105 (+20) 0 8.93 (+1.62) 2 (0) 58 (+6) 0.35 (+0.07) 0.00 (+0.00)
GET list_sboms 105 (+20) 0 1264.40 (-82.04) 618 (+81) 2017 (-271) 0.35 (+0.07) 0.00 (+0.00)
GET list_sboms_paginated 105 (+20) 0 1558.03 (-1698.98) 508 (+35) 3640 (-3048) 0.35 (+0.07) 0.00 (+0.00)
GET list_vulnerabilities 100 (+20) 0 285.84 (-7.61) 93 (+47) 604 (+2) 0.33 (+0.07) 0.00 (+0.00)
GET list_vulnerabilities_paginated 100 (+20) 0 194.12 (+7.64) 104 (+66) 286 (-94) 0.33 (+0.07) 0.00 (+0.00)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 102 (+19) 0 58.83 (-14.89) 11 (+3) 188 (-142) 0.34 (+0.06) 0.00 (+0.00)
GET search_advisory 100 (+20) 0 989.25 (+249.61) 279 (+156) 2032 (-70) 0.33 (+0.07) 0.00 (+0.00)
GET search_exact_purl 105 (+20) 0 11.49 (+2.52) 2 (+1) 57 (-12) 0.35 (+0.07) 0.00 (+0.00)
GET search_purls 105 (+20) 0 5848.11 (-774.36) 873 (-1557) 7195 (-2324) 0.35 (+0.07) 0.00 (+0.00)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 100 (+20) 0 580.26 (-86.49) 224 (+77) 1360 (-89) 0.33 (+0.07) 0.00 (+0.00)
Aggregated 2338 (+538) 102 646.03 (-194.11) 1 (0) 7195 (-2324) 7.79 (+1.79) 0.34 (+0.34)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
GET get_advisory_by_doc_id 6 (0) 7 (+1) 8 (+1) 13 (+2) 36 (0) 50 (+1) 53 (-5) 69 (+2)
GET get_analysis_latest_cpe 100 (-80) 110 (-80) 130 (-80) 180 (-40) 180 (-120) 190 (-190) 270 (-200) 388 (-102)
GET get_analysis_status 3 (0) 3 (0) 4 (0) 5 (0) 10 (-36) 51 (+1) 53 (-2) 57 (+1)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 380 (-520) 400 (-600) 410 (-590) 430 (-570) 460 (-540) 490 (-1,111) 500 (-1,101) 672 (-929)
GET get_purl_gc 1 1 1 2 3 3 5 6
GET get_sbom[sha256:720e4451…a939656247164447] 440 (-460) 500 (-500) 900 (-1,100) 1,000 (-1,000) 2,000 (-1,000) 2,000 (-1,000) 2,000 (-1,000) 2,000 (-1,000)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 800 (0) 900 (0) 900 (0) 900 (-100) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0)
GET list_advisory 490 (+60) 500 (+50) 500 (+10) 600 (+100) 600 (0) 700 (+100) 965 (+265) 965 (+265)
GET list_advisory_paginated 420 (+30) 440 (+30) 470 (+40) 490 (+30) 500 (0) 500 (0) 600 (+100) 1,560 (+1,060)
GET list_importer 2 (0) 2 (0) 2 (0) 3 (0) 4 (0) 5 (-1) 6 (-4) 7 (-44)
GET list_organizations 4 (0) 6 (+2) 8 (+2) 12 (+4) 36 (-2) 45 (+3) 49 (+5) 50 (+3)
GET list_packages 450 (+20) 470 (+40) 490 (+30) 600 (+120) 700 (-100) 800 (-100) 900 (0) 900 (0)
GET list_packages_paginated 400 (+20) 420 (+20) 420 (0) 460 (-10) 480 (-10) 490 (-310) 500 (-390) 589 (-301)
GET list_products 5 (0) 6 (0) 7 (-1) 9 (0) 11 (-1) 48 (+33) 56 (+5) 58 (+6)
GET list_sboms 1,000 (0) 1,000 (0) 1,000 (-1,000) 1,000 (-1,000) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0)
GET list_sboms_paginated 2,000 (-1,000) 2,000 (-1,000) 2,000 (-2,000) 2,000 (-3,000) 2,000 (-3,000) 2,000 (-4,000) 3,000 (-3,688) 3,640 (-3,048)
GET list_vulnerabilities 300 (-30) 310 (-40) 320 (-50) 340 (-50) 390 (-10) 420 (-20) 600 (0) 600 (0)
GET list_vulnerabilities_paginated 200 (+10) 200 (0) 210 (+10) 210 (-10) 230 (-30) 240 (-30) 280 (-90) 286 (-94)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 46 (-26) 63 (-17) 71 (-13) 92 (-6) 130 (-20) 170 (-10) 188 (-2) 188 (-142)
GET search_advisory 900 (+300) 1,000 (+400) 1,000 (+300) 1,000 (0) 2,000 (+1,000) 2,000 (0) 2,000 (0) 2,000 (0)
GET search_exact_purl 5 (+1) 5 (0) 6 (0) 9 (+1) 48 (+32) 52 (-1) 56 (-10) 57 (-12)
GET search_purls 6,000 (-1,000) 6,000 (-1,000) 6,000 (-1,000) 6,000 (-1,000) 7,000 (-1,000) 7,000 (-2,000) 7,000 (-2,519) 7,000 (-2,519)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 500 (-100) 600 (-100) 700 (-100) 800 (-100) 900 (-100) 1,000 (0) 1,000 (0) 1,000 (0)
Aggregated 310 (-30) 410 (-30) 490 (-110) 800 (-200) 1,000 (-1,000) 2,000 (-3,000) 6,000 (-1,000) 7,000 (-2,519)

Status Code Metrics

Method Name Status Codes
GET get_advisory_by_doc_id 100 [200]
GET get_analysis_latest_cpe 102 [200]
GET get_analysis_status 103 [200]
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 100 [200]
GET get_purl_gc 102 [400]
GET get_sbom[sha256:720e4451…a939656247164447] 102 [200]
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 102 [200]
GET list_advisory 100 [200]
GET list_advisory_paginated 100 [200]
GET list_importer 100 [200]
GET list_organizations 100 [200]
GET list_packages 100 [200]
GET list_packages_paginated 100 [200]
GET list_products 105 [200]
GET list_sboms 105 [200]
GET list_sboms_paginated 105 [200]
GET list_vulnerabilities 100 [200]
GET list_vulnerabilities_paginated 100 [200]
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 102 [200]
GET search_advisory 100 [200]
GET search_exact_purl 105 [200]
GET search_purls 105 [200]
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 100 [200]
Aggregated 2,236 [200], 102 [400]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 100 (+20) 0 (0) 15.30 (+1.44) 9 (+2) 37 (+16) 0.33 (+0.07) 0.00 (+0.00)
1.1 list_organizations 100 (+20) 0 (0) 10.96 (+2.12) 1 (0) 50 (+3) 0.33 (+0.07) 0.00 (+0.00)
1.2 list_advisory 100 (+20) 0 (0) 496.61 (+55.77) 232 (+134) 965 (+228) 0.33 (+0.07) 0.00 (+0.00)
1.3 list_advisory_paginated 100 (+20) 0 (0) 425.86 (+48.90) 118 (+24) 1560 (+1026) 0.33 (+0.07) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 100 (+20) 0 (0) 11.90 (+0.39) 3 (+1) 69 (+2) 0.33 (+0.07) 0.00 (+0.00)
1.5 search_advisory 100 (+20) 0 (0) 989.29 (+249.60) 279 (+156) 2032 (-70) 0.33 (+0.07) 0.00 (+0.00)
1.6 list_vulnerabilities 100 (+20) 0 (0) 285.89 (-7.61) 93 (+47) 604 (+2) 0.33 (+0.07) 0.00 (+0.00)
1.7 list_vulnerabilities_paginated 100 (+20) 0 (0) 194.17 (+7.65) 104 (+66) 286 (-94) 0.33 (+0.07) 0.00 (+0.00)
1.8 list_importer 100 (+20) 0 (0) 2.28 (-0.58) 1 (0) 7 (-44) 0.33 (+0.07) 0.00 (+0.00)
1.9 list_packages 100 (+20) 0 (0) 491.22 (+63.37) 223 (+143) 942 (-7) 0.33 (+0.07) 0.00 (+0.00)
1.10 list_packages_paginated 100 (+20) 0 (0) 375.08 (+13.55) 94 (-6) 589 (-301) 0.33 (+0.07) 0.00 (+0.00)
1.11 search_purls 105 (+20) 0 (0) 5848.16 (-774.37) 873 (-1557) 7195 (-2324) 0.35 (+0.07) 0.00 (+0.00)
1.12 search_exact_purl 105 (+20) 0 (0) 11.50 (+2.47) 2 (0) 57 (-12) 0.35 (+0.07) 0.00 (+0.00)
1.13 list_products 105 (+20) 0 (0) 8.95 (+1.60) 2 (0) 58 (+6) 0.35 (+0.07) 0.00 (+0.00)
1.14 list_sboms 105 (+20) 0 (0) 1264.43 (-82.02) 618 (+81) 2017 (-271) 0.35 (+0.07) 0.00 (+0.00)
1.15 list_sboms_paginated 105 (+20) 0 (0) 1558.06 (-1699.04) 508 (+35) 3640 (-3048) 0.35 (+0.07) 0.00 (+0.00)
1.16 get_analysis_status 103 (+20) 0 (0) 7.16 (-0.99) 1 (0) 57 (+1) 0.34 (+0.07) 0.00 (+0.00)
1.17 get_analysis_latest_cpe 102 (+19) 0 (0) 120.44 (-58.52) 38 (+1) 388 (-103) 0.34 (+0.06) 0.00 (+0.00)
1.18 get_purl_gc 102 0 1.46 1 6 0.34 0.00
1.19 get_sbom[sha256:720e4451…a939656247164447] 102 0 733.55 228 2007 0.34 0.00
1.20 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 102 0 58.93 11 188 0.34 0.00
1.21 get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 102 0 792.23 388 1191 0.34 0.00
1.22 post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 100 0 580.32 224 1360 0.33 0.00
1.23 get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 100 0 368.14 129 672 0.33 0.00
Aggregated 2438 (+558) 0 (0) 619.53 (-184.86) 1 (0) 7195 (-2324) 8.13 (+1.86) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (0) 100 (+20) 14809.69 (-2731.51) 7476 (+336) 19310 (-5060) 0.33 (+0.07) 20.00 (+4.00)
Aggregated 5 (0) 100 (+20) 14809.69 (-2731.51) 7476 (+336) 19310 (-5060) 0.33 (+0.07) 20.00 (+4.00)

Error Metrics

Method Name # Error
GET get_purl_gc 102 400 Bad Request: get_purl_gc

📄 Full Report (Go to "Artifacts" and download report)

@helio-frota

/scale-test

🛠️ Scale test has started! Follow the progress here: Workflow Run

@ctron

ctron commented Sep 30, 2025

trustify-scale-testing calls trustify endpoints. I'm not sure if I understood well; for this we would need to create a new endpoint in trustify just to call PurlService::gc_purls()?

Good idea. Let's add an endpoint, /api/v2/purl/gc, under the "purl" tag. I'm sure QE would appreciate that now that the default period is longer. That might even obviate exposing TRUSTD_GC_FREQ in the helm chart.

That might actually be dangerous. As we know, it has side effects. This might be a good way for a DoS.

@helio-frota

scale test is failing with

 init-keycloak Error manifest for bitnami/keycloak:24.0.4 not found: manifest unknown: manifest unknown
 replay-dump  Interrupted
 keycloak  Interrupted
 postgres  Interrupted
 Error response from daemon: manifest for bitnami/keycloak:24.0.4 not found: manifest unknown: manifest unknown

@helio-frota

That might actually be dangerous. As we know, it has side effects. This might be a good way for a DoS.

Then we may end up with an illusion that the performance is good or acceptable

let's revert then?

@ctron

ctron commented Sep 30, 2025

That might actually be dangerous. As we know, it has side effects. This might be a good way for a DoS.

Then we may end up with an illusion that the performance is good or acceptable

let's revert then?

Having tests is fine. Exposing the GC on an HTTP endpoint I think is not.

@helio-frota

yeah sorry I forgot to add the link #1996 👍
this current PR here is good and also contains the fix 👍

@helio-frota

/scale-test

github-actions bot commented Oct 6, 2025

🛠️ Scale test has started! Follow the progress here: Workflow Run

github-actions bot commented Oct 6, 2025

Goose Report

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-10-06 09:51:20 25-10-06 09:51:25 00:00:05 0 → 5
Maintaining 25-10-06 09:51:25 25-10-06 09:56:26 00:05:01 5
Decreasing 25-10-06 09:56:26 25-10-06 09:56:26 00:00:00 0 ← 5

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
GET get_advisory_by_doc_id 85 (-30) 0 8.72 (-5.26) 3 (0) 57 (-7) 0.28 (-0.10) 0.00 (+0.00)
GET get_analysis_latest_cpe 85 (-35) 0 135.65 (-2.47) 21 (-14) 303 (-50) 0.28 (-0.12) 0.00 (+0.00)
GET get_analysis_status 85 (-35) 0 7.18 (+1.33) 1 (0) 54 (-1) 0.28 (-0.12) 0.00 (+0.00)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 85 (-34) 0 399.92 (-333.06) 159 (-185) 785 (-447) 0.28 (-0.11) 0.00 (+0.00)
GET get_purl_gc 85 (-35) 85 1.22 (+0.11) 1 (0) 6 (0) 0.28 (-0.12) 0.28 (-0.12)
GET get_sbom[sha256:720e4451…a939656247164447] 85 (-35) 0 745.34 (+38.60) 203 (-30) 1928 (+222) 0.28 (-0.12) 0.00 (+0.00)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 85 (-35) 0 784.53 (+5.90) 389 (-13) 1125 (+8) 0.28 (-0.12) 0.00 (+0.00)
GET list_advisory 85 (-34) 0 529.52 (+64.80) 319 (+21) 940 (+25) 0.28 (-0.11) 0.00 (+0.00)
GET list_advisory_paginated 85 (-33) 0 423.76 (-17.77) 178 (-45) 693 (-575) 0.28 (-0.11) 0.00 (+0.00)
GET list_importer 84 (-31) 0 4.24 (+0.13) 1 (0) 50 (-4) 0.28 (-0.10) 0.00 (+0.00)
GET list_organizations 85 (-34) 0 9.60 (+1.88) 1 (0) 49 (+1) 0.28 (-0.11) 0.00 (+0.00)
GET list_packages 84 (-31) 0 452.61 (-13.31) 97 (-11) 929 (-133) 0.28 (-0.10) 0.00 (+0.00)
GET list_packages_paginated 83 (-32) 0 386.73 (-18.54) 104 (+2) 656 (-19) 0.28 (-0.11) 0.00 (+0.00)
GET list_products 85 (-35) 0 6.36 (+1.64) 4 (+2) 12 (+3) 0.28 (-0.12) 0.00 (+0.00)
GET list_sboms 85 (-35) 0 975.71 (-40.77) 573 (+86) 1681 (+258) 0.28 (-0.12) 0.00 (+0.00)
GET list_sboms_paginated 85 (-35) 0 1399.38 (+44.93) 448 (+19) 3305 (+202) 0.28 (-0.12) 0.00 (+0.00)
GET list_vulnerabilities 84 (-31) 0 221.49 (+6.52) 99 (+44) 336 (-22) 0.28 (-0.10) 0.00 (+0.00)
GET list_vulnerabilities_paginated 84 (-31) 0 178.65 (+0.57) 75 (+36) 269 (-40) 0.28 (-0.10) 0.00 (+0.00)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 85 (-35) 0 58.41 (+2.90) 9 (+1) 192 (+16) 0.28 (-0.12) 0.00 (+0.00)
GET search_advisory 85 (-30) 0 921.60 (-159.79) 348 (+66) 1927 (-568) 0.28 (-0.10) 0.00 (+0.00)
GET search_exact_purl 85 (-35) 0 9.14 (+2.83) 4 (+2) 48 (-5) 0.28 (-0.12) 0.00 (+0.00)
GET search_purls 85 (-35) 0 9650.56 (+5480.44) 4895 (+2609) 12700 (+6699) 0.28 (-0.12) 0.00 (+0.00)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 85 (-35) 0 505.52 (+49.82) 247 (+65) 964 (+61) 0.28 (-0.12) 0.00 (+0.00)
Aggregated 1949 (-771) 85 776.15 (+220.77) 1 (0) 12700 (+6699) 6.50 (-2.57) 0.28 (-0.12)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
GET get_advisory_by_doc_id 6 (-1) 7 (-1) 8 (-3) 9 (-8) 14 (-35) 18 (-37) 55 (-7) 57 (-7)
GET get_analysis_latest_cpe 110 (-10) 140 (0) 180 (+10) 190 (0) 260 (+60) 260 (+60) 300 (+30) 300 (-50)
GET get_analysis_status 2 (0) 3 (0) 3 (0) 4 (0) 31 (+25) 49 (+3) 54 (+1) 54 (-1)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 410 (-290) 420 (-380) 470 (-330) 480 (-420) 500 (-500) 600 (-400) 785 (-215) 785 (-215)
GET get_purl_gc 1 (0) 1 (0) 1 (0) 2 (+1) 2 (0) 3 (0) 5 (+1) 6 (0)
GET get_sbom[sha256:720e4451…a939656247164447] 600 (0) 600 (-100) 800 (+100) 1,000 (0) 1,000 (0) 1,928 (+222) 1,928 (+222) 1,928 (+222)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 800 (0) 800 (0) 900 (0) 900 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0)
GET list_advisory 490 (+40) 500 (+30) 600 (+120) 600 (+100) 700 (+100) 800 (+100) 800 (-100) 900 (0)
GET list_advisory_paginated 410 (0) 450 (+20) 470 (0) 480 (-10) 500 (0) 600 (-100) 693 (-307) 693 (-307)
GET list_importer 3 (+1) 3 (+1) 3 (+1) 4 (+1) 6 (+1) 9 (+3) 45 (-3) 50 (-4)
GET list_organizations 4 (+1) 4 (0) 6 (+1) 14 (+6) 32 (+8) 37 (-1) 43 (-5) 49 (+1)
GET list_packages 420 (-50) 450 (-30) 480 (-20) 500 (0) 700 (+100) 800 (0) 900 (-100) 900 (-100)
GET list_packages_paginated 400 (-10) 410 (-20) 430 (-40) 490 (-10) 500 (0) 600 (0) 600 (0) 656 (-19)
GET list_products 6 (+1) 6 (+1) 7 (+2) 8 (+2) 9 (+3) 10 (+3) 11 (+2) 12 (+3)
GET list_sboms 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,681 (+681) 1,681 (+681)
GET list_sboms_paginated 1,000 (0) 1,000 (0) 1,000 (-1,000) 2,000 (0) 2,000 (0) 2,000 (-1,000) 3,000 (0) 3,000 (0)
GET list_vulnerabilities 210 (0) 220 (0) 240 (0) 260 (-10) 310 (+20) 320 (+20) 330 (0) 336 (-22)
GET list_vulnerabilities_paginated 190 (+10) 190 (0) 200 (+10) 200 (-10) 220 (-40) 250 (-30) 260 (-49) 269 (-40)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 50 (+1) 63 (-4) 69 (-5) 80 (-14) 100 (-10) 160 (+40) 190 (+20) 190 (+14)
GET search_advisory 800 (-100) 1,000 (0) 1,000 (0) 1,000 (-1,000) 1,927 (-73) 1,927 (-73) 1,927 (-73) 1,927 (-73)
GET search_exact_purl 7 (+2) 7 (+2) 7 (+2) 7 (+1) 9 (+3) 46 (+39) 48 (-4) 48 (-5)
GET search_purls 11,000 (+7,000) 11,000 (+7,000) 11,000 (+6,000) 11,000 (+6,000) 11,000 (+6,000) 12,000 (+7,000) 12,700 (+6,700) 12,700 (+6,700)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 500 (+80) 500 (+40) 600 (+100) 700 (+100) 700 (0) 900 (+100) 964 (+64) 964 (+64)
Aggregated 290 (-10) 410 (-10) 500 (0) 700 (-100) 1,000 (0) 2,000 (0) 11,000 (+6,000) 12,700 (+6,700)

Status Code Metrics

Method Name Status Codes
GET get_advisory_by_doc_id 85 [200]
GET get_analysis_latest_cpe 85 [200]
GET get_analysis_status 85 [200]
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 85 [200]
GET get_purl_gc 85 [400]
GET get_sbom[sha256:720e4451…a939656247164447] 85 [200]
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 85 [200]
GET list_advisory 85 [200]
GET list_advisory_paginated 85 [200]
GET list_importer 84 [200]
GET list_organizations 85 [200]
GET list_packages 84 [200]
GET list_packages_paginated 83 [200]
GET list_products 85 [200]
GET list_sboms 85 [200]
GET list_sboms_paginated 85 [200]
GET list_vulnerabilities 84 [200]
GET list_vulnerabilities_paginated 84 [200]
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 85 [200]
GET search_advisory 85 [200]
GET search_exact_purl 85 [200]
GET search_purls 85 [200]
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 85 [200]
Aggregated 1,864 [200], 85 [400]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 85 (-34) 0 (0) 14.15 (+1.11) 8 (+1) 25 (+1) 0.28 (-0.11) 0.00 (+0.00)
1.1 list_organizations 85 (-34) 0 (0) 9.76 (+1.92) 1 (0) 52 (+4) 0.28 (-0.11) 0.00 (+0.00)
1.2 list_advisory 85 (-34) 0 (0) 529.59 (+64.82) 319 (+21) 940 (+25) 0.28 (-0.11) 0.00 (+0.00)
1.3 list_advisory_paginated 85 (-33) 0 (0) 423.81 (-17.76) 178 (-45) 693 (-575) 0.28 (-0.11) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 85 (-30) 0 (0) 8.74 (-5.26) 3 (0) 57 (-7) 0.28 (-0.10) 0.00 (+0.00)
1.5 search_advisory 85 (-30) 0 (0) 921.67 (-159.76) 348 (+66) 1927 (-568) 0.28 (-0.10) 0.00 (+0.00)
1.6 list_vulnerabilities 84 (-31) 0 (0) 221.55 (+6.54) 99 (+44) 336 (-22) 0.28 (-0.10) 0.00 (+0.00)
1.7 list_vulnerabilities_paginated 84 (-31) 0 (0) 178.69 (+0.53) 75 (+36) 269 (-40) 0.28 (-0.10) 0.00 (+0.00)
1.8 list_importer 84 (-31) 0 (0) 4.30 (+0.15) 1 (0) 50 (-4) 0.28 (-0.10) 0.00 (+0.00)
1.9 list_packages 84 (-31) 0 (0) 452.64 (-13.31) 97 (-11) 929 (-133) 0.28 (-0.10) 0.00 (+0.00)
1.10 list_packages_paginated 83 (-32) 0 (0) 386.80 (-18.58) 104 (+2) 656 (-19) 0.28 (-0.11) 0.00 (+0.00)
1.11 search_purls 85 (-35) 0 (0) 9650.61 (+5480.47) 4895 (+2609) 12700 (+6699) 0.28 (-0.12) 0.00 (+0.00)
1.12 search_exact_purl 85 (-35) 0 (0) 9.19 (+2.85) 4 (+2) 48 (-5) 0.28 (-0.12) 0.00 (+0.00)
1.13 list_products 85 (-35) 0 (0) 6.42 (+1.67) 4 (+2) 12 (+3) 0.28 (-0.12) 0.00 (+0.00)
1.14 list_sboms 85 (-35) 0 (0) 975.76 (-40.78) 573 (+86) 1681 (+258) 0.28 (-0.12) 0.00 (+0.00)
1.15 list_sboms_paginated 85 (-35) 0 (0) 1399.47 (+44.95) 448 (+19) 3305 (+202) 0.28 (-0.12) 0.00 (+0.00)
1.16 get_analysis_status 85 (-35) 0 (0) 7.21 (+1.31) 1 (0) 54 (-1) 0.28 (-0.12) 0.00 (+0.00)
1.17 get_analysis_latest_cpe 85 (-35) 0 (0) 135.68 (-2.47) 21 (-14) 303 (-50) 0.28 (-0.12) 0.00 (+0.00)
1.18 get_purl_gc 85 (-35) 0 (0) 1.27 (+0.10) 1 (0) 6 (0) 0.28 (-0.12) 0.00 (+0.00)
1.19 get_sbom[sha256:720e4451…a939656247164447] 85 (-35) 0 (0) 745.36 (+38.60) 203 (-30) 1928 (+222) 0.28 (-0.12) 0.00 (+0.00)
1.20 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 85 (-35) 0 (0) 58.47 (+2.86) 9 (+1) 192 (+16) 0.28 (-0.12) 0.00 (+0.00)
1.21 get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 85 (-35) 0 (0) 784.56 (+5.86) 389 (-13) 1126 (+9) 0.28 (-0.12) 0.00 (+0.00)
1.22 post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 85 (-35) 0 (0) 505.54 (+49.77) 247 (+65) 964 (+61) 0.28 (-0.12) 0.00 (+0.00)
1.23 get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 85 (-34) 0 (0) 399.94 (-333.09) 159 (-185) 785 (-447) 0.28 (-0.11) 0.00 (+0.00)
Aggregated 2034 (-805) 0 (0) 743.71 (+211.62) 1 (0) 12700 (+6699) 6.78 (-2.68) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (0) 85 (-34) 17672.34 (+5049.69) 8945 (+2550) 24981 (+8271) 0.28 (-0.11) 17.00 (-6.80)
Aggregated 5 (0) 85 (-34) 17672.34 (+5049.69) 8945 (+2550) 24981 (+8271) 0.28 (-0.11) 17.00 (-6.80)

Error Metrics

Method Name # Error
GET get_purl_gc 85 400 Bad Request: get_purl_gc

📄 Full Report (Go to "Artifacts" and download report)
