refactor: precalculate advisory and vulnerability average scores and severities #1480

Open
wants to merge 1 commit into
base: main

dejanb
Contributor

@dejanb dejanb commented Mar 26, 2025

This commit introduces pre-calculated averages for scores and severities. The averages are pre-calculated during ingestion. The change simplifies querying significantly (along with performance), as there's no need to do recalculation on every query, often in a loop for a large number of entities.

  1. It adds average rows in the vulnerability and advisory tables
  2. It defines two PLPGSQL functions that can be used to pre-calculate one or all entries
  3. Modifies queries and services to remove query-time calculations

Ingestion

Currently, there's a trigger that will update advisory and vulnerability each time the cvss3 score is inserted. Volume of data here is not that big, ~50K even for the load dataset. Updating all entries takes locally around 10 sec.
My main concern was if this will impact the ingestion. In the little testing that I have done, I didn't see any changes in ingestion time during this change.
In theory we can move this to the application logic and recalculate all after ingestion, but I wouldn't like to do it if it is not necessary.

Querying

I ran a load test locally and things look promising in general.

I saw even better improvements on the most problematic advisory endpoint in the previous runs. And although I didn't run the latest version of the scale tests that test sbom/advisory endpoint, manually testing shows at least 50% performance improvements.

Let's see what the automated load testing will show.

There are still more things to change here, as some of the queries can still be improved.

@ctron
Contributor

ctron commented Mar 26, 2025

As I just added a bunch of tests to the scale test, could you re-run that again, with a recent checkout of the scale-testing repository?

@JimFuller-RedHat
Collaborator

Before I review this - I just want to state that adding triggers at this stage is risky ... event driven handling in databases introduces a next level of complexity - would rather avoid that. Is there any way to do this on ingestion instead of using triggers?

Contributor

@jcrossley3 jcrossley3 left a comment

I vote for doing this at ingestion rather than a trigger, too.

Comment on lines -60 to +56
severity: score.severity(),
score: score.value(),
severity: advisory
.average_severity
.map(|sev| sev.into())
.unwrap_or(Severity::None),
score: advisory.average_score.unwrap_or(0.0),
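
Review bot: on the new `severity` and `score` lines, `unwrap_or(Severity::None)` and `unwrap_or(0.0)` turn a missing average into a concrete value, so a caller cannot tell an advisory with no score from one whose average is 0.0. Consider making both fields `Option` in the response type and passing `advisory.average_severity.map(|sev| sev.into())` and `advisory.average_score` through unchanged.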
Contributor

This is actually a bug: #1374

Can we just change these to Options in AdvisoryVulnerabilityHead and kill 2 birds with 1 stone? 😄

Contributor Author

Yes. It bothered me as well, but didn't want to change API on my own. I can include it as well.

Contributor

Not sure when this is getting merged, so went ahead and pushed #1591
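
The two points raised in this thread so far (recalculating the stored averages from ingestion code rather than a trigger, and keeping "no score" distinguishable in the API) sketched as an added example; it is not code from the PR or the project. `AdvisoryRow`, `recalculate` and the two `head_*` functions are hypothetical names, the severity bands are the CVSS v3.x qualitative scale, and rounding to one decimal is an assumption.

```rust
// Added example: not code from the PR. All type and function names are hypothetical.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity {
    None,
    Low,
    Medium,
    High,
    Critical,
}

impl Severity {
    /// CVSS v3.x qualitative severity rating scale.
    pub fn from_score(score: f64) -> Severity {
        if score >= 9.0 {
            Severity::Critical
        } else if score >= 7.0 {
            Severity::High
        } else if score >= 4.0 {
            Severity::Medium
        } else if score > 0.0 {
            Severity::Low
        } else {
            Severity::None
        }
    }
}

/// Stand-in for an advisory (or vulnerability) row with the two new columns.
#[derive(Debug, Default, Clone, PartialEq)]
pub struct AdvisoryRow {
    pub average_score: Option<f64>,
    pub average_severity: Option<Severity>,
}

/// Recompute the stored averages from every CVSS v3 base score ingested for one row.
/// Meant to be called by the ingestor after it has written the scores.
pub fn recalculate(row: &mut AdvisoryRow, cvss3_scores: &[f64]) -> Result<(), String> {
    // Reject NaN and out-of-range input instead of letting it skew the average.
    if let Some(bad) = cvss3_scores.iter().find(|s| !(0.0..=10.0).contains(*s)) {
        return Err(format!("invalid CVSS v3 base score: {}", bad));
    }
    if cvss3_scores.is_empty() {
        // Nothing ingested: store NULL in both columns, not 0.0.
        *row = AdvisoryRow::default();
        return Ok(());
    }
    let mean = cvss3_scores.iter().sum::<f64>() / cvss3_scores.len() as f64;
    // Assumption: keep one decimal, as CVSS base scores do.
    let rounded = (mean * 10.0).round() / 10.0;
    row.average_score = Some(rounded);
    row.average_severity = Some(Severity::from_score(rounded));
    Ok(())
}

/// Query-side mapping as in the reviewed lines: absence collapses to 0.0 / None.
pub fn head_with_defaults(row: &AdvisoryRow) -> (f64, Severity) {
    (
        row.average_score.unwrap_or(0.0),
        row.average_severity.unwrap_or(Severity::None),
    )
}

/// Query-side mapping with optional fields: "not scored" stays distinguishable.
pub fn head_optional(row: &AdvisoryRow) -> (Option<f64>, Option<Severity>) {
    (row.average_score, row.average_severity)
}

fn main() {
    // Constructed sample scores, not data from the project.
    let mut row = AdvisoryRow::default();
    recalculate(&mut row, &[9.8, 7.5, 5.3]).expect("constructed sample scores are valid");
    println!("{:?} -> {:?}", row, head_optional(&row));
}
```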

@dejanb
Contributor Author

dejanb commented Mar 26, 2025

@JimFuller-RedHat @jcrossley3 Yeah, trigger was the easiest way to get things going. I will rework it to do it from the code.

@dejanb
Contributor Author

dejanb commented Mar 26, 2025

> As I just added a bunch of tests to the scale test, could you re-run that again, with a recent checkout of the scale-testing repository?

@ctron I had some issues running the latest changes in scale-testing, both errors for the analysis tests and querying the database for large sboms. So, I reverted to the old one, just to get the first feeling of the performance. It'd be good to be able to run the action against PR as we discussed before.

@ctron
Contributor

ctron commented Mar 27, 2025

> > As I just added a bunch of tests to the scale test, could you re-run that again, with a recent checkout of the scale-testing repository?
>
> @ctron I had some issues running the latest changes in scale-testing, both errors for the analysis tests and querying the database for large sboms. So, I reverted to the old one, just to get the first feeling of the performance. It'd be good to be able to run the action against PR as we discussed before.

What errors did you encounter?

@dejanb
Contributor Author

dejanb commented Mar 27, 2025

@ctron: I got

Error: error returned from database: column "num" does not exist

Caused by:
    column "num" does not exist

But I didn't look too much into it, so I might be doing something weird.
Another nit: having DATABASE_URL be mandatory (even for trying to get --help) is counter-intuitive.

@ctron
Contributor

ctron commented Mar 27, 2025

> @ctron: I got
>
> Error: error returned from database: column "num" does not exist
>
> Caused by:
>     column "num" does not exist

Ah, you might want to try latest main for that.

> But I didn't look too much into it, so I might be doing something weird. Another nit: having DATABASE_URL be mandatory (even for trying to get --help) is counter-intuitive.

Yea, that's a problem I'm not sure we can easily solve. Goose uses its own argument system. That's why we rely on env-vars for the rest. --help comes from that arg system. So it's processed only after we processed our stuff. Not sure what's an easy way out of this.

We forked Goose already, maybe migrating to clap is an idea. But that's expensive.

@dejanb dejanb force-pushed the precalculate-averages branch 2 times, most recently from 39d1b82 to bdf9c5e Compare March 27, 2025 15:26
@dejanb dejanb force-pushed the precalculate-averages branch from bdf9c5e to e1eda3f Compare March 27, 2025 15:31
@ctron
Contributor

ctron commented Mar 28, 2025

/scale-test

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-03-28 15:45:55 25-03-28 15:46:00 00:00:05 0 → 5
Maintaining 25-03-28 15:46:00 25-03-28 15:51:00 00:05:00 5
Decreasing 25-03-28 15:51:00 25-03-28 15:51:01 00:00:01 0 ← 5

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
GET get_advisory_by_doc_id 100 (-19) 0 14.02 (-1.06) 4 (0) 57 (-5) 0.33 (-0.06) 0.00 (+0.00)
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 99 0 1654.37 500 3177 0.33 0.00
GET list_advisory 100 (-20) 0 2699.47 (+136.20) 2044 (+380) 3461 (+94) 0.33 (-0.07) 0.00 (+0.00)
GET list_advisory_paginated 100 (-19) 0 2682.59 (+257.21) 1730 (+445) 3558 (+347) 0.33 (-0.06) 0.00 (+0.00)
GET list_importer 100 (-18) 0 4.34 (+0.65) 1 (0) 54 (+1) 0.33 (-0.06) 0.00 (+0.00)
GET list_organizations 98 (-21) 0 18.11 (-1.26) 2 (+1) 55 (-11) 0.33 (-0.07) 0.00 (+0.00)
GET list_packages 101 (-17) 0 412.50 (-2.27) 201 (+97) 678 (-41) 0.34 (-0.06) 0.00 (+0.00)
GET list_packages_paginated 101 (-17) 0 436.13 (+11.77) 133 (+32) 676 (-6) 0.34 (-0.06) 0.00 (+0.00)
GET list_products 101 (-19) 0 18.94 (+5.44) 3 (0) 62 (-2) 0.34 (-0.06) 0.00 (+0.00)
GET list_sboms 101 (-19) 0 1514.03 (+126.40) 421 (-92) 2675 (+471) 0.34 (-0.06) 0.00 (+0.00)
GET list_sboms_paginated 99 (-20) 0 1358.72 (+228.90) 270 (-25) 2604 (+316) 0.33 (-0.07) 0.00 (+0.00)
GET list_vulnerabilities 100 (-20) 0 1038.94 (-6.35) 358 (+110) 1499 (+122) 0.33 (-0.07) 0.00 (+0.00)
GET list_vulnerabilities_paginated 100 (-19) 0 861.95 (-7.73) 275 (+57) 1098 (-70) 0.33 (-0.06) 0.00 (+0.00)
GET search_exact_packages 101 (-19) 0 9.45 (+0.42) 2 (0) 59 (+1) 0.34 (-0.06) 0.00 (+0.00)
GET search_packages 102 (-18) 0 2335.29 (+1261.04) 1585 (+1082) 9742 (+1387) 0.34 (-0.06) 0.00 (+0.00)
Aggregated 1503 (-285) 0 1004.59 (+161.84) 1 (0) 9742 (+1387) 5.01 (-0.95) 0.00 (+0.00)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
GET get_advisory_by_doc_id 8 (0) 9 (+1) 11 (+1) 13 (-1) 47 (-7) 54 (-4) 57 (-4) 57 (-5)
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 2,000 2,000 2,000 3,000 3,000 3,000 3,000 3,000
GET list_advisory 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0)
GET list_advisory_paginated 3,000 (+1,000) 3,000 (+1,000) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,558 (+558)
GET list_importer 3 (+1) 3 (+1) 4 (+1) 4 (+1) 5 (0) 7 (+1) 52 (-1) 54 (+1)
GET list_organizations 6 (+1) 7 (0) 40 (-1) 46 (0) 50 (-1) 51 (-3) 54 (-5) 55 (-11)
GET list_packages 400 (0) 420 (+10) 470 (+10) 480 (0) 500 (0) 600 (0) 600 (0) 678 (-22)
GET list_packages_paginated 430 (+20) 460 (+30) 480 (+10) 500 (+10) 500 (0) 600 (0) 600 (-82) 676 (-6)
GET list_products 7 (+1) 9 (+1) 11 (+2) 48 (+35) 56 (+3) 57 (+1) 62 (-1) 62 (-2)
GET list_sboms 2,000 (+1,000) 2,000 (+1,000) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 2,675 (+675)
GET list_sboms_paginated 1,000 (0) 2,000 (+1,000) 2,000 (+1,000) 2,000 (0) 2,000 (0) 2,000 (0) 2,604 (+604) 2,604 (+604)
GET list_vulnerabilities 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0)
GET list_vulnerabilities_paginated 800 (-100) 900 (0) 900 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0)
GET search_exact_packages 5 (0) 6 (+1) 7 (+1) 7 (0) 14 (+3) 49 (-5) 56 (-1) 59 (+1)
GET search_packages 2,000 (+1,200) 2,000 (+1,200) 2,000 (+1,100) 2,000 (+1,000) 2,000 (+1,000) 3,000 (+1,000) 8,000 (+1,000) 9,742 (+1,742)
Aggregated 700 (0) 1,000 (+100) 2,000 (+1,000) 2,000 (0) 3,000 (+1,000) 3,000 (0) 3,000 (0) 9,742 (+1,742)

Status Code Metrics

Method Name Status Codes
GET get_advisory_by_doc_id 100 [200]
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 99 [200]
GET list_advisory 100 [200]
GET list_advisory_paginated 100 [200]
GET list_importer 100 [200]
GET list_organizations 98 [200]
GET list_packages 101 [200]
GET list_packages_paginated 101 [200]
GET list_products 101 [200]
GET list_sboms 101 [200]
GET list_sboms_paginated 99 [200]
GET list_vulnerabilities 100 [200]
GET list_vulnerabilities_paginated 100 [200]
GET search_exact_packages 101 [200]
GET search_packages 102 [200]
Aggregated 1,503 [200]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 98 (-21) 0 (0) 13.87 (+0.84) 6 (0) 25 (+5) 0.33 (-0.07) 0.00 (+0.00)
1.1 list_organizations 98 (-21) 0 (0) 18.44 (-1.15) 2 (+1) 55 (-11) 0.33 (-0.07) 0.00 (+0.00)
1.2 list_advisory 100 (-20) 0 (0) 2699.55 (+136.12) 2044 (+380) 3462 (+95) 0.33 (-0.07) 0.00 (+0.00)
1.3 list_advisory_paginated 100 (-19) 0 (0) 2682.76 (+257.25) 1730 (+445) 3559 (+348) 0.33 (-0.06) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 100 (-19) 0 (0) 14.11 (-1.02) 4 (0) 58 (-4) 0.33 (-0.06) 0.00 (+0.00)
1.5 list_vulnerabilities 100 (-20) 0 (0) 1039.16 (-6.21) 358 (+109) 1499 (+122) 0.33 (-0.07) 0.00 (+0.00)
1.6 list_vulnerabilities_paginated 100 (-19) 0 (0) 862.02 (-7.68) 275 (+57) 1098 (-70) 0.33 (-0.06) 0.00 (+0.00)
1.7 list_importer 100 (-18) 0 (0) 4.39 (+0.65) 1 (0) 54 (+1) 0.33 (-0.06) 0.00 (+0.00)
1.8 list_packages 101 (-17) 0 (0) 412.64 (-2.17) 201 (+97) 678 (-41) 0.34 (-0.06) 0.00 (+0.00)
1.9 list_packages_paginated 101 (-17) 0 (0) 436.21 (+11.73) 133 (+32) 676 (-6) 0.34 (-0.06) 0.00 (+0.00)
1.10 search_packages 102 (-18) 0 (0) 2335.37 (+1261.02) 1585 (+1082) 9742 (+1387) 0.34 (-0.06) 0.00 (+0.00)
1.11 search_exact_packages 101 (-19) 0 (0) 9.51 (+0.44) 2 (0) 59 (+1) 0.34 (-0.06) 0.00 (+0.00)
1.12 list_products 101 (-19) 0 (0) 19.01 (+5.44) 3 (0) 62 (-2) 0.34 (-0.06) 0.00 (+0.00)
1.13 list_sboms 101 (-19) 0 (0) 1514.14 (+126.43) 421 (-92) 2676 (+472) 0.34 (-0.06) 0.00 (+0.00)
1.14 list_sboms_paginated 99 (-20) 0 (0) 1358.81 (+228.87) 270 (-25) 2604 (+316) 0.33 (-0.07) 0.00 (+0.00)
1.15 get_sbom[sha256:f293eb89…6720f692ec5f3081] 99 0 1654.44 500 3177 0.33 0.00
Aggregated 1601 (-306) 0 (0) 943.10 (+152.93) 1 (0) 9742 (+1387) 5.34 (-1.02) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (0) 98 (-21) 15012.19 (+2484.56) 11111 (+2380) 17820 (+2484) 0.33 (-0.07) 19.60 (-4.20)
Aggregated 5 (0) 98 (-21) 15012.19 (+2484.56) 11111 (+2380) 17820 (+2484) 0.33 (-0.07) 19.60 (-4.20)

📄 Full Report

@ctron
Contributor

ctron commented Mar 31, 2025

/scale-test

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-03-31 14:19:42 25-03-31 14:19:47 00:00:05 0 → 5
Maintaining 25-03-31 14:19:47 25-03-31 14:24:47 00:05:00 5
Decreasing 25-03-31 14:24:47 25-03-31 14:24:48 00:00:01 0 ← 5

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
GET get_advisory_by_doc_id 105 (-3) 0 14.35 (-1.14) 4 (0) 64 (0) 0.35 (-0.01) 0.00 (+0.00)
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 106 (-1) 0 1109.79 (-117.79) 442 (-50) 2285 (-302) 0.35 (-0.00) 0.00 (+0.00)
GET list_advisory 106 (0) 0 2551.37 (+11.47) 1229 (-587) 3350 (-282) 0.35 (+0.00) 0.00 (+0.00)
GET list_advisory_paginated 106 (-2) 0 2558.02 (+145.02) 1400 (+204) 3110 (+7) 0.35 (-0.01) 0.00 (+0.00)
GET list_importer 106 (-2) 0 2.66 (-2.55) 1 (0) 10 (-42) 0.35 (-0.01) 0.00 (+0.00)
GET list_organizations 105 (0) 0 13.72 (-1.40) 1 (-1) 51 (-9) 0.35 (+0.00) 0.00 (+0.00)
GET list_packages 106 (-2) 0 417.64 (+3.17) 116 (+16) 617 (-53) 0.35 (-0.01) 0.00 (+0.00)
GET list_packages_paginated 106 (-1) 0 414.60 (+1.27) 110 (+7) 680 (+77) 0.35 (-0.00) 0.00 (+0.00)
GET list_products 107 (-2) 0 9.59 (-5.62) 3 (0) 60 (+1) 0.36 (-0.01) 0.00 (+0.00)
GET list_sboms 107 (-2) 0 1370.36 (-10.20) 567 (+70) 2186 (+88) 0.36 (-0.01) 0.00 (+0.00)
GET list_sboms_paginated 106 (-3) 0 1085.62 (+36.66) 304 (+6) 2014 (-265) 0.35 (-0.01) 0.00 (+0.00)
GET list_vulnerabilities 106 (-2) 0 1038.12 (+37.49) 326 (+28) 1577 (+33) 0.35 (-0.01) 0.00 (+0.00)
GET list_vulnerabilities_paginated 106 (-2) 0 812.75 (+1.28) 283 (+61) 1015 (-110) 0.35 (-0.01) 0.00 (+0.00)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 105 (0) 0 78.06 (+5.00) 11 (+1) 262 (+58) 0.35 (+0.00) 0.00 (+0.00)
GET search_exact_purl 107 (-2) 0 10.13 (+1.85) 2 (0) 58 (+1) 0.36 (-0.01) 0.00 (+0.00)
GET search_purls 108 (-1) 0 2648.44 (+83.47) 1691 (+8) 10675 (-3265) 0.36 (-0.00) 0.00 (+0.00)
Aggregated 1698 (-25) 0 886.29 (+13.20) 1 (0) 10675 (-3265) 5.66 (-0.08) 0.00 (+0.00)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
GET get_advisory_by_doc_id 7 (-1) 9 (0) 11 (+1) 13 (0) 52 (-3) 58 (0) 63 (0) 64 (0)
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 1,000 (0) 1,000 (0) 1,000 (-1,000) 1,000 (-1,000) 2,000 (0) 2,000 (0) 2,000 (-587) 2,000 (-587)
GET list_advisory 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (-632)
GET list_advisory_paginated 3,000 (+1,000) 3,000 (+1,000) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0) 3,000 (0)
GET list_importer 2 (0) 3 (0) 3 (0) 4 (0) 5 (0) 6 (-44) 7 (-45) 10 (-42)
GET list_organizations 5 (0) 5 (-1) 7 (0) 42 (-2) 48 (+1) 49 (0) 51 (-1) 51 (-9)
GET list_packages 410 (+10) 420 (+10) 460 (-10) 490 (-10) 500 (0) 500 (-100) 600 (0) 600 (-70)
GET list_packages_paginated 400 (-10) 420 (0) 460 (0) 500 (+20) 500 (0) 600 (0) 600 (0) 680 (+80)
GET list_products 7 (0) 7 (-1) 8 (-1) 10 (-5) 12 (-40) 54 (-2) 60 (+2) 60 (+1)
GET list_sboms 1,000 (0) 1,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0)
GET list_sboms_paginated 1,000 (0) 1,000 (0) 1,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0)
GET list_vulnerabilities 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,577 (+577) 1,577 (+33)
GET list_vulnerabilities_paginated 800 (0) 800 (0) 900 (0) 900 (0) 1,000 (0) 1,000 (0) 1,000 (0) 1,000 (0)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 65 (+7) 80 (+11) 110 (0) 130 (-30) 170 (0) 180 (0) 200 (+10) 260 (+60)
GET search_exact_purl 5 (0) 6 (0) 7 (0) 8 (0) 18 (+7) 53 (+5) 57 (+5) 58 (+1)
GET search_purls 2,000 (0) 2,000 (0) 2,000 (0) 2,000 (0) 5,000 (+3,000) 6,000 (+3,000) 8,000 (-5,000) 10,675 (-3,265)
Aggregated 500 (0) 800 (-100) 1,000 (0) 2,000 (0) 2,000 (0) 3,000 (0) 3,000 (0) 10,675 (-3,265)

Status Code Metrics

Method Name Status Codes
GET get_advisory_by_doc_id 105 [200]
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 106 [200]
GET list_advisory 106 [200]
GET list_advisory_paginated 106 [200]
GET list_importer 106 [200]
GET list_organizations 105 [200]
GET list_packages 106 [200]
GET list_packages_paginated 106 [200]
GET list_products 107 [200]
GET list_sboms 107 [200]
GET list_sboms_paginated 106 [200]
GET list_vulnerabilities 106 [200]
GET list_vulnerabilities_paginated 106 [200]
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 105 [200]
GET search_exact_purl 107 [200]
GET search_purls 108 [200]
Aggregated 1,698 [200]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 105 (0) 0 (0) 13.89 (-0.14) 7 (+1) 21 (-8) 0.35 (+0.00) 0.00 (+0.00)
1.1 list_organizations 105 (0) 0 (0) 13.93 (-1.39) 1 (-1) 51 (-9) 0.35 (+0.00) 0.00 (+0.00)
1.2 list_advisory 106 (0) 0 (0) 2551.45 (+11.48) 1229 (-587) 3350 (-282) 0.35 (+0.00) 0.00 (+0.00)
1.3 list_advisory_paginated 106 (-2) 0 (0) 2558.12 (+145.03) 1400 (+204) 3110 (+7) 0.35 (-0.01) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 105 (-3) 0 (0) 14.43 (-1.08) 4 (0) 64 (0) 0.35 (-0.01) 0.00 (+0.00)
1.5 list_vulnerabilities 106 (-2) 0 (0) 1038.20 (+37.54) 326 (+28) 1577 (+33) 0.35 (-0.01) 0.00 (+0.00)
1.6 list_vulnerabilities_paginated 106 (-2) 0 (0) 812.92 (+1.41) 283 (+60) 1015 (-110) 0.35 (-0.01) 0.00 (+0.00)
1.7 list_importer 106 (-2) 0 (0) 2.72 (-2.51) 1 (0) 10 (-42) 0.35 (-0.01) 0.00 (+0.00)
1.8 list_packages 106 (-2) 0 (0) 417.71 (+3.11) 116 (+16) 617 (-53) 0.35 (-0.01) 0.00 (+0.00)
1.9 list_packages_paginated 106 (-1) 0 (0) 414.69 (+1.26) 110 (+7) 681 (+78) 0.35 (-0.00) 0.00 (+0.00)
1.10 search_purls 108 (-1) 0 (0) 2648.55 (+83.50) 1691 (+8) 10675 (-3265) 0.36 (-0.00) 0.00 (+0.00)
1.11 search_exact_purl 107 (-2) 0 (0) 10.19 (+1.82) 2 (0) 58 (+1) 0.36 (-0.01) 0.00 (+0.00)
1.12 list_products 107 (-2) 0 (0) 9.65 (-5.66) 3 (0) 60 (+1) 0.36 (-0.01) 0.00 (+0.00)
1.13 list_sboms 107 (-2) 0 (0) 1370.44 (-10.20) 567 (+70) 2186 (+88) 0.36 (-0.01) 0.00 (+0.00)
1.14 list_sboms_paginated 106 (-3) 0 (0) 1085.75 (+36.75) 304 (+6) 2014 (-265) 0.35 (-0.01) 0.00 (+0.00)
1.15 get_sbom[sha256:f293eb89…6720f692ec5f3081] 106 (-1) 0 (0) 1109.92 (-117.83) 442 (-50) 2285 (-302) 0.35 (-0.00) 0.00 (+0.00)
1.16 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 105 (0) 0 (0) 78.22 (+5.07) 11 (+1) 262 (+58) 0.35 (+0.00) 0.00 (+0.00)
Aggregated 1803 (-25) 0 (0) 834.67 (+11.73) 1 (0) 10675 (-3265) 6.01 (-0.08) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (0) 105 (0) 14074.08 (+221.30) 10943 (-680) 17703 (-1986) 0.35 (+0.00) 21.00 (+0.00)
Aggregated 5 (0) 105 (0) 14074.08 (+221.30) 10943 (-680) 17703 (-1986) 0.35 (+0.00) 21.00 (+0.00)

📄 Full Report

@ctron
Contributor

ctron commented Mar 31, 2025

/scale-test

🛠️ Scale test has started! Follow the progress here: Workflow Run

@ctron
Contributor

ctron commented Apr 1, 2025

/scale-test

github-actions bot commented Apr 1, 2025

🛠️ Scale test has started! Follow the progress here: Workflow Run

@mrizzi
Collaborator

mrizzi commented Apr 11, 2025

/scale-test

🛠️ Scale test has started! Follow the progress here: Workflow Run

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-04-11 10:23:29 25-04-11 10:23:34 00:00:05 0 → 5
Maintaining 25-04-11 10:23:34 25-04-11 10:28:34 00:05:00 5
Decreasing 25-04-11 10:28:34 25-04-11 10:28:47 00:00:13 0 ← 5

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
GET get_advisory_by_doc_id 56 (-45) 0 12.46 (-3.04) 3 (-1) 66 (0) 0.19 (-0.15) 0.00 (+0.00)
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 55 (-45) 0 1027.67 (-185.75) 469 (+28) 1972 (-488) 0.18 (-0.15) 0.00 (+0.00)
GET list_advisory 55 (-47) 0 519.02 (-2107.63) 339 (-1499) 1908 (-1500) 0.18 (-0.16) 0.00 (+0.00)
GET list_advisory_paginated 56 (-46) 0 451.46 (-2139.59) 302 (-1474) 1342 (-2041) 0.19 (-0.15) 0.00 (+0.00)
GET list_importer 55 (-44) 0 3.60 (-1.49) 1 (0) 47 (-9) 0.18 (-0.15) 0.00 (+0.00)
GET list_organizations 55 (-45) 0 13.91 (-2.94) 2 (0) 51 (0) 0.18 (-0.15) 0.00 (+0.00)
GET list_packages 55 (-44) 0 368.98 (-58.42) 123 (+19) 585 (-93) 0.18 (-0.15) 0.00 (+0.00)
GET list_packages_paginated 55 (-44) 0 363.53 (-54.98) 108 (+9) 562 (-44) 0.18 (-0.15) 0.00 (+0.00)
GET list_products 55 (-45) 0 13.33 (-2.33) 3 (0) 55 (-21) 0.18 (-0.15) 0.00 (+0.00)
GET list_sboms 55 (-45) 0 564.85 (-664.71) 418 (-136) 675 (-1222) 0.18 (-0.15) 0.00 (+0.00)
GET list_sboms_paginated 55 (-45) 0 590.87 (-398.88) 308 (+8) 1303 (-733) 0.18 (-0.15) 0.00 (+0.00)
GET list_vulnerabilities 55 (-46) 0 694.89 (-339.87) 130 (-256) 2788 (+1212) 0.18 (-0.15) 0.00 (+0.00)
GET list_vulnerabilities_paginated 55 (-45) 0 253.85 (-591.08) 77 (-157) 473 (-686) 0.18 (-0.15) 0.00 (+0.00)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 55 (-45) 0 40.69 (-16.57) 12 (+1) 103 (-75) 0.18 (-0.15) 0.00 (+0.00)
GET search_advisory 60 (-41) 0 17802.77 (+16683.29) 12957 (+12432) 23331 (+21630) 0.20 (-0.14) 0.00 (+0.00)
GET search_exact_purl 55 (-45) 0 8.15 (-1.81) 2 (0) 48 (-13) 0.18 (-0.15) 0.00 (+0.00)
GET search_purls 55 (-45) 0 4314.71 (+1963.49) 1494 (-129) 9325 (-3207) 0.18 (-0.15) 0.00 (+0.00)
Aggregated 942 (-762) 0 1674.03 (+788.79) 1 (0) 23331 (+10799) 3.14 (-2.54) 0.00 (+0.00)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
GET get_advisory_by_doc_id 6 (-2) 8 (-1) 9 (-1) 10 (-4) 35 (-18) 51 (-5) 55 (-8) 66 (0)
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 900 (-100) 900 (-100) 1,000 (-1,000) 1,972 (-28) 1,972 (-28) 1,972 (-28) 1,972 (-28) 1,972 (-28)
GET list_advisory 440 (-2,560) 480 (-2,520) 500 (-2,500) 500 (-2,500) 700 (-2,300) 800 (-2,200) 1,000 (-2,000) 1,908 (-1,092)
GET list_advisory_paginated 400 (-2,600) 410 (-2,590) 450 (-2,550) 500 (-2,500) 600 (-2,400) 700 (-2,300) 1,000 (-2,000) 1,000 (-2,000)
GET list_importer 2 (0) 3 (0) 3 (0) 4 (0) 6 (0) 6 (-7) 11 (-41) 47 (-9)
GET list_organizations 4 (-2) 5 (-3) 7 (-3) 41 (-3) 45 (-2) 45 (-5) 46 (-5) 51 (0)
GET list_packages 370 (-40) 390 (-30) 400 (-70) 420 (-70) 480 (-120) 585 (-15) 585 (-15) 585 (-93)
GET list_packages_paginated 370 (-50) 390 (-40) 400 (-80) 410 (-90) 480 (-20) 490 (-110) 500 (-100) 562 (-38)
GET list_products 8 (0) 9 (-1) 9 (-2) 11 (-4) 50 (-4) 53 (-4) 55 (-11) 55 (-21)
GET list_sboms 600 (-400) 600 (-400) 600 (-400) 600 (-400) 675 (-1,222) 675 (-1,222) 675 (-1,222) 675 (-1,222)
GET list_sboms_paginated 500 (-400) 600 (-400) 600 (-400) 800 (-200) 1,000 (-1,000) 1,000 (-1,000) 1,000 (-1,000) 1,000 (-1,000)
GET list_vulnerabilities 600 (-400) 600 (-400) 700 (-300) 800 (-200) 1,000 (0) 2,000 (+1,000) 2,000 (+1,000) 2,788 (+1,212)
GET list_vulnerabilities_paginated 250 (-550) 270 (-630) 290 (-610) 300 (-600) 370 (-630) 380 (-620) 470 (-530) 470 (-530)
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 27 (-4) 34 (-28) 60 (-8) 72 (-38) 83 (-47) 88 (-72) 92 (-78) 100 (-78)
GET search_advisory 17,000 (+16,000) 18,000 (+17,000) 19,000 (+18,000) 20,000 (+19,000) 21,000 (+20,000) 23,000 (+22,000) 23,000 (+21,299) 23,000 (+21,299)
GET search_exact_purl 5 (0) 5 (-1) 6 (0) 6 (-1) 12 (-6) 46 (-7) 47 (-10) 48 (-13)
GET search_purls 2,000 (0) 2,000 (0) 8,000 (+6,000) 9,000 (+7,000) 9,000 (+7,000) 9,000 (+7,000) 9,000 (-1,000) 9,000 (-3,532)
Aggregated 370 (-330) 420 (-480) 500 (-500) 700 (-1,300) 2,000 (0) 16,000 (+13,000) 21,000 (+18,000) 23,000 (+10,468)

Status Code Metrics

Method Name Status Codes
GET get_advisory_by_doc_id 56 [200]
GET get_sbom[sha256:f293eb89…6720f692ec5f3081] 55 [200]
GET list_advisory 55 [200]
GET list_advisory_paginated 56 [200]
GET list_importer 55 [200]
GET list_organizations 55 [200]
GET list_packages 55 [200]
GET list_packages_paginated 55 [200]
GET list_products 55 [200]
GET list_sboms 55 [200]
GET list_sboms_paginated 55 [200]
GET list_vulnerabilities 55 [200]
GET list_vulnerabilities_paginated 55 [200]
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 55 [200]
GET search_advisory 60 [200]
GET search_exact_purl 55 [200]
GET search_purls 55 [200]
Aggregated 942 [200]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 55 (-45) 0 (0) 14.56 (+1.44) 7 (+1) 31 (+10) 0.18 (-0.15) 0.00 (+0.00)
1.1 list_organizations 55 (-45) 0 (0) 14.11 (-2.85) 2 (0) 51 (0) 0.18 (-0.15) 0.00 (+0.00)
1.2 list_advisory 55 (-47) 0 (0) 519.07 (-2107.83) 339 (-1499) 1908 (-1502) 0.18 (-0.16) 0.00 (+0.00)
1.3 list_advisory_paginated 56 (-46) 0 (0) 451.55 (-2139.60) 302 (-1474) 1342 (-2041) 0.19 (-0.15) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 56 (-45) 0 (0) 12.55 (-3.00) 3 (-1) 66 (0) 0.19 (-0.15) 0.00 (+0.00)
1.5 search_advisory 60 (-41) 0 (0) 17802.83 (+16683.18) 12957 (+12432) 23331 (+21630) 0.20 (-0.14) 0.00 (+0.00)
1.6 list_vulnerabilities 55 (-46) 0 (0) 694.89 (-340.00) 130 (-256) 2788 (+1212) 0.18 (-0.15) 0.00 (+0.00)
1.7 list_vulnerabilities_paginated 55 (-45) 0 (0) 253.93 (-591.06) 77 (-157) 473 (-686) 0.18 (-0.15) 0.00 (+0.00)
1.8 list_importer 55 (-44) 0 (0) 3.64 (-1.52) 1 (0) 47 (-9) 0.18 (-0.15) 0.00 (+0.00)
1.9 list_packages 55 (-44) 0 (0) 369.02 (-58.46) 123 (+19) 585 (-93) 0.18 (-0.15) 0.00 (+0.00)
1.10 list_packages_paginated 55 (-44) 0 (0) 363.64 (-55.07) 108 (+9) 562 (-44) 0.18 (-0.15) 0.00 (+0.00)
1.11 search_purls 55 (-45) 0 (0) 4314.84 (+1963.51) 1494 (-129) 9325 (-3207) 0.18 (-0.15) 0.00 (+0.00)
1.12 search_exact_purl 55 (-45) 0 (0) 8.15 (-1.90) 2 (0) 48 (-13) 0.18 (-0.15) 0.00 (+0.00)
1.13 list_products 55 (-45) 0 (0) 13.36 (-2.38) 4 (+1) 55 (-21) 0.18 (-0.15) 0.00 (+0.00)
1.14 list_sboms 55 (-45) 0 (0) 564.89 (-664.81) 418 (-136) 675 (-1222) 0.18 (-0.15) 0.00 (+0.00)
1.15 list_sboms_paginated 55 (-45) 0 (0) 590.95 (-398.92) 308 (+8) 1303 (-733) 0.18 (-0.15) 0.00 (+0.00)
1.16 get_sbom[sha256:f293eb89…6720f692ec5f3081] 55 (-45) 0 (0) 1027.73 (-185.76) 469 (+28) 1972 (-488) 0.18 (-0.15) 0.00 (+0.00)
1.17 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 55 (-45) 0 (0) 40.85 (-16.49) 12 (+1) 103 (-75) 0.18 (-0.15) 0.00 (+0.00)
Aggregated 997 (-807) 0 (0) 1581.68 (+745.51) 1 (0) 23331 (+10799) 3.32 (-2.69) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (0) 55 (-45) 26773.64 (+11880.41) 22006 (+9488) 31175 (+12914) 0.18 (-0.15) 11.00 (-9.00)
Aggregated 5 (0) 55 (-45) 26773.64 (+11880.41) 22006 (+9488) 31175 (+12914) 0.18 (-0.15) 11.00 (-9.00)

📄 Full Report (Go to "Artifacts" and download report)


5 participants