@mrizzi (Contributor) commented Oct 3, 2025

Add SBOM package license filtering with expanded SPDX LicenseRef resolution to achieve consistency with license filtering approach used in SBOM and Packages lists.

The SBOM package license filter BEFORE this change looks like this when filtering licenses for gpl+

[Screenshot 2025-10-03 at 10 18 09: SBOM package license filter before the change]

The SBOM package license filter WITH this change looks like this when filtering licenses for gpl+

[Screenshot 2025-10-03 at 10 17 53: SBOM package license filter with the change]

Changes

  • Enhanced license filtering and license expansion for SBOM packages:
    • Enables consistent license management across SBOM and package list endpoints, pretty clear from changes to current test
  • Deprecated licenses_ref_mapping field across all license endpoints because not useful anymore:
    • Now returns always an empty array
    • Updated OpenAPI specification to reflect deprecation
    • Updated test expectations to expect empty licenses_ref_mapping
  • Unified using shared PLSQL case_license_text_sbom_id function adding reusable get_case_license_text_sbom_id() helper function
  • Replaced raw SQL UNION queries in license service with SeaORM-based implementation
  • Updated test data to reflect expanded license expressions:
    • Increased recursion limit to 256 to parse extensive JSON expected results in test fetch_unique_licenses

Summary by Sourcery

Implement consistent license filtering for SBOM packages by expanding SPDX expressions, refactor the license service to use SeaORM and shared helpers, deprecate the licenses_ref_mapping field, and update tests and OpenAPI spec accordingly

New Features:

  • Enable license filtering in the SBOM packages endpoint with expanded SPDX license expression resolution

Enhancements:

  • Refactor license expansion and filtering logic to use SeaORM query builder and shared helper functions instead of raw SQL
  • Deprecate and remove licenses_ref_mapping across SBOM and PURL endpoints, returning an empty array
  • Unify use of the case_license_text_sbom_id PL/SQL function via a reusable helper
  • Increase recursion limit to 256 to support deep JSON structures in license tests

Documentation:

  • Mark licenses_ref_mapping as deprecated in the OpenAPI specification

Tests:

  • Update fetch_unique_licenses and PURL endpoint tests to expect expanded license expressions and empty licenses_ref_mapping
  • Add end-to-end tests for SBOM package license filtering covering exact matches, partial matches, combined filters, non-existent licenses, and pagination
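The behaviour the description attributes to this change, shown as an added illustration that is not code from the PR or from trustify: custom `LicenseRef-*` ids in a package's SPDX expression are resolved to the name declared for them in that SBOM's licensing infos (the `license_id` / `name` pairing of LICENSING_INFOS in the reviewer's guide), and the `license=` (exact) and `license~` (substring) filters seen in the tests are evaluated against the expanded expression rather than the raw one. The `Package` struct, the `LicensingInfos` map, the sample data and the minimal filter parsing are constructed assumptions for this example; the project's real query parser, `case_license_text_sbom_id` function and SeaORM queries are not reproduced.

```rust
use std::collections::HashMap;

/// Per-SBOM map from a custom `LicenseRef-*` id to the name declared for it.
/// Mirrors the LICENSING_INFOS (license_id -> name) pairing from the reviewer's
/// guide; the contents below are constructed sample data, not project data.
type LicensingInfos = HashMap<String, String>;

/// A package with the raw SPDX expression recorded in the SBOM (constructed).
struct Package {
    name: &'static str,
    license_expr: &'static str,
}

/// Expand every `LicenseRef-*` token in an SPDX expression to the name declared
/// for it in this SBOM. Standard ids, operators and unknown refs are kept as is;
/// parentheses attached to a token are preserved around the expanded name.
fn expand_license_expression(expr: &str, infos: &LicensingInfos) -> String {
    expr.split_whitespace()
        .map(|tok| {
            let lead = tok.chars().take_while(|c| *c == '(').count();
            let trail = tok.chars().rev().take_while(|c| *c == ')').count();
            let core = &tok[lead..tok.len() - trail];
            let expanded = infos.get(core).map(String::as_str).unwrap_or(core);
            format!("{}{}{}", "(".repeat(lead), expanded, ")".repeat(trail))
        })
        .collect::<Vec<_>>()
        .join(" ")
}

/// The two license filter forms used in the PR's tests: `license=<expr>` for an
/// exact (case-insensitive) match and `license~<text>` for a substring match.
enum LicenseFilter<'a> {
    Exact(&'a str),
    Contains(&'a str),
}

/// Minimal stand-in for the query parser (assumption): only the license field.
fn parse_license_filter(q: &str) -> Option<LicenseFilter<'_>> {
    if let Some(v) = q.strip_prefix("license=") {
        Some(LicenseFilter::Exact(v))
    } else if let Some(v) = q.strip_prefix("license~") {
        Some(LicenseFilter::Contains(v))
    } else {
        None // any other field is out of scope for this example
    }
}

/// Apply the filter to the *expanded* expression of each package, so a query for
/// a declared license name finds packages whose SBOM only carries the LicenseRef id.
fn filter_packages(
    packages: &[Package],
    infos: &LicensingInfos,
    filter: &LicenseFilter<'_>,
) -> Vec<&'static str> {
    packages
        .iter()
        .filter(|p| {
            let expanded = expand_license_expression(p.license_expr, infos);
            match filter {
                LicenseFilter::Exact(v) => expanded.eq_ignore_ascii_case(v),
                LicenseFilter::Contains(v) => expanded
                    .to_ascii_lowercase()
                    .contains(v.to_ascii_lowercase().as_str()),
            }
        })
        .map(|p| p.name)
        .collect()
}

/// Constructed licensing info: one custom ref declared in this SBOM.
fn sample_infos() -> LicensingInfos {
    HashMap::from([(
        "LicenseRef-Acme-1.0".to_string(),
        "Acme Proprietary License 1.0".to_string(),
    )])
}

/// Constructed packages; pkg-d carries a ref with no licensing info at all.
fn sample_packages() -> Vec<Package> {
    vec![
        Package { name: "pkg-a", license_expr: "LicenseRef-Acme-1.0 AND MIT" },
        Package { name: "pkg-b", license_expr: "GPL-2.0-or-later" },
        Package { name: "pkg-c", license_expr: "(MIT OR Apache-2.0) AND LicenseRef-Acme-1.0" },
        Package { name: "pkg-d", license_expr: "LicenseRef-Undeclared" },
    ]
}

fn main() {
    let infos = sample_infos();
    let packages = sample_packages();
    for q in ["license~gpl", "license~acme", "license=GPL-2.0-or-later", "license~LicenseRef"] {
        let filter = parse_license_filter(q).expect("constructed query is well-formed");
        println!("{q:<26} -> {:?}", filter_packages(&packages, &infos, &filter));
    }
}
```

The point the example makes is the one the PR title states: `license~acme` finds pkg-a and pkg-c only because filtering runs on the expanded text, while `license~LicenseRef` now matches only the undeclared ref in pkg-d, which is why the test fixtures in this PR had to be refreshed with expanded expressions.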

sourcery-ai bot (Contributor) commented Oct 3, 2025

Reviewer's Guide

Implements consistent license filtering for SBOM packages by adopting a SeaORM-based approach with unified SPDX expression expansion, deprecating legacy mapping fields, and updating tests and the OpenAPI spec for expanded license expressions.

Entity relationship diagram for deprecated LicenseRefMapping and expanded license filtering

erDiagram
    SBOM_PACKAGE ||--o{ SBOM_PACKAGE_LICENSE : has
    SBOM_PACKAGE_LICENSE }o--|| LICENSE : references
    SBOM_PACKAGE_LICENSE }o--|| LICENSING_INFOS : references
    SBOM_PACKAGE_PURL_REF }o--|| SBOM_PACKAGE : references
    SBOM_PACKAGE_PURL_REF }o--|| LICENSE : references
    PURL_DETAILS {
      licenses LicenseInfo
      licenses_ref_mapping LicenseRefMapping [deprecated]
    }
    LICENSE {
      text string
      spdx_licenses string[]
    }
    LICENSING_INFOS {
      name string
      license_id string
      sbom_id uuid
    }

File-Level Changes

Change Details Files
Enhanced SBOM package license filtering implementation
  • Integrated apply_license_filtering into SbomService.fetch_sbom_packages
  • Introduced create_sbom_package_license_filtering_base_query helper
  • Adjusted SQL translator to bypass main filter and rely on subqueries
  • Simplified package_from_row mapping to use empty license map
  • Added fetch_sbom_packages_filter_by_license service tests
modules/fundamental/src/sbom/service/sbom.rs
modules/fundamental/src/common/license_filtering.rs
modules/fundamental/src/sbom/service/test.rs
Migrate license expansion logic to SeaORM in LicenseService
  • Removed raw SQL UNION queries fetching expanded licenses
  • Built a SeaORM subquery selecting distinct expanded license expressions
  • Applied get_case_license_text_sbom_id helper in query
  • Selected license_name and license_id via Expr in the new SeaORM query
modules/fundamental/src/license/service/mod.rs
modules/fundamental/src/common/license_filtering.rs
Deprecate licenses_ref_mapping across API and model
  • Marked licenses_ref_mapping as deprecated in PurlDetails
  • Removed extraction and population of license_ref_mapping in PurlDetails
  • Updated PURL and SBOM endpoint tests to expect empty mapping
  • Annotated licenses_ref_mapping as deprecated in OpenAPI spec
modules/fundamental/src/purl/model/details/purl.rs
modules/fundamental/src/purl/endpoints/test.rs
modules/fundamental/src/sbom/endpoints/test.rs
openapi.yaml
Expand license expression coverage and update test fixtures
  • Updated sbom endpoints tests with extensive SPDX expression expansions
  • Increased Rust recursion_limit to support deep JSON parsing
  • Refreshed expected license_results in purl endpoints tests
  • Added new test entries for all-license-ids endpoint to cover combined expressions
modules/fundamental/src/sbom/endpoints/test.rs
modules/fundamental/src/lib.rs
modules/fundamental/src/purl/endpoints/test.rs

Possibly linked issues

  • #SBOM's Licenses => licenses dissapear with filtering: The PR fixes the bug where licenses disappeared from SBOM packages when a license filter was applied, ensuring all licenses are consistently displayed.
  • #Add a new field parsed_license_text to the license table.: The PR resolves custom license IDs to meaningful names in license expressions, directly fulfilling the issue's request for clearer license text.


@sourcery-ai sourcery-ai bot left a comment


Hey there - I've reviewed your changes - here's some feedback:

  • Review the decision to deprecate licenses_ref_mapping and always return an empty array—ensure no downstream clients still depend on that mapping or plan a migration path before removing it entirely.
  • The added #![recursion_limit = "256"] may hide overly deep JSON structures; consider refactoring the parser or expected-result definitions to avoid increasing the recursion limit.
  • The SBOM and package license filtering functions share a lot of query building logic—consider extracting common parts to reduce duplication and make maintenance easier.

## Individual Comments

### Comment 1
<location> `modules/fundamental/src/sbom/service/test.rs:383-386` </location>
<code_context>
+    log::debug!("All packages count: {}", all_packages.total);
+    assert_eq!(all_packages.total, 5388, "Should have packages in the SBOM");
+
+    // Test 2: Filter by specific license that exists
+    let license_filtered = service
+        .fetch_sbom_packages(
+            sbom_id,
+            q("license=GPLv2 AND GPLv2+ AND CC-BY"),
+            Paginated::default(),
+            &ctx.db,
+        )
+        .await?;
+
+    log::debug!("License filtered packages: {license_filtered:#?}");
+    // Should find packages with this specific license
+    // This validates that the license filtering is applied correctly
+    assert_eq!(license_filtered.total, 14);
+
+    // Test 3: Filter by partial license match
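Review bot: The filter value in `q("license=GPLv2 AND GPLv2+ AND CC-BY")` contains spaces and the token `AND`, so a reader of this hunk cannot tell whether the expected 14 packages are those whose single expanded expression equals that whole string or those carrying all three licenses; a one-line comment stating which, next to `assert_eq!(license_filtered.total, 14)`, would make the fixture-bound count checkable when the test data changes.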
</code_context>

<issue_to_address>
**suggestion (testing):** Consider adding assertions to check the actual package contents for license filtering.

Adding assertions for the license field values in the filtered packages will verify that the filter returns the correct data, not just the expected count.

```suggestion
    log::debug!("License filtered packages: {license_filtered:#?}");
    // Should find packages with this specific license
    // This validates that the license filtering is applied correctly
    assert_eq!(license_filtered.total, 14);

    // Assert that all returned packages have the expected license values
    let expected_licenses = ["GPLv2", "GPLv2+", "CC-BY"];
    for pkg in &license_filtered.packages {
        assert!(
            pkg.license.is_some(),
            "Package {:?} should have a license field",
            pkg
        );
        let license = pkg.license.as_ref().unwrap();
        assert!(
            expected_licenses.contains(&license.as_str()),
            "Package {:?} has unexpected license: {}",
            pkg,
            license
        );
    }
```
</issue_to_address>

### Comment 2
<location> `modules/fundamental/src/sbom/service/test.rs:431-451` </location>
<code_context>
+    // Should apply both license and name filters
+    assert_eq!(combined_filter.total, 11);
+
+    // Test 6: Pagination with license filtering
+    if partial_license_filtered.total > 1 {
+        let paginated = service
+            .fetch_sbom_packages(
+                sbom_id,
+                q("license~GPL"),
+                Paginated {
+                    offset: 0,
+                    limit: 1,
+                },
+                &ctx.db,
+            )
+            .await?;
+
+        log::debug!("Paginated license filtered packages: {paginated:#?}");
+        assert_eq!(paginated.items.len(), 1, "Should respect pagination limit");
+        assert_eq!(
+            paginated.total, partial_license_filtered.total,
+            "Total should match full query"
+        );
+    }
+
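Review bot: The `if partial_license_filtered.total > 1` guard turns the whole pagination block into a silent no-op if the fixture ever yields at most one `license~GPL` match; since the other counts in this test are asserted exactly (`assert_eq!(combined_filter.total, 11)`), replace the guard with `assert!(partial_license_filtered.total > 1, "fixture must contain several GPL packages")` so a fixture change fails loudly instead of skipping the `paginated.items.len()` and `paginated.total` checks.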
</code_context>

<issue_to_address>
**suggestion (testing):** Pagination logic is tested, but consider adding a test for offset > 0.

Adding a test with offset > 0 will help verify that items are correctly skipped during pagination.

```suggestion
    // Test 6: Pagination with license filtering
    if partial_license_filtered.total > 1 {
        // Fetch first item (offset 0)
        let paginated_first = service
            .fetch_sbom_packages(
                sbom_id,
                q("license~GPL"),
                Paginated {
                    offset: 0,
                    limit: 1,
                },
                &ctx.db,
            )
            .await?;

        log::debug!("Paginated license filtered packages (offset 0): {paginated_first:#?}");
        assert_eq!(paginated_first.items.len(), 1, "Should respect pagination limit");
        assert_eq!(
            paginated_first.total, partial_license_filtered.total,
            "Total should match full query"
        );

        // Fetch second item (offset 1)
        let paginated_second = service
            .fetch_sbom_packages(
                sbom_id,
                q("license~GPL"),
                Paginated {
                    offset: 1,
                    limit: 1,
                },
                &ctx.db,
            )
            .await?;

        log::debug!("Paginated license filtered packages (offset 1): {paginated_second:#?}");
        assert_eq!(paginated_second.items.len(), 1, "Should respect pagination limit for offset > 0");
        assert_eq!(
            paginated_second.total, partial_license_filtered.total,
            "Total should match full query for offset > 0"
        );
        assert_ne!(
            paginated_first.items[0], paginated_second.items[0],
            "Items at offset 0 and offset 1 should be different"
        );
    }
```
</issue_to_address>

### Comment 3
<location> `modules/fundamental/src/sbom/endpoints/test.rs:355` </location>
<code_context>
+        "license_id": "Zlib AND Sendmail AND LGPLv2+"
       }
     ]);
+    log::debug!("{:#}", json!(response));
     assert!(expected_result.contains_subset(response.clone()));
-    log::debug!("{response:#?}");
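Review bot: `assert!(expected_result.contains_subset(response.clone()))` only shows that the expected entries are present, not that nothing extra came back after the expansion; alongside it, assert that the number of entries in `response` equals the number in `expected_result` so over-inclusion is caught. The relocated `log::debug!("{:#}", json!(response))` is fine, though the `json!` wrapper is redundant if `response` is already a `serde_json::Value`.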
</code_context>

<issue_to_address>
**suggestion (testing):** Test expectations updated for expanded license expressions.

Consider adding assertions to ensure the response does not include unexpected licenses or that its length matches expectations, to better detect over-inclusion errors.
</issue_to_address>


codecov bot commented Oct 3, 2025

Codecov Report

❌ Patch coverage is 97.10145% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.30%. Comparing base (2c357b0) to head (7d398f8).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| modules/fundamental/src/license/service/mod.rs | 95.65% | 0 Missing and 1 partial ⚠️ |
| modules/fundamental/src/purl/model/details/purl.rs | 94.11% | 0 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2011      +/-   ##
==========================================
+ Coverage   68.20%   68.30%   +0.10%     
==========================================
  Files         359      359              
  Lines       19947    19940       -7     
  Branches    19947    19940       -7     
==========================================
+ Hits        13604    13620      +16     
+ Misses       5561     5536      -25     
- Partials      782      784       +2     


Comment on lines +233 to +239
.translator(|field, _operator, _value| {
match field {
// Add an empty condition (effectively TRUE) to the main SQL query
// since the real filtering by license happens in the license subqueries above
LICENSE => Some("".to_string()),
_ => None,
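Review bot: The comment on `LICENSE => Some("".to_string())` says what the empty condition does but not why the arm must exist; the discussion below shows that without the translator the query parser rejects `license` as an invalid field, so say that in the comment (for example "keep `license` a known field; the real predicate is built in the subqueries") so the next reader does not remove the arm as dead code.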
Contributor commented:

Is this really necessary? Seems like the result would be the same if you just eliminated the .translator(...) call entirely, no?

mrizzi (Contributor Author) replied:

It is necessary otherwise the result, if eliminated, would be

Error: Query syntax error: 'license' is an invalid field. Try [cpe_id, group, id, license_id, license_type, name, namespace, node_id, qualified_purl_id, sbom_id, spdx_license_exceptions, spdx_licenses, text, type, version]

Contributor replied:

I didn't understand your comment until I looked more deeply at the code and realized that #1987 kinda snuck by me because I don't love exposing Constraint in the query api. I'm more in the "tell don't ask" camp of api design. 🥲

I feel like the union of the spdx and cyclonedx queries is an expression that should be added here, thereby obviating the need for the translator. But I wouldn't want to take on that refactoring in this PR.

mrizzi (Contributor Author) replied:

Basically this PR is all about ensuring consistency for the SBOM packages license filter with all the other filters by license.

@mrizzi mrizzi added the backport release/0.4.z Backport (0.4.z) label Oct 6, 2025
@mrizzi mrizzi requested a review from jcrossley3 October 6, 2025 14:55
@mrizzi mrizzi force-pushed the sbom-packages-license-filter branch 2 times, most recently from 3f701f3 to 08f8e9c Compare October 8, 2025 07:12
@PhilipCattanach commented:
@jcrossley3 - Jim this is the last piece of the puzzle regarding the License Search changes. We had to make some compromises with the as we didn't want to change the data model in this release and introduce data migration challenges. Instead Marco did the best he could with the existing, flawed, data model (it should be SBOM specification agnostic, but isn't). So with that said, is there anything preventing this PR from getting merged?

Signed-off-by: mrizzi <[email protected]>
Assisted-by: Claude Code
@mrizzi mrizzi force-pushed the sbom-packages-license-filter branch from 08f8e9c to 7d398f8 Compare October 8, 2025 12:26
@jcrossley3 (Contributor) commented:

> @jcrossley3 - Jim this is the last piece of the puzzle regarding the License Search changes. We had to make some compromises with the as we didn't want to change the data model in this release and introduce data migration challenges. Instead Marco did the best he could with the existing, flawed, data model (it should be SBOM specification agnostic, but isn't). So with that said, is there anything preventing this PR from getting merged?

Not to my knowledge. Merge away!

@mrizzi mrizzi added this pull request to the merge queue Oct 8, 2025
Merged via the queue into guacsec:main with commit 8f4eaba Oct 8, 2025
6 checks passed
@mrizzi mrizzi deleted the sbom-packages-license-filter branch October 8, 2025 14:44
@trustify-ci-bot commented:
Successfully created backport PR for release/0.4.z:

@mrizzi (Contributor Author) commented Oct 9, 2025

/scale-test

github-actions bot commented Oct 9, 2025

🛠️ Scale test has started! Follow the progress here: Workflow Run

github-actions bot commented Oct 9, 2025

Goose Attack Report

Plan Overview

| Action | Started | Stopped | Elapsed | Users |
|---|---|---|---|---|
| Increasing | 25-10-09 07:52:25 | 25-10-09 07:52:30 | 00:00:05 | 0 → 5 |
| Maintaining | 25-10-09 07:52:30 | 25-10-09 07:57:31 | 00:05:01 | 5 |
| Decreasing | 25-10-09 07:57:31 | 25-10-09 07:59:26 | 00:01:55 | 0 ← 5 |

Request Metrics

| Method | Name | # Requests | # Fails | Average (ms) | Min (ms) | Max (ms) | RPS | Failures/s |
|---|---|---|---|---|---|---|---|---|
| GET | get_analysis_latest_cpe | 5 (0) | 0 | 181.80 (+18.20) | 107 (+12) | 271 (+49) | 0.02 (+0.00) | 0.00 (+0.00) |
| GET | get_analysis_status | 5 (0) | 0 | 3.60 (+1.40) | 3 (+2) | 5 (0) | 0.02 (+0.00) | 0.00 (+0.00) |
| GET | get_purl_gc | 5 (0) | 0 | 97694.00 (+1661.40) | 64987 (+3163) | 106244 (+1632) | 0.02 (+0.00) | 0.00 (+0.00) |
| GET | get_sbom[sha256:720e4451…a939656247164447] | 5 (0) | 0 | 1052.80 (-514.00) | 929 (-364) | 1318 (-469) | 0.02 (+0.00) | 0.00 (+0.00) |
| GET | get_sbom_license_ids[urn:uuid:019731…104-331632a21144] | 5 (0) | 5 | 300000.81 (+0.00) | 300000 (0) | 300001 (0) | 0.02 (+0.00) | 0.02 (+0.00) |
| GET | list_products | 5 (0) | 0 | 9.40 (+0.20) | 9 (+1) | 10 (0) | 0.02 (+0.00) | 0.00 (+0.00) |
| GET | list_sboms | 5 (0) | 0 | 585.20 (+0.80) | 581 (0) | 592 (+5) | 0.02 (+0.00) | 0.00 (+0.00) |
| GET | list_sboms_paginated | 5 (0) | 0 | 2092.00 (+34.80) | 1994 (+12) | 2204 (+12) | 0.02 (+0.00) | 0.00 (+0.00) |
| GET | sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] | 5 (0) | 0 | 312.00 (+46.40) | 93 (-8) | 403 (-75) | 0.02 (+0.00) | 0.00 (+0.00) |
| GET | search_exact_purl | 5 (0) | 0 | 9.00 (+0.80) | 7 (+2) | 11 (0) | 0.02 (+0.00) | 0.00 (+0.00) |
| GET | search_purls | 5 (0) | 0 | 7137.20 (-51.00) | 5162 (-123) | 8810 (+1) | 0.02 (+0.00) | 0.00 (+0.00) |
| | Aggregated | 55 (0) | 5 | 37188.89 (+109.00) | 3 (+2) | 300001 (0) | 0.18 (+0.00) | 0.02 (+0.00) |

Response Time Metrics

| Method | Name | 50%ile (ms) | 60%ile (ms) | 70%ile (ms) | 80%ile (ms) | 90%ile (ms) | 95%ile (ms) | 99%ile (ms) | 100%ile (ms) |
|---|---|---|---|---|---|---|---|---|---|
| GET | get_analysis_latest_cpe | 180 (0) | 180 (0) | 190 (-20) | 190 (-20) | 270 (+50) | 270 (+50) | 270 (+50) | 270 (+50) |
| GET | get_analysis_status | 3 (+1) | 3 (+1) | 4 (+2) | 4 (+2) | 5 (0) | 5 (0) | 5 (0) | 5 (0) |
| GET | get_purl_gc | 106,000 (+1,388) | 106,000 (+1,388) | 106,000 (+1,388) | 106,000 (+1,388) | 106,000 (+1,388) | 106,000 (+1,388) | 106,000 (+1,388) | 106,000 (+1,388) |
| GET | get_sbom[sha256:720e4451…a939656247164447] | 1,000 (-787) | 1,000 (-787) | 1,000 (-787) | 1,000 (-787) | 1,000 (-787) | 1,000 (-787) | 1,000 (-787) | 1,000 (-787) |
| GET | get_sbom_license_ids[urn:uuid:019731…104-331632a21144] | 300,000 (0) | 300,000 (0) | 300,000 (0) | 300,000 (0) | 300,000 (0) | 300,000 (0) | 300,000 (0) | 300,000 (0) |
| GET | list_products | 9 (0) | 9 (0) | 10 (0) | 10 (0) | 10 (0) | 10 (0) | 10 (0) | 10 (0) |
| GET | list_sboms | 592 (+5) | 592 (+5) | 592 (+5) | 592 (+5) | 592 (+5) | 592 (+5) | 592 (+5) | 592 (+5) |
| GET | list_sboms_paginated | 2,000 (0) | 2,000 (0) | 2,000 (0) | 2,000 (0) | 2,000 (0) | 2,000 (0) | 2,000 (0) | 2,000 (0) |
| GET | sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] | 370 (+160) | 370 (+160) | 380 (-40) | 380 (-40) | 400 (-78) | 400 (-78) | 400 (-78) | 400 (-78) |
| GET | search_exact_purl | 9 (0) | 9 (0) | 10 (0) | 10 (0) | 11 (0) | 11 (0) | 11 (0) | 11 (0) |
| GET | search_purls | 7,000 (0) | 7,000 (0) | 8,000 (0) | 8,000 (0) | 8,810 (+1) | 8,810 (+1) | 8,810 (+1) | 8,810 (+1) |
| | Aggregated | 600 (0) | 1,000 (-1,000) | 2,000 (0) | 8,000 (0) | 106,000 (+1,000) | 300,000 (0) | 300,000 (0) | 300,000 (0) |

Status Code Metrics

| Method | Name | Status Codes |
|---|---|---|
| GET | get_analysis_latest_cpe | 5 [200] |
| GET | get_analysis_status | 5 [200] |
| GET | get_purl_gc | 5 [200] |
| GET | get_sbom[sha256:720e4451…a939656247164447] | 5 [200] |
| GET | get_sbom_license_ids[urn:uuid:019731…104-331632a21144] | 5 [0] |
| GET | list_products | 5 [200] |
| GET | list_sboms | 5 [200] |
| GET | list_sboms_paginated | 5 [200] |
| GET | sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] | 5 [200] |
| GET | search_exact_purl | 5 [200] |
| GET | search_purls | 5 [200] |
| | Aggregated | 50 [200], 5 [0] |

Transaction Metrics

| Transaction | # Times Run | # Fails | Average (ms) | Min (ms) | Max (ms) | RPS | Failures/s |
|---|---|---|---|---|---|---|---|
| WebsiteUser | | | | | | | |
| 0.0 logon | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 0.1 website_index | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 0.2 website_openapi | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 0.3 website_sboms | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 0.4 website_packages | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 0.5 website_advisories | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 0.6 website_importers | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| RestAPIUser | | | | | | | |
| 1.0 logon | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.1 list_organizations | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.2 list_advisory | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.3 list_advisory_paginated | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.4 get_advisory_by_doc_id | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.5 search_advisory | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.6 list_vulnerabilities | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.7 list_vulnerabilities_paginated | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.8 list_importer | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.9 list_packages | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.10 list_packages_paginated | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.11 search_purls | 5 (0) | 0 (0) | 7137.20 (-51.00) | 5162 (-123) | 8810 (+1) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.12 search_exact_purl | 5 (0) | 0 (0) | 9.40 (+1.20) | 8 (+3) | 11 (0) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.13 list_products | 5 (0) | 0 (0) | 9.40 (+0.20) | 9 (+1) | 10 (0) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.14 list_sboms | 5 (0) | 0 (0) | 585.40 (+1.00) | 582 (+1) | 592 (+5) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.15 list_sboms_paginated | 5 (0) | 0 (0) | 2092.00 (+34.80) | 1994 (+12) | 2204 (+12) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.16 get_analysis_status | 5 (0) | 0 (0) | 3.60 (+1.40) | 3 (+2) | 5 (0) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.17 get_analysis_latest_cpe | 5 (0) | 0 (0) | 182.00 (+18.40) | 107 (+12) | 271 (+49) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.18 get_purl_gc | 5 (0) | 0 (0) | 97694.00 (+1661.40) | 64987 (+3163) | 106244 (+1632) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.19 get_sbom[sha256:720e4451…a939656247164447] | 5 (0) | 0 (0) | 1053.20 (-513.60) | 929 (-364) | 1318 (-469) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.20 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] | 5 (0) | 0 (0) | 312.40 (+46.80) | 94 (-7) | 403 (-75) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.21 get_sbom_license_ids[urn:uuid:019731…104-331632a21144] | 5 (0) | 0 (0) | 300000.81 (+0.00) | 300000 (0) | 300001 (0) | 0.02 (+0.00) | 0.00 (+0.00) |
| 1.22 post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| 1.23 get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| Aggregated | 55 (0) | 0 (0) | 37188.89 (+109.00) | 3 (+2) | 300001 (0) | 0.18 (+0.00) | 0.00 (+0.00) |

Scenario Metrics

| Transaction | # Users | # Times Run | Average (ms) | Min (ms) | Max (ms) | Scenarios/s | Iterations |
|---|---|---|---|---|---|---|---|
| WebsiteUser | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| RestAPIUser | 0 (0) | 0 (0) | 0.00 (+0.00) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |
| Aggregated | 0 (0) | 0 (0) | NaN (NaN) | 0 (0) | 0 (0) | 0.00 (+0.00) | 0.00 (+0.00) |

Error Metrics

| Method | Name | # | Error |
|---|---|---|---|
| GET | get_sbom_license_ids[urn:uuid:019731…104-331632a21144] | 5 (0) | error sending request get_sbom_license_ids[urn:uuid:019731…104-331632a21144]: operation timed out |



Labels

backport release/0.4.z Backport (0.4.z)
