Resolve cross-join in ProjectsGrades.grades_for with instance dashboard
Summary
The vulnerabilities/projects_grade.rb model has a scope to include projects which cannot be used when the tables are decomposed.
Further details
```ruby
def self.grades_for(vulnerables, filter: nil, include_subgroups: false)
  projects = vulnerables.map do |v|
    collection = include_subgroups ? v.all_projects : v.projects
    collection.non_archived
  end
  relation = ::Vulnerabilities::Statistic.for_project(projects.reduce(&:or))
  relation = relation.by_grade(filter) if filter
  relation = relation.allow_cross_joins_across_databases(url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/503387')
```
Proposal
2 options:
- Move the users_security_dashboard_projects table to gitlab_sec. It then becomes possible to join it with vulnerability_statistics without causing a cross-database join. See !175602 (comment 2279123735)
- Or, pluck the project IDs, and pass them to Vulnerabilities::Statistic.for_project.
Implementation for moving users_security_dashboard_projects to gitlab_sec
- Set schema of users_security_dashboard_projects to gitlab_sec.
- DB migration: Remove foreign keys to project_id and user_id.
- Declare project_id and user_id as loose foreign key.
- Change the base class of InstanceSecurityDashboard to Gitlab::Database::SecApplicationRecord.
- Remove #project_ids_with_security_reports, #users_projects_with_security_reports, and VulnerableHelpers#as_vulnerable_project.
- Handle any other cross join issues that may arise as a result.
- Remove allow_cross_joins_across_databases from InstanceSecurityDashboard, solving the cross-join in .grades_for.
Verification
To be tested manually using the user/instance security dashboard page.
Edited by Fabien Catteau