
AIBOM-CBOM #1991

Merged
dejanb merged 1 commit into guacsec:main from desmax74:TC-1910 on Oct 8, 2025

Conversation

@desmax74

@desmax74 desmax74 commented Sep 25, 2025

AI label added when the CycloneDX 1.6 file contains "type": "machine-learning-model" on the components, based on the spec https://cyclonedx.org/docs/1.6/json/#components_items_type

See: https://issues.redhat.com/browse/TC-1910

Summary by Sourcery

Add tests and fixtures to validate ingestion and analysis of AI BOM (AIBOM) CycloneDX SBOMs and ensure component group and version fields are correctly captured for SPDX and CycloneDX packages.

Tests:

  • Introduce test_simple_analysis_aibom_cyclonedx_service to verify the analysis service correctly retrieves root traces and implicit relationships from AIBOM CycloneDX documents
  • Add ingest_add_group_field_spdx and ingest_add_group_field_cyclonedx tests to confirm component_group and component_version fields are handled appropriately for SPDX and CycloneDX SBOMs
  • Include multiple CycloneDX AIBOM JSON fixtures under etc/test-data to support AI model SBOM testing

Summary by Sourcery

Tag CycloneDX SBOMs with an AI label when machine-learning-model components are present and validate the ingestion with new tests and fixtures.

New Features:

  • Add support to label CycloneDX SBOMs as AI when they include machine-learning-model components

Enhancements:

  • Refactor CycloneDX loader to use a new extract_labels function for applying 'type' and conditional 'ai' labels

Tests:

  • Add ingestion tests and JSON fixtures for Nvidia and IBM CycloneDX AI BOM scenarios

@sourcery-ai

sourcery-ai bot commented Sep 25, 2025

Reviewer's Guide

The CycloneDX SBOM loader has been refactored to centralize label extraction and extended to detect AI model components by adding an "ai" label; new integration tests and JSON fixtures have been added to validate ingestion of AIBOM CycloneDX documents.

Sequence diagram for ingesting an AIBOM CycloneDX SBOM

sequenceDiagram
    participant Test as "Test Function"
    participant Ingestor as "IngestorService"
    participant Loader as "CyclonedxLoader"
    participant Labels as "Labels"
    Test->>Ingestor: ingest(data, Format::CycloneDX, ...)
    Ingestor->>Loader: load(buffer)
    Loader->>Labels: extract_labels(components)
    Labels-->>Loader: labels (with "ai" if AI model found)
    Loader-->>Ingestor: processed SBOM with labels
    Ingestor-->>Test: ingestion result

Class diagram for CycloneDX SBOM loader label extraction changes

classDiagram
    class CyclonedxLoader {
        +load(buffer: &[u8])
    }
    class Labels {
        +add(key: &str, value: &str) Labels
    }
    class Component {
        +type_: String
    }
    CyclonedxLoader --> Labels
    CyclonedxLoader --> Component
    CyclonedxLoader : +extract_labels(components: Option<&Vec<Component>>) Labels
    Labels <.. extract_labels
    extract_labels --> Component
    extract_labels --> Labels

File-Level Changes

Change Details Files
Refactor CyclonedxLoader to externalize label extraction
  • Extract inline label building into a new extract_labels function
  • Replace direct labels.add call with extract_labels invocation in load method
modules/ingestor/src/service/sbom/cyclonedx.rs
Add AI model detection and labeling
  • Detect components with type machine-learning-model in extract_labels
  • Append ai=machine-learning-model label when such components exist
modules/ingestor/src/service/sbom/cyclonedx.rs
Introduce integration tests for AI BOM CycloneDX ingestion
  • Add ingest_ai_cyclonedx_nvidia and ingest_ai_cyclonedx_ibm tests
  • Assert ingestion succeeds with correct type and ai labels
modules/ingestor/src/service/sbom/cyclonedx.rs
Add CycloneDX AI BOM JSON test fixtures
  • Introduce NVIDIA AIBOM fixture under etc/test-data/cyclonedx/ai
  • Introduce IBM AIBOM fixture under etc/test-data/cyclonedx/ai
etc/test-data/cyclonedx/ai/nvidia_canary-1b-v2_aibom.json
etc/test-data/cyclonedx/ai/ibm-granite_granite-docling-258M_aibom.json


@helio-frota

@desmax74 format : )

@desmax74 desmax74 requested a review from dejanb October 6, 2025 07:41
@desmax74 desmax74 force-pushed the TC-1910 branch 3 times, most recently from f777708 to 9cc19d7 October 6, 2025 08:08
@dejanb

dejanb commented Oct 6, 2025

Searching through all components to determine a label might become problematic for large sboms.

I would suggest that we try to figure out if we can determine what we need at this stage using the metadata section of the SBOM. By looking into the current examples we have, I think we can do it either by examining the type of the metadata.component.type, which has value machine-learning-modell (I'm not sure if modell is a typo?).

Or in case like in the tests here, looking for the property typeOfModel which should indicate that we have a model.

Both of these pieces of information could indicate that ai is used in the sbom.

If we need to search for the model in the components, I would propose that we do things like we do for other sbom entities: create a Creator/Processor that will be called while iterating through components (in a single iteration per sbom) and extract the necessary information. In the first iteration we can only add a label, but later on we can extract model card information and store it in the database.

@dejanb

dejanb commented Oct 6, 2025

If we are going to switch to the current approach, here are some quick code improvements that avoid duplicate value assignments and improve performance, as they exit the loop when the first model is encountered

diff --git a/modules/ingestor/src/service/sbom/cyclonedx.rs b/modules/ingestor/src/service/sbom/cyclonedx.rs
index 17343837..336ec036 100644
--- a/modules/ingestor/src/service/sbom/cyclonedx.rs
+++ b/modules/ingestor/src/service/sbom/cyclonedx.rs
@@ -30,7 +30,7 @@ impl<'g> CyclonedxLoader<'g> {
         let cdx: Box<serde_cyclonedx::cyclonedx::v_1_6::CycloneDx> = serde_json::from_slice(buffer)
             .map_err(|err| Error::UnsupportedFormat(format!("Failed to parse: {err}")))?;

-        let labels = labels_with_ai_type_check(cdx.components.clone());
+        let labels = extract_labels(cdx.components.as_ref());

         log::info!(
             "Storing - version: {:?}, serialNumber: {:?}",
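Review bot: passing `cdx.components.as_ref()` instead of `cdx.components.clone()` in `+        let labels = extract_labels(cdx.components.as_ref());` removes a full copy of the component vector on every ingest, which is the right trade-off given the large-SBOM concern raised earlier in this thread; since the labels are computed immediately before the `log::info!` that records version and serialNumber, consider including the resulting labels in that same message so the `ai` classification decision is visible in ingestion logs without a database lookup.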
@@ -76,22 +76,20 @@ impl<'g> CyclonedxLoader<'g> {
     }
 }

-fn labels_with_ai_type_check(components: Option<Vec<Component>>) -> Labels {
-    match components {
-        Some(vec) => {
-            for component in vec {
-                if component.type_ == "machine-learning-model" {
-                    return Labels::new()
-                        .add("type", "cyclonedx")
-                        .add("ai", "machine-learning-model");
-                }
-            }
-        }
-        None => {
-            return Labels::new().add("type", "cyclonedx");
+fn extract_labels(components: Option<&Vec<Component>>) -> Labels {
+    let mut labels = Labels::new().add("type", "cyclonedx");
+
+    // find if there are machine learning model components in the SBOM
+    if let Some(components) = components {
+        if components
+            .iter()
+            .any(|c| c.type_ == "machine-learning-model")
+        {
+            labels = labels.add("ai", "machine-learning-model");
         }
     }
-    Labels::new().add("type", "cyclonedx")
+
+    labels
 }

 #[cfg(test)]
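Review bot: `components.iter().any(|c| c.type_ == "machine-learning-model")` only inspects the top-level `components` vector; CycloneDX allows a component to carry its own nested `components`, so a model packaged inside an application component would not receive the `ai` label unless this check recurses into `c.components` as well. The literal `"machine-learning-model"` is also used twice here, as the match value and as the label value in `labels = labels.add("ai", "machine-learning-model");`, and will be repeated in the tests; a module-level `const` would keep them in sync. The `None` arm dropped from `labels_with_ai_type_check` is correctly covered: when `if let Some(components)` does not match, the function falls through to the `type=cyclonedx` default.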

Before approving this, let's test whether there is any ingestion performance degradation for cyclonedx. I'll try to find a good example.

@dejanb

dejanb commented Oct 6, 2025

I don't think we have a good one in our examples yet, but this one with ~400 components can be a good start

https://github.com/guacsec/guac-data/blob/main/docs/cyclonedx/syft-cyclonedx-docker.io-library-postgres.latest.json

@ctron

ctron commented Oct 6, 2025

Just noticed this PR and how it works. There's another PR, which actually imports those properties: #1913

I use this as an example for currently ignored data.

@dejanb

dejanb commented Oct 7, 2025

@ctron Thanks for the pointer. Unfortunately, it turns out that those properties are not reliable in identifying ai components in the sbom. I think searching through the components is the only way. The good news is that this process doesn't slow down the ingestion process in the first tests.

The other option is to create a full AIModelProcessor and use it in the Creator. The only issue is that the process would need to additionally update the SBOM, as it is inserted before the creator is used. Although we will need to create a processor at the point when we start ingesting model data in the database, I think this sort of setting labels for the sbom based on the component search has its place and we can go with it for now.
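To make the two approaches discussed in this thread concrete (the cheap metadata.component check dejanb proposed, and the component scan the PR settled on), here is an added example written for this page. It is not trustify's code and not the code in this PR: the structs are a hand-rolled stand-in for the serde_cyclonedx v1.6 types (field names assumed to match, so the example runs without external crates), the walk recurses into nested components, and, following the final commit message's mention of crypto components, it also labels CycloneDX 1.6 `cryptographic-asset` components under an assumed `crypto` label key. It includes the negative case (an SBOM with no model) that Sourcery asked for.

```rust
// Added example, not trustify's code. The structs below stand in for the
// serde_cyclonedx v1.6 types (assumed field names); the "crypto" label key is
// an assumption, since the PR itself only shows the "ai" key.
use std::collections::BTreeMap;

#[derive(Debug, Clone, Default)]
pub struct Component {
    pub type_: String,
    pub name: String,
    pub components: Option<Vec<Component>>, // CycloneDX allows nested components
}

#[derive(Debug, Clone, Default)]
pub struct Metadata {
    pub component: Option<Component>,
}

#[derive(Debug, Clone, Default)]
pub struct CycloneDx {
    pub metadata: Option<Metadata>,
    pub components: Option<Vec<Component>>,
}

/// Stand-in for trustify's Labels: ordered key/value pairs with a builder-style add.
#[derive(Debug, Clone, Default, PartialEq)]
pub struct Labels(BTreeMap<String, String>);

impl Labels {
    pub fn new() -> Self {
        Self::default()
    }
    pub fn add(mut self, key: &str, value: &str) -> Self {
        self.0.insert(key.to_string(), value.to_string());
        self
    }
    pub fn get(&self, key: &str) -> Option<&str> {
        self.0.get(key).map(String::as_str)
    }
}

/// CycloneDX 1.6 component type names; one constant keeps match value, label value and tests in sync.
pub const ML_MODEL: &str = "machine-learning-model";
pub const CRYPTO_ASSET: &str = "cryptographic-asset";

/// Depth-first search over a component tree; `any` short-circuits at the first match.
fn any_component_of_type(components: Option<&Vec<Component>>, wanted: &str) -> bool {
    components.map_or(false, |cs| {
        cs.iter()
            .any(|c| c.type_ == wanted || any_component_of_type(c.components.as_ref(), wanted))
    })
}

/// True if the primary component (metadata.component) or any nested component has type `wanted`.
fn document_has_type(cdx: &CycloneDx, wanted: &str) -> bool {
    let primary = cdx.metadata.as_ref().and_then(|m| m.component.as_ref());
    if primary.map_or(false, |c| c.type_ == wanted) {
        return true; // cheap check hit: no need to scan the component list
    }
    any_component_of_type(cdx.components.as_ref(), wanted)
}

/// Always sets type=cyclonedx; adds ai / crypto only when a matching component exists.
pub fn extract_labels(cdx: &CycloneDx) -> Labels {
    let mut labels = Labels::new().add("type", "cyclonedx");
    if document_has_type(cdx, ML_MODEL) {
        labels = labels.add("ai", ML_MODEL);
    }
    if document_has_type(cdx, CRYPTO_ASSET) {
        labels = labels.add("crypto", CRYPTO_ASSET);
    }
    labels
}

// --- constructed sample documents (not the PR's fixtures) ---
fn comp(type_: &str, name: &str, nested: Option<Vec<Component>>) -> Component {
    Component { type_: type_.into(), name: name.into(), components: nested }
}

/// AIBOM whose model sits two levels down inside an application component.
pub fn sample_aibom() -> CycloneDx {
    let model = comp(ML_MODEL, "example-model (constructed)", None);
    let runtime = comp("library", "inference-runtime", Some(vec![model]));
    CycloneDx {
        metadata: Some(Metadata { component: Some(comp("application", "chat-service", None)) }),
        components: Some(vec![
            comp("library", "tokenizer", None),
            comp("application", "serving", Some(vec![runtime])),
        ]),
    }
}

/// Ordinary SBOM with libraries only: the negative case, no ai/crypto labels expected.
pub fn sample_plain_sbom() -> CycloneDx {
    CycloneDx {
        metadata: Some(Metadata { component: Some(comp("application", "web-app", None)) }),
        components: Some(vec![comp("library", "serde", None), comp("library", "tokio", None)]),
    }
}

/// CBOM whose primary component is a cryptographic asset and whose components list is absent.
pub fn sample_cbom_metadata_only() -> CycloneDx {
    CycloneDx {
        metadata: Some(Metadata { component: Some(comp(CRYPTO_ASSET, "aes-256-gcm", None)) }),
        components: None,
    }
}

fn main() {
    for (name, doc) in [
        ("aibom", sample_aibom()),
        ("plain", sample_plain_sbom()),
        ("cbom", sample_cbom_metadata_only()),
    ] {
        println!("{name}: {:?}", extract_labels(&doc));
    }
}
```

The metadata check runs first so a BOM whose primary component is itself the model or crypto asset is labelled without touching the component list; the recursive walk only runs when that check misses, and `any` stops at the first hit, so the cost on an ordinary SBOM is one pass over the tree.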

@desmax74 desmax74 force-pushed the TC-1910 branch 2 times, most recently from 26e68c2 to a0fb298 October 7, 2025 11:06
@desmax74 desmax74 marked this pull request as ready for review October 7, 2025 11:12

@sourcery-ai sourcery-ai bot left a comment


Hey there - I've reviewed your changes - here's some feedback:

  • extract_labels currently creates a brand-new Labels object instead of augmenting the incoming labels—consider changing it to take and merge with the existing labels to preserve other metadata.
  • The AI component type is hardcoded as "machine-learning-model"—it would be more future-proof to parameterize or extract this list into a constant or config so you can easily support additional AI types later.
  • Add a negative test case for a CycloneDX SBOM without any ML components to assert that the "ai" label is only added when appropriate, preventing false positives.

@desmax74 desmax74 force-pushed the TC-1910 branch 2 times, most recently from eada6c6 to f244087 October 7, 2025 14:26
@codecov

codecov bot commented Oct 7, 2025

Codecov Report

❌ Patch coverage is 95.83333% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 68.22%. Comparing base (e710813) to head (db54ccd).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
modules/ingestor/src/service/sbom/cyclonedx.rs 95.83% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1991      +/-   ##
==========================================
- Coverage   68.43%   68.22%   -0.22%     
==========================================
  Files         359      359              
  Lines       19923    19947      +24     
  Branches    19923    19947      +24     
==========================================
- Hits        13634    13608      -26     
- Misses       5504     5559      +55     
+ Partials      785      780       -5     


@desmax74 desmax74 changed the title AIBOM AIBOM-CBOM Oct 8, 2025
@desmax74 desmax74 force-pushed the TC-1910 branch 2 times, most recently from a50b271 to 72e5ed4 October 8, 2025 09:19
This PR loops through the sbom components and applies a kind label if it finds ai or crypto components inside

Signed-off-by: desmax74 <mdessi@redhat.com>
@dejanb dejanb added this pull request to the merge queue Oct 8, 2025
Merged via the queue into guacsec:main with commit 2c357b0 Oct 8, 2025
5 of 6 checks passed
@mrizzi

mrizzi commented Oct 9, 2025

/scale-test

@github-actions

github-actions bot commented Oct 9, 2025

🛠️ Scale test has started! Follow the progress here: Workflow Run

@github-actions

github-actions bot commented Oct 9, 2025

Goose Report

Goose Attack Report

Plan Overview

Action Started Stopped Elapsed Users
Increasing 25-10-09 08:01:19 25-10-09 08:01:24 00:00:05 0 → 5
Maintaining 25-10-09 08:01:24 25-10-09 08:06:24 00:05:00 5
Decreasing 25-10-09 08:06:24 25-10-09 08:06:24 00:00:00 0 ← 5

Request Metrics

Method Name # Requests # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
GET get_advisory_by_doc_id 20 0 12.20 3 37 0.07 0.00
GET get_analysis_latest_cpe 25 (+20) 0 166.00 (+2.40) 42 (-53) 350 (+128) 0.08 (+0.07) 0.00 (+0.00)
GET get_analysis_status 25 (+20) 0 6.00 (+3.80) 1 (0) 42 (+37) 0.08 (+0.07) 0.00 (+0.00)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 25 0 929.36 666 1990 0.08 0.00
GET get_purl_gc 25 (+20) 0 37244.96 (-58787.64) 8245 (-53579) 87559 (-17053) 0.08 (+0.07) 0.00 (+0.00)
GET get_sbom[sha256:720e4451…a939656247164447] 25 (+20) 0 745.24 (-821.56) 221 (-1072) 1980 (+193) 0.08 (+0.07) 0.00 (+0.00)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 25 (+20) 0 893.24 (-299107.56) 312 (-299688) 1622 (-298379) 0.08 (+0.07) 0.00 (-0.02)
GET list_advisory 25 0 562.00 410 893 0.08 0.00
GET list_advisory_paginated 25 0 469.28 378 654 0.08 0.00
GET list_importer 20 0 5.20 1 54 0.07 0.00
GET list_organizations 25 0 5.00 2 10 0.08 0.00
GET list_packages 20 0 613.20 245 1197 0.07 0.00
GET list_packages_paginated 20 0 404.40 223 1115 0.07 0.00
GET list_products 25 (+20) 0 13.88 (+4.68) 2 (-6) 41 (+31) 0.08 (+0.07) 0.00 (+0.00)
GET list_sboms 25 (+20) 0 1033.12 (+448.72) 519 (-62) 1423 (+836) 0.08 (+0.07) 0.00 (+0.00)
GET list_sboms_paginated 25 (+20) 0 1085.80 (-971.40) 473 (-1509) 2719 (+527) 0.08 (+0.07) 0.00 (+0.00)
GET list_vulnerabilities 20 0 423.80 240 1124 0.07 0.00
GET list_vulnerabilities_paginated 20 0 258.55 152 1267 0.07 0.00
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 25 (+20) 0 89.16 (-176.44) 11 (-90) 1096 (+618) 0.08 (+0.07) 0.00 (+0.00)
GET search_advisory 20 0 1073.55 463 1586 0.07 0.00
GET search_exact_purl 25 (+20) 0 1225.56 (+1217.36) 9 (+4) 3757 (+3746) 0.08 (+0.07) 0.00 (+0.00)
GET search_purls 25 (+20) 0 13118.00 (+5929.80) 3268 (-2017) 31577 (+22768) 0.08 (+0.07) 0.00 (+0.00)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 25 0 685.12 244 4809 0.08 0.00
Aggregated 540 (+485) 0 2801.13 (-34278.76) 1 (0) 87559 (-212442) 1.80 (+1.62) 0.00 (-0.02)

Response Time Metrics

Method Name 50%ile (ms) 60%ile (ms) 70%ile (ms) 80%ile (ms) 90%ile (ms) 95%ile (ms) 99%ile (ms) 100%ile (ms)
GET get_advisory_by_doc_id 9 10 11 14 22 35 37 37
GET get_analysis_latest_cpe 160 (-20) 170 (-10) 180 (-30) 200 (-10) 280 (+60) 280 (+60) 350 (+130) 350 (+130)
GET get_analysis_status 2 (0) 3 (+1) 5 (+3) 6 (+4) 19 (+14) 21 (+16) 42 (+37) 42 (+37)
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 900 900 900 900 900 1,990 1,990 1,990
GET get_purl_gc 28,000 (-76,612) 29,000 (-75,612) 29,000 (-75,612) 30,000 (-74,612) 87,559 (-17,053) 87,559 (-17,053) 87,559 (-17,053) 87,559 (-17,053)
GET get_sbom[sha256:720e4451…a939656247164447] 500 (-1,287) 500 (-1,287) 700 (-1,087) 1,000 (-787) 1,980 (+193) 1,980 (+193) 1,980 (+193) 1,980 (+193)
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 800 (-299,200) 800 (-299,200) 1,000 (-299,000) 1,000 (-299,000) 1,000 (-299,000) 1,000 (-299,000) 1,622 (-298,378) 1,622 (-298,378)
GET list_advisory 600 600 600 600 700 700 893 893
GET list_advisory_paginated 460 470 490 500 600 600 654 654
GET list_importer 3 3 3 3 4 6 54 54
GET list_organizations 4 5 7 8 8 10 10 10
GET list_packages 600 700 700 900 900 1,000 1,000 1,000
GET list_packages_paginated 300 430 460 460 500 500 1,000 1,000
GET list_products 11 (+2) 13 (+4) 15 (+5) 17 (+7) 25 (+15) 27 (+17) 41 (+31) 41 (+31)
GET list_sboms 1,000 (+413) 1,000 (+413) 1,000 (+413) 1,000 (+413) 1,000 (+413) 1,000 (+413) 1,000 (+413) 1,000 (+413)
GET list_sboms_paginated 900 (-1,100) 900 (-1,100) 1,000 (-1,000) 1,000 (-1,000) 2,000 (0) 2,000 (0) 2,719 (+719) 2,719 (+719)
GET list_vulnerabilities 340 350 350 410 700 800 1,000 1,000
GET list_vulnerabilities_paginated 190 200 200 200 380 380 1,000 1,000
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 29 (-181) 37 (-173) 82 (-338) 84 (-336) 96 (-382) 110 (-368) 1,000 (+522) 1,000 (+522)
GET search_advisory 1,000 1,000 1,000 1,586 1,586 1,586 1,586 1,586
GET search_exact_purl 270 (+261) 320 (+311) 3,000 (+2,990) 3,000 (+2,990) 3,757 (+3,746) 3,757 (+3,746) 3,757 (+3,746) 3,757 (+3,746)
GET search_purls 12,000 (+5,000) 12,000 (+5,000) 13,000 (+5,000) 19,000 (+11,000) 19,000 (+10,191) 27,000 (+18,191) 31,577 (+22,768) 31,577 (+22,768)
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 500 500 500 600 600 2,000 4,809 4,809
Aggregated 450 (-150) 500 (-1,500) 800 (-1,200) 1,000 (-7,000) 3,000 (-102,000) 19,000 (-281,000) 32,000 (-268,000) 87,559 (-212,441)

Status Code Metrics

Method Name Status Codes
GET get_advisory_by_doc_id 20 [200]
GET get_analysis_latest_cpe 25 [200]
GET get_analysis_status 25 [200]
GET get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 25 [200]
GET get_purl_gc 25 [200]
GET get_sbom[sha256:720e4451…a939656247164447] 25 [200]
GET get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 25 [200]
GET list_advisory 25 [200]
GET list_advisory_paginated 25 [200]
GET list_importer 20 [200]
GET list_organizations 25 [200]
GET list_packages 20 [200]
GET list_packages_paginated 20 [200]
GET list_products 25 [200]
GET list_sboms 25 [200]
GET list_sboms_paginated 25 [200]
GET list_vulnerabilities 20 [200]
GET list_vulnerabilities_paginated 20 [200]
GET sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 25 [200]
GET search_advisory 20 [200]
GET search_exact_purl 25 [200]
GET search_purls 25 [200]
POST post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 25 [200]
Aggregated 540 [200]

Transaction Metrics

Transaction # Times Run # Fails Average (ms) Min (ms) Max (ms) RPS Failures/s
WebsiteUser
0.0 logon 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.1 website_index 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.2 website_openapi 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.3 website_sboms 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.4 website_packages 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.5 website_advisories 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
0.6 website_importers 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser
1.0 logon 25 (+25) 0 (0) 14.48 (+14.48) 8 (+8) 23 (+23) 0.08 (+0.08) 0.00 (+0.00)
1.1 list_organizations 25 (+25) 0 (0) 5.12 (+5.12) 3 (+3) 11 (+11) 0.08 (+0.08) 0.00 (+0.00)
1.2 list_advisory 25 (+25) 0 (0) 562.08 (+562.08) 410 (+410) 893 (+893) 0.08 (+0.08) 0.00 (+0.00)
1.3 list_advisory_paginated 25 (+25) 0 (0) 469.28 (+469.28) 378 (+378) 654 (+654) 0.08 (+0.08) 0.00 (+0.00)
1.4 get_advisory_by_doc_id 20 (+20) 0 (0) 12.30 (+12.30) 3 (+3) 37 (+37) 0.07 (+0.07) 0.00 (+0.00)
1.5 search_advisory 20 (+20) 0 (0) 1073.60 (+1073.60) 463 (+463) 1586 (+1586) 0.07 (+0.07) 0.00 (+0.00)
1.6 list_vulnerabilities 20 (+20) 0 (0) 423.85 (+423.85) 240 (+240) 1124 (+1124) 0.07 (+0.07) 0.00 (+0.00)
1.7 list_vulnerabilities_paginated 20 (+20) 0 (0) 258.60 (+258.60) 152 (+152) 1267 (+1267) 0.07 (+0.07) 0.00 (+0.00)
1.8 list_importer 20 (+20) 0 (0) 5.20 (+5.20) 1 (+1) 54 (+54) 0.07 (+0.07) 0.00 (+0.00)
1.9 list_packages 20 (+20) 0 (0) 613.25 (+613.25) 245 (+245) 1197 (+1197) 0.07 (+0.07) 0.00 (+0.00)
1.10 list_packages_paginated 20 (+20) 0 (0) 404.50 (+404.50) 223 (+223) 1115 (+1115) 0.07 (+0.07) 0.00 (+0.00)
1.11 search_purls 25 (+20) 0 (0) 13118.04 (+5929.84) 3268 (-2017) 31577 (+22768) 0.08 (+0.07) 0.00 (+0.00)
1.12 search_exact_purl 25 (+20) 0 (0) 1225.56 (+1217.36) 9 (+4) 3757 (+3746) 0.08 (+0.07) 0.00 (+0.00)
1.13 list_products 25 (+20) 0 (0) 13.96 (+4.76) 2 (-6) 41 (+31) 0.08 (+0.07) 0.00 (+0.00)
1.14 list_sboms 25 (+20) 0 (0) 1033.12 (+448.72) 519 (-62) 1423 (+836) 0.08 (+0.07) 0.00 (+0.00)
1.15 list_sboms_paginated 25 (+20) 0 (0) 1085.84 (-971.36) 473 (-1509) 2719 (+527) 0.08 (+0.07) 0.00 (+0.00)
1.16 get_analysis_status 25 (+20) 0 (0) 6.00 (+3.80) 1 (0) 42 (+37) 0.08 (+0.07) 0.00 (+0.00)
1.17 get_analysis_latest_cpe 25 (+20) 0 (0) 166.04 (+2.44) 42 (-53) 350 (+128) 0.08 (+0.07) 0.00 (+0.00)
1.18 get_purl_gc 25 (+20) 0 (0) 37245.00 (-58787.60) 8245 (-53579) 87559 (-17053) 0.08 (+0.07) 0.00 (+0.00)
1.19 get_sbom[sha256:720e4451…a939656247164447] 25 (+20) 0 (0) 745.28 (-821.52) 221 (-1072) 1980 (+193) 0.08 (+0.07) 0.00 (+0.00)
1.20 sbom_by_package[pkg:maven/io.qu…dhat.com%2fga%2f] 25 (+20) 0 (0) 89.28 (-176.32) 11 (-90) 1096 (+618) 0.08 (+0.07) 0.00 (+0.00)
1.21 get_sbom_license_ids[urn:uuid:019731…104-331632a21144] 25 (+20) 0 (0) 893.28 (-299107.53) 312 (-299688) 1622 (-298379) 0.08 (+0.07) 0.00 (+0.00)
1.22 post_vulnerability_analyze[pkg:rpm/redhat/…h=noarch&epoch=1] 25 (+25) 0 (0) 685.16 (+685.16) 244 (+244) 4810 (+4810) 0.08 (+0.08) 0.00 (+0.00)
1.23 get_purl_details[b00df2ca-df21-5…874-304e9c54e2bd] 25 (+25) 0 (0) 929.40 (+929.40) 666 (+666) 1990 (+1990) 0.08 (+0.08) 0.00 (+0.00)
Aggregated 565 (+510) 0 (0) 2677.19 (-34402.70) 1 (0) 87559 (-212442) 1.88 (+1.70) 0.00 (+0.00)

Scenario Metrics

Transaction # Users # Times Run Average (ms) Min (ms) Max (ms) Scenarios/s Iterations
WebsiteUser 0 (0) 0 (0) 0.00 (+0.00) 0 (0) 0 (0) 0.00 (+0.00) 0.00 (+0.00)
RestAPIUser 5 (+5) 25 (+25) 60479.00 (+60479.00) 41786 (+41786) 105195 (+105195) 0.08 (+0.08) 5.00 (+5.00)
Aggregated 5 (+5) 25 (+25) 60479.00 (+NaN) 41786 (+41786) 105195 (+105195) 0.08 (+0.08) 5.00 (+5.00)


@desmax74 desmax74 added the backport release/0.4.z Backport (0.4.z) label Oct 10, 2025
@ctron

ctron commented Oct 13, 2025

/backport

@trustify-ci-bot

Successfully created backport PR for release/0.4.z:
