SBOM Deletion Performance Tests #714

vobratil · 2025-09-09T13:31:28Z

A small set of performance tests that measure the response times on deletion of SBOMs. I also added some helper functions and request/response interceptors that are needed in order to measure the time between the moment request was sent and the moment response was received. The results are saved to a CSV file that should help us visualize how the response times change with more requests and compare pre and post fix behavior.

By default, only the parallel test is enabled.

Summary by Sourcery

Add performance testing for SBOM deletions by instrumenting HTTP fixtures to capture request durations, introducing a dedicated performance test, and updating documentation to explain running performance tests.

Enhancements:

Add Axios request and response interceptors to record request durations for performance measurement

Documentation:

Document running performance tests with --grep @performance in the e2e README

Tests:

Add a performance test measuring SBOM deletion response times

sourcery-ai · 2025-09-09T13:31:34Z

Reviewer's Guide

Add timing instrumentation to HTTP fixtures and introduce dedicated SBOM deletion performance tests, supported by new helper modules, refactored setup, and updated docs/config for performance test execution and report storage.

File-Level Changes

Change	Details	Files
Instrument HTTP fixtures to record request durations	Extend Axios types with startTime, endTime, and duration Add request interceptor to capture config.startTime Add response interceptor to calculate response.duration Merge auth interceptors under conditional initialization	`e2e/tests/api/fixtures.ts`
Add SBOM deletion performance test suite	Set up beforeEach to upload SBOMs and collect IDs Define sequential and parallel deletion tests with duration logging Implement afterEach cleanup to delete remaining SBOMs	`e2e/tests/api/features/performance.ts`
Introduce helper modules for upload, delete, and reporting	Create uploadSboms helper for batch SBOM uploads Create deleteSboms helper to fetch and delete existing SBOMs Create writeRequestDurationToFile helper to append timing data	`e2e/tests/api/helpers/upload.ts` `e2e/tests/api/helpers/delete.ts` `e2e/tests/api/helpers/report.ts`
Refactor global setup to use shared upload helper	Replace inline uploadSboms implementation with helper call Adjust asset path argument for SBOM uploads	`e2e/tests/api/dependencies/global.setup.ts`
Update documentation and configuration for performance tests	Document running performance tests via `--grep performance` Add REPORT_DIR env var and constant for report output	`e2e/README.md` `e2e/tests/common/constants.ts`

Tips and commands

Interacting with Sourcery

Trigger a new review: Comment @sourcery-ai review on the pull request.
Continue discussions: Reply directly to Sourcery's review comments.
Generate a GitHub issue from a review comment: Ask Sourcery to create an
issue from a review comment by replying to it. You can also reply to a
review comment with @sourcery-ai issue to create an issue from it.
Generate a pull request title: Write @sourcery-ai anywhere in the pull
request title to generate a title at any time. You can also comment
@sourcery-ai title on the pull request to (re-)generate the title at any time.
Generate a pull request summary: Write @sourcery-ai summary anywhere in
the pull request body to generate a PR summary at any time exactly where you
want it. You can also comment @sourcery-ai summary on the pull request to
(re-)generate the summary at any time.
Generate reviewer's guide: Comment @sourcery-ai guide on the pull
request to (re-)generate the reviewer's guide at any time.
Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
pull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
request to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment
@sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

Enable or disable review features such as the Sourcery-generated pull request
summary, the reviewer's guide, and others.
Change the review language.
Add, remove or edit custom review instructions.
Adjust other review settings.

Getting Help

Contact our support team for questions or feedback.
Visit our documentation for detailed guides and information.
Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

e2e/tests/api/fixtures.ts

codecov · 2025-09-16T13:23:42Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.72%. Comparing base (596e5fe) to head (8f4c632).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #714   +/-   ##
=======================================
  Coverage   58.72%   58.72%           
=======================================
  Files         163      163           
  Lines        2871     2871           
  Branches      653      653           
=======================================
  Hits         1686     1686           
  Misses        941      941           
  Partials      244      244

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

sourcery-ai

Hey there - I've reviewed your changes - here's some feedback:

Ensure the REPORT_DIR exists (e.g. mkdirSync) before writing performance CSVs to avoid errors when the directory is missing.
Consider moving the AxiosRequestConfig/AxiosResponse type augmentations into a dedicated .d.ts file instead of inlining them in fixtures.ts for better type organization.
The sequential SBOM deletion test is currently skipped—either enable it or add a comment explaining why it's excluded so it doesn’t get overlooked.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Ensure the REPORT_DIR exists (e.g. mkdirSync) before writing performance CSVs to avoid errors when the directory is missing.
- Consider moving the AxiosRequestConfig/AxiosResponse type augmentations into a dedicated .d.ts file instead of inlining them in fixtures.ts for better type organization.
- The sequential SBOM deletion test is currently skipped—either enable it or add a comment explaining why it's excluded so it doesn’t get overlooked.

## Individual Comments

### Comment 1
<location> `e2e/tests/api/features/performance.ts:47` </location>
<code_context>
+  logger.info(`Uploaded ${sbomIds.length} SBOMs.`);
+});
+
+test.skip("@performance Delete / All / Sequential", async ({ axios }) => {
+  const currentTimeStamp = Date.now();
+  const reportFile = `${REPORT_FILE_PREFIX}sequential-${currentTimeStamp}.csv`;
</code_context>

<issue_to_address>
**question (testing):** The sequential deletion performance test is skipped.

If the test is intentionally skipped, please document the reason in the code or remove it to prevent confusion. Otherwise, enable the test to ensure both deletion methods are properly evaluated.
</issue_to_address>

### Comment 2
<location> `e2e/tests/api/features/performance.ts:35-45` </location>
<code_context>
+test.beforeEach(async ({ axios }) => {
+  logger.info("Uploading SBOMs before deletion performance tests.");
+
+  var uploads = await uploadSboms(axios, SBOM_FILES, SBOM_DIR);
+
+  uploads.forEach((upload) => sbomIds.push(upload.id));
+
+  sbomIds.forEach((id) => logger.info(id));
</code_context>

<issue_to_address>
**suggestion (testing):** No assertion on successful upload of SBOMs before deletion.

Add assertions to verify SBOM uploads succeed and IDs are valid before measuring deletion performance.

```suggestion
import { expect } from "@playwright/test";

test.beforeEach(async ({ axios }) => {
  logger.info("Uploading SBOMs before deletion performance tests.");

  var uploads = await uploadSboms(axios, SBOM_FILES, SBOM_DIR);

  // Assert that uploads array is not empty and matches SBOM_FILES length
  expect(uploads.length, "Number of uploaded SBOMs should match input files").toBe(SBOM_FILES.length);

  uploads.forEach((upload, idx) => {
    // Assert each upload has a valid id
    expect(upload).toHaveProperty("id");
    expect(typeof upload.id).toBe("string");
    expect(upload.id.length, `Upload at index ${idx} should have a non-empty id`).toBeGreaterThan(0);
    sbomIds.push(upload.id);
  });

  sbomIds.forEach((id) => logger.info(id));

  logger.info(`Uploaded ${sbomIds.length} SBOMs.`);
});
```
</issue_to_address>

### Comment 3
<location> `e2e/tests/api/features/performance.ts:78-96` </location>
<code_context>
+
+  writeRequestDurationToFile(reportFile, "No.", "SBOM ID", "Duration [ms]");
+
+  const deletionPromises = sbomIds.map(async (sbomId) => {
+    const deletePromise = axios
+      .delete(`/api/v2/sbom/${sbomId}`)
+      .then((response) =>
+        writeRequestDurationToFile(
+          reportFile,
+          "n/a",
+          response.data.id,
+          String(response.duration),
+        ),
+      )
+      .catch((error) => {
+        logger.error(`SBOM with ID ${sbomId} could not be deleted.`, error);
+      });
+
+    return deletePromise;
+  });
+
+  await Promise.all(deletionPromises);
+});
+
</code_context>

<issue_to_address>
**suggestion (testing):** No assertion on successful deletion of SBOMs during parallel test.

Add assertions or a final check to verify all SBOMs were deleted, and explicitly report any failures.

```suggestion
  const deletionResults: { sbomId: string; success: boolean; error?: any }[] = [];

  const deletionPromises = sbomIds.map(async (sbomId) => {
    try {
      const response = await axios.delete(`/api/v2/sbom/${sbomId}`);
      writeRequestDurationToFile(
        reportFile,
        "n/a",
        response.data.id,
        String(response.duration),
      );
      deletionResults.push({ sbomId, success: true });
    } catch (error) {
      logger.error(`SBOM with ID ${sbomId} could not be deleted.`, error);
      deletionResults.push({ sbomId, success: false, error });
    }
  });

  await Promise.all(deletionPromises);

  // Assert all deletions were successful
  const failedDeletions = deletionResults.filter(result => !result.success);
  if (failedDeletions.length > 0) {
    const failedIds = failedDeletions.map(result => result.sbomId).join(", ");
    throw new Error(`Failed to delete SBOMs with IDs: ${failedIds}`);
  }
```
</issue_to_address>

### Comment 4
<location> `e2e/tests/api/features/performance.ts:100-109` </location>
<code_context>
+});
+
+// Re-try deletion of all SBOMs in case some of the SBOMs didn't get deleted during the tests.
+test.afterEach(async ({ axios }) => {
+  logger.info("Cleaning up SBOMs after deletion performance tests.");
+
+  await deleteSboms(axios, sbomIds).then((success) => {
+    if (success) {
+      logger.info("All SBOMs were deleted successfully.");
+    } else {
+      logger.warn(
+        "One or more SBOMs could not be deleted. Check the logs and/or consider deleting the SBOMs manually.",
+      );
+    }
+  });
+
+  sbomIds = [];
+});
</code_context>

<issue_to_address>
**suggestion:** Cleanup logic does not handle partial failures robustly.

Currently, failures are only logged as a warning without identifying which SBOMs failed or attempting retries. Please update the cleanup to retry failed deletions and log the IDs of SBOMs that could not be deleted.

Suggested implementation:

```typescript
test.afterEach(async ({ axios }) => {
  logger.info("Cleaning up SBOMs after deletion performance tests.");

  const MAX_RETRIES = 3;
  let remainingSbomIds = [...sbomIds];
  let failedSbomIds: string[] = [];

  for (let attempt = 1; attempt <= MAX_RETRIES && remainingSbomIds.length > 0; attempt++) {
    logger.info(`SBOM cleanup attempt ${attempt} for IDs: ${remainingSbomIds.join(", ")}`);
    // deleteSboms should return an array of IDs that failed deletion
    failedSbomIds = await deleteSboms(axios, remainingSbomIds);

    if (failedSbomIds.length === 0) {
      logger.info("All SBOMs were deleted successfully.");
      break;
    } else {
      logger.warn(
        `Attempt ${attempt}: Failed to delete SBOMs with IDs: ${failedSbomIds.join(", ")}`
      );
      remainingSbomIds = failedSbomIds;
    }
  }

  if (failedSbomIds.length > 0) {
    logger.error(
      `After ${MAX_RETRIES} attempts, the following SBOMs could not be deleted: ${failedSbomIds.join(", ")}. Please check the logs and/or consider deleting the SBOMs manually.`
    );
  }

  sbomIds = [];
});

```

You must update the `deleteSboms` function so that it returns an array of SBOM IDs that failed deletion, rather than a boolean. If it currently returns a boolean, refactor it to collect and return the failed IDs.
</issue_to_address>

### Comment 5
<location> `e2e/tests/api/features/performance.ts:31` </location>
<code_context>

</code_context>

<issue_to_address>
**issue (code-quality):** Use `const` or `let` instead of `var`. ([`avoid-using-var`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/avoid-using-var))

<details><summary>Explanation</summary>`const` is preferred as it ensures you cannot reassign references (which can lead to buggy and confusing code).
`let` may be used if you need to reassign references - it's preferred to `var` because it is block- rather than
function-scoped.

From the [Airbnb JavaScript Style Guide](https://airbnb.io/javascript/#references--prefer-const)
</details>
</issue_to_address>

### Comment 6
<location> `e2e/tests/api/features/performance.ts:38` </location>
<code_context>

</code_context>

<issue_to_address>
**issue (code-quality):** Use `const` or `let` instead of `var`. ([`avoid-using-var`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/avoid-using-var))

<details><summary>Explanation</summary>`const` is preferred as it ensures you cannot reassign references (which can lead to buggy and confusing code).
`let` may be used if you need to reassign references - it's preferred to `var` because it is block- rather than
function-scoped.

From the [Airbnb JavaScript Style Guide](https://airbnb.io/javascript/#references--prefer-const)
</details>
</issue_to_address>

### Comment 7
<location> `e2e/tests/api/features/performance.ts:50` </location>
<code_context>

</code_context>

<issue_to_address>
**issue (code-quality):** Use `const` or `let` instead of `var`. ([`avoid-using-var`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/avoid-using-var))

<details><summary>Explanation</summary>`const` is preferred as it ensures you cannot reassign references (which can lead to buggy and confusing code).
`let` may be used if you need to reassign references - it's preferred to `var` because it is block- rather than
function-scoped.

From the [Airbnb JavaScript Style Guide](https://airbnb.io/javascript/#references--prefer-const)
</details>
</issue_to_address>

### Comment 8
<location> `e2e/tests/api/features/performance.ts:52` </location>
<code_context>

</code_context>

<issue_to_address>
**issue (code-quality):** Use `const` or `let` instead of `var`. ([`avoid-using-var`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/avoid-using-var))

<details><summary>Explanation</summary>`const` is preferred as it ensures you cannot reassign references (which can lead to buggy and confusing code).
`let` may be used if you need to reassign references - it's preferred to `var` because it is block- rather than
function-scoped.

From the [Airbnb JavaScript Style Guide](https://airbnb.io/javascript/#references--prefer-const)
</details>
</issue_to_address>

### Comment 9
<location> `e2e/tests/api/features/performance.ts:79-93` </location>
<code_context>
    const deletePromise = axios
      .delete(`/api/v2/sbom/${sbomId}`)
      .then((response) =>
        writeRequestDurationToFile(
          reportFile,
          "n/a",
          response.data.id,
          String(response.duration),
        ),
      )
      .catch((error) => {
        logger.error(`SBOM with ID ${sbomId} could not be deleted.`, error);
      });

    return deletePromise;

</code_context>

<issue_to_address>
**suggestion (code-quality):** Inline variable that is immediately returned ([`inline-immediately-returned-variable`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/inline-immediately-returned-variable))

```suggestion
    return axios
          .delete(`/api/v2/sbom/${sbomId}`)
          .then((response) =>
            writeRequestDurationToFile(
              reportFile,
              "n/a",
              response.data.id,
              String(response.duration),
            ),
          )
          .catch((error) => {
            logger.error(`SBOM with ID ${sbomId} could not be deleted.`, error);
          });

```

<br/><details><summary>Explanation</summary>Something that we often see in people's code is assigning to a result variable
and then immediately returning it.

Returning the result directly shortens the code and removes an unnecessary
variable, reducing the mental load of reading the function.

Where intermediate variables can be useful is if they then get used as a
parameter or a condition, and the name can act like a comment on what the
variable represents. In the case where you're returning it from a function, the
function name is there to tell you what the result is, so the variable name
is unnecessary.
</details>
</issue_to_address>

### Comment 10
<location> `e2e/tests/api/helpers/delete.ts:6` </location>
<code_context>

</code_context>

<issue_to_address>
**issue (code-quality):** Use `const` or `let` instead of `var`. ([`avoid-using-var`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/avoid-using-var))

<details><summary>Explanation</summary>`const` is preferred as it ensures you cannot reassign references (which can lead to buggy and confusing code).
`let` may be used if you need to reassign references - it's preferred to `var` because it is block- rather than
function-scoped.

From the [Airbnb JavaScript Style Guide](https://airbnb.io/javascript/#references--prefer-const)
</details>
</issue_to_address>

### Comment 11
<location> `e2e/tests/api/helpers/delete.ts:25-29` </location>
<code_context>
  const allSuccessful = results.every(
    (result) => result.status === "fulfilled" && result.value?.status === 200,
  );

  return allSuccessful;

</code_context>

<issue_to_address>
**suggestion (code-quality):** Inline variable that is immediately returned ([`inline-immediately-returned-variable`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/inline-immediately-returned-variable))

```suggestion
  return results.every(
      (result) => result.status === "fulfilled" && result.value?.status === 200,
    );

```

<br/><details><summary>Explanation</summary>Something that we often see in people's code is assigning to a result variable
and then immediately returning it.

Returning the result directly shortens the code and removes an unnecessary
variable, reducing the mental load of reading the function.

Where intermediate variables can be useful is if they then get used as a
parameter or a condition, and the name can act like a comment on what the
variable represents. In the case where you're returning it from a function, the
function name is there to tell you what the result is, so the variable name
is unnecessary.
</details>
</issue_to_address>

### Comment 12
<location> `e2e/tests/api/helpers/upload.ts:16-20` </location>
<code_context>
    const promise = axios.post("/api/v2/sbom", fileStream, {
      headers: { "Content-Type": "application/json+bzip2" },
    });

    return promise;

</code_context>

<issue_to_address>
**suggestion (code-quality):** Inline variable that is immediately returned ([`inline-immediately-returned-variable`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/inline-immediately-returned-variable))

```suggestion
    return axios.post("/api/v2/sbom", fileStream, {
          headers: { "Content-Type": "application/json+bzip2" },
        });

```

<br/><details><summary>Explanation</summary>Something that we often see in people's code is assigning to a result variable
and then immediately returning it.

Returning the result directly shortens the code and removes an unnecessary
variable, reducing the mental load of reading the function.

Where intermediate variables can be useful is if they then get used as a
parameter or a condition, and the name can act like a comment on what the
variable represents. In the case where you're returning it from a function, the
function name is there to tell you what the result is, so the variable name
is unnecessary.
</details>
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

e2e/tests/api/features/performance.ts