From 39a79d3a9667ff650fdebfc395329da307a473ab Mon Sep 17 00:00:00 2001
From: Shivam-nagar23 <shivam@devtron.ai>
Date: Fri, 20 Jun 2025 16:00:51 +0530
Subject: [PATCH 1/2] optimisation

---
 api/restHandler/ImageScanRestHandler.go       | 67 ++++++++++++-------
 .../pipelineConfig/CdWorfkflowRepository.go   | 34 ++++++----
 wire_gen.go                                   |  2 +-
 3 files changed, 67 insertions(+), 36 deletions(-)

diff --git a/api/restHandler/ImageScanRestHandler.go b/api/restHandler/ImageScanRestHandler.go
index b19c92efc9..02f0e0e33c 100644
--- a/api/restHandler/ImageScanRestHandler.go
+++ b/api/restHandler/ImageScanRestHandler.go
@@ -23,6 +23,7 @@ import (
 	"github.com/devtron-labs/devtron/pkg/policyGovernance/security/imageScanning"
 	securityBean "github.com/devtron-labs/devtron/pkg/policyGovernance/security/imageScanning/bean"
 	security2 "github.com/devtron-labs/devtron/pkg/policyGovernance/security/imageScanning/repository"
+	"github.com/devtron-labs/devtron/util/sliceUtil"
 	"net/http"
 	"strconv"
 
@@ -104,6 +105,44 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 		return
 	}
 	token := r.Header.Get("token")
+	isSuperAdmin := false
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
+		isSuperAdmin = true
+	}
+	var ids []int
+	if isSuperAdmin {
+		ids = sliceUtil.NewSliceFromFuncExec(filteredDeployInfoList, func(item *security2.ImageScanDeployInfo) int {
+			return item.Id
+		})
+	} else {
+		ids, err = impl.getAuthorisedImageScanDeployInfoIds(token, filteredDeployInfoList)
+		if err != nil {
+			impl.logger.Errorw("error in getting authorised image scan deploy info ids", "err", err)
+			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+			return
+		}
+	}
+
+	if len(ids) == 0 {
+		responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
+		common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
+		return
+	}
+
+	results, err := impl.imageScanService.FetchScanExecutionListing(request, ids)
+	if err != nil {
+		impl.logger.Errorw("service err, ScanExecutionList", "err", err, "payload", request)
+		if util.IsErrNoRows(err) {
+			responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
+			common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
+		} else {
+			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		}
+		return
+	}
+	common.WriteJsonResp(w, err, results, http.StatusOK)
+}
+func (impl ImageScanRestHandlerImpl) getAuthorisedImageScanDeployInfoIds(token string, filteredDeployInfoList []*security2.ImageScanDeployInfo) ([]int, error) {
 	var ids []int
 	var appRBACObjects []string
 	var envRBACObjects []string
@@ -119,8 +158,8 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 
 	appObjects, envObjects, appIdtoApp, envIdToEnv, err := impl.enforcerUtil.GetAppAndEnvRBACNamesByAppAndEnvIds(IdToAppEnvPairs)
 	if err != nil {
-		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
-		return
+		impl.logger.Errorw("error in getting app and env rbac objects", "err", err)
+		return nil, err
 	}
 
 	for _, item := range filteredDeployInfoList {
@@ -136,8 +175,8 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 		} else if item.ScanObjectMetaId > 0 && (item.ObjectType == ObjectTypePod) {
 			environments, err := impl.environmentService.GetByClusterId(item.ClusterId)
 			if err != nil {
-				common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
-				return
+				impl.logger.Errorw("error in getting environments for cluster", "clusterId", item.ClusterId, "err", err)
+				return nil, err
 			}
 			for _, environment := range environments {
 				podObject := environment.EnvironmentIdentifier
@@ -163,25 +202,7 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 			}
 		}
 	}
-
-	if ids == nil || len(ids) == 0 {
-		responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
-		common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
-		return
-	}
-
-	results, err := impl.imageScanService.FetchScanExecutionListing(request, ids)
-	if err != nil {
-		impl.logger.Errorw("service err, ScanExecutionList", "err", err, "payload", request)
-		if util.IsErrNoRows(err) {
-			responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
-			common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
-		} else {
-			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
-		}
-		return
-	}
-	common.WriteJsonResp(w, err, results, http.StatusOK)
+	return ids, nil
 }
 
 func (impl ImageScanRestHandlerImpl) FetchExecutionDetail(w http.ResponseWriter, r *http.Request) {
diff --git a/internal/sql/repository/pipelineConfig/CdWorfkflowRepository.go b/internal/sql/repository/pipelineConfig/CdWorfkflowRepository.go
index a005445a64..4df9b57ab0 100644
--- a/internal/sql/repository/pipelineConfig/CdWorfkflowRepository.go
+++ b/internal/sql/repository/pipelineConfig/CdWorfkflowRepository.go
@@ -774,13 +774,25 @@ func (impl *CdWorkflowRepositoryImpl) FindDeployedCdWorkflowRunnersByPipelineId(
 }
 
 func (impl *CdWorkflowRepositoryImpl) FindLatestCdWorkflowRunnerArtifactMetadataForAppAndEnvIds(appVsEnvIdMap map[int][]int, runnerType apiBean.WorkflowType) ([]*cdWorkflow.CdWorkflowRunnerArtifactMetadata, error) {
-	var allRunners []*cdWorkflow.CdWorkflowRunnerArtifactMetadata
+	var runners []*cdWorkflow.CdWorkflowRunnerArtifactMetadata
+
+	// Prepare the (app_id, env_id) tuple list for the query
+	tupleList := make([]interface{}, 0, len(appVsEnvIdMap))
+	for appId, envIds := range appVsEnvIdMap {
+		for _, envId := range envIds {
+			tupleList = append(tupleList, []interface{}{appId, envId})
+		}
+	}
+	if len(tupleList) == 0 {
+		return nil, nil
+	}
+
 	query := `
 WITH RankedData AS (
     SELECT 
         p.app_id AS "app_id",
         p.environment_id AS "env_id",
-		p.deleted AS "deleted",
+        p.deleted AS "deleted",
         wf.ci_artifact_id AS "ci_artifact_id",
         ci_artifact.parent_ci_artifact AS "parent_ci_artifact",
         ci_artifact.scanned AS "scanned",
@@ -788,17 +800,15 @@ WITH RankedData AS (
     FROM cd_workflow_runner INNER JOIN cd_workflow wf ON wf.id = cd_workflow_runner.cd_workflow_id
     INNER JOIN pipeline p ON p.id = wf.pipeline_id
     INNER JOIN ci_artifact ON ci_artifact.id = wf.ci_artifact_id
-    WHERE cd_workflow_runner.workflow_type = ? AND p.app_id = ? AND p.environment_id IN (?))
+    WHERE cd_workflow_runner.workflow_type = ? 
+      AND (p.app_id, p.environment_id) IN ( ? )
+)
 SELECT "app_id","env_id","ci_artifact_id","parent_ci_artifact","scanned" FROM RankedData WHERE rn = 1 and deleted= false;
 `
-	for appId, envIds := range appVsEnvIdMap {
-		var runners []*cdWorkflow.CdWorkflowRunnerArtifactMetadata
-		_, err := impl.dbConnection.Query(&runners, query, runnerType, appId, pg.In(envIds))
-		if err != nil {
-			impl.logger.Errorw("error in getting cdWfrs by appId and envIds and runner type", "appVsEnvIdMap", appVsEnvIdMap, "err", err)
-			return nil, err
-		}
-		allRunners = append(allRunners, runners...)
+	_, err := impl.dbConnection.Query(&runners, query, runnerType, pg.In(tupleList))
+	if err != nil {
+		impl.logger.Errorw("error in getting cdWfrs by appId and envIds and runner type", "appVsEnvIdMap", appVsEnvIdMap, "err", err)
+		return nil, err
 	}
-	return allRunners, nil
+	return runners, nil
 }
diff --git a/wire_gen.go b/wire_gen.go
index df755b0a44..31520f79bb 100644
--- a/wire_gen.go
+++ b/wire_gen.go
@@ -1,6 +1,6 @@
 // Code generated by Wire. DO NOT EDIT.
 
-//go:generate go run -mod=mod github.com/google/wire/cmd/wire
+//go:generate go run github.com/google/wire/cmd/wire
 //go:build !wireinject
 // +build !wireinject
 

From 2ffdc98beee18d53fc233720dce3d201a80203d1 Mon Sep 17 00:00:00 2001
From: Shivam-nagar23 <shivam@devtron.ai>
Date: Fri, 20 Jun 2025 16:11:26 +0530
Subject: [PATCH 2/2] optimisation

---
 api/restHandler/ImageScanRestHandler.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/api/restHandler/ImageScanRestHandler.go b/api/restHandler/ImageScanRestHandler.go
index 02f0e0e33c..087d53d3a4 100644
--- a/api/restHandler/ImageScanRestHandler.go
+++ b/api/restHandler/ImageScanRestHandler.go
@@ -142,6 +142,7 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 	}
 	common.WriteJsonResp(w, err, results, http.StatusOK)
 }
+
 func (impl ImageScanRestHandlerImpl) getAuthorisedImageScanDeployInfoIds(token string, filteredDeployInfoList []*security2.ImageScanDeployInfo) ([]int, error) {
 	var ids []int
 	var appRBACObjects []string