perf(tags): wrap importer in tag_inheritance.batch() + bulk flush after exit

valentijnscholten · valentijnscholten · commit 97079016eeac · 2026-05-07T00:06:57.000+02:00
Stage 2 of Phase B. Wraps the import / reimport orchestration in
`process_scan` (default_importer + default_reimporter) inside
`tag_inheritance.batch()`. Inside the batch:

  - `make_inherited_tags_sticky` (m2m_changed) early-returns
  - `inherit_tags_on_instance` (post_save, gated on created=True) early-returns
  - `inherit_tags_on_linked_instance` (post_save) early-returns

After the batch exits, `tag_inheritance.flush_for_product(product)` runs
once and bulk-applies inheritance to every child via the Phase A bulk
diff path.

The bulk diff in `_sync_inheritance_for_qs` (dojo/product/helpers.py) is
extended with a re-merge step: it reads each child's current `tags`
through-table and ensures every target inherited name is present.
This is the bulk equivalent of `make_inherited_tags_sticky` and is
needed because `tags.set([...])` inside the batch (e.g.
`update_test_tags` during reimport) can wipe inherited names from
`tags` while `inherited_tags` stays in sync. A current-tags read is
added to gate the re-merge so it only writes rows that are actually
missing.

`tag_inheritance.flush_for_product(product)` is added as the public
flush helper. Internally delegates to `propagate_tags_on_product_sync`.

Pinned perf-test impact (this branch vs Stage 1):

  ZAP scan import V2  : 1385 -&gt; 1006   (~27% drop)
  ZAP scan import V3  : 1263 -&gt;  984   (~22% drop)
  ZAP reimport V2     :   69 -&gt;   82   (+13: flush has fixed cost)
  ZAP reimport V3     :   87 -&gt;  140   (+53: flush has fixed cost)

  product_tag_add  -&gt; 100 findings  V2/V3 :  91 -&gt;  94 (+3: tags read for re-merge)
  product_tag_remove -&gt; 100 findings V2/V3 :  53 -&gt;  56 (+3)
  product_tag_add  -&gt; 100 endpoints V2     :  91 -&gt; 194 (eager Celery + explicit propagate both pay re-merge cost)
  product_tag_remove -&gt; 100 endpoints V2   :  53 -&gt;  56
  product_tag_add  -&gt; 100 locations V3     : 316 -&gt; 320
  product_tag_remove -&gt; 100 locations V3   : 266 -&gt; 270

The reimport and product-toggle increases are eliminated in
Stages 3+4+5 (drop the duplicate `inherited_tags` TagField and the
re-merge step becomes free because `tags` is the single source of
truth).
diff --git a/dojo/importers/default_importer.py b/dojo/importers/default_importer.py
@@ -5,6 +5,7 @@
 from django.db.models.query_utils import Q
 from django.urls import reverse
 
+from dojo import tag_inheritance
 from dojo.celery_dispatch import dojo_dispatch_task
 from dojo.finding import helper as finding_helper
 from dojo.importers.base_importer import BaseImporter, Parser
@@ -114,29 +115,39 @@ def process_scan(
         # Note: for fresh imports, parse_findings() calls create_test() internally,
         # so self.test is guaranteed to be set after this call.
         parsed_findings = self.parse_findings(scan, parser) or []
-        new_findings = self.process_findings(parsed_findings, **kwargs)
-        # Close any old findings in the processed list if the the user specified for that
-        # to occur in the form that is then passed to the kwargs
-        closed_findings = self.close_old_findings(self.test.finding_set.all(), **kwargs)
-        # Update the timestamps of the test object by looking at the findings imported
-        self.update_timestamps()
-        # Update the test meta
-        self.update_test_meta()
-        # Save the test and engagement for changes to take affect
-        self.test.save()
-        self.test.engagement.save()
-        # Create a test import history object to record the flags sent to the importer
-        # This operation will return None if the user does not have the import history
-        # feature enabled
-        test_import_history = self.update_import_history(
-            new_findings=new_findings,
-            closed_findings=closed_findings,
-        )
-        # Apply tags to findings and endpoints/locations
-        self.apply_import_tags(
-            new_findings=new_findings,
-            closed_findings=closed_findings,
-        )
+        # Suppress per-row tag-inheritance signal work during the import hot
+        # loop. Inheritance is applied in bulk after the batch via
+        # `tag_inheritance.flush_for_product` (see below). This replaces the
+        # per-finding `_manage_inherited_tags` signal cascade with a single
+        # `propagate_tags_on_product_sync` pass.
+        with tag_inheritance.batch():
+            new_findings = self.process_findings(parsed_findings, **kwargs)
+            # Close any old findings in the processed list if the the user specified for that
+            # to occur in the form that is then passed to the kwargs
+            closed_findings = self.close_old_findings(self.test.finding_set.all(), **kwargs)
+            # Update the timestamps of the test object by looking at the findings imported
+            self.update_timestamps()
+            # Update the test meta
+            self.update_test_meta()
+            # Save the test and engagement for changes to take affect
+            self.test.save()
+            self.test.engagement.save()
+            # Create a test import history object to record the flags sent to the importer
+            # This operation will return None if the user does not have the import history
+            # feature enabled
+            test_import_history = self.update_import_history(
+                new_findings=new_findings,
+                closed_findings=closed_findings,
+            )
+            # Apply tags to findings and endpoints/locations
+            self.apply_import_tags(
+                new_findings=new_findings,
+                closed_findings=closed_findings,
+            )
+        # Flush inherited tags in bulk for all children of the product touched
+        # by this import. Idempotent and cheap when tag inheritance is
+        # disabled (it short-circuits on the system + per-product flags).
+        tag_inheritance.flush_for_product(self.test.engagement.product)
         # Send out some notifications to the user
         logger.debug("IMPORT_SCAN: Generating notifications")
         dojo_dispatch_task(
diff --git a/dojo/importers/default_reimporter.py b/dojo/importers/default_reimporter.py
@@ -6,6 +6,7 @@
 from django.db.models.query_utils import Q
 
 import dojo.finding.helper as finding_helper
+from dojo import tag_inheritance
 from dojo.celery_dispatch import dojo_dispatch_task
 from dojo.finding.deduplication import (
     find_candidates_for_deduplication_hash,
@@ -107,43 +108,51 @@ def process_scan(
         # Get the findings from the parser based on what methods the parser supplies
         # This could either mean traditional file parsing, or API pull parsing
         parsed_findings = self.parse_findings(scan, parser) or []
-        (
-            new_findings,
-            reactivated_findings,
-            findings_to_mitigate,
-            untouched_findings,
-        ) = self.process_findings(parsed_findings, **kwargs)
-        # Close any old findings in the processed list if the the user specified for that
-        # to occur in the form that is then passed to the kwargs
-        closed_findings = self.close_old_findings(findings_to_mitigate, **kwargs)
-        # Update the timestamps of the test object by looking at the findings imported
-        logger.debug("REIMPORT_SCAN: Updating test/engagement timestamps")
-        # Update the timestamps of the test object by looking at the findings imported
-        self.update_timestamps()
-        # Update the test meta
-        self.update_test_meta()
-        # Update the test tags
-        self.update_test_tags()
-        # Save the test and engagement for changes to take affect
-        self.test.save()
-        self.test.engagement.save()
-        logger.debug("REIMPORT_SCAN: Updating test tags")
-        # Create a test import history object to record the flags sent to the importer
-        # This operation will return None if the user does not have the import history
-        # feature enabled
-        test_import_history = self.update_import_history(
-            new_findings=new_findings,
-            closed_findings=closed_findings,
-            reactivated_findings=reactivated_findings,
-            untouched_findings=untouched_findings,
-        )
-        # Apply tags to findings and endpoints
-        self.apply_import_tags(
-            new_findings=new_findings,
-            closed_findings=closed_findings,
-            reactivated_findings=reactivated_findings,
-            untouched_findings=untouched_findings,
-        )
+        # Suppress per-row tag-inheritance signal work during the reimport
+        # hot loop. Inheritance is applied in bulk after the batch via
+        # `tag_inheritance.flush_for_product`. See default_importer for the
+        # rationale.
+        with tag_inheritance.batch():
+            (
+                new_findings,
+                reactivated_findings,
+                findings_to_mitigate,
+                untouched_findings,
+            ) = self.process_findings(parsed_findings, **kwargs)
+            # Close any old findings in the processed list if the the user specified for that
+            # to occur in the form that is then passed to the kwargs
+            closed_findings = self.close_old_findings(findings_to_mitigate, **kwargs)
+            # Update the timestamps of the test object by looking at the findings imported
+            logger.debug("REIMPORT_SCAN: Updating test/engagement timestamps")
+            # Update the timestamps of the test object by looking at the findings imported
+            self.update_timestamps()
+            # Update the test meta
+            self.update_test_meta()
+            # Update the test tags
+            self.update_test_tags()
+            # Save the test and engagement for changes to take affect
+            self.test.save()
+            self.test.engagement.save()
+            logger.debug("REIMPORT_SCAN: Updating test tags")
+            # Create a test import history object to record the flags sent to the importer
+            # This operation will return None if the user does not have the import history
+            # feature enabled
+            test_import_history = self.update_import_history(
+                new_findings=new_findings,
+                closed_findings=closed_findings,
+                reactivated_findings=reactivated_findings,
+                untouched_findings=untouched_findings,
+            )
+            # Apply tags to findings and endpoints
+            self.apply_import_tags(
+                new_findings=new_findings,
+                closed_findings=closed_findings,
+                reactivated_findings=reactivated_findings,
+                untouched_findings=untouched_findings,
+            )
+        # Bulk-apply tag inheritance for all children of the product touched
+        # by this reimport.
+        tag_inheritance.flush_for_product(self.test.engagement.product)
         # Send out som notifications to the user
         logger.debug("REIMPORT_SCAN: Generating notifications")
         updated_count = (
diff --git a/dojo/product/helpers.py b/dojo/product/helpers.py
@@ -112,11 +112,20 @@ def _sync_inheritance_for_qs(queryset, *, target_names_per_child):
     for child_id, tag_name in existing_pairs:
         old_inherited_by_child[child_id].add(tag_name)
 
-    # Compute per-child diff and bucket by tag name.
+    # Compute per-child diff and bucket by tag name. Two diffs are computed:
+    #   - inherited_tags add/remove: keeps the inherited_tags M2M in sync
+    #     with the target.
+    #   - tags re-merge: ensures every target name is also present on `tags`,
+    #     even when inherited_tags already matched. This is the bulk
+    #     equivalent of `make_inherited_tags_sticky` enforcement, needed for
+    #     the importer hot path where `test.tags.set([...])` overwrites the
+    #     full tag list inside a `tag_inheritance.batch()` block.
     add_map: dict[str, list] = defaultdict(list)
     remove_map: dict[str, list] = defaultdict(list)
+    target_per_child: dict[int, set[str]] = {}
     for child in children:
         target = target_names_per_child(child)
+        target_per_child[child.pk] = target
         old = old_inherited_by_child.get(child.pk, set())
         for name in target - old:
             add_map[name].append(child)
@@ -133,3 +142,33 @@ def _sync_inheritance_for_qs(queryset, *, target_names_per_child):
     for name, instances in remove_map.items():
         bulk_remove_tags_from_instances(name, instances, tag_field_name="inherited_tags")
         bulk_remove_tags_from_instances(name, instances, tag_field_name="tags")
+
+    # Bulk re-merge: ensure every target name is present on `tags`. We need
+    # this for the importer hot path where `tags.set([...])` inside a
+    # `tag_inheritance.batch()` can wipe inherited names from `tags` while
+    # `inherited_tags` stays in sync (so the diff above is empty).
+    #
+    # Read the current `tags` per child so we only write rows that are
+    # actually missing — without this guard the re-merge becomes O(target *
+    # children) bulk_create attempts for every product-tag toggle.
+    tags_field = model_class._meta.get_field("tags")
+    tags_through = tags_field.remote_field.through
+    tags_tag_model = tags_field.related_model
+    existing_tags_pairs = tags_through.objects.filter(
+        **{f"{source_field_name}__in": child_ids},
+    ).values_list(source_field_name, f"{tags_tag_model._meta.model_name}__name")
+
+    current_tags_by_child: dict[int, set[str]] = defaultdict(set)
+    for child_id, tag_name in existing_tags_pairs:
+        current_tags_by_child[child_id].add(tag_name)
+
+    remerge_map: dict[str, list] = defaultdict(list)
+    for child in children:
+        target = target_per_child[child.pk]
+        current = current_tags_by_child.get(child.pk, set())
+        # Skip names already added by the diff above; only fix true drift.
+        already_added = {name for name, lst in add_map.items() if child in lst}
+        for name in target - current - already_added:
+            remerge_map[name].append(child)
+    if remerge_map:
+        bulk_add_tag_mapping(remerge_map, tag_field_name="tags")
diff --git a/dojo/tag_inheritance.py b/dojo/tag_inheritance.py
@@ -37,6 +37,9 @@ def batch():
             # Bulk operations that would otherwise fire `make_inherited_tags_sticky`
             # or `inherit_tags_on_instance` per row.
             ...
+        # After exit, callers should explicitly bulk-apply inheritance via
+        # `propagate_tags_on_product_sync(product)` (or equivalent) for any
+        # product whose children were created/modified inside the batch.
 
     The context is reentrant; nested ``with`` blocks share the suppression
     until the outermost block exits. State lives in ``threading.local()``,
@@ -52,3 +55,19 @@ def batch():
             # Clean up the attribute so leak-free thread reuse stays simple.
             with contextlib.suppress(AttributeError):
                 del _state.depth
+
+
+def flush_for_product(product) -> None:
+    """
+    Bulk-apply tag inheritance to all children of `product`.
+
+    Intended to be called after a ``batch()`` block exits, when the calling
+    code has created/modified many children of one product and the
+    per-instance signal handlers were suppressed. Delegates to
+    ``propagate_tags_on_product_sync``, which uses the Phase A bulk-diff
+    helpers to sync `inherited_tags` and `tags` across all children in O(1)
+    queries per (model x tag) instead of O(N) rows.
+    """
+    # Local import to avoid circulars at module import time.
+    from dojo.product.helpers import propagate_tags_on_product_sync  # noqa: PLC0415
+    propagate_tags_on_product_sync(product)
diff --git a/dojo/tags_signals.py b/dojo/tags_signals.py
@@ -72,12 +72,19 @@ def inherit_tags_on_instance(sender, instance, created, **kwargs):
     # tag edits is handled by `make_inherited_tags_sticky` (m2m_changed).
     if not created:
         return
+    # Inside a `tag_inheritance.batch()` block the caller takes responsibility
+    # for applying inheritance in bulk after exit (typically via
+    # `tag_inheritance.flush_for_product`).
+    if tag_inheritance.is_in_batch():
+        return
     inherit_instance_tags(instance)
 
 
 @receiver(signals.post_save, sender=LocationFindingReference)
 @receiver(signals.post_save, sender=LocationProductReference)
 def inherit_tags_on_linked_instance(sender, instance, created, **kwargs):
+    if tag_inheritance.is_in_batch():
+        return
     inherit_linked_instance_tags(instance)
 
 
diff --git a/unittests/test_tag_inheritance_perf.py b/unittests/test_tag_inheritance_perf.py
@@ -359,10 +359,12 @@ def test_baseline_product_tag_remove_propagates_to_100_locations_v3(self):
     # Findings-only scenarios.
     # Pre-Phase-A V2: 4758 add, 4540 remove. V3: 4759/4541.
     # Phase A bulk-propagate drops these dramatically.
-    EXPECTED_PRODUCT_TAG_ADD_100_V2 = 91
-    EXPECTED_PRODUCT_TAG_ADD_100_V3 = 91
-    EXPECTED_PRODUCT_TAG_REMOVE_100_V2 = 53
-    EXPECTED_PRODUCT_TAG_REMOVE_100_V3 = 53
+    # Phase B Stage 2 adds ~3 queries to read current `tags` for the bulk
+    # re-merge step (compensates for tags wiped inside batch contexts).
+    EXPECTED_PRODUCT_TAG_ADD_100_V2 = 94
+    EXPECTED_PRODUCT_TAG_ADD_100_V3 = 94
+    EXPECTED_PRODUCT_TAG_REMOVE_100_V2 = 56
+    EXPECTED_PRODUCT_TAG_REMOVE_100_V3 = 56
 
     EXPECTED_CREATE_ONE_FINDING_V2 = 64
     EXPECTED_CREATE_ONE_FINDING_V3 = 64
@@ -375,12 +377,18 @@ def test_baseline_product_tag_remove_propagates_to_100_locations_v3(self):
     EXPECTED_FINDING_REMOVE_INHERITED_V3 = 44
 
     # V2 endpoint paths. Pre-Phase-A: 3958 add, 3740 remove.
-    EXPECTED_PRODUCT_TAG_ADD_100_ENDPOINTS = 91
-    EXPECTED_PRODUCT_TAG_REMOVE_100_ENDPOINTS = 53
+    # Phase B Stage 2 raises endpoint add 91 -> 194 because the eager Celery
+    # propagate dispatched by m2m_changed and the explicit
+    # propagate_tags_on_product_sync call both pay the new tags-read for
+    # bulk re-merge. Acceptable: the same lever delivers a 27% drop on the
+    # ZAP import path. Will go further down in Stages 3+4+5 when the
+    # duplicate inherited_tags M2M is dropped.
+    EXPECTED_PRODUCT_TAG_ADD_100_ENDPOINTS = 194
+    EXPECTED_PRODUCT_TAG_REMOVE_100_ENDPOINTS = 56
 
     # V3 location paths. Pre-Phase-A: 4532 add, 4307 remove.
-    EXPECTED_PRODUCT_TAG_ADD_100_LOCATIONS = 316
-    EXPECTED_PRODUCT_TAG_REMOVE_100_LOCATIONS = 266
+    EXPECTED_PRODUCT_TAG_ADD_100_LOCATIONS = 320
+    EXPECTED_PRODUCT_TAG_REMOVE_100_LOCATIONS = 270
 
 
 @override_settings(
@@ -495,9 +503,13 @@ def test_baseline_zap_scan_reimport_no_change_v3(self):
     # Pre-Phase-A: 1461/1319 import, 77/95 reimport.
     # Phase B Stage 1 (thread-safe batch context) adds ~20 queries on the V3
     # import path because the previous process-global signal-disconnect was
-    # narrower in scope (Location.tags.through only). Net-positive trade for
-    # eliminating the threading bug; full Phase B reductions land in Stage 2.
-    EXPECTED_ZAP_IMPORT_V2 = 1385
-    EXPECTED_ZAP_IMPORT_V3 = 1263
-    EXPECTED_ZAP_REIMPORT_NO_CHANGE_V2 = 69
-    EXPECTED_ZAP_REIMPORT_NO_CHANGE_V3 = 87
+    # narrower in scope (Location.tags.through only).
+    # Phase B Stage 2 (importer-wide batch + flush_for_product) drops import
+    # ~27%/22% (signal cascade replaced by single bulk propagate). Reimport
+    # rises because flush always runs; bulk re-merge has a fixed cost even
+    # when there's no work. Stages 3+4+5 (drop duplicate inherited_tags M2M)
+    # will collapse the reimport cost.
+    EXPECTED_ZAP_IMPORT_V2 = 1006
+    EXPECTED_ZAP_IMPORT_V3 = 984
+    EXPECTED_ZAP_REIMPORT_NO_CHANGE_V2 = 82
+    EXPECTED_ZAP_REIMPORT_NO_CHANGE_V3 = 140
