tests: Add API tests for sorting by various categories on the Search page

[matejnesuta]

Adding this, as it is a more convenient and less flaky approach of testing the sorting than directly in the UI.

Summary by Sourcery

Add API-level tests to verify sorting behavior for PURLs, vulnerabilities, and SBOMs across multiple sortable fields.

Tests:

• Add PURL sorting tests covering name, namespace, and version in both ascending and descending orders.
• Add vulnerability sorting tests validating ID, CVSS score, and published date ordering for ascending and descending sort directions.
• Add SBOM sorting tests that assert correct name and published-date ordering for ascending and descending sorts.

[sourcery-ai]

Reviewer's Guide

Adds API-level end-to-end tests to validate sorting behavior for PURLs, vulnerabilities, and SBOMs across multiple sort keys and directions, preferring API checks over UI-based sorting tests for stability.

File-Level Changes

Change	Details	Files
Add API tests to validate PURL sorting across name, namespace, and version in both ascending and descending order.	Introduce a new Playwright test.describe block for PURL sorting validation using the /api/v2/purl endpoint. Add tests that assert successful responses and non-empty results when sorting by name, namespace, and version in ascending order. Add descending sort tests that compare first items between asc/desc or explicitly parse PURL components to ensure the ordering meaningfully differs.	e2e/tests/api/features/purl.ts
Add API tests to validate vulnerability sorting across ID, CVSS score, and published date, including basic order verification for numeric and date fields.	Introduce a new Playwright test.describe block for vulnerability sorting validation using the /api/v2/vulnerability endpoint. Add tests that verify the API accepts sort options for id and base_score and returns non-empty results for both ascending and descending directions. Implement assertions that CVSS average_score and published date fields are actually ordered correctly (ascending/descending) while handling null values safely.	e2e/tests/api/features/vulnerability.ts
Add API tests to validate SBOM sorting by name and published date with strict order checks.	Add tests that call /api/v2/sbom with sort parameters for name and published, verifying 200 responses and non-zero totals. Implement locale-insensitive string sorting checks for SBOM names in both ascending and descending order by comparing to a locally sorted copy. Implement date-based ascending and descending checks for SBOM published timestamps using Date comparisons.	e2e/tests/api/features/sboms.ts

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 4 issues, and left some high level feedback:

• The ascending/descending tests for PURLs, vulnerabilities, and SBOMs repeat a lot of boilerplate (request params, status checks, sort comparison loops); consider extracting shared helpers (e.g., fetchSorted, expectSortedAscending/Descending) to make the tests shorter and easier to maintain.
• In the vulnerability CVSS score tests you sort by base_score but assert against average_score; if both exist in the API this mismatch could make the tests misleading, so it would be clearer to validate the same field that is used in the sort parameter.
• The SBOM published-date sort tests assume item.published is always non-null, unlike the vulnerability date tests which explicitly filter out nulls; aligning the SBOM tests to handle potential null published dates would reduce flakiness if such data exists.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The ascending/descending tests for PURLs, vulnerabilities, and SBOMs repeat a lot of boilerplate (request params, status checks, sort comparison loops); consider extracting shared helpers (e.g., `fetchSorted`, `expectSortedAscending/Descending`) to make the tests shorter and easier to maintain.
- In the vulnerability CVSS score tests you sort by `base_score` but assert against `average_score`; if both exist in the API this mismatch could make the tests misleading, so it would be clearer to validate the same field that is used in the `sort` parameter.
- The SBOM published-date sort tests assume `item.published` is always non-null, unlike the vulnerability date tests which explicitly filter out nulls; aligning the SBOM tests to handle potential null published dates would reduce flakiness if such data exists.

## Individual Comments

### Comment 1
<location> `e2e/tests/api/features/purl.ts:41-50` </location>
<code_context>
 });
+
+test.describe("PURL sorting validation", () => {
+  test("Sort PURLs by name ascending", async ({ axios }) => {
+    const response = await axios.get("/api/v2/purl", {
+      params: {
+        offset: 0,
+        limit: 100,
+        sort: "name:asc",
+      },
+    });
+
+    expect(response.status).toBe(200);
+    expect(response.data.total).toBeGreaterThan(0);
+    expect(response.data.items.length).toBeGreaterThan(0);
+
+    // Verify the sort parameter is accepted and returns data
+    // Note: We don't validate exact sort order because database collation
+    // may differ from JavaScript's string comparison
+  });
</code_context>

<issue_to_address>
**suggestion (testing):** The ascending name sort test only checks that data is returned, not that the sort actually works.

This only asserts that `sort=name:asc` returns data, so it won’t catch regressions where the sort parameter is ignored. You can still check ordering by asserting that the extracted `name` values are monotonic, or by comparing them to a locally sorted copy using the same comparison logic as the backend. Without that, the test provides little validation of sorting behavior.
</issue_to_address>

### Comment 2
<location> `e2e/tests/api/features/purl.ts:59-68` </location>
<code_context>
+  test("Sort PURLs by name descending", async ({ axios }) => {
</code_context>

<issue_to_address>
**suggestion (testing):** Comparing only the first item between asc/desc is a fragile way to validate sorting.

`expect(descFirst).not.toEqual(ascFirst);` can still pass even if sorting is wrong (e.g., many items share the same name or the backend only partially sorts). Instead, extract all names, build full asc/desc arrays, and assert that one is the reverse of the other (or at least that both sequences are monotonic in opposite directions) to more reliably verify the sort behavior.
</issue_to_address>

### Comment 3
<location> `e2e/tests/api/features/purl.ts:140-143` </location>
<code_context>
+      return match ? match[1] : null;
+    };
+
+    const descFirst = getNamespace(response.data.items[0].purl);
+    const ascFirst = getNamespace(ascResponse.data.items[0].purl);
+
+    if (descFirst && ascFirst) {
+      // First item should be different between asc and desc
+      expect(descFirst).not.toEqual(ascFirst);
</code_context>

<issue_to_address>
**issue (testing):** The namespace descending test silently passes when all namespaces are null or unparsable.

Since the assertion is guarded by `if (descFirst && ascFirst)`, the test becomes a no-op (but still passes) when either extracted namespace is falsy. If all items can have null/empty namespaces, the sort behavior isn’t actually tested. You could either filter to items with non-null namespaces and assert on those, or first assert that at least one non-null namespace exists before comparing asc/desc results.
</issue_to_address>

### Comment 4
<location> `e2e/tests/api/features/vulnerability.ts:25-34` </location>
<code_context>
 });
+
+test.describe("Vulnerability sorting validation", () => {
+  test("Sort vulnerabilities by ID ascending", async ({ axios }) => {
+    const response = await axios.get("/api/v2/vulnerability", {
+      params: {
+        offset: 0,
+        limit: 100,
+        sort: "id:asc",
+      },
+    });
+
+    expect(response.status).toBe(200);
+    expect(response.data.total).toBeGreaterThan(0);
+    expect(response.data.items.length).toBeGreaterThan(0);
+
+    // Verify the sort parameter is accepted and returns data
+    // Note: We don't validate exact sort order because database collation
+    // may differ from JavaScript's string comparison
+  });
</code_context>

<issue_to_address>
**suggestion (testing):** ID ascending vulnerability test doesn’t assert any ordering, so it won’t catch sorting regressions.

Right now this only checks that the endpoint returns data; it would still pass if `sort=id:asc` were ignored. Please also assert on the ordering by extracting the identifier/canonical ID field and verifying the list is non‑decreasing, or matches a locally sorted copy, so the test actually detects sorting regressions.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.21%. Comparing base (a676b36) to head (bdb8ff1).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #918      +/-   ##
==========================================
+ Coverage   66.50%   67.21%   +0.70%     
==========================================
  Files         218      218              
  Lines        3828     3828              
  Branches      873      873              
==========================================
+ Hits         2546     2573      +27     
+ Misses        948      916      -32     
- Partials      334      339       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[vobratil]

I would say that this PR looks pretty good, no major changes needed. The only thing I would like to ask for is moving the helpers file, so that we keep at least some order in the repo. And then there are my questions about why we are okay with the basic sort in some places and actually do a proper validation elsewhere.

[vobratil]

Just a small nitpick, but for better readability, I would make this an if else block or specifically state the order for both options.

[vobratil]

Again, just a nitpick, but this method and validateDateSorting could probably share a big part of the body, since the only difference seems to be in the sorted data type.

[vobratil]

Oh, this is neat, I should start writing my requests like this.

[vobratil]

Once again, I know that this is not really important to your PR, but we should probably agree on how to name the tests, so that the test results are a little easier to read. It's already getting messy and we haven't even reached 100 tests.

[vobratil]

So why are we not running actual sorting checks here and in purl.ts, like we do in sboms.ts and vulnerability.ts?

[matejnesuta]

Yeah, that was a mistake. I fixed it.

[vobratil]

@matejnesuta Alright, thank you for the changes! I think that it's good to go, now.