PM-34686 Remove Summary Count Limit

[prograhamming]

🎟️ Tracking

PM-34686

📔 Objective

The Access Intelligence risk-over-time graph widget (PM-26961) requires time-series data to display trends for applications, passwords, and members at-risk over various time periods.

In PM-28531, the server-side endpoint GET /reports/organizations/{organizationId}/data/summary was created to serve this data. The original implementation grouped summaries by time period and limited the response to six data points — matching the chart's planned display of six evenly-spaced x-axis points.

During team review, the server-side grouping seemed limited. The decision has been made to remove the six-summary constraint so the endpoint returns all summaries within the requested date range. If grouping or sampling is needed in the future, it will be handled on the client side.

Current State
The endpoint currently applies grouping logic that limits the response to six OrganizationReportSummaryModel entries regardless of how many records exist in the requested date range.

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – 4dd760dd-966d-4b7c-951c-67ffc63b6f7e

---

New Issues (121)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Stored_XSS	/src/SharedWeb/Health/HealthCheckServiceExtensions.cs: 61	details The method embeds untrusted data in generated output with WriteAsync, at line 60 of /src/SharedWeb/Health/HealthCheckServiceExtensions.cs. This ... Attack Vector
2		Stored_XSS	/util/Server/Startup.cs: 57	details The method embeds untrusted data in generated output with WriteAsync, at line 59 of /util/Server/Startup.cs. This untrusted data is embedded int... Attack Vector
3		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 55	details Method at line 55 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This pa... Attack Vector
4		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145	details Method at line 145 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from request. T... Attack Vector
5		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145	details Method at line 145 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from request. T... Attack Vector
6		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97	details Method at line 97 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. This... Attack Vector
7		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97	details Method at line 97 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. This... Attack Vector
8		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 534	details Method at line 534 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
9		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 229	details Method at line 229 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
10		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1558	details Method at line 1558 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
11		CSRF	/src/Api/Tools/Controllers/SendsController.cs: 73	details Method at line 73 of /src/Api/Tools/Controllers/SendsController.cs gets a parameter from a user request from id. This parameter value flows thro... Attack Vector
12		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 145	details Method at line 145 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This p... Attack Vector
13		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 217	details Method at line 217 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
14		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
15		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
16		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
17		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
18		CSRF	/src/Api/Controllers/CollectionsController.cs: 184	details Method at line 184 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
19		CSRF	/src/Api/Controllers/CollectionsController.cs: 184	details Method at line 184 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
20		CSRF	/src/Api/Controllers/CollectionsController.cs: 184	details Method at line 184 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
21		CSRF	/src/Api/Controllers/CollectionsController.cs: 184	details Method at line 184 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
22		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173	details Method at line 173 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
23		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
24		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 187	details Method at line 187 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
25		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 104	details Method at line 104 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This p... Attack Vector
26		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 107	details Method at line 107 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organiza... Attack Vector
27		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1417	details Method at line 1417 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
28		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 284	details Method at line 284 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
29		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 231	details Method at line 231 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
30		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 187	details Method at line 187 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
31		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1417	details Method at line 1417 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
32		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1417	details Method at line 1417 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
33		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 289	details Method at line 289 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from orgUserId. This parameter ... Attack Vector
34		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1385	details Method at line 1385 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
35		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1446	details Method at line 1446 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
36		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1148	details Method at line 1148 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
37		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1032	details Method at line 1032 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
38		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1281	details Method at line 1281 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from organizationId. This parameter ... Attack Vector
39		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 394	details Method at line 394 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
40		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 385	details Method at line 385 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
41		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 385	details Method at line 385 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from id. This parame... Attack Vector
42		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 95	details Method at line 95 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organizat... Attack Vector
43		CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 82	details Method at line 82 of /src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs gets a parameter from a user request from provider. Th... Attack Vector
44		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 93	details Method at line 93 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This pa... Attack Vector
45		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 49	details Method at line 49 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organizat... Attack Vector
46		CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 40	details Method at line 40 of /src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs gets a parameter from a user request from provider. Th... Attack Vector
47		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1226	details Method at line 1226 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flo... Attack Vector
48		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173	details Method at line 173 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
49		CSRF	/src/Api/Vault/Controllers/SecurityTaskController.cs: 66	details Method at line 66 of /src/Api/Vault/Controllers/SecurityTaskController.cs gets a parameter from a user request from taskId. This parameter value... Attack Vector
50		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 721	details Method at line 721 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from request. This parameter value fl... Attack Vector
51		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 192	details Method at line 192 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
52		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 664	details Method at line 664 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
53		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 641	details Method at line 641 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
54		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 126	details Method at line 126 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
55		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 412	details Method at line 412 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
56		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 385	details Method at line 385 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
57		CSRF	/src/Api/Auth/Controllers/EmergencyAccessController.cs: 173	details Method at line 173 of /src/Api/Auth/Controllers/EmergencyAccessController.cs gets a parameter from a user request from model. This parameter val... Attack Vector
58		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
59		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
60		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
61		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 825	details Method at line 825 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
62		CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 61	details Method at line 61 of /src/Api/NotificationCenter/Controllers/NotificationsController.cs gets a parameter from a user request from id. This param... Attack Vector
63		CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 67	details Method at line 67 of /src/Api/NotificationCenter/Controllers/NotificationsController.cs gets a parameter from a user request from id. This param... Attack Vector
64		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1446	details Method at line 1446 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
65		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
66		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
67		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
68		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
69		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
70		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 790	details Method at line 790 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
71		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
72		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 763	details Method at line 763 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
73		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 138	details Method at line 138 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
74		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 166	details Method at line 166 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
75		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 166	details Method at line 166 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter valu... Attack Vector
76		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 414	details Method at line 414 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
77		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 414	details Method at line 414 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
78		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 558	details Method at line 558 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector

More results are available on the CxOne platform

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.42%. Comparing base (c04ee9c) to head (0036dea).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7398      +/-   ##
==========================================
- Coverage   58.42%   58.42%   -0.01%     
==========================================
  Files        2063     2063              
  Lines       91182    91168      -14     
  Branches     8129     8127       -2     
==========================================
- Hits        53276    53262      -14     
  Misses      36008    36008              
  Partials     1898     1898              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR removes the server-side 6-record sampling limit from the organization report summary endpoint, allowing it to return all entries within the requested date range. The removed GetMostRecentEntries method and MaxRecordsForWidget constant are cleanly excised, the cache integration remains intact, and the test is updated to verify all 12 records are now returned. Authorization checks (AccessReports) and input validation are unaffected.

Code Review Details

No findings. The change is well-scoped: it removes server-side grouping logic as described in the objective, preserves all existing validation and caching behavior, and updates tests appropriately.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud