
Add "Hash of all the hashes" to speed up processing in Dependency Track

Open oxdef opened this issue 4 years ago • 0 comments

The problem

Consider that you have a big amount of services (thousands) which are processed in Dependency Track during CI/CD daily. It is not necessary that the list of components for those services also changes every day. In such a configuration DTrack will do the work of simply trying to determine if there are new components on every SBOM upload.

Proposed solution

Calculate a hash of the components' hashes and add it into the resulting SBOM file. DTrack could store this hash along with the project (like "last uploaded SBOM hash") and check it on every upload of a new SBOM to this project. If the hash has changed, then we need to update the components list for the project.

Update

It could also be done on the DTrack side without changing the CycloneDX specification. DTrack can gather the hashes of all the components and generate a new one to compare against the "last uploaded SBOM hash". It should be a fast operation. https://github.com/DependencyTrack/dependency-track/issues/1326

oxdef, Dec 30 '21 08:12
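The server-side variant described in the update, as an added example that is not Dependency Track's own code: a deterministic "hash of all the hashes" over a CycloneDX-style component list, compared against the fingerprint stored for the project. It goes slightly beyond the proposal by folding each component's purl into its identity (so a re-coordinated package with identical content still triggers a refresh) and by sorting identities so upload order does not matter. The sample SBOMs, field names and function names are constructed assumptions for illustration.

```python
import hashlib
import json

# Constructed sample: a minimal CycloneDX-like component list, not a real SBOM.
SBOM_V1 = {"components": [
    {"purl": "pkg:maven/org.example/lib-a@1.0.0",
     "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
    {"purl": "pkg:npm/left-pad@1.3.0",
     "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]},
    {"purl": "pkg:pypi/requests@2.31.0"},  # purl-only entry: no hashes listed
]}
# Same components in a different order: must produce the same fingerprint.
SBOM_V1_REORDERED = {"components": list(reversed(SBOM_V1["components"]))}
# One component's content hash changed: must produce a different fingerprint.
SBOM_V2 = json.loads(json.dumps(SBOM_V1))
SBOM_V2["components"][1]["hashes"][0]["content"] = "cc" * 32


def component_identity(component):
    """Canonical identity of one component: its purl plus its (sorted) hashes.

    Normalising algorithm names and hex case keeps tool-to-tool formatting
    differences from looking like real component changes.
    """
    purl = component.get("purl") or component.get("name", "")
    hashes = sorted(
        f"{h['alg'].upper()}:{h['content'].lower()}"
        for h in component.get("hashes", [])
    )
    return json.dumps([purl, hashes], separators=(",", ":"))


def sbom_fingerprint(sbom):
    """Order-independent SHA-256 over the sorted, de-duplicated identities."""
    identities = sorted({component_identity(c) for c in sbom.get("components", [])})
    digest = hashlib.sha256()
    for ident in identities:
        # Length-prefix each entry so concatenation boundaries are unambiguous.
        digest.update(f"{len(ident)}:".encode())
        digest.update(ident.encode())
    return digest.hexdigest()


def needs_component_refresh(last_fingerprint, sbom):
    """Return (refresh_needed, new_fingerprint) for an uploaded SBOM.

    last_fingerprint is the value stored with the project; None means
    no SBOM has been processed yet, so a full component sync is required.
    """
    new_fp = sbom_fingerprint(sbom)
    return (last_fingerprint is None or new_fp != last_fingerprint), new_fp
```

The fingerprint is only a fast pre-check for "did the component set change"; it does not replace vulnerability re-analysis, which must still run when the vulnerability database changes even if the SBOM did not.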