dependency-track
Parallel analysis BomUploadProcessTask
Current Behavior:
Currently, everything works as an event. The problem is that when I send X reviews (BOM uploads) at the same time, it starts to create events and send them to the queue, waiting to be processed by a worker, and you get the result of the first review almost when the X-th review has finished.
Proposed Behavior:
I would like BomUploadProcessTask to be asynchronous, but the rest of the events that this process task calls to be synchronous. This way, it assures you that when you launch a review, that review will be processed from beginning to end before starting with other reviews. This way, you will get the response of the first review without waiting for the others to do many things. It could even be parametrised in the config file.
I have tested it with a non-elegant solution, but it works. It would be something like this with all the dispatch events that BomUploadProcessingTask calls:
For example, in BomUploadProcessingTask, instead of:
final VulnerabilityAnalysisEvent vae = new VulnerabilityAnalysisEvent(detachedFlattenedComponent).project(detachedProject);
vae.setChainIdentifier(event.getChainIdentifier());
Event.dispatch(vae); // fired onto the FIFO queue; a worker picks it up later
do something like this:
final VulnerabilityAnalysisEvent vae = new VulnerabilityAnalysisEvent(detachedFlattenedComponent).project(detachedProject);
vae.setChainIdentifier(event.getChainIdentifier());
final VulnerabilityAnalysisTask vat = new VulnerabilityAnalysisTask();
vat.inform(vae); // run the analysis inline, as part of this upload's processing
Currently, the VulnerabilityAnalysisEvent is fired and goes into a FIFO queue. If the VulnerabilityAnalysisTask is called directly, then we would need to engineer a way to prevent the system from being the victim of a denial of service due to excessive importing of simultaneous BOMs, either intentional or unintentional.
Parsing and importing the BOM isn't a processor- or I/O-intensive task. Vulnerability analysis and the downstream tasks that go along with it are.
I don't know if I have understood you well. BomUploadProcessingTask is calling other events asynchronously with Event.dispatch(); among others, it is calling VulnerabilityAnalysisEvent (as an example). I don't understand why it can be the victim of a denial of service, since BomUploadEvent is called asynchronously and sent to a FIFO queue (before calling VulnerabilityAnalysisEvent). I'm not saying that VulnerabilityAnalysisEvent is always called synchronously. What I was trying to say is whether it makes sense for BomUploadEvent, VulnerabilityAnalysisEvent and the other events that BomUploadEvent calls to be just one task (one asynchronous task all together, given that BomUploadEvent calls the others). Probably it wasn't designed to work this way, but it makes sense to me when I send multiple BOMs and I want to get the vulns of the components of each BOM consecutively. As a simple example (with one thread), if I sent 10 BOMs, analysis number 1 would be the first to analyse and return vulnerabilities, then the second one, and so on, instead of sending multiple events to the queue and returning vulnerabilities and metrics at the end (after analyzing those 10 BOMs). I hope I have explained myself better.
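The two dispatch models argued over in this thread, as an added illustration that is not Dependency-Track's code and uses none of its classes. It simulates the shared FIFO model (every stage of every upload is its own queued event) against the proposed model (one upload runs parse, analysis and metrics to completion as a single task) and reports how long the first BOM takes to finish in each. The class and method names, the stage durations (parsing cheap, analysis expensive, as the maintainer notes) and the pool sizing are all assumptions. The proposed model is put on a bounded executor with a bounded queue that rejects further uploads once full, which is one concrete answer to the denial-of-service concern raised above: the server never queues an unbounded amount of analysis work on behalf of simultaneous uploads.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.Future;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

// Hypothetical illustration, not Dependency-Track's own code.
// Stage durations are simulated with sleeps (constructed values).
public class BomChainDemo {

    // One simulated event: a processing stage for a given BOM.
    record Stage(String bom, String name) {}

    // Parsing/importing is cheap; vulnerability analysis is the expensive stage.
    static void work(String stage) {
        long millis = stage.equals("analyse") ? 50 : 5;
        try { Thread.sleep(millis); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }

    static long elapsedMs(long startNanos) {
        return (System.nanoTime() - startNanos) / 1_000_000;
    }

    // Current model: every stage is its own event on one shared FIFO drained by one worker.
    // All parse events are enqueued first, so the first BOM's analysis waits behind every other
    // parse, and its metrics behind every other analysis. Returns ms until the first BOM completed.
    static long sharedFifoFirstResultMs(int boms) {
        LinkedBlockingQueue<Stage> fifo = new LinkedBlockingQueue<>();
        for (int i = 1; i <= boms; i++) fifo.add(new Stage("bom" + i, "parse"));
        long start = System.nanoTime();
        long firstDone = -1;
        Stage s;
        while ((s = fifo.poll()) != null) {
            work(s.name());
            switch (s.name()) {
                case "parse" -> fifo.add(new Stage(s.bom(), "analyse"));
                case "analyse" -> fifo.add(new Stage(s.bom(), "metrics"));
                case "metrics" -> { if (firstDone < 0) firstDone = elapsedMs(start); }
            }
        }
        return firstDone;
    }

    // Proposed model: one upload = one task that runs parse -> analyse -> metrics to completion.
    // Worker count and queue depth would come from configuration; AbortPolicy rejects uploads
    // once the queue is full, which is the back-pressure the DoS concern asks for.
    static long chainedTaskFirstResultMs(int boms, int workers, int queueDepth) throws Exception {
        ThreadPoolExecutor pool = new ThreadPoolExecutor(workers, workers, 0L, TimeUnit.MILLISECONDS,
                new ArrayBlockingQueue<>(queueDepth), new ThreadPoolExecutor.AbortPolicy());
        long start = System.nanoTime();
        List<Future<Long>> results = new ArrayList<>();
        int rejected = 0;
        for (int i = 1; i <= boms; i++) {
            try {
                results.add(pool.submit(() -> {
                    for (String stage : List.of("parse", "analyse", "metrics")) work(stage);
                    return elapsedMs(start);
                }));
            } catch (RejectedExecutionException e) {
                rejected++; // the upload endpoint would answer with a retry-later status instead
            }
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        long first = Long.MAX_VALUE;
        for (Future<Long> f : results) first = Math.min(first, f.get());
        System.out.println("rejected uploads (queue full): " + rejected);
        return first;
    }

    public static void main(String[] args) throws Exception {
        int boms = 10;
        System.out.println("shared FIFO,   first result after ms: " + sharedFifoFirstResultMs(boms));
        System.out.println("chained tasks, first result after ms: " + chainedTaskFirstResultMs(boms, 1, 4));
    }
}
```

With ten uploads and a single worker, the shared-FIFO model only finishes the first BOM after all ten parses and all ten analyses have run, whereas the chained model returns the first BOM's result after one parse, one analysis and one metrics pass. The cost of the chained model is exactly the point the maintainer raises: something has to cap how much analysis work simultaneous uploads can enqueue, which here is the bounded queue plus rejection rather than an unbounded FIFO.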