external-sources: throttle requests to maven central to avoid being r…

…ate limited for large sets of java dependencies (#2384) * external-sources: throttle requests to maven central to avoid being rate limited for large sets of java depenencies When [external-sources](https://github.com/anchore/grype?tab=readme-ov-file#external-sources) are enabled if an Image contains a large number of Java dependencies Grype can get rate limited by maven central. This change will: - add a rate limiter to throttle requests at 300ms per second to produce reliable results - if a normal artifact not found error is returned by maven central the existing debug logging happens - any other error from maven central will result in an error being logged - adds an integration test that can be used to verify the rate limiter so we can verify against the real external api settings Related to issue #2383 Signed-off-by: James Rawlings <[email protected]> * incorporate review feedback, add a unit test for the rate limiter behaviour Signed-off-by: James Rawlings <[email protected]> * fix linting issues Signed-off-by: Alex Goodman <[email protected]> --------- Signed-off-by: James Rawlings <[email protected]> Signed-off-by: Alex Goodman <[email protected]> Co-authored-by: Alex Goodman <[email protected]>
anchore · Jan 22, 2025 · 1685196 · 1685196
1 parent a09c704
commit 1685196
Show file tree

Hide file tree

Showing 7 changed files with 825 additions and 15 deletions.
diff --git a/go.mod b/go.mod
@@ -67,6 +67,7 @@ require (
 
 require (
 	github.com/invopop/jsonschema v0.13.0
+	golang.org/x/time v0.8.0
 	golang.org/x/tools v0.29.0
 )
 
@@ -278,7 +279,6 @@ require (
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/term v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.8.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.215.0 // indirect
 	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect

diff --git a/grype/db/v5/matcher/java/matcher.go b/grype/db/v5/matcher/java/matcher.go
@@ -1,8 +1,10 @@
 package java
 
 import (
+	"context"
 	"fmt"
 	"net/http"
+	"strings"
 
 	v5 "github.com/anchore/grype/grype/db/v5"
 	"github.com/anchore/grype/grype/db/v5/search"
@@ -34,11 +36,8 @@ type MatcherConfig struct {
 
 func NewJavaMatcher(cfg MatcherConfig) *Matcher {
 	return &Matcher{
-		cfg: cfg,
-		MavenSearcher: &mavenSearch{
-			client:  http.DefaultClient,
-			baseURL: cfg.MavenBaseURL,
-		},
+		cfg:           cfg,
+		MavenSearcher: newMavenSearch(http.DefaultClient, cfg.MavenBaseURL),
 	}
 }
 
@@ -55,7 +54,10 @@ func (m *Matcher) Match(store v5.VulnerabilityProvider, d *distro.Distro, p pkg.
 	if m.cfg.SearchMavenUpstream {
 		upstreamMatches, err := m.matchUpstreamMavenPackages(store, d, p)
 		if err != nil {
-			log.Debugf("failed to match against upstream data for %s: %v", p.Name, err)
+			if strings.Contains(err.Error(), "no artifact found") {
+				log.Debugf("no upstream maven artifact found for %s", p.Name)
+			}
+			log.WithFields("package", p.Name, "error", err).Warn("failed to resolve package details with maven")
 		} else {
 			matches = append(matches, upstreamMatches...)
 		}
@@ -76,10 +78,12 @@ func (m *Matcher) Match(store v5.VulnerabilityProvider, d *distro.Distro, p pkg.
 func (m *Matcher) matchUpstreamMavenPackages(store v5.VulnerabilityProvider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
 	var matches []match.Match
 
+	ctx := context.Background()
+
 	if metadata, ok := p.Metadata.(pkg.JavaMetadata); ok {
 		for _, digest := range metadata.ArchiveDigests {
 			if digest.Algorithm == "sha1" {
-				indirectPackage, err := m.GetMavenPackageBySha(digest.Value)
+				indirectPackage, err := m.GetMavenPackageBySha(ctx, digest.Value)
 				if err != nil {
 					return nil, err
 				}