Huge performance degradation after upgrade dependency-check-maven from 6.3.1 to 6.4.x / 6.5.x #3923
Comments
|
Are you keeping the dependency-check database between executions or are you abusing the NVD and downloading the full data set on each execution? As the NVD implemented some fairly strict rate limiting with the 6.4.x we had to slow down the downloads from the NVD. That being said - I've never seen it take over an hour. Can you provide the full verbose log file for 6.5.1 so we can see where the extra time is being spent? |
|
|
Can you do a run with the verbose log as indicated by Jeremy (including If not we would definitely be interested in the underlying debug log to try and trace down where the extra time is spent. |
|
@aikebah looking at the code: If that is the culprit - instead of resolving on each dependency that hits this line could we save the resolution results and re-use them? Alternatively - can a filter be created (like the else clause ~18 lines below) that includes the scope? |
|
@jeremylong Regarding the first: I guess caching it should be doable - if you take into consideration the alternative caching of resolution results from the exception handling as well. I was planning on seeing whether we could massively sanitize this code by doing the resolution once (never use a filter), caching the result and looking up all from either the successfully resolved dependencies or the resolved dependencies status contained in the ArtifactResolutionException, but didn't get time yet to further investigate on that. Just let me know if you're planning to work on the first approach (caching) as a quick-win. If not, I'll look and see if I can spend time on that tonight after work. So that we can try and include it in 6.5.2. |
|
I'm not going to have time with other things I'm working on to dig into this one. If you do have time - great. |
|
@sammyhk Would you be so kind to try what a snapshot built from https://github.com/jeremylong/DependencyCheck/tree/issue-3923 would yield for your project? |
|
@jeremylong local run of aggregate goal on DependencyProject itself (failing on |
|
Debug log added and a profiling result using VisualVM attached (https://gist.github.com/sammyhk/b4f5c7bd21eaacd7aea289c1341d7e7b). Please check. Will build the branch locally and check. |
|
WoW, the fix works, the execution time drop back to become 5 minutes. 👍 |
|
Added log for 6.5.2-SNAPSHOT |
Describe the bug
There is a hug performance degradation after upgrade dependency-check-maven from 6.3.1 to 6.4.x / 6.5.x.
Before the upgrade (v6.3.1) it just take ~7 minutes for running
org.owasp:dependency-check-maven:aggregatebut it bump to ~1.5 hour for running the same command in v6.4.x / v6.5.x.Note that due to issue #3679, v6.3.2 got NPE in my project so cannot have the statistic data.
Detail of the execution time:
v6.3.1: 07:06 minutes
v6.3.2: 02:04 minutes and then NPE exception
v6.4.0: 01:21 hours
v6.4.1: 01:19 hours
v6.5.0: 01:16 hours
v6.5.1: 01:17 hours
Version of dependency-check used
The problem occurs using version 6.4.0 / 6.4.1 / 6.5.0 / 6.5.1 of the maven plugin
Log file
Log will be provided when needed.
To Reproduce
Steps to reproduce the behavior:
org.owasp:dependency-check-maven:6.3.1:aggregateon a multi-module project, notice the execution timeorg.owasp:dependency-check-maven:6.4.0:aggregateon the same multi-module project, notice the execution timeExpected behavior
Should not talking some much time to execute.
Additional context
N/A
The text was updated successfully, but these errors were encountered: