Conversation

G-Rath (Collaborator) commented Sep 22, 2025

This updates the local matcher to have it skip advisories that don't have at least one affected entry with a package name matching one of the packages being scanned in the current run, which can greatly reduce the peak memory usage for databases like Ubuntu (going from something like 10GB down to 1GB).

Since we cache databases based on their ecosystem only, this does mean subsequent calls to LocalMatcher#MatchVulnerabilities will not give any results for packages that were not present in the first call - while this shouldn't be a problem currently since we handle creating the VulnerabilityMatcher as part of scanning, I've added a basic guard that returns an error if the function is called with any "partial" database cached to catch this (be it on purpose or because of a bug).

This should not impact guided remediation since it explicitly loads the database before doing any work, meaning this change won't help it, but it should also not hurt it.

Resolves #2217 (again)

G-Rath force-pushed the skip-advisories-locally branch 2 times, most recently from 67db513 to fea59d2 on September 22, 2025 03:37
codecov-commenter commented Sep 22, 2025

Codecov Report

❌ Patch coverage is 71.87500% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.46%. Comparing base (df179f4) to head (3aa885f).

Files with missing lines                                  Patch %   Lines
internal/clients/clientimpl/localmatcher/zip.go           71.42%    12 Missing
...al/clients/clientimpl/localmatcher/localmatcher.go     72.72%    5 Missing and 1 partial
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2241      +/-   ##
==========================================
- Coverage   67.71%   67.46%   -0.26%     
==========================================
  Files         169      169              
  Lines       16272    16386     +114     
==========================================
+ Hits        11019    11055      +36     
- Misses       4578     4655      +77     
- Partials      675      676       +1     


G-Rath changed the title from "perf(local): only load advisories that are about the packages being s…" to "perf(local): only load advisories that are about the packages being scanned" on Sep 22, 2025
G-Rath force-pushed the skip-advisories-locally branch from fea59d2 to ee40413 on September 22, 2025 03:51
G-Rath force-pushed the skip-advisories-locally branch from ee40413 to 53a40b3 on September 22, 2025 18:56
another-rex pushed a commit that referenced this pull request Sep 23, 2025
…flag values (#2244)

I realized we were missing these while working on #2241
G-Rath force-pushed the skip-advisories-locally branch 3 times, most recently from 364707c to 88bcecd on September 29, 2025 21:28
another-rex (Collaborator) commented:

Got a conflict, but otherwise should be good to merge

G-Rath force-pushed the skip-advisories-locally branch 2 times, most recently from 582ea62 to 0786a18 on October 1, 2025 01:01
Review comment (Collaborator) on the following code:

```go
// Excerpt under review: keep an advisory only if some affected entry names a scanned package.
func mightAffectPackages(v osvschema.Vulnerability, names []string) bool {
	for _, affected := range v.Affected {
		for _, name := range names {
			if affected.Package.Name == name {
```

We need another check for Repo name here I believe to solve the GIT issue
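
The filter from the PR description, the per-ecosystem cache with its "partial database" guard, and the reviewer's extra repository check, as an added Go example that is not code from osv-scanner or from either participant. It assumes small stand-in types for the osvschema fields involved, that the reviewer's "Repo name" means the repo URL of an affected entry's GIT range (matched by exact string equality here), a simplified MatchVulnerabilities signature that takes the advisory list in place of the on-disk zip, and constructed sample advisories:

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the osvschema fields the filter reads.
type Package struct{ Name string }
type Range struct{ Type, Repo string } // "GIT" ranges carry a repo URL
type Affected struct {
	Package Package
	Ranges  []Range
}
type Vulnerability struct {
	ID       string
	Affected []Affected
}

// mightAffectPackages keeps an advisory if an affected entry names a scanned package (the
// PR's check) or its GIT range points at a scanned repo URL (the reviewer's extra check).
func mightAffectPackages(v Vulnerability, names, repos []string) bool {
	for _, affected := range v.Affected {
		for _, name := range names {
			if name != "" && affected.Package.Name == name {
				return true
			}
		}
		for _, r := range affected.Ranges {
			if r.Type != "GIT" || r.Repo == "" {
				continue
			}
			for _, repo := range repos {
				if r.Repo == repo {
					return true
				}
			}
		}
	}
	return false
}

// filterAdvisories returns only the advisories that pass mightAffectPackages.
func filterAdvisories(in []Vulnerability, names, repos []string) []Vulnerability {
	var out []Vulnerability
	for _, v := range in {
		if mightAffectPackages(v, names, repos) {
			out = append(out, v)
		}
	}
	return out
}

// localDB is one ecosystem's cached advisories; partial marks a filtered load.
type localDB struct {
	partial bool
	vulns   []Vulnerability
}

// ErrPartialDatabase is the guard from the PR description; a filtered cache would silently miss packages.
var ErrPartialDatabase = errors.New("localmatcher: a partially loaded database is already cached")

// LocalMatcher caches one localDB per ecosystem, as the PR describes.
type LocalMatcher struct{ dbs map[string]*localDB }

func NewLocalMatcher() *LocalMatcher { return &LocalMatcher{dbs: map[string]*localDB{}} }

// LoadAll caches the full set unfiltered (guided remediation's path), so the guard never fires.
func (m *LocalMatcher) LoadAll(ecosystem string, advisories []Vulnerability) {
	m.dbs[ecosystem] = &localDB{vulns: advisories}
}

// MatchVulnerabilities answers one ecosystem's query; advisories stands in for the on-disk zip.
// On a cache miss only advisories passing the filter are kept, which is the memory saving.
func (m *LocalMatcher) MatchVulnerabilities(ecosystem string, advisories []Vulnerability, names, repos []string) ([]Vulnerability, error) {
	for _, db := range m.dbs {
		if db.partial {
			return nil, ErrPartialDatabase
		}
	}
	db, ok := m.dbs[ecosystem]
	if !ok {
		db = &localDB{partial: true, vulns: filterAdvisories(advisories, names, repos)}
		m.dbs[ecosystem] = db
	}
	return filterAdvisories(db.vulns, names, repos), nil
}

// sampleAdvisories is constructed data: two Ubuntu package advisories and one GIT-only advisory.
var sampleAdvisories = []Vulnerability{
	{ID: "EXAMPLE-0001", Affected: []Affected{{Package: Package{Name: "openssl"}}}},
	{ID: "EXAMPLE-0002", Affected: []Affected{{Package: Package{Name: "curl"}}}},
	{ID: "EXAMPLE-0003", Affected: []Affected{{Ranges: []Range{{Type: "GIT", Repo: "https://github.com/example/project"}}}}},
}

func main() {
	m := NewLocalMatcher()
	got, err := m.MatchVulnerabilities("Ubuntu", sampleAdvisories, []string{"openssl"}, nil)
	fmt.Println(len(got), len(m.dbs["Ubuntu"].vulns), err) // 1 1 <nil>: one of three advisories retained
}
```

Running it shows the memory effect in miniature: after the first query the Ubuntu cache holds one of the three advisories, and a second query with a different package name is refused with ErrPartialDatabase instead of silently returning nothing. LoadAll models the guided-remediation path, which fills the cache unfiltered so later queries for any package remain valid.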

G-Rath force-pushed the skip-advisories-locally branch from 0786a18 to 3aa885f on October 1, 2025 01:20
another-rex merged commit e40bcbd into google:main on Oct 1, 2025 (15 checks passed)
another-rex deleted the skip-advisories-locally branch on October 1, 2025 01:42

Linked issue (may be closed by merging this pull request): osv-scanner in offline mode has massive memory leak
