Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tasks not cached #100

Open
tduehr opened this issue Sep 6, 2018 · 7 comments
Open

Tasks not cached #100

tduehr opened this issue Sep 6, 2018 · 7 comments

Comments

@tduehr
Copy link

tduehr commented Sep 6, 2018

Running dependency check on a large project takes quite a while. Gradle has build caching to alleviate this problem for tasks that have not changed. Dependency check does not properly declare its inputs or outputs to enable this. Further, things that could be cached (like dependency -> cpe resolutions) are not either.

Each dependencyCheckAnalyze task should declare its inputs and outputs so the plugin can properly advise Gradle for build caching. Cache misses may also be reduced by further breaking up the tasks into sub tasks (e.g., dependency resolution, and CVE lookup) that may be cached separately. This way, an update from NIST (for example) need not invalidate all cached tasks, only the CVE lookup.

The dependencyCheckAggregate task should depend on the Analyze tasks to leverage this caching and allow parallel processing. Only the aggregation step of this task cannot be parallelized.

@jeremylong
Copy link
Collaborator

Defining the inputs and outputs has been on my todo list for a while. I'll have to consider caching some of the other items listed.

@jeremylong
Copy link
Collaborator

One of the issues I've been trying to figure out is how one would make the incoming configuration an input (in terms of gradle's incremental build). What makes this more complex is the difference between the modern way of resolving dependencies as opposed to the legacy method.

@tduehr
Copy link
Author

tduehr commented Dec 20, 2018

Use a flag file generated by the dB update task and the project’s ‘build.gradle’ file. Not the most accurate but good enough to start.

Possibly also an intermediate task that dumps a dependency tree somewhere.

@skjolber
Copy link
Contributor

skjolber commented Jul 4, 2019

Any progress on this? We're now mostly running dependency checks in the build pipeline, because running locally is a bit too much time consuming.

@jeremylong
Copy link
Collaborator

@skjolber in all honesty I keep looking at this from time to time and while defining the @Output is easy trying to figure out what the best @Input is a challenge. Considering @classpath to capture the list of resolved dependencies:

  @Classpath
  @InputFiles
  FileCollection classpath 

We also have to consider the scan set which is going to need to consider the differences for an aggregate build vs the standard analyzer: https://github.com/jeremylong/dependency-check-gradle/blob/724dfab1cb3c863a1aaa9c2dc6130ec54476b17c/src/main/groovy/org/owasp/dependencycheck/gradle/tasks/AbstractAnalyze.groovy#L328-L335

Lastly, when implementing the caching we have to consider the timeliness of the datasources. By default ODC will update the h2 database every 4 hours. So technically, we should only cache build results for 4 hours.

@gmariotti
Copy link

Hi @jeremylong, any update on this issue?

@jeremylong
Copy link
Collaborator

nope - we accept PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants