Implement resilient and memory sparing mirror process #279
Conversation
jeremylong#259) * Reimplement caching to use a per-year scope * Add forgiveness if a year fails, continue to the next one * Reimplement how the lastUpdated date is used and stored per year * Add lockfile * fix: preserve modified entries if year fails * polish docs, add exit code --------- Co-authored-by: Jeremy Long <[email protected]>
* fix: bugfix in yearly cache update * fix: ensure sorted * fix: updated modified date in properties
* feat: retry nvd cache on failure * fix: updated per peer review
|
I found out, that the slice-size is something and makes the NVD API crash. For example: is a 115 days slice that does consistently crash. So 30 days less, works. Also using it to 'cross the 04/28' works so the API, maybe under load, decides to simply not handle requests of a specific size. This crash is consistent since 6 hours. I thus implemented a new parameter for the cli This is most probably one of those things that make the current main implementation so fragile - consider the API load status, the API will not return more items then X and fail with an 503 if a request still would return so many items. 'Fetch them all' is just nothing that works, neither for the memory nor on the API, like expected |
|
NVD is likely under load right now because of the error and users not upgrading and instead just trying again. It should level off soon. |
|
This is not an exception at all. This is the case for a long long time (weeks)- it was the motivation for my work in the first place. And several days around the first implementation the API was down regularly. This happens day in day out IMHO. |
|
If you are running into this daily - you are doing something wrong. Once you build the cache don't throw it away. For instance: https://github.com/dependency-check/DependencyCheck_Builder/actions/workflows/cache.yml has been running for a long time and has only had a few times where it had issues. |
EugenMayer
changed the base branch from
scratch/memory-usage-per-year
to
main
|
The current status of this pr, aka 'api resilience and memory' does finally work with the current ODC like gradle. Features are:
Drawbacks;
IMHO this approach finishes more reliable and deterministic, even with NVD API errors, while it can be slower then the current process, if the NVD API does not fail at all. For me, neither from the dev machine nor from our DC k8s cluster, I have never seen a run that finished without NVD failing to answer (including the 12 retries). So IMHO for me, betting on that horse does not make sense. You can try it yourself using |
EugenMayer
changed the title
|
@jeremylong am i right to assume that you are not considering merging this PR? |
I would love to work on a patch to improve the situation:
Seperate the processes to
--forceUpdate, off by defaultThose process run one after the other
With this, we combine the positive effects of both: Reduce memory hogging and speedy regular modified updates.
@jeremylong what are your thoughts?
Stats:
innitial population
= 93 API calls
after the first cache population, lets say i run the next day:
= 1 API request
after 9 days passed
= 93 API calls
Thus the more expensive api calls are triggered every 8 days.
Further options: