
external-sources: throttle requests to maven central to avoid being r…
…ate limited for large sets of java dependencies (#2384)

* external-sources: throttle requests to maven central to avoid being rate limited for large sets of java dependencies

When [external-sources](https://github.com/anchore/grype?tab=readme-ov-file#external-sources) are enabled if an Image contains a large number of Java dependencies Grype can get rate limited by maven central.

This change will:
- add a rate limiter to throttle requests at 300ms per second to produce reliable results
- if a normal artifact not found error is returned by maven central the existing debug logging happens
- any other error from maven central will result in an error being logged
- adds an integration test that can be used to verify the rate limiter so we can verify against the real external api settings

Related to issue #2383

Signed-off-by: James Rawlings <[email protected]>

* incorporate review feedback, add a unit test for the rate limiter behaviour

Signed-off-by: James Rawlings <[email protected]>

* fix linting issues

Signed-off-by: Alex Goodman <[email protected]>

---------

Signed-off-by: James Rawlings <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
Co-authored-by: Alex Goodman <[email protected]>
rawlingsj and wagoodman authored Jan 22, 2025
1 parent a09c704 commit 1685196
Showing 7 changed files with 825 additions and 15 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -67,6 +67,7 @@ require (

require (
github.com/invopop/jsonschema v0.13.0
golang.org/x/time v0.8.0
golang.org/x/tools v0.29.0
)

Expand Down Expand Up @@ -278,7 +279,6 @@ require (
golang.org/x/sys v0.29.0 // indirect
golang.org/x/term v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
golang.org/x/time v0.8.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/api v0.215.0 // indirect
google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
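--- a/grype/db/v5/matcher/java/matcher.go
+++ b/grype/db/v5/matcher/java/matcher.go
@@ -1,8 +1,10 @@
 package java
 
 import (
+	"context"
 	"fmt"
 	"net/http"
+	"strings"
 
 	v5 "github.com/anchore/grype/grype/db/v5"
 	"github.com/anchore/grype/grype/db/v5/search"
@@ -34,11 +36,8 @@ type MatcherConfig struct {
 
 func NewJavaMatcher(cfg MatcherConfig) *Matcher {
 	return &Matcher{
-		cfg: cfg,
-		MavenSearcher: &mavenSearch{
-			client: http.DefaultClient,
-			baseURL: cfg.MavenBaseURL,
-		},
+		cfg: cfg,
+		MavenSearcher: newMavenSearch(http.DefaultClient, cfg.MavenBaseURL),
 	}
 }
 
@@ -55,7 +54,10 @@ func (m *Matcher) Match(store v5.VulnerabilityProvider, d *distro.Distro, p pkg.
 	if m.cfg.SearchMavenUpstream {
 		upstreamMatches, err := m.matchUpstreamMavenPackages(store, d, p)
 		if err != nil {
-			log.Debugf("failed to match against upstream data for %s: %v", p.Name, err)
+			if strings.Contains(err.Error(), "no artifact found") {
+				log.Debugf("no upstream maven artifact found for %s", p.Name)
+			}
+			log.WithFields("package", p.Name, "error", err).Warn("failed to resolve package details with maven")
 		} else {
 			matches = append(matches, upstreamMatches...)
 		}
@@ -76,10 +78,12 @@ func (m *Matcher) Match(store v5.VulnerabilityProvider, d *distro.Distro, p pkg.
 func (m *Matcher) matchUpstreamMavenPackages(store v5.VulnerabilityProvider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
 	var matches []match.Match
 
+	ctx := context.Background()
+
 	if metadata, ok := p.Metadata.(pkg.JavaMetadata); ok {
 		for _, digest := range metadata.ArchiveDigests {
 			if digest.Algorithm == "sha1" {
-				indirectPackage, err := m.GetMavenPackageBySha(digest.Value)
+				indirectPackage, err := m.GetMavenPackageBySha(ctx, digest.Value)
 				if err != nil {
 					return nil, err
 				}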
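Review bot: In the third hunk (the error branch inside Match), the "no artifact found" case is logged at debug level but then falls through to the Warn on the following line, so every lookup miss is logged twice and the warning fires for the very case the commit message says should stay at debug. Make the Warn the else branch of that check: `} else {` / `log.WithFields("package", p.Name, "error", err).Warn("failed to resolve package details with maven")` / `}`. Matching on the error text with strings.Contains is also fragile; if the searcher can expose a sentinel error, `errors.Is` would be the safer check, but that lives outside this hunk. In the fourth hunk, `context.Background()` gives the throttled lookups no cancellation or deadline; Match has no ctx parameter so this is understandable, but a short comment saying so would help the next reader. Match's body continues outside both hunks.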
