-
Notifications
You must be signed in to change notification settings - Fork 581
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Syft scan in offline mode is slow #3455
Comments
An initial glance shows that what's taking time is the
Now the time to read that many DLLs make sense, however, looking at the raw syft results I think a few things need to be verified:
I see a lot of packages (46,897!) and a lot of them have multiple duplicates (some in the hundreds!). We try to keep distinct project dependency graphs, so it might be possible that this is correct, but I think it would be worth double checking this result too. Back to the topic at hand: performance... I don't see how we can scan that many DLLs in only seconds, so that doesn't seem like the right answer here. The
And when we ignore DLLs (thus look purely at the deps.json) we see much better performance:
As a workaround @KeylinxTobias can you try out running syft with Side note: I wonder if we should have a |
There is a request for a csproj cataloger: #1522 |
is this issue happens on windows OS? |
@TimBrown1611 I don't believe this is a windows specific issue, no. GIven @wagoodman ran |
We are having our build environment disconnected from Internet for security reasons and want to be able to produce an non enriched SBOM using Syft. However when running Syft, the scanning is very slow. Using the verbose logging and we can track that it is some dll's that take a lot of time. We have checked the configuration options and tried to disable as much as possible but it still does not go well. It seems that when scanning each file, Syft tries to go out on Internet and check for something and then times out? A common solution for us can sometimes take about an hour to produce the SBOM. When using other scanners like Trivy, we are down to seconds.
We are mainly using nuget packages in our solution and are using windows servers for our build environment.
How to reproduce:
Thanks in advance.
The text was updated successfully, but these errors were encountered: