DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Home Page: https://dependencytrack.org/

Upcoming Trivy integration is awesome, but a bit slow

robert-blackman opened this issue

Current Behavior

Hey! We're really looking forward to the Trivy support added in 4.11.x, so we've been testing out the snapshot. We've noticed poor performance when scanning SBOMs with larger numbers of components (~600+); in some cases the scan can take 10 minutes. The Trivy scan itself only takes a few seconds to return a result.

It's understood that this functionality is unreleased, but I'm keen to take a run at improving it 👍

Thanks again everyone, really great project.

Steps to Reproduce

  1. Enable Trivy integration using 4.11.0-SNAPSHOT
  2. Start an analysis
  3. Make coffee
  4. Get results

Expected Behavior

Repro steps minus step 3 🙂

It would be nice to reduce the scan time as much as possible to facilitate blocking CI/CD pipelines.

Dependency-Track Version

4.11.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15.4

Browser

N/A

Checklist
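To reproduce the timing the steps above describe from a CI job rather than by hand, here is an added example (not code from Dependency-Track or from the issue author) that uploads a BOM, polls the processing token with a hard time budget, and summarises the findings. It assumes the 4.x REST API shape: `PUT /api/v1/bom` with a base64 BOM returning `{"token": ...}`, `GET /api/v1/bom/token/{token}` returning `{"processing": bool}`, `GET /api/v1/finding/project/{uuid}` returning findings that carry `vulnerability.severity`, and `X-Api-Key` authentication. The server URL, API key and project UUID in the `__main__` block are placeholders.

```python
"""Time a Dependency-Track BOM analysis end to end and fail a CI job if it
exceeds a budget. Added example; not part of Dependency-Track. Endpoint
paths and response fields below are assumptions about the 4.x REST API."""
import base64
import json
import sys
import time
import urllib.request


class AnalysisTimeout(Exception):
    """Raised when the analysis is still running after the time budget."""


def wait_for_token(poll, timeout_s, interval_s=2.0,
                   clock=time.monotonic, sleep=time.sleep):
    """Poll until poll() returns False (analysis finished) or the budget runs out.

    Returns elapsed seconds. poll, clock and sleep are injectable so the loop
    can be exercised without a server.
    """
    start = clock()
    while poll():
        elapsed = clock() - start
        if elapsed >= timeout_s:
            raise AnalysisTimeout(f"analysis still processing after {elapsed:.0f}s")
        sleep(interval_s)
    return clock() - start


def summarize(findings):
    """Count findings per severity (assumes each finding carries
    vulnerability.severity; missing values are bucketed as UNASSIGNED)."""
    counts = {}
    for f in findings:
        sev = f.get("vulnerability", {}).get("severity", "UNASSIGNED")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


class DependencyTrackClient:
    def __init__(self, base_url, api_key):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key

    def _request(self, method, path, body=None):
        headers = {"X-Api-Key": self.api_key, "Accept": "application/json"}
        data = None
        if body is not None:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def upload_bom(self, project_uuid, bom_bytes):
        # JSON upload variant (assumed): BOM is base64-encoded in the body.
        body = {"project": project_uuid,
                "bom": base64.b64encode(bom_bytes).decode()}
        return self._request("PUT", "/api/v1/bom", body)["token"]

    def is_processing(self, token):
        return bool(self._request("GET", f"/api/v1/bom/token/{token}")["processing"])

    def findings(self, project_uuid):
        return self._request("GET", f"/api/v1/finding/project/{project_uuid}")


def time_analysis(client, project_uuid, bom_bytes, timeout_s):
    """Upload, wait for the analysis to finish, return (elapsed_s, severity counts)."""
    token = client.upload_bom(project_uuid, bom_bytes)
    elapsed = wait_for_token(lambda: client.is_processing(token), timeout_s)
    return elapsed, summarize(client.findings(project_uuid))


if __name__ == "__main__":
    # Placeholder values; replace with your server, API key and project UUID.
    client = DependencyTrackClient("http://localhost:8081", "YOUR_API_KEY")
    with open(sys.argv[1], "rb") as fh:
        bom = fh.read()
    try:
        secs, counts = time_analysis(client, "PROJECT-UUID", bom, timeout_s=300)
    except AnalysisTimeout as exc:
        print(f"FAIL: {exc}")
        sys.exit(1)
    print(f"analysis finished in {secs:.1f}s: {counts}")
```

Run it as `python time_dt_scan.py bom.json` from the pipeline step that would otherwise block; the non-zero exit on timeout is what turns a slow analyzer into a visible pipeline failure instead of a stalled job, and the elapsed time gives a number to attach to reports like this one.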