improve caching of SBOM/scan results #478

Description

@smira

Short version:

  1. Derive proper caching key for SBOM/scan result.
  2. Do singleflight for both SBOM generation based on the key and for the scan itself.

See also #476

Cache key - we can try to follow the path established for image building:

  1. Schematic is mapped into the imager's Profile. Here SBOM depends only on the extensions list, so we don't need to populate anything else.
  2. Profile is cleaned up, marshaled and hashed.
  3. This provides an SBOM key which already includes schematic, Talos version and arch.
  4. Add singleflight based on this key around SBOM generation, use it for caching.
  5. For the security scan - same applies, the only new stuff is invalidation based on VEX/vulndb. We should also do singleflight.

Test plan:

  1. Get an SBOM/scan for a schematic A.
  2. Mutate schematic in a way that shouldn't affect the SBOM - e.g. test with embedded config, kernel args, etc.
  3. Verify that SBOM for schematic B is delivered (almost) immediately - it should be cached.
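
One way the key derivation and singleflight steps above could look in Go, as an added example that is not code from this issue or from the project. `Schematic`, `sbomKey`, `scanKey` and `Cache` are hypothetical names, the sample values are constructed, and sorting the extensions assumes their order does not affect the SBOM.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"sort"
	"sync"
)

// Schematic is a hypothetical, reduced stand-in for a factory schematic.
type Schematic struct{ Extensions, KernelArgs []string }

// digest marshals v to JSON and returns the hex SHA-256 of the bytes.
func digest(v any) string {
	b, _ := json.Marshal(v) // cannot fail for the strings and slices used here
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// sbomKey hashes only SBOM-relevant inputs; kernel args are left out on purpose.
func sbomKey(s Schematic, version, arch string) string {
	exts := append([]string(nil), s.Extensions...)
	sort.Strings(exts) // assumption: extension order does not affect the SBOM
	return digest([]any{version, arch, exts})
}

// scanKey extends the SBOM key so new vulndb or VEX data invalidates old scans.
func scanKey(sbom, vulnDB, vex string) string { return digest([]string{sbom, vulnDB, vex}) }

// Cache runs gen once per key; concurrent callers wait and share it. Errors are not modelled.
type Cache struct{ m sync.Map }
type entry struct {
	once sync.Once
	val  string
}

func (c *Cache) Get(key string, gen func() string) string {
	v, _ := c.m.LoadOrStore(key, &entry{})
	e := v.(*entry)
	e.once.Do(func() { e.val = gen() })
	return e.val
}

func main() {
	var c Cache
	gen := func() string { println("generating SBOM"); return "sbom" }
	c.Get(sbomKey(Schematic{[]string{"ext-a"}, []string{"quiet"}}, "v0.0.0", "amd64"), gen)
	c.Get(sbomKey(Schematic{[]string{"ext-a"}, nil}, "v0.0.0", "amd64"), gen) // cache hit
}
```

A production version would also need to avoid caching failed generations and to bound or expire entries, neither of which this sketch handles.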
