feat: add local cache to sbom enrichment (#119)

Author: snyk-will

lib/ecosystems/cache.go

@@ -0,0 +1,93 @@
+/*
+ * © 2023 Snyk Limited All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ecosystems
+
+import (
+	"sync"
+
+	"github.com/package-url/packageurl-go"
+
+	"github.com/snyk/parlay/ecosystems/packages"
+)
+
+type Cache interface {
+	GetPackageData(purl packageurl.PackageURL) (*packages.GetRegistryPackageResponse, error)
+	GetPackageVersionData(purl packageurl.PackageURL) (*packages.GetRegistryPackageVersionResponse, error)
+}
+
+type InMemoryCache struct {
+	packageCache        map[string]*packages.GetRegistryPackageResponse
+	packageVersionCache map[string]*packages.GetRegistryPackageVersionResponse
+	mu                  sync.RWMutex
+}
+
+func NewInMemoryCache() *InMemoryCache {
+	return &InMemoryCache{
+		packageCache:        make(map[string]*packages.GetRegistryPackageResponse),
+		packageVersionCache: make(map[string]*packages.GetRegistryPackageVersionResponse),
+	}
+}
+
+func (c *InMemoryCache) GetPackageData(purl packageurl.PackageURL) (*packages.GetRegistryPackageResponse, error) {
+	key := purl.ToString()
+
+	c.mu.RLock()
+	if cached, exists := c.packageCache[key]; exists {
+		c.mu.RUnlock()
+		return cached, nil
+	}
+	c.mu.RUnlock()
+
+	response, err := GetPackageData(purl)
+	if err != nil {
+		return nil, err
+	}
+
+	c.mu.Lock()
+	c.packageCache[key] = response
+	c.mu.Unlock()
+
+	return response, nil
+}
+
+func (c *InMemoryCache) GetPackageVersionData(purl packageurl.PackageURL) (*packages.GetRegistryPackageVersionResponse, error) {
+	key := purl.ToString()
+
+	c.mu.RLock()
+	if cached, exists := c.packageVersionCache[key]; exists {
+		c.mu.RUnlock()
+		return cached, nil
+	}
+	c.mu.RUnlock()
+
+	response, err := GetPackageVersionData(purl)
+	if err != nil {
+		return nil, err
+	}
+
+	c.mu.Lock()
+	c.packageVersionCache[key] = response
+	c.mu.Unlock()
+
+	return response, nil
+}
+
+func (c *InMemoryCache) GetCacheStats() (int, int) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return len(c.packageCache), len(c.packageVersionCache)
+}

lib/ecosystems/cache_test.go

@@ -0,0 +1,224 @@
+/*
+ * © 2023 Snyk Limited All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ecosystems
+
+import (
+	"sync"
+	"testing"
+
+	"github.com/jarcoal/httpmock"
+	"github.com/package-url/packageurl-go"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestInMemoryCache_GetPackageData(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	mockResponse := `{"name": "test-package", "description": "Test package"}`
+	httpmock.RegisterResponder(
+		"GET",
+		`=~^https://packages.ecosyste.ms/api/v1/registries`,
+		httpmock.NewStringResponder(200, mockResponse),
+	)
+
+	cache := NewInMemoryCache()
+	purl, err := packageurl.FromString("pkg:npm/[email protected]")
+	require.NoError(t, err)
+
+	resp1, err := cache.GetPackageData(purl)
+	assert.NoError(t, err)
+	assert.NotNil(t, resp1)
+
+	resp2, err := cache.GetPackageData(purl)
+	assert.NoError(t, err)
+	assert.NotNil(t, resp2)
+	assert.Equal(t, resp1, resp2)
+
+	callCount := httpmock.GetTotalCallCount()
+	assert.Equal(t, 1, callCount)
+
+	pkgCacheSize, versionCacheSize := cache.GetCacheStats()
+	assert.Equal(t, 1, pkgCacheSize)
+	assert.Equal(t, 0, versionCacheSize)
+}
+
+func TestInMemoryCache_GetPackageVersionData(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	mockResponse := `{"number": "1.0.0", "licenses": "MIT"}`
+	httpmock.RegisterResponder(
+		"GET",
+		`=~^https://packages.ecosyste.ms/api/v1/registries`,
+		httpmock.NewStringResponder(200, mockResponse),
+	)
+
+	cache := NewInMemoryCache()
+	purl, err := packageurl.FromString("pkg:npm/[email protected]")
+	require.NoError(t, err)
+
+	resp1, err := cache.GetPackageVersionData(purl)
+	assert.NoError(t, err)
+	assert.NotNil(t, resp1)
+
+	resp2, err := cache.GetPackageVersionData(purl)
+	assert.NoError(t, err)
+	assert.NotNil(t, resp2)
+	assert.Equal(t, resp1, resp2)
+
+	callCount := httpmock.GetTotalCallCount()
+	assert.Equal(t, 1, callCount)
+
+	pkgCacheSize, versionCacheSize := cache.GetCacheStats()
+	assert.Equal(t, 0, pkgCacheSize)
+	assert.Equal(t, 1, versionCacheSize)
+}
+
+func TestInMemoryCache_DifferentPackages(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	httpmock.RegisterResponder(
+		"GET",
+		`=~^https://packages.ecosyste.ms/api/v1/registries`,
+		httpmock.NewStringResponder(200, `{}`),
+	)
+
+	cache := NewInMemoryCache()
+	purl1, err := packageurl.FromString("pkg:npm/[email protected]")
+	require.NoError(t, err)
+	purl2, err := packageurl.FromString("pkg:npm/[email protected]")
+	require.NoError(t, err)
+
+	_, err = cache.GetPackageData(purl1)
+	assert.NoError(t, err)
+	_, err = cache.GetPackageData(purl2)
+	assert.NoError(t, err)
+
+	callCount := httpmock.GetTotalCallCount()
+	assert.Equal(t, 2, callCount)
+
+	pkgCacheSize, versionCacheSize := cache.GetCacheStats()
+	assert.Equal(t, 2, pkgCacheSize)
+	assert.Equal(t, 0, versionCacheSize)
+}
+
+func TestInMemoryCache_SamePackageDifferentVersions(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	httpmock.RegisterResponder(
+		"GET",
+		`=~^https://packages.ecosyste.ms/api/v1/registries`,
+		httpmock.NewStringResponder(200, `{}`),
+	)
+
+	cache := NewInMemoryCache()
+	purl1, err := packageurl.FromString("pkg:npm/[email protected]")
+	require.NoError(t, err)
+	purl2, err := packageurl.FromString("pkg:npm/[email protected]")
+	require.NoError(t, err)
+
+	_, err = cache.GetPackageData(purl1)
+	assert.NoError(t, err)
+	_, err = cache.GetPackageData(purl2)
+	assert.NoError(t, err)
+
+	// Different versions = different cache entries
+	callCount := httpmock.GetTotalCallCount()
+	assert.Equal(t, 2, callCount)
+
+	pkgCacheSize, versionCacheSize := cache.GetCacheStats()
+	assert.Equal(t, 2, pkgCacheSize)
+	assert.Equal(t, 0, versionCacheSize)
+}
+
+func TestInMemoryCache_APIError(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	// HTTP client returns a successful response even with 500 status
+	// So we need to test that the client properly handles this case
+	httpmock.RegisterResponder(
+		"GET",
+		`=~^https://packages.ecosyste.ms/api/v1/registries`,
+		httpmock.NewStringResponder(500, `{"error": "internal server error"}`),
+	)
+
+	cache := NewInMemoryCache()
+	purl, err := packageurl.FromString("pkg:npm/[email protected]")
+	require.NoError(t, err)
+
+	// HTTP client doesn't treat 500 as error
+	resp1, err := cache.GetPackageData(purl)
+	assert.NoError(t, err)
+	assert.Equal(t, 500, resp1.StatusCode())
+
+	resp2, err := cache.GetPackageData(purl)
+	assert.NoError(t, err)
+	assert.Equal(t, 500, resp2.StatusCode())
+	assert.Equal(t, resp1, resp2)
+
+	// Second call used cache
+	callCount := httpmock.GetTotalCallCount()
+	assert.Equal(t, 1, callCount)
+
+	pkgCacheSize, versionCacheSize := cache.GetCacheStats()
+	assert.Equal(t, 1, pkgCacheSize)
+	assert.Equal(t, 0, versionCacheSize)
+}
+
+func TestInMemoryCache_ConcurrentAccess(t *testing.T) {
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+
+	httpmock.RegisterResponder(
+		"GET",
+		`=~^https://packages.ecosyste.ms/api/v1/registries`,
+		httpmock.NewStringResponder(200, `{}`),
+	)
+
+	cache := NewInMemoryCache()
+	purl, err := packageurl.FromString("pkg:npm/[email protected]")
+	require.NoError(t, err)
+
+	var wg sync.WaitGroup
+	numGoroutines := 100
+
+	for i := 0; i < numGoroutines; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			_, err := cache.GetPackageData(purl)
+			assert.NoError(t, err)
+		}()
+	}
+
+	wg.Wait()
+
+	// Should only have one entry despite concurrent access
+	pkgCacheSize, versionCacheSize := cache.GetCacheStats()
+	assert.Equal(t, 1, pkgCacheSize)
+	assert.Equal(t, 0, versionCacheSize)
+
+	// API should have been called at least once, but should be much less than 100 due to caching
+	// Can't guarantee exactly 1 call due to race conditions, but should be significantly less than numGoroutines
+	callCount := httpmock.GetTotalCallCount()
+	assert.True(t, callCount >= 1 && callCount < numGoroutines)
+}

lib/ecosystems/enrich_cyclonedx.go

@@ -30,8 +30,10 @@ import (
 	"github.com/snyk/parlay/internal/utils"
 )
 
-type cdxPackageEnricher = func(*cdx.Component, *packages.Package)
-type cdxPackageVersionEnricher = func(*cdx.Component, *packages.VersionWithDependencies, *packages.Package)
+type (
+	cdxPackageEnricher        = func(*cdx.Component, *packages.Package)
+	cdxPackageVersionEnricher = func(*cdx.Component, *packages.VersionWithDependencies, *packages.Package)
+)
 
 var cdxPackageEnrichers = []cdxPackageEnricher{
 	enrichCDXDescription,
@@ -195,6 +197,7 @@ func enrichCDXTopics(comp *cdx.Component, data *packages.Package) {
 
 func enrichCDX(bom *cdx.BOM, logger *zerolog.Logger) {
 	wg := sizedwaitgroup.New(20)
+	cache := NewInMemoryCache()
 
 	comps := utils.DiscoverCDXComponents(bom)
 	logger.Debug().Msgf("Detected %d packages", len(comps))
@@ -213,7 +216,7 @@ func enrichCDX(bom *cdx.BOM, logger *zerolog.Logger) {
 				return
 			}
 
-			packageResp, err := GetPackageData(purl)
+			packageResp, err := cache.GetPackageData(purl)
 			if err != nil {
 				l.Debug().
 					Err(err).
@@ -232,7 +235,7 @@ func enrichCDX(bom *cdx.BOM, logger *zerolog.Logger) {
 				enrichFunc(comp, packageResp.JSON200)
 			}
 
-			packageVersionResp, err := GetPackageVersionData(purl)
+			packageVersionResp, err := cache.GetPackageVersionData(purl)
 			if err != nil {
 				l.Debug().
 					Err(err).
@@ -250,7 +253,6 @@ func enrichCDX(bom *cdx.BOM, logger *zerolog.Logger) {
 			for _, enrichFunc := range cdxPackageVersionEnrichers {
 				enrichFunc(comp, packageVersionResp.JSON200, packageResp.JSON200)
 			}
-
 		}(comps[i])
 	}
 

lib/ecosystems/enrich_spdx.go

@@ -35,13 +35,15 @@ func enrichSPDX(bom *spdx.Document, logger *zerolog.Logger) {
 
 	logger.Debug().Msgf("Detected %d packages", len(packages))
 
+	cache := NewInMemoryCache()
+
 	for _, pkg := range packages {
 		purl, err := extractPurl(pkg)
 		if err != nil {
 			continue
 		}
 
-		packageResp, err := GetPackageData(*purl)
+		packageResp, err := cache.GetPackageData(*purl)
 		if err != nil {
 			continue
 		}
@@ -55,7 +57,7 @@ func enrichSPDX(bom *spdx.Document, logger *zerolog.Logger) {
 		enrichSPDXHomepage(pkg, pkgData)
 		enrichSPDXSupplier(pkg, pkgData)
 
-		packageVersionResp, err := GetPackageVersionData(*purl)
+		packageVersionResp, err := cache.GetPackageVersionData(*purl)
 		if err != nil {
 			continue
 		}