perf(local): only load advisories that are about the packages being scanned

Author: G-Rath

internal/clients/clientimpl/localmatcher/localmatcher.go

@@ -69,7 +69,7 @@ func (matcher *LocalMatcher) MatchVulnerabilities(ctx context.Context, invs []*e
 			continue
 		}
 
-		db, err := matcher.loadDBFromCache(ctx, pkg.Ecosystem())
+		db, err := matcher.loadDBFromCache(ctx, pkg.Ecosystem(), invs)
 
 		if err != nil {
 			// no logging here as the loader will have already done that
@@ -87,12 +87,12 @@ func (matcher *LocalMatcher) MatchVulnerabilities(ctx context.Context, invs []*e
 // LoadEcosystem tries to preload the ecosystem into the cache, and returns an error if the ecosystem
 // cannot be loaded.
 func (matcher *LocalMatcher) LoadEcosystem(ctx context.Context, eco osvecosystem.Parsed) error {
-	_, err := matcher.loadDBFromCache(ctx, eco)
+	_, err := matcher.loadDBFromCache(ctx, eco, nil)
 
 	return err
 }
 
-func (matcher *LocalMatcher) loadDBFromCache(ctx context.Context, eco osvecosystem.Parsed) (*ZipDB, error) {
+func (matcher *LocalMatcher) loadDBFromCache(ctx context.Context, eco osvecosystem.Parsed, invs []*extractor.Package) (*ZipDB, error) {
 	if db, ok := matcher.dbs[eco.Ecosystem]; ok {
 		return db, nil
 	}
@@ -101,7 +101,15 @@ func (matcher *LocalMatcher) loadDBFromCache(ctx context.Context, eco osvecosyst
 		return nil, matcher.failedDBs[eco.Ecosystem]
 	}
 
-	db, err := NewZippedDB(ctx, matcher.dbBasePath, string(eco.Ecosystem), fmt.Sprintf("%s/%s/all.zip", zippedDBRemoteHost, eco.Ecosystem), matcher.userAgent, !matcher.downloadDB)
+	db, err := NewZippedDB(
+		ctx,
+		matcher.dbBasePath,
+		string(eco.Ecosystem),
+		fmt.Sprintf("%s/%s/all.zip", zippedDBRemoteHost, eco.Ecosystem),
+		matcher.userAgent,
+		!matcher.downloadDB,
+		invs,
+	)
 
 	if err != nil {
 		matcher.failedDBs[eco.Ecosystem] = err

internal/clients/clientimpl/localmatcher/zip.go

@@ -16,6 +16,7 @@ import (
 	"path"
 	"strings"
 
+	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scanner/v2/internal/cmdlogger"
 	"github.com/google/osv-scanner/v2/internal/imodels"
 	"github.com/google/osv-scanner/v2/internal/utility/vulns"
@@ -143,9 +144,21 @@ func (db *ZipDB) fetchZip(ctx context.Context) ([]byte, error) {
 	return body, nil
 }
 
+func mightAffectPackages(v osvschema.Vulnerability, names []string) bool {
+	for _, affected := range v.Affected {
+		for _, name := range names {
+			if affected.Package.Name == name {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 // Loads the given zip file into the database as an OSV.
 // It is assumed that the file is JSON and in the working directory of the db
-func (db *ZipDB) loadZipFile(zipFile *zip.File) {
+func (db *ZipDB) loadZipFile(zipFile *zip.File, names []string) {
 	file, err := zipFile.Open()
 	if err != nil {
 		cmdlogger.Warnf("Could not read %s: %v", zipFile.Name, err)
@@ -169,16 +182,23 @@ func (db *ZipDB) loadZipFile(zipFile *zip.File) {
 		return
 	}
 
-	db.Vulnerabilities = append(db.Vulnerabilities, vulnerability)
+	// if we have been provided a list of package names, only load advisories
+	// that might actually affect those packages, rather than all advisories
+	if len(names) == 0 || mightAffectPackages(vulnerability, names) {
+		db.Vulnerabilities = append(db.Vulnerabilities, vulnerability)
+	}
 }
 
 // load fetches a zip archive of the OSV database and loads known vulnerabilities
 // from it (which are assumed to be in json files following the OSV spec).
 //
+// If a list of package names is provided, then only advisories with at least
+// one affected entry for a listed package will be loaded.
+//
 // Internally, the archive is cached along with the date that it was fetched
 // so that a new version of the archive is only downloaded if it has been
 // modified, per HTTP caching standards.
-func (db *ZipDB) load(ctx context.Context) error {
+func (db *ZipDB) load(ctx context.Context, names []string) error {
 	db.Vulnerabilities = []osvschema.Vulnerability{}
 
 	body, err := db.fetchZip(ctx)
@@ -198,21 +218,30 @@ func (db *ZipDB) load(ctx context.Context) error {
 			continue
 		}
 
-		db.loadZipFile(zipFile)
+		db.loadZipFile(zipFile, names)
 	}
 
 	return nil
 }
 
-func NewZippedDB(ctx context.Context, dbBasePath, name, url, userAgent string, offline bool) (*ZipDB, error) {
+func NewZippedDB(ctx context.Context, dbBasePath, name, url, userAgent string, offline bool, invs []*extractor.Package) (*ZipDB, error) {
 	db := &ZipDB{
 		Name:       name,
 		ArchiveURL: url,
 		Offline:    offline,
 		StoredAt:   path.Join(dbBasePath, name, "all.zip"),
 		UserAgent:  userAgent,
 	}
-	if err := db.load(ctx); err != nil {
+	names := make([]string, 0, len(invs))
+
+	// map the packages to their names ahead of loading,
+	// to make things simpler and reduce double working
+	for _, inv := range invs {
+		in := imodels.FromInventory(inv)
+		names = append(names, in.Name())
+	}
+
+	if err := db.load(ctx, names); err != nil {
 		return nil, fmt.Errorf("unable to fetch OSV database: %w", err)
 	}
 

internal/clients/clientimpl/localmatcher/zip_test.go

@@ -16,6 +16,7 @@ import (
 	"sort"
 	"testing"
 
+	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher"
 	"github.com/google/osv-scanner/v2/internal/testutility"
 	"github.com/google/osv-scanner/v2/internal/version"
@@ -146,7 +147,7 @@ func TestNewZippedDB_Offline_WithoutCache(t *testing.T) {
 		t.Errorf("a server request was made when running offline")
 	})
 
-	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, true)
+	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, true, nil)
 
 	if !errors.Is(err, localmatcher.ErrOfflineDatabaseNotFound) {
 		t.Errorf("expected \"%v\" error but got \"%v\"", localmatcher.ErrOfflineDatabaseNotFound, err)
@@ -178,7 +179,7 @@ func TestNewZippedDB_Offline_WithCache(t *testing.T) {
 		"GHSA-5.json": {ID: "GHSA-5"},
 	}))
 
-	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, true)
+	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, true, nil)
 
 	if err != nil {
 		t.Fatalf("unexpected error \"%v\"", err)
@@ -196,7 +197,7 @@ func TestNewZippedDB_BadZip(t *testing.T) {
 		_, _ = w.Write([]byte("this is not a zip"))
 	})
 
-	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false)
+	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)
 
 	if err == nil {
 		t.Errorf("expected an error but did not get one")
@@ -208,7 +209,7 @@ func TestNewZippedDB_UnsupportedProtocol(t *testing.T) {
 
 	testDir := testutility.CreateTestDir(t)
 
-	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", "file://hello-world", userAgent, false)
+	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", "file://hello-world", userAgent, false, nil)
 
 	if err == nil {
 		t.Errorf("expected an error but did not get one")
@@ -238,7 +239,7 @@ func TestNewZippedDB_Online_WithoutCache(t *testing.T) {
 		})
 	})
 
-	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false)
+	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)
 
 	if err != nil {
 		t.Fatalf("unexpected error \"%v\"", err)
@@ -270,7 +271,7 @@ func TestNewZippedDB_Online_WithoutCacheAndNoHashHeader(t *testing.T) {
 		}))
 	})
 
-	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false)
+	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)
 
 	if err != nil {
 		t.Fatalf("unexpected error \"%v\"", err)
@@ -308,7 +309,7 @@ func TestNewZippedDB_Online_WithSameCache(t *testing.T) {
 
 	cacheWrite(t, determineStoredAtPath(testDir, "my-db"), cache)
 
-	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false)
+	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)
 
 	if err != nil {
 		t.Fatalf("unexpected error \"%v\"", err)
@@ -346,7 +347,7 @@ func TestNewZippedDB_Online_WithDifferentCache(t *testing.T) {
 		"GHSA-3.json": {ID: "GHSA-3"},
 	}))
 
-	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false)
+	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)
 
 	if err != nil {
 		t.Fatalf("unexpected error \"%v\"", err)
@@ -376,7 +377,7 @@ func TestNewZippedDB_Online_WithCacheButNoHashHeader(t *testing.T) {
 		"GHSA-3.json": {ID: "GHSA-3"},
 	}))
 
-	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false)
+	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)
 
 	if err == nil {
 		t.Errorf("expected an error but did not get one")
@@ -404,7 +405,7 @@ func TestNewZippedDB_Online_WithBadCache(t *testing.T) {
 
 	cacheWriteBad(t, determineStoredAtPath(testDir, "my-db"), "this is not json!")
 
-	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false)
+	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)
 
 	if err != nil {
 		t.Fatalf("unexpected error \"%v\"", err)
@@ -430,11 +431,92 @@ func TestNewZippedDB_FileChecks(t *testing.T) {
 		})
 	})
 
-	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false)
+	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)
 
 	if err != nil {
 		t.Fatalf("unexpected error \"%v\"", err)
 	}
 
 	expectDBToHaveOSVs(t, db, osvs)
 }
+
+func TestNewZippedDB_WithSpecificPackages(t *testing.T) {
+	t.Parallel()
+
+	testDir := testutility.CreateTestDir(t)
+
+	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
+		_, _ = writeOSVsZip(t, w, map[string]osvschema.Vulnerability{
+			"GHSA-1.json": {
+				ID:       "GHSA-1",
+				Affected: []osvschema.Affected{},
+			},
+			"GHSA-2.json": {
+				ID: "GHSA-2",
+				Affected: []osvschema.Affected{
+					{Package: osvschema.Package{Name: "pkg-1"}},
+				},
+			},
+			"GHSA-3.json": {
+				ID: "GHSA-3",
+			},
+			"GHSA-4.json": {
+				ID: "GHSA-4",
+				Affected: []osvschema.Affected{
+					{Package: osvschema.Package{Name: "pkg-2"}},
+				},
+			},
+			"GHSA-5.json": {
+				ID: "GHSA-5",
+				Affected: []osvschema.Affected{
+					{Package: osvschema.Package{Name: "pkg-2"}},
+					{Package: osvschema.Package{Name: "pkg-1"}},
+				},
+			},
+			"GHSA-6.json": {
+				ID: "GHSA-6",
+				Affected: []osvschema.Affected{
+					{Package: osvschema.Package{Name: "pkg-3"}},
+					{Package: osvschema.Package{Name: "pkg-2"}},
+				},
+			},
+		})
+	})
+
+	db, err := localmatcher.NewZippedDB(
+		t.Context(),
+		testDir,
+		"my-db",
+		ts.URL,
+		userAgent,
+		false,
+		[]*extractor.Package{{Name: "pkg-1"}, {Name: "pkg-3"}},
+	)
+
+	if err != nil {
+		t.Fatalf("unexpected error \"%v\"", err)
+	}
+
+	expectDBToHaveOSVs(t, db, []osvschema.Vulnerability{
+		{
+			ID: "GHSA-2",
+			Affected: []osvschema.Affected{
+				{Package: osvschema.Package{Name: "pkg-1"}},
+			},
+		},
+		{
+			ID: "GHSA-5",
+			Affected: []osvschema.Affected{
+				{Package: osvschema.Package{Name: "pkg-2"}},
+				{Package: osvschema.Package{Name: "pkg-1"}},
+			},
+		},
+		{
+			ID: "GHSA-6",
+			Affected: []osvschema.Affected{
+				{Package: osvschema.Package{Name: "pkg-3"}},
+				{Package: osvschema.Package{Name: "pkg-2"}},
+			},
+		},
+	})
+}