Spike: estimate resource usage for SBOM ingestion
Time-box: 3 days.
Topic to Evaluate
In order to implement Ingest SBOM reports (&8024 - closed), we need to know what the increase in resource usage will be.
In order to inform our implementation plan, we need to estimate the increase in data storage, as well as the number of DB reads/writes.
Tasks to Evaluate
- SBOM. Based on dependency scanning reports:
  - Calculate the average size of SBOM reports
  - Calculate the average DB data usage for a report
  - Estimate the number of projects that would produce SBOM reports
  - Estimate the number of changes in each SBOM report (this should give us an estimated number of DB writes)
-
  - Estimate total DB initial size
  - Estimate total number of records
  - Estimate number of DB reads and writes
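One way to produce the per-report numbers the tasks above ask for, as an added example that is not from the original issue or from GitLab's code: it reads CycloneDX JSON (constructed samples, not the SBoM sample files listed below), reports the serialized size and record counts of each report, and diffs two revisions of a report by purl to bound the number of DB writes. The one-row-per-component assumption is mine.

```python
import json

# Constructed CycloneDX 1.4 documents standing in for two revisions of one project's report.
SBOM_V1 = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "express", "version": "4.18.1", "purl": "pkg:npm/express@4.18.1"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/express@4.18.1", "dependsOn": ["pkg:npm/lodash@4.17.20"]},
    ],
}
SBOM_V2 = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 2,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.1", "purl": "pkg:npm/express@4.18.1"},
        {"type": "library", "name": "debug", "version": "4.3.4", "purl": "pkg:npm/debug@4.3.4"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/express@4.18.1",
         "dependsOn": ["pkg:npm/lodash@4.17.21", "pkg:npm/debug@4.3.4"]},
    ],
}


def component_key(component):
    """Identity of a component across reports: the purl if present, else name@version."""
    return component.get("purl") or f"{component.get('name')}@{component.get('version')}"


def report_metrics(sbom):
    """Per-report inputs to the storage estimate: serialized size and record counts."""
    edges = sum(len(d.get("dependsOn", [])) for d in sbom.get("dependencies", []))
    return {
        "size_bytes": len(json.dumps(sbom, separators=(",", ":")).encode("utf-8")),
        "components": len(sbom.get("components", [])),
        "dependency_edges": edges,
    }


def component_changes(old, new):
    """Set difference by component key; a version bump counts as one removal plus one addition."""
    old_keys = {component_key(c) for c in old.get("components", [])}
    new_keys = {component_key(c) for c in new.get("components", [])}
    return {"added": sorted(new_keys - old_keys), "removed": sorted(old_keys - new_keys)}


def estimated_writes(old, new):
    """Assumed bound on DB writes when re-ingesting `new` after `old`: one row per component."""
    changes = component_changes(old, new)
    return len(changes["added"]) + len(changes["removed"])
```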
References
- https://cyclonedx.org/specification/overview/
- https://about.gitlab.com/handbook/engineering/development/sec/secure/tech-docs/data-model-for-dependencies-information/#software-of-bill-of-materials
- #297661 (closed)
- #352203 (comment 950726313)
SBoM Samples
- trivy-ubuntu-latest.cdx.json
- cyclonedx-go-go.json
- cyclonedx-npm-npm.json
- cyclonedx-gem-bundler.json (multi-project)
Risks and Implementation Considerations
Edited by Brian Williams