Cache dependency scanning job results


Release notes

  • Dependency Scanning now caches previous results. This speeds up consecutive runs where build files and lock files have not changed.

Problem to solve

When running dependency scanning, a complete scan is run for every build file and lock file. This can be a time-consuming task and can be improved by using a caching system.

Proposal

This MR proposes a mechanism that checks whether an analyzed file has changed since the last scan. If the file has not changed and the corresponding results exist in the cache, the scan should reuse those results instead of building and/or parsing the project or sub-project again. Caching is a common optimization technique used by many tools, e.g. Docker.
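One way to implement the check described above, as an added example that is not code from this issue or from the GitLab analyzers: the cache key is derived from the lock file's content (a SHA-256 digest) rather than its modification time, because CI checkouts reset timestamps, and a parser version string is folded into the key so that upgrading the parser invalidates entries written by the old one. The `name==version` lock-file format, the `ParserVersion` constant and the sample lock-file content are all constructed for the example; only the parsed dependency list is cached, since that is the expensive build/parse step, and vulnerability matching against the current advisory database is left to run on every job.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Dependency is one entry parsed from a lock file (constructed, minimal form).
type Dependency struct {
	Name    string
	Version string
}

// ParserVersion is part of the cache key so that upgrading the parser
// invalidates every entry written by the old one. Hypothetical value.
const ParserVersion = "parser-v1"

// CacheKey derives the key from the parser version, the file path and the
// file's content. Content, not mtime, decides whether a file "has changed".
func CacheKey(path string, content []byte) string {
	h := sha256.New()
	h.Write([]byte(ParserVersion))
	h.Write([]byte{0}) // separator so fields cannot run into each other
	h.Write([]byte(path))
	h.Write([]byte{0})
	h.Write(content)
	return hex.EncodeToString(h.Sum(nil))
}

// ScanCache maps a cache key to parsed dependencies and counts hits and
// misses so a job can report how much work the cache saved.
type ScanCache struct {
	entries map[string][]Dependency
	Hits    int
	Misses  int
}

func NewScanCache() *ScanCache {
	return &ScanCache{entries: map[string][]Dependency{}}
}

// parseLockFile stands in for the expensive build/parse step. It reads a
// toy "name==version" per line format (constructed for this example).
func parseLockFile(content []byte) ([]Dependency, error) {
	var deps []Dependency
	for n, line := range strings.Split(string(content), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, version, ok := strings.Cut(line, "==")
		if !ok {
			return nil, fmt.Errorf("line %d: malformed entry %q", n+1, line)
		}
		deps = append(deps, Dependency{Name: name, Version: version})
	}
	sort.Slice(deps, func(i, j int) bool { return deps[i].Name < deps[j].Name })
	return deps, nil
}

// Scan returns the dependencies for a lock file, reusing a cached result
// when the same content was parsed before. Parse errors are never cached,
// so a broken file is re-examined on every run rather than silently skipped.
// A copy of the cached slice is returned so callers cannot poison the cache.
func (c *ScanCache) Scan(path string, content []byte) ([]Dependency, error) {
	key := CacheKey(path, content)
	if deps, ok := c.entries[key]; ok {
		c.Hits++
		return append([]Dependency(nil), deps...), nil
	}
	c.Misses++
	deps, err := parseLockFile(content)
	if err != nil {
		return nil, err
	}
	c.entries[key] = deps
	return append([]Dependency(nil), deps...), nil
}

func main() {
	cache := NewScanCache()
	lock := []byte("requests==2.31.0\nurllib3==2.0.7\n") // constructed sample
	for run := 1; run <= 2; run++ {                       // second run hits the cache
		deps, err := cache.Scan("requirements.txt", lock)
		if err != nil {
			fmt.Println("scan failed:", err)
			return
		}
		fmt.Printf("run %d: %d dependencies\n", run, len(deps))
	}
	// A single added line changes the digest, so this run misses the cache.
	changed := []byte("requests==2.31.0\nurllib3==2.0.7\nidna==3.4\n")
	if _, err := cache.Scan("requirements.txt", changed); err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	fmt.Printf("hits=%d misses=%d\n", cache.Hits, cache.Misses)
}
```

In a real job the `entries` map would be persisted between pipeline runs (for example through the runner's cache), and the parser version string would be replaced by the analyzer's actual release identifier.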

The addition of a cache will reduce the CPU, memory and energy usage of the runners executing the dependency scanning jobs. It will also shorten the time it takes to generate a dependency scanning report, and ultimately an SBoM from the generators. Caching is a hard problem, so we will need to be careful when setting the rules for writing, reading, and invalidating cached entries.

Intended users

Feature Usage Metrics

Edited by 🤖 GitLab Bot 🤖