Modify the behavior during cmp plugin evaluation (DetectConfigManagementPlugin) to avoid transferring the entire repository to cmp-server when the application configures the plugin by name.
Motivation
In scenarios involving monorepos and/or multiple clusters, transferring the entire repository multiple times solely for verifying the correct configuration of the plugin can lead to disk usage bottlenecks impacting performance and resource utilization:
Proposal
Instead of transferring the entire repository during plugin evaluation, consider adjusting the implementation to return the client (cmpClient) without performing a matchRepository operation when the application's plugin be configured by its.
utils/app/discovery/discovery.go
```go
func cmpSupports(ctx context.Context, pluginSockFilePath, appPath, repoPath, fileName string, env []string, tarExcludedGlobs []string, namedPlugin bool) (io.Closer, pluginclient.ConfigManagementPluginServiceClient, bool) {
	absPluginSockFilePath, err := filepath.Abs(pluginSockFilePath)
	if err != nil {
		log.Errorf("error getting absolute path for plugin socket dir %v, %v", pluginSockFilePath, err)
		return nil, nil, false
	}
	address := filepath.Join(absPluginSockFilePath, fileName)
	if !files.Inbound(address, absPluginSockFilePath) {
		log.Errorf("invalid socket file path, %v is outside plugin socket dir %v", fileName, pluginSockFilePath)
		return nil, nil, false
	}

	cmpclientset := pluginclient.NewConfigManagementPluginClientSet(address)

	conn, cmpClient, err := cmpclientset.NewConfigManagementPluginClient()
	if err != nil {
		log.WithFields(log.Fields{
			common.SecurityField:    common.SecurityMedium,
			common.SecurityCWEField: common.SecurityCWEMissingReleaseOfFileDescriptor,
		}).Errorf("error dialing to cmp-server for plugin %s, %v", fileName, err)
		return nil, nil, false
	}

	// if plugin name is specified, lets return the client directly
	if namedPlugin {
		return conn, cmpClient, true
	}

	isSupported, _, err := matchRepositoryCMP(ctx, appPath, repoPath, cmpClient, env, tarExcludedGlobs)
	if err != nil {
		log.WithFields(log.Fields{
			common.SecurityField:    common.SecurityMedium,
			common.SecurityCWEField: common.SecurityCWEMissingReleaseOfFileDescriptor,
		}).Errorf("repository %s is not the match because %v", repoPath, err)
		io.Close(conn)
		return nil, nil, false
	}

	if !isSupported {
		log.WithFields(log.Fields{
			common.SecurityField:    common.SecurityLow,
			common.SecurityCWEField: common.SecurityCWEMissingReleaseOfFileDescriptor,
		}).Debugf("Reponse from socket file %s does not support %v", fileName, repoPath)
		io.Close(conn)
		return nil, nil, false
	}
	return conn, cmpClient, true
}
```
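An added illustration, not code from the issue or from the Argo CD project: with the named-plugin shortcut, the socket path containment check and the dial are the only validation performed before the client is returned, so this sketch shows one way such a containment check can behave on traversal-style names. The helper `ResolveNamedPluginSocket`, the `<name>.sock` mapping and the directory used in `main` are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideSocketDir marks a plugin name that resolves outside the socket dir.
var ErrOutsideSocketDir = errors.New("socket path is outside plugin socket dir")

// ResolveNamedPluginSocket is a hypothetical helper: it maps a plugin name to
// "<name>.sock" (assumed naming) under sockDir and rejects any result that
// escapes sockDir once the path has been cleaned.
func ResolveNamedPluginSocket(sockDir, pluginName string) (string, error) {
	absDir, err := filepath.Abs(sockDir)
	if err != nil {
		return "", err
	}
	// Join cleans the path, so "../" segments are collapsed before the check.
	address := filepath.Join(absDir, pluginName+".sock")
	rel, err := filepath.Rel(absDir, address)
	if err != nil {
		return "", err
	}
	// Compare whole path segments: a file literally named "...sock" is still
	// inside the directory, while "../x.sock" is not.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideSocketDir, pluginName)
	}
	return address, nil
}

func main() {
	// Constructed directory and plugin names, for illustration only.
	dir := "/var/run/example-plugins"
	for _, name := range []string{"kustomize-v1.0", "sub/../helm", "../../tmp/other"} {
		path, err := ResolveNamedPluginSocket(dir, name)
		fmt.Printf("%-18q -> %q err=%v\n", name, path, err)
	}
}
```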