Skip to content

Improve package scan performance #4606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AyanSinhaMahapatra wants to merge 9 commits into
base: develop
Choose a base branch
from
Open

Improve package scan performance #4606

AyanSinhaMahapatra wants to merge 9 commits into from

Conversation

@AyanSinhaMahapatra
Copy link
Member

@AyanSinhaMahapatra AyanSinhaMahapatra commented Nov 17, 2025
edited by pombredanne
Loading

This PR improve package scan performance by....

References:

Tasks

  • Reviewed contribution guidelines
  • PR is descriptively titled 📑 and links the original issue above 🔗
  • Tests pass -- look for a green checkbox ✔️ a few minutes after opening your PR
    Run tests locally to check for errors.
  • Commits are in uniquely-named feature branch and has no merge conflicts 📁
  • Updated documentation pages (if applicable)
  • Updated CHANGELOG.rst (if applicable)

@AyanSinhaMahapatra
Simplify GemfileHandler path patterns
489af1b 
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra
Add multiregex as a dependency
8d6fa73 
Reference: https://github.com/Quantco/multiregex
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra
Add initial multiregex implementation
4fc3af2 
Use multiregex to use a cached regex path patterns and
datafile handlers mapping to detect package datafiles faster.

Reference: #4064
Reference: #4061
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra AyanSinhaMahapatra marked this pull request as draft November 17, 2025 09:49
@AyanSinhaMahapatra AyanSinhaMahapatra changed the title Fast package scan Improve package scan performance Nov 17, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 17, 2025
View reviewed changes
@AyanSinhaMahapatra
Add minimal tests for package cache
4438526 
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra
Cache multiregex matchers instead of patterns
3bbf35e 
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 18, 2025
View reviewed changes
@AyanSinhaMahapatra
Restore binary package manifest scanning
e0460ef 
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra AyanSinhaMahapatra marked this pull request as ready for review November 19, 2025 09:47
@AyanSinhaMahapatra
Only scan for bianry packages optionally
dde6bc9 
Introduce a new option --binary-packages which looks for
package/dependency data in binaries.

Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra
Do not setup license index on --package-only
5cd5f74 
We do not need the license index in a --package-only scan
as this is designed to do a fast package detection only scan
which skips the license detection. As license index loading
takes a couple seconds in each case, this makes the
package only scan much faster.

Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
@AyanSinhaMahapatra
Add a new console script to build the package patterns cache
6b6a79b 
Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>
pombredanne
pombredanne reviewed Dec 15, 2025
View reviewed changes
docs/source/rst_snippets/basic_options.rst
--system-package Scan ``<input>`` for installed system package
databases.

-b, --binary-package Scan <input> for package and dependency related
Copy link
Member

@pombredanne pombredanne Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about this:

--package-in-exec Scan compiled executable binaries such as ELF, WinpE and Mach-O files, looking for structured package and dependency metadata as found for example in Go and Rust binaries.

Copy link
Member

@pombredanne pombredanne Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or

--package-in-compiled Scan compiled executable binaries such as ELF, WinpE and Mach-O files, looking for structured package and dependency metadata as found for example in Go and Rust compiled binaries.

pombredanne
pombredanne reviewed Dec 15, 2025
View reviewed changes
etc/release/scancode-create-pypi-wheel.sh

./configure --dev
venv/bin/scancode-reindex-licenses
venv/bin/scancode-cache-package-patterns
Copy link
Member

@pombredanne pombredanne Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about naming this venv/bin/scancode-reindex-package-patterns to be consistent?

pombredanne
pombredanne reviewed Dec 15, 2025
View reviewed changes
src/packagedcode/__init__.py


# These handlers are special as they use filetype to
# detect these binaries instead of datafile path patterns
Copy link
Member

@pombredanne pombredanne Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# detect these binaries instead of datafile path patterns
# detect these compiled executable binaries instead of datafile path patterns

pombredanne
pombredanne reviewed Dec 15, 2025
View reviewed changes
pombredanne
pombredanne reviewed Dec 15, 2025
View reviewed changes
src/packagedcode/cache.py
PACKAGE_INDEX_DIR = 'package_patterns_index'
PACKAGE_INDEX_FILENAME = 'index_cache'
PACKAGE_LOCKFILE_NAME = 'scancode_package_index_lockfile'
PACKAGE_CHECKSUM_FILE = 'scancode_package_index_tree_checksums'
Copy link
Member

@pombredanne pombredanne Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not used anymore (also should be dropped from licensing)

Suggested change
PACKAGE_CHECKSUM_FILE = 'scancode_package_index_tree_checksums'

pombredanne
pombredanne reviewed Dec 15, 2025
View reviewed changes
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here are some nits for your consideration!

docs/source/rst_snippets/basic_options.rst
--system-package Scan ``<input>`` for installed system package
databases.

-b, --binary-package Scan <input> for package and dependency related
Copy link
Member

@pombredanne pombredanne Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or

--package-in-compiled Scan compiled executable binaries such as ELF, WinpE and Mach-O files, looking for structured package and dependency metadata as found for example in Go and Rust compiled binaries.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pombredanne pombredanne pombredanne left review comments

@JonoYang JonoYang Awaiting requested review from JonoYang

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AyanSinhaMahapatra @pombredanne