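This started happening yesterday.
Over the past few months, I have integrated WhiteSource Bolt scan (a free alternative to the popular Snyk) into our DevOps projects.
It usually takes a few minutes to scan our packages, and we're happy with the pipeline.
Here is a typical redacted pipeline log: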
Starting: WhiteSource Bolt Scan
==============================================================================
Task : WhiteSource Bolt
Description : Detect security vulnerabilities, problematic open source licenses.
Version : 21.3.2
Author : WhiteSource
Help : http://www.whitesourcesoftware.com
==============================================================================
Working directory is /home/vsts/work/1/s
Getting scan config data
unifiedAgent.config file created successfully at /home/vsts/work/1/s
Finished getScanConfigData
Finished archive and encryption
Starting Upload zip file to s3
Getting temp credentials
Finished to prepare scm scan request
Sending SCM scan request
Succeed to send SCM scan request
WhiteSource Support Token:
Async Command Start: Add Build Tag
Build '4998' has following tags now: ws_support_token=ws_scan_start_time=Wed, 05 May 2021 12_32_26 GMT
Async Command End: Add Build Tag
Async Command Start: Add Build Tag
Build '4998' has following tags now: ws_support_token=
Async Command End: Add Build Tag
Finishing: WhiteSource Bolt Scan

Since yesterday, the output log has blown up into the endless debug log below, and one Angular project took 30 minutes.
Starting: WhiteSource Bolt Scan
==============================================================================
Task : WhiteSource Bolt
Description : Detect security vulnerabilities, problematic open source licenses.
Version : 21.6.2
Author : WhiteSource
Help : http://www.whitesourcesoftware.com
==============================================================================
[CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in file = https://pkgs.dev.azure.com/_/_packaging/_/npm/registry/@babel/plugin-transform-template-literals/-/plugin-transform-template-literals-7.13.0.tgz
[DEBUG] [2021-07-06 08:41:49,836 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in link = http://pkgs.dev.azure.com/@babel/plugin-transform-template-literals/7.13.0
[DEBUG] [2021-07-06 08:41:49,918 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] npm.accessToken is not defined
[DEBUG] [2021-07-06 08:41:50,043 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] Succeed to download the npm package @babel/plugin-transform-modules-umd-7.13.0.tgz-7.13.0.
[DEBUG] [2021-07-06 08:41:50,043 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in file = https://pkgs.dev.azure.com/_/_packaging/_/npm/registry/@babel/plugin-transform-modules-amd/-/plugin-transform-modules-amd-7.13.0.tgz
[DEBUG] [2021-07-06 08:41:50,043 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in link = http://pkgs.dev.azure.com/@babel/plugin-transform-modules-amd/7.13.0
[DEBUG] [2021-07-06 08:41:50,085 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] npm.accessToken is not defined
[DEBUG] [2021-07-06 08:41:50,085 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] Succeed to download the npm package @babel/plugin-syntax-optional-chaining-7.8.3.tgz-7.8.3.
[DEBUG] [2021-07-06 08:41:50,086 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in file = https://pkgs.dev.azure.com/_/_packaging/_/npm/registry/babel-plugin-dynamic-import-node/-/babel-plugin-dynamic-import-node-2.3.3.tgz
[DEBUG] [2021-07-06 08:41:50,086 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in link = http://pkgs.dev.azure.com/babel-plugin-dynamic-import-node/2.3.3
[DEBUG] [2021-07-06 08:41:50,146 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] npm.accessToken is not defined
[DEBUG] [2021-07-06 08:41:50,147 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] Succeed to download the npm package @babel/compat-data-7.13.8.tgz-7.13.8.
[DEBUG] [2021-07-06 08:41:50,147 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in file = https://registry.npmjs.org/object.assign/-/object.assign-4.1.0.tgz
[DEBUG] [2021-07-06 08:41:50,147 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in link = http://registry.npmjs.org/object.assign/4.1.0
[DEBUG] [2021-07-06 08:41:50,256 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] npm.accessToken is not defined
[DEBUG] [2021-07-06 08:41:50,258 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] Succeed to download the npm package @babel/plugin-proposal-logical-assignment-operators-7.13.8.tgz-7.13.8.
[DEBUG] [2021-07-06 08:41:50,258 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in file = https://pkgs.dev.azure.com/_/_packaging/_/npm/registry/@babel/plugin-transform-parameters/-/plugin-transform-parameters-7.13.0.tgz
[DEBUG] [2021-07-06 08:41:50,258 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] resolved url in link = http://pkgs.dev.azure.com/@babel/plugin-transform-parameters/7.13.0
[DEBUG] [2021-07-06 08:41:51,633 +0000] - [CTX=sjgpwi107sx5to1j1pxbeasjdlvfsjqhzf6oqzeo1phtb] npm.accessToken is not defined

We never changed our pipeline config.
- task: WhiteSource@21
  displayName: WhiteSource Bolt Scan
  inputs:
    cwd: '$(System.DefaultWorkingDirectory)'
    projectName: '$(projectName)'

Has anyone else noticed this too? What can we do, other than giving up this plugin?
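Posted on 2021-07-08 09:38:01
This is the official feedback from WhiteSource support:
Starting from version 21.6.2, the WhiteSource scan is executed directly inside the Azure DevOps pipeline. This means that the WhiteSource task is running a scan as part of the pipeline build. Prior to this change, the WhiteSource task did not perform a scan directly, but instead collected the relevant information and sent it to a remote WhiteSource server, which was the one that ran the scan itself. Only when the scan on the remote server was completed and the results were sent back was the risk report on Azure DevOps displayed. This caused the WhiteSource report to be loaded after a long time, and had several issues. Therefore, we decided to make the change to direct scanning, which is a much more straightforward scanning method; the WhiteSource report loads much faster, and there are many other improvements. However, it is important to understand that now that the scan is executed synchronously as part of the build (and not remotely and asynchronously), the build time (not the scan time) is increased compared to previous versions.
So it seems they pushed a breaking change without warning users that pipelines would take longer.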
https://stackoverflow.com/questions/68267358
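
The two logs in the question show the same `WhiteSource@21` step running task version 21.3.2 and later 21.6.2 with no change to the YAML: a task reference that names only the major version follows new minor and patch releases. As an added example (not from the original posts or from WhiteSource), this Python script compares the task banner of two step logs to flag that kind of change; the function names are hypothetical and the sample logs are abbreviated from the ones quoted above.

```python
import re

BANNER_FIELD = re.compile(r"^(Task|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)
DEBUG_LINE = re.compile(r"^\[DEBUG\] \[", re.MULTILINE)

# Constructed samples, abbreviated from the two logs quoted in the question.
LOG_BEFORE = """\
Starting: WhiteSource Bolt Scan
Task : WhiteSource Bolt
Version : 21.3.2
Sending SCM scan request
Finishing: WhiteSource Bolt Scan
"""
LOG_AFTER = """\
Starting: WhiteSource Bolt Scan
Task : WhiteSource Bolt
Version : 21.6.2
[DEBUG] [2021-07-06 08:41:49,918 +0000] - [CTX=...] npm.accessToken is not defined
[DEBUG] [2021-07-06 08:41:50,085 +0000] - [CTX=...] npm.accessToken is not defined
"""

def parse_banner(log):
    """Return (task name, version tuple) from the task banner in a step log."""
    fields = dict(BANNER_FIELD.findall(log))
    if "Task" not in fields or "Version" not in fields:
        raise ValueError("no task banner found")
    return fields["Task"], tuple(int(p) for p in fields["Version"].split("."))

def compare_runs(before, after):
    """Describe how the task that actually ran changed between two builds."""
    (task_a, ver_a), (task_b, ver_b) = parse_banner(before), parse_banner(after)
    if task_a != task_b:
        raise ValueError("logs are from different tasks")
    return {
        "task": task_b,
        "before": ver_a,
        "after": ver_b,
        # Same major, different minor/patch: a major-only pin such as @21 still
        # matches, so new task code ran without any edit to the pipeline file.
        "floated_within_major": ver_a[0] == ver_b[0] and ver_a != ver_b,
        "debug_lines": (len(DEBUG_LINE.findall(before)),
                        len(DEBUG_LINE.findall(after))),
    }

if __name__ == "__main__":
    print(compare_runs(LOG_BEFORE, LOG_AFTER))
```

Run against the step logs of the last good build and the first slow one, a `floated_within_major` result of `True` points at a task update rather than a change in the repository.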