microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
MIT License
1.6k stars 126 forks

Timeout when fetching license information #584

Open erri120 opened 4 months ago

erri120 commented 4 months ago

The timeout of 30 seconds is a bit too short for larger projects:

##[debug]Retrieving license information for 500 components...
##[warning]Error encountered while fetching license information from API, resulting SBOM may have incomplete license information: The request was canceled due to the configured HttpClient.Timeout of 30 seconds elapsing.

Would it be possible to increase the timeout or have a configuration option?

https://github.com/microsoft/sbom-tool/blob/0b4db48ca4f235cb75d9deaff2e094f710d55b2d/src/Microsoft.Sbom.Api/Executors/LicenseInformationService.cs#L23

https://github.com/microsoft/sbom-tool/blob/0b4db48ca4f235cb75d9deaff2e094f710d55b2d/src/Microsoft.Sbom.Api/Executors/LicenseInformationService.cs#L41

LucaBlackDragon commented 1 month ago

I'm facing the same issue in what I'd consider a small project (102 components in total, 27 explicitly referenced). Maybe using a lower batchSize would help prevent timeouts:

https://github.com/microsoft/sbom-tool/blob/0b4db48ca4f235cb75d9deaff2e094f710d55b2d/src/Microsoft.Sbom.Api/Executors/LicenseInformationService.cs#L34

But it would also increase the risk of hitting the documented rate limits, so all things considered, I think a configurable timeout would be the best solution.

EDIT: I tried to make a PR about this, but can't build the solution, see #687.

georg-eckert-zeiss commented 1 month ago

Same here. But I don't know the root cause for the timeout. Very large project.