Merge pull request #86 from sonukapoor/feature/issue-78-sync-performance

sonukapoor · web-flow · commit 6528e03f43ca · 2026-04-04T15:26:13.000-04:00
[Enhancement] Speed up advisory sync ingestion for growing OSV datasets
diff --git a/src/advisory/local-db.ts b/src/advisory/local-db.ts
@@ -50,6 +50,13 @@ const SCHEMA_SQL = `
 
 export class LocalAdvisoryDatabase {
   private readonly db: Database.Database;
+  private readonly upsertAdvisoryStatement: Database.Statement;
+  private readonly deleteRangesStatement: Database.Statement;
+  private readonly insertRangeStatement: Database.Statement;
+  private readonly setMetadataStatement: Database.Statement;
+  private readonly getMetadataStatement: Database.Statement;
+  private readonly getVulnerabilityStatement: Database.Statement;
+  private readonly findMatchingIdsStatement: Database.Statement;
 
   constructor(
     private readonly dbPath: string,
@@ -64,44 +71,7 @@ export class LocalAdvisoryDatabase {
     this.db = new Database(dbPath, readonly ? { readonly: true, fileMustExist: true } : undefined);
     this.db.pragma("foreign_keys = ON");
     this.db.exec(SCHEMA_SQL);
-  }
-
-  close(): void {
-    this.db.close();
-  }
-
-  setMetadata(metadata: AdvisoryDbMetadata): void {
-    this.db.prepare(`
-      INSERT INTO advisory_db_metadata (id, last_sync_at, source_url)
-      VALUES (1, @last_sync_at, @source_url)
-      ON CONFLICT(id) DO UPDATE SET
-        last_sync_at = excluded.last_sync_at,
-        source_url = excluded.source_url
-    `).run({
-      last_sync_at: metadata.lastSyncAt,
-      source_url: metadata.sourceUrl,
-    });
-  }
-
-  getMetadata(): AdvisoryDbMetadata {
-    const row = this.db.prepare(`
-      SELECT last_sync_at, source_url
-      FROM advisory_db_metadata
-      WHERE id = 1
-    `).get() as { last_sync_at: string | null; source_url: string | null } | undefined;
-
-    return {
-      lastSyncAt: row?.last_sync_at ?? null,
-      sourceUrl: row?.source_url ?? null,
-    };
-  }
-
-  upsertVulnerability(vuln: OsvVuln): void {
-    const advisoryRows = deriveAdvisoryPackageRows(vuln);
-    const advisoryJson = JSON.stringify(vuln);
-    const aliasesJson = JSON.stringify(vuln.aliases ?? []);
-
-    const upsertAdvisory = this.db.prepare(`
+    this.upsertAdvisoryStatement = this.db.prepare(`
       INSERT INTO advisories (id, modified_at, aliases_json, summary, osv_json)
       VALUES (@id, @modified_at, @aliases_json, @summary, @osv_json)
       ON CONFLICT(id) DO UPDATE SET
@@ -110,11 +80,11 @@ export class LocalAdvisoryDatabase {
         summary = excluded.summary,
         osv_json = excluded.osv_json
     `);
-    const deleteRanges = this.db.prepare(`
+    this.deleteRangesStatement = this.db.prepare(`
       DELETE FROM advisory_packages
       WHERE advisory_id = ?
     `);
-    const insertRange = this.db.prepare(`
+    this.insertRangeStatement = this.db.prepare(`
       INSERT INTO advisory_packages (
         advisory_id,
         ecosystem,
@@ -131,31 +101,89 @@ export class LocalAdvisoryDatabase {
         @last_affected
       )
     `);
+    this.setMetadataStatement = this.db.prepare(`
+      INSERT INTO advisory_db_metadata (id, last_sync_at, source_url)
+      VALUES (1, @last_sync_at, @source_url)
+      ON CONFLICT(id) DO UPDATE SET
+        last_sync_at = excluded.last_sync_at,
+        source_url = excluded.source_url
+    `);
+    this.getMetadataStatement = this.db.prepare(`
+      SELECT last_sync_at, source_url
+      FROM advisory_db_metadata
+      WHERE id = 1
+    `);
+    this.getVulnerabilityStatement = this.db.prepare(`
+      SELECT osv_json
+      FROM advisories
+      WHERE id = ?
+    `);
+    this.findMatchingIdsStatement = this.db.prepare(`
+      SELECT advisory_id, introduced, fixed, last_affected
+      FROM advisory_packages
+      WHERE ecosystem = ? AND package_name = ?
+    `);
+  }
+
+  close(): void {
+    this.db.close();
+  }
 
-    const transaction = this.db.transaction(() => {
-      upsertAdvisory.run({
-        id: vuln.id,
-        modified_at: null,
-        aliases_json: aliasesJson,
-        summary: vuln.summary ?? null,
-        osv_json: advisoryJson,
-      });
-
-      deleteRanges.run(vuln.id);
-      for (const row of advisoryRows) {
-        insertRange.run(row);
+  setMetadata(metadata: AdvisoryDbMetadata): void {
+    this.setMetadataStatement.run({
+      last_sync_at: metadata.lastSyncAt,
+      source_url: metadata.sourceUrl,
+    });
+  }
+
+  getMetadata(): AdvisoryDbMetadata {
+    const row = this.getMetadataStatement.get() as { last_sync_at: string | null; source_url: string | null } | undefined;
+
+    return {
+      lastSyncAt: row?.last_sync_at ?? null,
+      sourceUrl: row?.source_url ?? null,
+    };
+  }
+
+  upsertVulnerability(vuln: OsvVuln): void {
+    const transaction = this.db.transaction((item: OsvVuln) => {
+      this.upsertVulnerabilityInternal(item);
+    });
+
+    transaction(vuln);
+  }
+
+  bulkUpsertVulnerabilities(vulns: Iterable<OsvVuln>): void {
+    const transaction = this.db.transaction((items: OsvVuln[]) => {
+      for (const item of items) {
+        this.upsertVulnerabilityInternal(item);
       }
     });
 
-    transaction();
+    transaction([...vulns]);
+  }
+
+  private upsertVulnerabilityInternal(vuln: OsvVuln): void {
+    const advisoryRows = deriveAdvisoryPackageRows(vuln);
+    const advisoryJson = JSON.stringify(vuln);
+    const aliasesJson = JSON.stringify(vuln.aliases ?? []);
+
+    this.upsertAdvisoryStatement.run({
+      id: vuln.id,
+      modified_at: null,
+      aliases_json: aliasesJson,
+      summary: vuln.summary ?? null,
+      osv_json: advisoryJson,
+    });
+
+    this.deleteRangesStatement.run(vuln.id);
+    for (const row of advisoryRows) {
+      this.insertRangeStatement.run(row);
+    }
   }
 
   getVulnerability(id: string): OsvVuln | null {
-    const row = this.db.prepare(`
-      SELECT osv_json
-      FROM advisories
-      WHERE id = ?
-    `).get(id) as { osv_json: string } | undefined;
+    const row = this.getVulnerabilityStatement.get(id) as { osv_json: string } | undefined;
 
     if (!row) return null;
     return JSON.parse(row.osv_json) as OsvVuln;
@@ -166,11 +194,7 @@ export class LocalAdvisoryDatabase {
       return [];
     }
 
-    const rows = this.db.prepare(`
-      SELECT advisory_id, introduced, fixed, last_affected
-      FROM advisory_packages
-      WHERE ecosystem = ? AND package_name = ?
-    `).all(pkg.ecosystem, pkg.name) as AdvisoryRangeRow[];
+    const rows = this.findMatchingIdsStatement.all(pkg.ecosystem, pkg.name) as AdvisoryRangeRow[];
 
     const ids = new Set<string>();
     for (const row of rows) {
diff --git a/src/advisory/osv-sync.ts b/src/advisory/osv-sync.ts
@@ -123,7 +123,7 @@ export async function syncOsvAdvisories(
   await yieldToEventLoop();
 
   const archiveEntries = unzipSync(zippedBytes);
-  const advisoryEntries = Object.keys(archiveEntries).filter(entryName => entryName.endsWith(".json"));
+  const advisoryEntries = Object.entries(archiveEntries).filter(([entryName]) => entryName.endsWith(".json"));
   onProgress?.({
     phase: "extract",
     totalEntries: Object.keys(archiveEntries).length,
@@ -134,21 +134,18 @@ export async function syncOsvAdvisories(
   const db = new LocalAdvisoryDatabase(dbPath);
 
   try {
+    const parsedVulns: OsvVuln[] = [];
     let advisoryCount = 0;
     const progressInterval = 250;
 
-    for (const [entryName, bytes] of Object.entries(archiveEntries)) {
-      if (!entryName.endsWith(".json")) {
-        continue;
-      }
-
+    for (const [, bytes] of advisoryEntries) {
       const text = Buffer.from(bytes).toString("utf8");
       const vuln = JSON.parse(text) as OsvVuln;
       if (!vuln.id) {
         continue;
       }
 
-      db.upsertVulnerability(vuln);
+      parsedVulns.push(vuln);
       advisoryCount += 1;
 
       if (
@@ -166,6 +163,8 @@ export async function syncOsvAdvisories(
       }
     }
 
+    db.bulkUpsertVulnerabilities(parsedVulns);
+
     db.setMetadata({
       lastSyncAt: new Date().toISOString(),
       sourceUrl,
