initial attempts at speeding up linux detection

Author: pauld-msft

src/Microsoft.ComponentDetection.Common/DockerService.cs

@@ -2,8 +2,8 @@
 namespace Microsoft.ComponentDetection.Common;
 
 using System;
+using System.Collections.Concurrent;
 using System.Collections.Generic;
-using System.IO;
 using System.Linq;
 using System.Text.Json;
 using System.Threading;
@@ -23,6 +23,15 @@ internal class DockerService : IDockerService
     private const string BaseImageDigestAnnotation = "image.base.digest";
 
     private static readonly DockerClient Client = new DockerClientConfiguration().CreateClient();
+
+    /// <summary>
+    /// Serializes image pull operations so only one pull runs at a time,
+    /// and tracks which images have already been pulled to avoid redundant work.
+    /// </summary>
+    private static readonly SemaphoreSlim PullSemaphore = new(1, 1);
+
+    private static readonly ConcurrentDictionary<string, bool> PulledImages = new();
+
     private static int incrementingContainerId;
 
     private readonly ILogger logger;
@@ -95,6 +104,46 @@ private async Task<ImageInspectResponse> InspectImageAndSanitizeVarsAsync(string
     }
 
     public async Task<bool> TryPullImageAsync(string image, CancellationToken cancellationToken = default)
+    {
+        // Fast path: already pulled in this process
+        if (PulledImages.ContainsKey(image))
+        {
+            return true;
+        }
+
+        // Check if already available locally before acquiring the semaphore
+        if (await this.ImageExistsLocallyAsync(image, cancellationToken))
+        {
+            PulledImages.TryAdd(image, true);
+            return true;
+        }
+
+        await PullSemaphore.WaitAsync(cancellationToken);
+        try
+        {
+            // Double-check after acquiring semaphore — another caller may have
+            // pulled this image (or a different image that satisfied the local check)
+            // while we were waiting.
+            if (PulledImages.ContainsKey(image))
+            {
+                return true;
+            }
+
+            var result = await this.PullImageCoreAsync(image, cancellationToken);
+            if (result)
+            {
+                PulledImages.TryAdd(image, true);
+            }
+
+            return result;
+        }
+        finally
+        {
+            PullSemaphore.Release();
+        }
+    }
+
+    private async Task<bool> PullImageCoreAsync(string image, CancellationToken cancellationToken)
     {
         using var record = new DockerServiceTryPullImageTelemetryRecord
         {
@@ -353,7 +402,6 @@ private static async Task<CreateContainerResponse> CreateContainerAsync(
         {
             var binds = new List<string>
             {
-                $"{Path.GetTempPath()}:/tmp",
                 "/var/run/docker.sock:/var/run/docker.sock",
             };
 

src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs

@@ -1,6 +1,7 @@
 namespace Microsoft.ComponentDetection.Detectors.Linux;
 
 using System;
+using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Linq;
 using System.Text.Json;
@@ -31,6 +32,13 @@ internal class LinuxScanner : ILinuxScanner
 
     private static readonly SemaphoreSlim ContainerSemaphore = new SemaphoreSlim(2);
 
+    /// <summary>
+    /// Caches in-flight and completed syft runs keyed by (source, scope).
+    /// When multiple detectors scan the same image concurrently, the second
+    /// caller awaits the already-running task instead of launching a new container.
+    /// </summary>
+    private static readonly ConcurrentDictionary<(string Source, LinuxScannerScope Scope), Task<string>> SyftRunCache = new();
+
     private static readonly int SemaphoreTimeout = Convert.ToInt32(
         TimeSpan.FromHours(1).TotalMilliseconds
     );
@@ -253,6 +261,8 @@ private IEnumerable<LayerMappedLinuxComponents> ProcessSyftOutputWithTelemetry(
 
     /// <summary>
     /// Runs the Syft scanner container and returns the stdout output.
+    /// For Docker image scans (no additional binds), results are cached so that
+    /// concurrent callers scanning the same image+scope share a single container run.
     /// </summary>
     private async Task<string> RunSyftAsync(
         string syftSource,
@@ -261,6 +271,50 @@ private async Task<string> RunSyftAsync(
         LinuxScannerTelemetryRecord record,
         LinuxScannerSyftTelemetryRecord syftTelemetryRecord,
         CancellationToken cancellationToken)
+    {
+        // Local image scans use additional binds specific to each call, so they
+        // cannot be deduplicated safely — run them directly.
+        if (additionalBinds is { Count: > 0 })
+        {
+            return await this.RunSyftCoreAsync(syftSource, scope, additionalBinds, record, syftTelemetryRecord, cancellationToken);
+        }
+
+        var cacheKey = (syftSource, scope);
+        var tcs = new TaskCompletionSource<string>(TaskCreationOptions.RunContinuationsAsynchronously);
+        var existingTask = SyftRunCache.GetOrAdd(cacheKey, tcs.Task);
+
+        if (existingTask != tcs.Task)
+        {
+            // Another caller is already running syft for this image+scope — await their result.
+            return await existingTask;
+        }
+
+        // We own this cache entry — run syft and propagate the result.
+        try
+        {
+            var result = await this.RunSyftCoreAsync(syftSource, scope, additionalBinds, record, syftTelemetryRecord, cancellationToken);
+            tcs.SetResult(result);
+            return result;
+        }
+        catch (Exception ex)
+        {
+            // Remove the failed entry so a retry can start fresh.
+            SyftRunCache.TryRemove(cacheKey, out _);
+            tcs.SetException(ex);
+            throw;
+        }
+    }
+
+    /// <summary>
+    /// Executes the Syft scanner container and returns the stdout output.
+    /// </summary>
+    private async Task<string> RunSyftCoreAsync(
+        string syftSource,
+        LinuxScannerScope scope,
+        IList<string> additionalBinds,
+        LinuxScannerTelemetryRecord record,
+        LinuxScannerSyftTelemetryRecord syftTelemetryRecord,
+        CancellationToken cancellationToken)
     {
         var acquired = false;
         var stdout = string.Empty;
@@ -357,4 +411,9 @@ HashSet<IArtifactComponentFactory> enabledFactories
         var layerIds = artifact.Locations?.Select(location => location.LayerId).Distinct() ?? [];
         return (component, layerIds);
     }
+
+    /// <summary>
+    /// Clears the syft run cache. Intended for test isolation only.
+    /// </summary>
+    internal static void ResetCache() => SyftRunCache.Clear();
 }

test/Microsoft.ComponentDetection.Detectors.Tests/LinuxScannerTests.cs

@@ -228,6 +228,9 @@ public class LinuxScannerTests
 
     public LinuxScannerTests()
     {
+        // Clear the static syft run cache to prevent cross-test interference.
+        LinuxScanner.ResetCache();
+
         this.mockDockerService = new Mock<IDockerService>();
         this.mockDockerService.Setup(service =>
                 service.CanPingDockerAsync(It.IsAny<CancellationToken>())