
Improving Unified Agent scan performance

Summary

When scanning your project with the Unified Agent, Mend gives you complete control over how you would like your scan to run. However, if you do not configure the Unified Agent to perform optimally, it can cause your Mend scan to run longer than necessary.

Source file vs. package manager scans

To begin with, knowing what is in your project is important to understanding how you should scan it. Does your project have a large number of .c files? Then you will need to use a source file scan. Is it mostly JavaScript? Then the recommended way to scan is with the NPM or Yarn package manager. This is why it is extremely important to understand the Unified Agent Workflow.

Unified Agent Workflow

The Unified Agent Scan Flow details exactly how the Unified Agent executes each scan. This helps you determine which parts need to be included for your project and which parts do not need to execute.

Includes and excludes

After understanding the Unified Agent Scan Flow, the first thing you should determine is whether you need to run a source file scan. This type of scan goes through your entire project hierarchy (specified with -d at the command line) and looks for every file that matches the includes directive but not the excludes directive. This is particularly useful for scanning supported source file types that do not have a supported package manager, such as C code.

If you do not want to use the includes or excludes directives, then you can set:

fileSystemScan=false

This will prevent a source file scan from running.

Package Manager Optimization

Every package manager has configurations that you can optimize based on the needs of your project. Here are some things that you should know concerning our parameters for the Package Manager Resolutions:

First, if you want to optimize your scan performance, we suggest that every scan you perform use the directive resolveAllDependencies=false. Almost no project actually uses all of the package managers, and otherwise the Unified Agent will attempt to run the resolver for package managers that are not used in your project. Instead, we recommend that you configure only the package managers you are using in your project.

Second, every package manager has some baseline settings that we have found to be optimal for most projects. You can access these baseline settings by referring to Unified Agent Configuration for Native Integrations. From there, the process is as simple as using our Unified Agent Configuration Parameters document to determine what other parameters should be configured for your specific project.

Lastly, these parameters can have a large impact on the performance of your scan:

  1. <package_manager>.ignoreSourceFiles=true means that the source files for that package manager (.js for NPM, .java for Maven, etc.) will be added by default into the excludes parameter.

  2. <package_manager>.runPreStep=true means that before the package manager collects the dependency tree, it will run the install command to download all of the dependencies. If you are scanning inside of a pipeline and already run your own install command, then this can be set to false.

  3. html.resolveDependencies=true is set automatically, even if you have resolveAllDependencies=false. This HTML resolver looks for “src” attributes in HTML files that point to .js files. Therefore, if you are not concerned about JavaScript files being referenced in HTML files in your project, then you should set this to false.
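
As an added example (not Mend's own tooling), the following Python script checks a Unified Agent configuration file against the recommendations above. The sample config, the `audit` helper and the list of used package managers are constructed for illustration; apart from html.resolveDependencies, the `<package_manager>.resolveDependencies` keys it inspects are not shown on this page.

```python
# Added example: lint a Unified Agent config against this page's performance advice.
# SAMPLE_CONFIG and the used-manager list are constructed for illustration.
SAMPLE_CONFIG = """\
# constructed sample: NPM project built in a CI pipeline
resolveAllDependencies=false
npm.resolveDependencies=true
npm.runPreStep=true
maven.resolveDependencies=true
includes=**/*.js
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments (values lowercased)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().lower()
    return props

def audit(text, used_managers):
    """Return (key, advice) findings; used_managers are key prefixes such as 'npm'."""
    props = parse_properties(text)
    findings = []
    if props.get("resolveAllDependencies") != "false":
        findings.append(("resolveAllDependencies", "set to false; enable only the resolvers you use"))
    if props.get("html.resolveDependencies") != "false":
        findings.append(("html.resolveDependencies", "stays enabled unless explicitly set to false"))
    for key in sorted(props):
        manager, _, setting = key.partition(".")
        enabled = props[key] == "true"
        if setting == "resolveDependencies" and enabled and manager not in list(used_managers) + ["html"]:
            findings.append((key, "resolver enabled for a package manager the project does not use"))
        if setting == "runPreStep" and enabled:
            findings.append((key, "set to false if the pipeline already runs the install command"))
    for manager in used_managers:
        key = manager + ".ignoreSourceFiles"
        # Only matters while the source file scan is on (assumption drawn from the page's text).
        if props.get(key) != "true" and props.get("fileSystemScan") != "false":
            findings.append((key, "set to true so this manager's source files are added to excludes"))
    return findings

if __name__ == "__main__":
    for key, advice in audit(SAMPLE_CONFIG, ["npm"]):
        print(f"{key}: {advice}")
```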

Splitting up scans

Lastly, if you have a large project, you should consider splitting your scan into multiple scans. This is described in Splitting Unified Agent Scans for Large or Mono Repos and lets you control which parts of your project are scanned in each of the multiple scans.
