Add caching to package details page vulnerabilities query

[drewgillies]

Addresses: #8543

Note that this change is against dev and will need to be rebased to main if we wish to deploy it as a hotfix.

This introduces the PackageVulnerabilitiesCacheService which is modelled on TypoSquatting caching. I've moved the query logic into the cache service, using an arbitrary 30-minute caching length per query result.

[joelverhagen]

Could we do caching at a higher level and use the same caching method used elsewhere?
HttpContext.Cache
e.g.

NuGetGallery/src/NuGetGallery/Controllers/PackagesController.cs

Lines 1025 to 1055 in f248171

	private PackageDependents GetPackageDependents(string id)
	{
	PackageDependents dependents;
	var cacheDependentsCacheKey = "CacheDependents_" + id.ToLowerInvariant();
	var cacheDependents = HttpContext.Cache.Get(cacheDependentsCacheKey);
	// Cache doesn't contain PackageDependents so PackageDependents gets put in the cache
	if (cacheDependents == null)
	{
	dependents = _packageService.GetPackageDependents(id);
	// note: this is a per instance cache
	HttpContext.Cache.Add(
	cacheDependentsCacheKey,
	dependents,
	null,
	DateTime.UtcNow.AddSeconds(_contentObjectService.CacheConfiguration.PackageDependentsCacheTimeInSeconds),
	Cache.NoSlidingExpiration,
	CacheItemPriority.Default, null);
	}
	// Cache contains PackageDependents
	else
	{
	dependents = (PackageDependents)cacheDependents;
	// TODO Make cache time configurable / slidy
	// https://github.com/NuGet/NuGetGallery/issues/4718
	}
	return dependents;
	}

This has expiration logic built in. There are other example usages of this API.

[drewgillies]

Could we do caching at a higher level and use the same caching method used elsewhere?
HttpContext.Cache

@joelverhagen is this preferable to the typosquatting approach (i.e. https://github.com/NuGet/NuGetGallery/blob/main/src/NuGetGallery/Services/TyposquattingCheckListCacheService.cs)? What are the merits of each?

[joelverhagen]

HttpContext.Cache: automatically handles concurrency and cache invalidation time. Smaller code. Perhaps more consistent with other caching scenarios, but it's hard to discover all instances of the alternative.
TyposquattingCheckListCacheService: not dependent on ASP.NET/HTTP types. Probably easier to UT.

[joelverhagen]

What do you think about those merits? Perhaps you can take a look at pros/cons as well? I think it's possible that HttpContext.Cache automatically evicts the cache in the event of memory pressure but I'm not 100% sure.

[zhhyu]

I think the use case of "Typosquatting" cache may be different compared with this. The "Typosquatting" cache only contains one entry, which is a list of package names and only used when a package is pushed. For vulnerabilities, it is a very similar scenario as "Used By" info. So I agree that maybe using the highly-optimized caching component provided by the framework is better.

[skofman1]

Another thought: we have a perf problem with Vulnerabilities when it comes to the 'Manage Packages' page as well (#8361). This might help to fix both.
Btw @drewgillies , should we re-open #8361 ? It's currently disabled due to perf, right?

[drewgillies]

@skofman1 yes, that's right--I closed because we needed an entirely new approach. I've reopened it just now so we can investigate this idea. I'd be (pleasantly) surprised if caching is going to get us over the line on that one, as my understanding is that any regression at all is unacceptable given how poor the page's perf is already. And introducing a new table (let alone 3) regresses perf whichever way we slice it.
@joelverhagen I like the notion of http caching on the strength of what you're saying--UTs will still cover the logic, and if I can make the change more elegantly in code, I'm up for that.

[skofman1]

I made the comment before going over the code. My initial thinking was that we can cache in memory all the vulnerability information, and load it from DB on start-up. What do you think?

[drewgillies]

That's an interesting idea, @skofman1. I'll look into it.

[drewgillies]

Interested in thoughts on this approach @joelverhagen @skofman1 @zhhyu --based on @skofman's idea, I'm loading the cache on startup, and have chosen an arbitrary 1 day for cache invalidation. This approach could then be extended to the manage packages page if we wish to experiment. More testing required but there is UT coverage here and the cache loads nicely. I went for the complex linq statement to get the best perf out of EF, so commented heavily.

[joelverhagen]

nit: DateTimeOffset.UtcNow instead of DateTime.Now for clarity

[joelverhagen]

I'm wondering whether this dependency even makes much sense. The two new methods introduced on IPackageVulnerabilitiesManagementService are very small so it might be clearer to just depend on IEntitiesContext here.

[drewgillies]

The separation of responsibilities was initially related to DI scopes. PackageVulnerabilitiesManagementService is InstancePerLifetimeScope, and this is a SingleInstance (in order for caching to work), initially with the management service passed to caching service methods (rather than having it stored in a field). I expect I'll return to this model if I'm unable to run the Initialize method from the constructor, which in that sense I like better.

The reason we have a caching service class which is separate from PackageVulnerabilitiesService (rather than just adding caching capabilities to it) is the same --PackageVulnerabilitiesService is InstancePerLifetimeScope.

[joelverhagen]

We should not do SQL in the constructor

[joelverhagen]

nit: you can just return a Dictionary<TKey, TValue> which itself implements IReadOnlyDictionary<TKey, TValue>. No need to construct a ReadOnlyDictionary.

[joelverhagen]

This dictionary read could operate on the cache dictionary while it is being modified on line 49. Better to use a ConcurrentDictionary. See https://stackoverflow.com/a/24586924.

[joelverhagen]

You don't need AsReadOnly. You can just cast to IReadOnlyList.

[drewgillies]

background refresh

@joelverhagen I love this idea. That's the missing piece. Thanks for all of your granular feedback above as well.

[drewgillies]

@joelverhagen @skofman1 @zhhyu I've implemented the background refresh on the cache, and I'll have it report load time telemetry like the downloads refresh does--it would be good to track this over time as the cache grows in size.

[skofman1]

30

what's the frequency of the GitHub job? Why 30 minutes?

[drewgillies]

This was arbitrary - it could easily be a day and work quite well. I thought that if we were to extend this cache's use to the manage packages page, a customer would want to see more "live" updates, so 30 minutes seemed like the happy medium.

[skofman1]

if the GitHub job runs once a day to get updates, there's no point in having this cache updated every 30 mins. If the job runs frequently (say every 10 minutes), 30 minutes definetly makes sense.

[skofman1]

add units to the metric name for debuggability. i.e. VulnerabilitiesCacheRefreshDurationMs

[drewgillies]

Sure thing--I was modelling it off TrackDownloadJsonRefreshDuration - I can change that too if you like. Also, do you want the string value changed or just the name of the const?

[skofman1]

Add to both. When you look at telemetry it will be super useful to know the units without going to the code. Regarding TrackDownloadJsonRefreshDuration , it will be nice to change that, assuming no one is depending on the event name for dashboards/monitoring.

[drewgillies]

Will do! I might hang off on ...DownloadJson... then, but yes, will change mine.

[skofman1]

packageVulnerabilitiesManagementService

if I understand correctly, the IPackageVulnerabilitiesManagementService will be created only once, which is not good because it has a dependency on EntityContext (DB connection), meaning we need a new one with every request.

[drewgillies]

The lifecycle pieces of this are the real trick (and the reason the cache service exists at all)--I may have the Job pass the management service each time to get around this.

[zhhyu]

I don't know too much about what happens for this behind the scene. This seems running as a background thread, and the query may take some time to run. Will it have a race condition between the application and the query? For example, the application starts accepting requests while the query has not finished running. That may not mean customer impacts because we have functional/e2e tests but if we have some tests for vulnerabilities, the test may fail because the result has not been loaded yet.

[drewgillies]

If you look in the RefreshCache you'll see that this is catered for in the _isRefreshing sync'd field. The first refresh is run in AppActivator so we should have data available (and I don't believe any E2E tests cover vulnerabilities data).

[zhhyu]

Besides logging the duration, I am thinking whether it will be better if we also log the status of the query, for example, possible exceptions thrown from the DB query (Timeout, etc..).

[drewgillies]

I'll trace exceptions in the query code. Good idea.

[zhhyu]

This looks like a heavy query for DB. I wonder it may cause glitches for DB performance. We may need some stress tests to understand the behavior.

Besides, my understanding is that each time we reload everything from DB again. I am not sure whether we can only load the difference (for example, depend on the timestamp somehow) because it sounds like most of existing vulnerabilities should not need to be updated with a high frequency, but the effort may not be worth if the performance is ok.

[drewgillies]

I think it would be good to track telemetry on this and see how it performs generally, before introducing performance tweaks. It's only heavy in post-query transformation--the query itself loads records from the VulnerablePackageVersionRange table and related PackageVulnerabilities records--this should be relatively lightweight. But we should watch telemetry. If it turns out we need to find ways to speed up load, we could start looking at timestamping vulnerable range records, but of course, the table and all of the records would need to be loaded in order to test for changes (but it would reduce PackageVulnerabilities reads)--I think the wins would be small there. Let's investigate down the road if we need to.

[drewgillies]

Another option for reducing DTUs is, of course, increasing the refresh interval from 30 minutes to something far longer.

[zhhyu]

For discussions: I can see that the only write action now is to update the reference to another new dictionary when we refresh the cache. Do we still need to use "ConcurrenctDictionary"? We don't update the granularity such as some entries in the dictionary.

[drewgillies]

Good call--I'm reverting this to a Dictionary.

[drewgillies]

@skofman1 I've worked with @joelverhagen and @agr to land on a more elegant solution here--we're caching a scope factory in the PackageVulnerabilitiesCacheService which will spin up an entirely new scope every time we refresh, and generate a new EntitiesContext instance each time we do. I believe I've addressed all feedback now (including @zhhyu's). Interested in how close you feel we are to an acceptable design. I'll be running some more tests on it before merging.

[skofman1]

packageVulnerabilitiesCacheService

why would packageVulnerabilitiesCacheService ever be null? If it's null it means we have a bug and forgot to register it. In that case, it would be better to fail fast then to get into a state where the cache isn't refreshed. I suggest to drop the null check.

[joelverhagen]

Why not make the necessary methods just available on the interface? I don't see why any cast is necessary.

[drewgillies]

Yep--good call. The same thing is being done for cloudDownloadCountService above, but it is redundant. I'll remove that.

[skofman1]

telemetryService

null check

[skofman1]

Some comments. Otherwise looks good :)

[joelverhagen]

nit: pass TimeSpan here, don't mention "ms". The implementation below can make a "ms" specific metric emitted to AI but the interface can be cleaner than that. It's not a big deal though.

[drewgillies]

I'm so confused :) #8580 (comment)

[drewgillies]

TimeSpan makes sense but is inconsistent with other telemetry methods. I'd like us to retrofit code if we pivot on practice, so other devs can follow the lead of what's there more efficiently. I'm happy to do this here but it may be good to consider this going forward.

[drewgillies]

Thinking further, TimeSpan here would mean removing Ms from the method name, which would conflict with @skofman1's comment as well. I think I'll leave it as-is for now? When we arrive at consensus on how we want our telemetry to function for duration tracking, perhaps we can go through and change them all as a separate change.

[drewgillies]

Just did a quick visual scan: TrackDownloadJsonRefreshDuration is the only outlier. Perhaps I could change both of them in this change?

[drewgillies]

(I would still leave Ms off the method name as it's no longer ms, and would make them both use TimeSpan)

[joelverhagen]

nit: please minimize changes to unrelated lines.

[drewgillies]

Wasn't sure of our policy on cleanup. Thanks.

[joelverhagen]

Why is this predicated on AzureStorage?

[drewgillies]

It didn't seem to make sense to have this running on local environments. If you think it should be all cases, I'm happy to remove it.

[joelverhagen]

You can just registry the type, i.e. RegistryType. You don't need explicit ctor here right?

[drewgillies]

Yes, I'm sure there was a reason I thought this was appropriate when it was more complex, but on reflection even then I was mistaken. Will clean up.

[joelverhagen]

please use explicit parameter name for ambiguous values like this empty string

[joelverhagen]

Does this need to be a new task? Who calls Execute? Is it already in a background task? If so, you can just synchronously execute RefreshCache and return Task.CompletedTask.