Generating 'CycloneDX' report(s) took 12m for a cargo monorepo project #9994

Open
mawl opened this issue Mar 3, 2025 · 3 comments
Labels
needs info An issue where further information is required reporter About the reporter tool

Comments

@mawl

mawl commented Mar 3, 2025

Describe the bug

Generating 'CycloneDX' report(s) took 12m for a cargo monorepo project.

WebApp report file size is 36.7MB and says:

Image

To Reproduce

Steps to reproduce the behavior:

Download and unzip: evaluation-result.yml.zip

docker run --platform linux/amd64 --user root -it --rm -e "JAVA_OPTS=-Xms1024m -Xmx12g" -v $(pwd):/project ghcr.io/oss-review-toolkit/ort:52.0.0 --debug report --report-formats CycloneDX -i /project/evaluation-result.yml -o /project

Expected behavior

The CycloneDX JSON report should be generated in a reasonable time.

Console / log output

 ______________________________
/        \_______   \__    ___/ The OSS Review Toolkit, version 52.0.0,                
|    |   | |       _/ |    |    built with JDK 21.0.6+7-LTS, running under Java 21.0.6.
|    |   | |    |   \ |    |    Executing 'report' as 'root' on Linux                  
\________/ |____|___/ |____|    with 8 CPUs and a maximum of 12288 MiB of memory.      
                                                                                       
Environment variables:                                                                
ORT_CONFIG_DIR = /root/.ort/config                                                    
ORT_DATA_DIR = /root/.ort                                                             
HOME = /home/ort                                                                      
TERM = xterm                                                                          
JAVA_HOME = /opt/java/openjdk                                                         
ANDROID_HOME = /opt/android-sdk                                                       
                                                                                      
Looking for ORT configuration in the following file:
        /root/.ort/config/config.yml (does not exist)

09:48:21.841 [main] DEBUG org.ossreviewtoolkit.plugins.commands.api.utils.ExtensionsKt - Input ORT result file has SHA-1 hash a1f06353491ea08dd2bbe18a93b208ad35616a9b.
09:48:23.978 [main] INFO  org.ossreviewtoolkit.plugins.commands.api.utils.ExtensionsKt - Read ORT result from 'evaluation-result.yml' (0.72 MiB) in 2.126708626s.
Generating 'CycloneDX' report(s) in thread 'DefaultDispatcher-worker-2'...
Successfully created 'CycloneDX' report at '/project/bom.cyclonedx.json'.
Generating 'CycloneDX' report(s) took 12m 44.286519281s.
Created 1 of 1 report(s) in 12m 44.297341323s. 

Environment

Output of the ort requirements -l commands command:

 ______________________________                                                        
/        \_______   \__    ___/ The OSS Review Toolkit, version 52.0.0,                
|    |   | |       _/ |    |    built with JDK 21.0.6+7-LTS, running under Java 21.0.6.
|    |   | |    |   \ |    |    Executing 'requirements' as 'root' on Linux            
\________/ |____|___/ |____|    with 8 CPUs and a maximum of 3994 MiB of memory.       
                                                                                       
Environment variables:                                                                
ORT_CONFIG_DIR = /root/.ort/config                                                    
ORT_DATA_DIR = /root/.ort                                                             
HOME = /home/ort                                                                      
TERM = xterm                                                                          
JAVA_HOME = /opt/java/openjdk                                                         
ANDROID_HOME = /opt/android-sdk                                                       
                                                                                      
Looking for ORT configuration in the following file:
        /root/.ort/config/config.yml (does not exist)

Scanners:
        - Askalono: Requires 'askalono' in no specific version. Tool not found.
        - BoyterLc: Requires 'lc' in no specific version. Tool not found.
        - Licensee: Requires 'licensee' in no specific version. Tool not found.
        * ScanCode: Requires 'scancode' in version >=30.0.0. Found version 32.3.2.

PackageManagers:
        * Bazel: Requires 'bazel' in version >=7.0.0. Found version 7.0.1.
        * Bower: Requires 'bower' in version >=1.8.8. Found version 1.8.14.
        + Buildozer: Requires 'buildozer' in no specific version. Found version redacted.
        * Cargo: Requires 'cargo' in no specific version. Found version 1.84.0.
        * CocoaPods: Requires 'pod' in version >=1.11.0. Found version 1.16.2.
        * Composer: Requires 'composer' in version >=1.5.0. Found version 2.8.5.
        * Conan: Requires 'conan' in version >=1.44.0 and <2.0.0. Found version 1.66.0.
        * Go: Requires 'go' in version >=1.21.1. Found version 1.24.0.
        * Npm: Requires 'npm' in version >=6.0.0 and <11.0.0. Found version 10.9.2.
        + NuGetInspector: Requires 'nuget-inspector' in no specific version. Could not determine the version.
        * Pipenv: Requires 'pipenv' in version >=2018.10.9. Found version 2023.12.1.
        * Pnpm: Requires 'pnpm' in version >=5.0.0 and <10.0.0. Found version 9.15.4.
        * Poetry: Requires 'poetry' in no specific version. Found version 2.0.1.
        * Pub: Requires 'dart' in version >=2.10.0. Found version 2.18.4.
        * PythonInspector: Requires 'python-inspector' in version >=0.9.2. Found version 0.10.0.
        * Sbt: Requires 'sbt' in no specific version. Found version copying runtime jar...
sbt version in this project: 1.10.0
sbt script version: 1.10.0.
        * Stack: Requires 'stack' in version >=2.1.1. Found version 3.3.1.
        * Swift: Requires 'swift' in no specific version. Found version 6.0.3.
        * Yarn: Requires 'yarn' in version >=1.3.0 and <1.23.0. Found version 1.22.22.

VersionControlSystems:
        * Git: Requires 'git' in version >=2.29.0. Found version 2.34.1.
        * GitRepo: Requires 'repo' in no specific version. Found version 2.50 (launcher).
        * Mercurial: Requires 'hg' in no specific version. Found version 6.9.1.

Prefix legend:
        - The tool was not found in the PATH environment.
        + The tool was found in the PATH environment, but not in the required version.
        * The tool was found in the PATH environment in the required version.

ScanCode license texts found in '/opt/scancode-license-data'.

Not all tools requirements were satisfied:
        ! Some tools were not found in their required versions.
@mawl mawl added the to triage Issues that need triaging label Mar 3, 2025
@mawl mawl changed the title Generating 'CycloneDX' report(s) took 12m Generating 'CycloneDX' report(s) took 12m for a cargo monorepo project Mar 3, 2025
@sschuberth sschuberth added reporter About the reporter tool and removed to triage Issues that need triaging labels Mar 3, 2025
@sschuberth
Member

@tsteenbe and others who are affected by this: Can you try to narrow this down by e.g. disabling Cargo as a PM? Does it then still take long for other PMs found?

@sschuberth sschuberth added the needs info An issue where further information is required label Mar 6, 2025
@sschuberth
Member

Also, for those who have a dev setup, you may want to try running a profiler.

@mawl
Author

mawl commented Mar 17, 2025

As far as I can say, this issue only occurs with cargo dependencies. Other package managers like npm don't lead to that.
