Summary
Currently, Micromize fetches the SBOM when a container is created and populates the relevant eBPF maps with the file hashes. When the container exits, the eBPF map entries are cleaned up.
This works correctly but introduces unnecessary overhead when containers are started from the same image (restarts, jobs, etc.). We repeatedly fetch and parse the same SBOM even though the image digest is identical.
Proposed Improvement
Introduce a user-space SBOM cache keyed by image digest.
Desired Behavior
On container create:
- Extract the image digest.
- Check if the SBOM for this digest exists in cache.
- If present:
  - Reuse parsed SBOM data.
  - Populate the eBPF map immediately.
- If not present:
  - Fetch SBOM.
  - Parse and store it in cache.
  - Populate the eBPF map.
On container exit:
- Continue cleaning up container-specific eBPF map entries.
- Do not remove the SBOM from cache (unless evicted by LRU policy).
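As an added sketch (not Micromize's code, and the project's language is not stated here), the digest-keyed LRU cache plus the create/exit flow above in Go. Assumptions: a parsed SBOM is a list of file hashes, the fetch-and-parse step is an injected function, and a plain Go map keyed by container ID stands in for the eBPF map.

```go
package main

import (
	"container/list"
	"sync"
)

// SBOM is a stand-in (assumed shape) for the parsed SBOM: the file hashes of one image.
type SBOM struct{ Digest string; Hashes []string }

// SBOMCache is a user-space LRU cache keyed by image digest; fetch runs only on a miss.
type SBOMCache struct {
	mu      sync.Mutex
	cap     int
	order   *list.List               // front = most recently used
	entries map[string]*list.Element // digest -> element holding *SBOM
	fetch   func(digest string) (*SBOM, error)
}

func NewSBOMCache(capacity int, fetch func(string) (*SBOM, error)) *SBOMCache {
	return &SBOMCache{cap: capacity, order: list.New(), entries: map[string]*list.Element{}, fetch: fetch}
}

// Get returns the parsed SBOM for digest; on a miss it fetches, parses, and evicts the LRU entry.
func (c *SBOMCache) Get(digest string) (*SBOM, error) {
	c.mu.Lock(); defer c.mu.Unlock()
	if el, ok := c.entries[digest]; ok {
		c.order.MoveToFront(el) // hit: same digest, same SBOM, no refetch
		return el.Value.(*SBOM), nil
	}
	s, err := c.fetch(digest) // miss: fetch + parse; a failure is not cached
	if err != nil { return nil, err }
	c.entries[digest] = c.order.PushFront(s)
	if c.order.Len() > c.cap { // LRU eviction
		old := c.order.Remove(c.order.Back()).(*SBOM)
		delete(c.entries, old.Digest)
	}
	return s, nil
}

// HashMap stands in for the eBPF map: container ID -> set of allowed file hashes (assumed layout).
type HashMap map[string]map[string]bool

// OnCreate populates the container's entries from the (possibly cached) SBOM.
func OnCreate(c *SBOMCache, m HashMap, containerID, digest string) error {
	s, err := c.Get(digest)
	if err != nil { return err } // nothing is populated for a container whose SBOM failed
	m[containerID] = make(map[string]bool, len(s.Hashes))
	for _, h := range s.Hashes { m[containerID][h] = true }
	return nil
}

// OnExit removes only the container's entries; the SBOM stays cached for the next start.
func OnExit(m HashMap, containerID string) { delete(m, containerID) }
```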