After SBOM upload how long does it take to be able to see vulnerabilities

[rightphp]

Using latest version of DT Server (4.6)

I am uploading SBOM from within CI/CD in test stage, and want to fetch policy violation in post stage of same pipeline. Whole pipeline may take from 30 seconds to 5 minutes to complete. I am implementing DT Server Api to fetch vulnerabilities/policy violation for my project.

My questions are if above approach to show analysis results is viable?
I am not sure how long does it take to process SBOM after uploading and give analysis results?
How long does it take first time?
How long it will take next time and so on?

[syalioune]

Hello @rightphp
Best approach is to use the token returned by the BOM upload API and check the async processing state with the API below

Once you get a false response, you can then fetch vuln/policy violations.

[rightphp]

This is a good idea in deed @syalioune to check whether processing has been completed before we start fetching results.

But do you have any for how long does it usually take to perform analysis, I do not want my pipeline to wait for a long time.

[syalioune]

Can't say, it depend on too many factor :

• Number of component in the SBOM
• Number of SBOM uploaded at the same time
• Hardware sizing
• Network bandwith if OSS Index is enabled
• Cache
• Asynchronous tasks running at the same time
• ...

You can expect that more than few minutes is too much for a timeout.

[t-vorobyova]

I have the same issue