Symptoms: Java Garbage Collection is very slow, and there are very long-running queries in the Artifactory database.
The problem comes from the Artifacts Browser menu's "builds" section. This endpoint can find which builds an artifact belongs to, including builds where it is a dependency. Normally this is fine, but a very popular dependency, for example the JUnit Java package, can be linked to thousands or hundreds of thousands of builds.
When this happens, visiting the UI endpoint causes very heavy load on Artifactory, both on the database and the JVM heap. I believe this is because the heap stores the SQL results in memory without pagination.
The number of builds an artifact can belong to is potentially infinite, so this endpoint will cause problems for popular build dependencies.
Steps to reproduce:
- Deploy one artifact to Artifactory, note its checksum
- Deploy around 10,000 buildinfo.json files that list this artifact as a dependency
- Attempt to browse to the Artifacts -> Repository -> Artifact -> "Builds" menu, observe an extremely long response time
The response time grows as more builds are added, presenting a linear scaling issue.
The current suggested workaround is to block the /ui/artifactBuilds endpoint. Other endpoints are available to gather this information.
#7k builds linked
20191119184241| [7 seconds] 7251|REQUEST|RESTRICTED_IP|admin|GET|/ui/artifactbuilds|HTTP/1.1|200|0
#15k builds linked
20191119185634| [12 seconds] 12715|REQUEST|RESTRICTED_IP|admin|GET|/ui/artifactbuilds|HTTP/1.1|200|0
#30k builds linked
20191119193239| [24 seconds] 24990|REQUEST|RESTRICTED_IP|anonymous|GET|/ui/artifactbuilds|HTTP/1.1|200|0
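One way to watch for this load pattern in the request log, as an added example that is not part of the original report or of Artifactory itself: it parses lines in the pipe-delimited layout shown above, ignores hand-added bracketed notes such as "[12 seconds]", and groups slow requests to the builds endpoint by user and client. The 5000 ms threshold, the sample lines and the client addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout shown above:
# timestamp|duration_ms|REQUEST|client|user|method|path|protocol|status|size
SAMPLE_LOG = """\
20191119184241|7251|REQUEST|192.0.2.5|admin|GET|/ui/artifactbuilds|HTTP/1.1|200|0
20191119184300|35|REQUEST|192.0.2.5|admin|GET|/api/system/ping|HTTP/1.1|200|2
20191119185634| [12 seconds] 12715|REQUEST|192.0.2.5|admin|GET|/ui/artifactbuilds|HTTP/1.1|200|0
20191119193239|24990|REQUEST|192.0.2.9|anonymous|GET|/ui/artifactBuilds|HTTP/1.1|200|0
20191119193301|not-a-number|REQUEST|192.0.2.9|anonymous|GET|/ui/artifactbuilds|HTTP/1.1|200|0
truncated line
"""

ANNOTATION = re.compile(r"\[[^\]]*\]")  # hand-added notes, e.g. "[12 seconds]"
WATCHED_PATH = "/ui/artifactbuilds"     # both spellings on the page match once lowercased


def parse_line(line):
    """Return a dict for a well-formed REQUEST line, or None for anything else."""
    fields = line.strip().split("|")
    if len(fields) != 10 or fields[2] != "REQUEST":
        return None
    duration = ANNOTATION.sub("", fields[1]).strip()
    if not duration.isdigit():
        return None
    return {"time": fields[0], "ms": int(duration), "client": fields[3],
            "user": fields[4], "path": fields[6], "status": fields[8]}


def slow_builds_requests(log_text, threshold_ms=5000):
    """Requests to the builds endpoint that took at least threshold_ms."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/").lower()
        if path == WATCHED_PATH and rec["ms"] >= threshold_ms:
            hits.append(rec)
    return hits


def summarize(hits):
    """Group slow requests by (user, client) so repeat callers stand out."""
    summary = defaultdict(lambda: {"count": 0, "total_ms": 0, "max_ms": 0})
    for rec in hits:
        entry = summary[(rec["user"], rec["client"])]
        entry["count"] += 1
        entry["total_ms"] += rec["ms"]
        entry["max_ms"] = max(entry["max_ms"], rec["ms"])
    return dict(summary)
```

Slow hits from the `anonymous` user are the ones to review first, since they show the endpoint is reachable without authentication.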