Context
benches/diff.rs exists but is small. The diff core (src/diff/) is on the critical path for every bomdrift run, and we have no perf regression catcher for changes that touch it. v0.9.6's BaselineEntry unification and v0.9.8's lib.rs split would have been good moments to verify perf didn't regress; we relied on intuition.
Scope
Add a criterion benchmark covering the realistic shape of a bomdrift diff:
- Two SBOMs of ~500 components each (typical mid-sized JS app).
- A second pair of ~5,000 components each (typical large monorepo).
- Optionally: ~20,000 components for the upper-bound stress case.
Use checked-in fixtures or generate synthetic SBOMs deterministically (e.g. for i in 0..N { Component::new(format!("pkg:npm/synthetic-{i}@1.0.0")) }), so every run benchmarks the same input.
The bench should measure:
- diff::compute(before, after) end-to-end.
- The into_changeset step.
Wire it into Cargo.toml:
[[bench]]
name = "diff"
harness = false
(if it isn't already wired that way).
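As an added example (not bomdrift's code and not taken from benches/diff.rs), the following shows the fixture side of the bench: a deterministic synthetic SBOM generator plus a deterministic "after" SBOM that actually contains removals, version bumps and additions, since diffing two identical SBOMs would only exercise the no-change path. Component, ChangeSet and compute are assumed stand-ins for the shapes in src/diff/ so the block runs on its own; in the real bench you would use the crate's types and wrap the timed call in criterion instead of the Instant loop in main.

```rust
// Added example (not bomdrift's code): deterministic synthetic SBOM fixtures
// for the diff benchmark, plus a stand-in diff so the block runs on its own.
// `Component`, `ChangeSet` and `compute` are assumed stand-ins for the shapes
// in src/diff/; in benches/diff.rs use the crate's real types.
use std::collections::HashMap;
use std::time::Instant;

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Component {
    pub name: String,
    pub version: String,
}

impl Component {
    /// Package URL in the form the issue uses for synthetic fixtures.
    pub fn purl(&self) -> String {
        format!("pkg:npm/{}@{}", self.name, self.version)
    }
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct ChangeSet {
    pub added: Vec<String>,
    pub removed: Vec<String>,
    /// (before purl, after purl) for components whose version moved.
    pub changed: Vec<(String, String)>,
}

/// Deterministic "before" SBOM: no randomness, so every run on every machine
/// benchmarks the same input and numbers stay comparable across commits.
pub fn synthetic_sbom(n: usize) -> Vec<Component> {
    (0..n)
        .map(|i| Component { name: format!("synthetic-{i}"), version: "1.0.0".to_string() })
        .collect()
}

fn every(i: usize, k: usize) -> bool {
    k != 0 && i % k == 0
}

/// Deterministic "after" SBOM derived from `before`: drop every `remove_every`-th
/// component, bump the version of every `bump_every`-th survivor, and append
/// `add` new ones, so the diff sees all three kinds of change.
pub fn perturb(before: &[Component], remove_every: usize, bump_every: usize, add: usize) -> Vec<Component> {
    let mut after: Vec<Component> = before
        .iter()
        .enumerate()
        .filter(|(i, _)| !every(*i, remove_every))
        .map(|(i, c)| {
            let mut c = c.clone();
            if every(i, bump_every) {
                c.version = "1.1.0".to_string();
            }
            c
        })
        .collect();
    after.extend((0..add).map(|j| Component { name: format!("synthetic-new-{j}"), version: "1.0.0".to_string() }));
    after
}

/// Stand-in for diff::compute: hash-join on component name, linear in total size.
pub fn compute(before: &[Component], after: &[Component]) -> ChangeSet {
    let before_by_name: HashMap<&str, &Component> = before.iter().map(|c| (c.name.as_str(), c)).collect();
    let after_by_name: HashMap<&str, &Component> = after.iter().map(|c| (c.name.as_str(), c)).collect();
    let mut cs = ChangeSet::default();
    for b in before {
        match after_by_name.get(b.name.as_str()) {
            None => cs.removed.push(b.purl()),
            Some(a) if a.version != b.version => cs.changed.push((b.purl(), a.purl())),
            Some(_) => {}
        }
    }
    for a in after {
        if !before_by_name.contains_key(a.name.as_str()) {
            cs.added.push(a.purl());
        }
    }
    cs
}

fn main() {
    // Stand-alone timing loop. In benches/diff.rs the same shape becomes
    // c.bench_function("diff/500", |b| b.iter(|| compute(black_box(&before), black_box(&after))))
    // inside criterion_group!/criterion_main!; build the fixtures outside
    // b.iter so only the diff itself is timed, not fixture generation.
    for n in [500usize, 5_000] {
        let before = synthetic_sbom(n);
        let after = perturb(&before, 10, 7, n / 20);
        let started = Instant::now();
        let cs = compute(&before, &after);
        println!(
            "n={n}: +{} -{} ~{} in {:?}",
            cs.added.len(), cs.removed.len(), cs.changed.len(), started.elapsed()
        );
    }
}
```

The perturbation ratios (one in ten removed, one in seven bumped, five percent added) are arbitrary but fixed; what matters for a regression catcher is that they never change between runs, so a slowdown in the numbers can only come from the code under test.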
Acceptance criteria
- cargo bench --bench diff runs in under 30 seconds total.
- docs/src/architecture.md links to the bench file as the perf reference.
- cargo clippy --all-targets --all-features --release -- -D warnings is clean (benchmarks are part of --all-targets).
Nice to have (not required): a .github/workflows/bench.yml job that runs on schedule (weekly) and posts the results as a sticky comment, mirroring the v0.9.8 coverage job pattern.
A note on commit signing
main requires verified signatures (the repo ships cosign-signed releases — we hold our own commits to the same bar).
You usually don't need to set up signing as a contributor: when a maintainer merges via "Merge" or "Squash", GitHub auto-signs the resulting commit and your unsigned PR-branch commits are fine. This is the friendlier path for everyone.
If you'd like your individual commits to land verbatim on main (so your name shows up in git blame), set up local signing once and your PR can be rebase-merged:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
Then add the same SSH public key under GitHub → Settings → SSH and GPG keys → Signing keys.
See CONTRIBUTING.md → Commit signing on main for the full picture. Either way, please don't sweat it — if your PR is otherwise great, the maintainer will pick a merge mode that works.