(fix/refactor): Remove unnecessary calls to Notification APIs (IDETECT-4992) by shantyk · Pull Request #1708 · blackducksoftware/detect

shantyk · 2026-04-02T05:00:44Z

Goal: Remove or replace expensive notification API usage in Detect (as per request from perflab) without changing existing behaviour.

Related blackbuck-common PR that must be merged and released first: blackducksoftware/blackduck-common#475. This will be a major version bump as the removal of the now unused "get latest user notification timestamp" API is a breaking change.

Summary of changes:

1. Safe removal of calls to notifications API in places where we do not need it:
► detector and signature (uses BOM status polling in all cases)
► binary (uses BOM status polling, except when server version is too old for multipart upload)
► impact analysis (currently no mechanism for checking the completion status. See HUB-25142)
► iac (never used notification based waiting, noop)

2. For remaining notification use cases, reduce API calls by simply using upload start time as the polling window start.

Previously, two API calls were made for each code location upload: one to fetch the current user and another to fetch the user’s notifications. The timestamp of the most recent notification becomes a given code location's NotificationTaskRange.startDate.
All ranges were eventually combined to derive the earliest polling start date.
This happened before Detect even checked whether waiting for results was required or whether BOM status polling was available instead.

New behavior:

Now we have codeLocationsUploadStartTime, recorded at code location upload initiation which eliminates per-upload API calls (and potential for race conditions from server delays, caching, or persistence lags, etc) and is a tighter start for the notification window than querying the most recent notification date (which will always be earlier or equal to upload start so we are certain to count only notifications from this Detect run).

If and when needed, notifications APIs are used for polling as they were before, only the starting timestamp has changed.
3. Removal of waitAtScanLevel boolean which simply represented if BD sever version exists and it is >=2023.1.1. 2023.1.x has reached end of support.
4. Docs: release note + updating wait property to indicate iac and impact analysis tools are not applicable.

Note on where we still use notification APIs:

In the case of a binary scan against a BD version < 2024.7.0, we use pre-SCASS binary scan with legacy upload mechanism (no multiparty upload possible). In this specific case, we mustWaitAtBomSummaryLevel for completion if detect.wait.for.results is set to TRUE. Though we will no longer make API calls to determine most recent notification, we will still eventually poll the notifications endpoint. In this case, we will see in the logs:

DEBUG [main] --- Using legacy binary scan upload method. This can be slow, consider upgrading to a newer version of Black Duck SCA to enable multipart uploading if possible.
INFO  [main] --- Preparing to upload binary scan file: /Users/shanty/blackduck/example-source/binaries/ifm.tar
DEBUG [main] --- Will use old notifications based waiting for the following code locations: [ifm.tar/shanty-testing/testing binary]
...
DEBUG [main] --- Will use old notifications based waiting for the following code locations: [ifm.tar/shanty-testing/testing binary]
DEBUG [main] --- Notifications after Tue Apr 14 04:47:10 MDT 2026 will be considered.
DEBUG [main] --- Expected notification count 1
DEBUG [main] --- Expected code locations:
DEBUG [main] ---   Code Location -> ifm.tar/shanty-testing/testing binary
DEBUG [main] --- 
DEBUG [main] --- At least one code location has been found, now looking for notifications.
DEBUG [main] --- There were 2 notifications found.
INFO  [main] --- All code locations have not been added to the BOM yet...
INFO  [main] --- Try #1 for task code location (elapsed: 00:00:00.000)...not done yet, waiting 60 seconds and trying again...
DEBUG [main] --- At least one code location has been found, now looking for notifications.
DEBUG [main] --- There were 3 notifications found.
INFO  [main] --- Found ifm.tar/shanty-testing/testing binary code location (1 of 1).

…not check their completion status via notifications or bom status. This is existing behaviour, setting wait to true was a noop.

…utNotificationTaskRange. Prevents call to notifications API for which the results were never used downstream, CodeLocationCreationData's NotificationTaskRange is null.

…rsion exists and is at least 2023.1.1 which has reached end of service.

…red a waitable (via notifications).

shantyk · 2026-04-14T11:29:53Z

+            failedScans.add(output.getCodeLocationName());
+            handleNoScanStatusFile(scassScan, scanOutputLocation);
+            return;
+        }


Just moved to make try/catch block tighter around different exceptions expected, instead of one big umbrella try/catch.

bd-samratmuk · 2026-04-15T13:13:14Z

    }

-    public void uploadBdioEntries(BlackDuckRunData blackDuckRunData, UUID bdScanId) throws IntegrationException, IOException {
+    public void uploadBdioEntriesForRapidMode(BlackDuckRunData blackDuckRunData, UUID bdScanId) throws IntegrationException, IOException {


thanks for changing these names, massive w! 👍

…tructor as it is no longer used.

…removal

…tions are tightly coupled with the legacy idea of a waitable code location.

shantyk added 2 commits April 1, 2026 11:55

Notification APIs: remove unnecessary calls

71c11a3

Don't wait at BOM level for IAC or impact analysis scans since we can…

af636c8

…not check their completion status via notifications or bom status. This is existing behaviour, setting wait to true was a noop.

shantyk changed the base branch from master to 11.4.z April 2, 2026 08:10

Refactor Impact Analysis upload operation to createCodeLocationsWitho…

42d0c54

…utNotificationTaskRange. Prevents call to notifications API for which the results were never used downstream, CodeLocationCreationData's NotificationTaskRange is null.

shantyk force-pushed the dev/shanty/IDETECT-4992_notification_apis_removal branch from 8477775 to 9036a70 Compare April 6, 2026 20:58

Latest IntelligentModeStepRunner changes

5f4efc0

shantyk force-pushed the dev/shanty/IDETECT-4992_notification_apis_removal branch from 9036a70 to 5f4efc0 Compare April 6, 2026 23:39

shantyk self-assigned this Apr 13, 2026

shantyk changed the title ~~Notification APIs: remove unnecessary calls~~ (fix/tests/refactor): Remove calls to Notification APIs (IDETECT-4992) Apr 13, 2026

shantyk added 6 commits April 13, 2026 16:33

Pkg mngr and signature updates

e93a8d7

Testing for regressions

0644815

Remove unused impact analysis related methods

0d05709

Remove unused ImpactAnalysisToolResult class

86a3e60

Deprecate shouldWaitAtScanLevel since it simply checks if a server ve…

0cde1a1

…rsion exists and is at least 2023.1.1 which has reached end of service.

Update bd-common version with soon to be released lib version

784a008

shantyk force-pushed the dev/shanty/IDETECT-4992_notification_apis_removal branch from 4b1c584 to 784a008 Compare April 14, 2026 07:27

Propogate removal of shouldWaitAtScanLevel to signature scanner

1637aa2

shantyk changed the title ~~(fix/tests/refactor): Remove calls to Notification APIs (IDETECT-4992)~~ (fix/tests/refactor): Remove unnecessary calls to Notification APIs (IDETECT-4992) Apr 14, 2026

shantyk mentioned this pull request Apr 14, 2026

(breaking change): Remove API call to query for a user's most recent notification. Code locations by Detect will be created without querying notifications API. blackducksoftware/blackduck-common#475

Merged

shantyk added 4 commits April 14, 2026 04:13

Remove prescass pkg mngr BDIO code location upload from being conside…

ee6e20e

…red a waitable (via notifications).

Minor updates

aed3a40

Rename back to uploadBdioFiles

2ccfdd6

Clean up comments

74c9aa5

shantyk force-pushed the dev/shanty/IDETECT-4992_notification_apis_removal branch from 76512a3 to 74c9aa5 Compare April 14, 2026 11:27

Revert changes to waitable signature scanner code loctaion

4d3e7ee

shantyk force-pushed the dev/shanty/IDETECT-4992_notification_apis_removal branch from 32756b4 to 08a210c Compare April 14, 2026 11:41

shantyk changed the title ~~(fix/tests/refactor): Remove unnecessary calls to Notification APIs (IDETECT-4992)~~ (fix/refactor): Remove unnecessary calls to Notification APIs (IDETECT-4992) Apr 14, 2026

shantyk marked this pull request as ready for review April 14, 2026 11:56

Remove comments in signaturescansteprunner

01329b3

shantyk force-pushed the dev/shanty/IDETECT-4992_notification_apis_removal branch from 08a210c to 01329b3 Compare April 14, 2026 12:04

shantyk requested review from bd-samratmuk, devmehtabd, dterrybd and zahidblackduck April 14, 2026 12:05

Add missed method update for binary upload

75546af

dterrybd reviewed Apr 14, 2026

View reviewed changes

Comment thread ...main/java/com/blackduck/integration/detect/lifecycle/run/step/IntelligentModeStepRunner.java Outdated

dterrybd reviewed Apr 14, 2026

View reviewed changes

Comment thread ...m/blackduck/integration/detect/workflow/blackduck/codelocation/WaitableCodeLocationData.java

Comment thread ...blackduck/integration/detect/workflow/blackduck/codelocation/CodeLocationWaitCalculator.java

shantyk commented Apr 14, 2026

View reviewed changes

dterrybd reviewed Apr 14, 2026

View reviewed changes

Comment thread ...m/blackduck/integration/detect/workflow/blackduck/codelocation/WaitableCodeLocationData.java Outdated

dterrybd approved these changes Apr 14, 2026

View reviewed changes

devmehtabd approved these changes Apr 14, 2026

View reviewed changes

bd-samratmuk reviewed Apr 15, 2026

View reviewed changes

bd-samratmuk approved these changes Apr 15, 2026

View reviewed changes

shantyk added 6 commits April 15, 2026 19:27

Remove NotificationTaskRange param from WaitableCodeLocationData cons…

35e13a0

…tructor as it is no longer used.

Fix whitespace in diff

2d175bd

Merge branch '11.4.z' into dev/shanty/IDETECT-4992_notification_apis_…

5f3007d

…removal

Fix method rename issue after rebase

07cc4d2

Fix regression wrt correlated scanning. Correlated scan count calcula…

29922b9

…tions are tightly coupled with the legacy idea of a waitable code location.

Bump bd-common version 68.0.0

de0b0aa

shantyk merged commit c30a8d4 into 11.4.z Apr 17, 2026

shantyk deleted the dev/shanty/IDETECT-4992_notification_apis_removal branch April 17, 2026 05:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(fix/refactor): Remove unnecessary calls to Notification APIs (IDETECT-4992)#1708

(fix/refactor): Remove unnecessary calls to Notification APIs (IDETECT-4992)#1708
shantyk merged 24 commits into11.4.zfrom
dev/shanty/IDETECT-4992_notification_apis_removal

shantyk commented Apr 2, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

shantyk Apr 14, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

bd-samratmuk Apr 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

shantyk commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary of changes:

Note on where we still use notification APIs:

Uh oh!

Uh oh!

Uh oh!

Uh oh!

shantyk Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

bd-samratmuk Apr 15, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

shantyk commented Apr 2, 2026 •

edited

Loading

shantyk Apr 14, 2026 •

edited

Loading