* Where possible, enriches an affected package's PURL with a `distro` qualifier inferred from the package's `ecosystem`. For example, `ecosystem=Debian:7` becomes `distro=debian-11`, `ecosystem=Ubuntu:20.04:LTS` becomes `distro=ubuntu-20.04`, etc.
* During vulnerability analysis, if both component and matching criteria have a PURL `distro` qualifier, ensures they match. Matching can handle codename <-> version comparisons, e.g. for Ubuntu `focal` would match `20.04` and vice versa.
* Generally improves performance of OSV mirroring by using fewer transactions and disabling ORM features that caused expensive unnecessary queries.
Currently Alpine, Debian, and Ubuntu distribution matching is implemented. These seem to work for SBOMs generated with Trivy and Syft.
The codename <-> version mapping is currently hardcoded for Debian and Ubuntu. There is a fallback mechanism that will handle exact matches, such that when Debian publishes a hypothetical "foo" release, we can still match components with vulnerabilities if both `distro` qualifiers are exactly "foo".
Debian and Ubuntu provide CSV files which we could regularly fetch at runtime, but this involves more work to coordinate.
Fixes https://github.com/DependencyTrack/dependency-track/issues/1374
Fixes https://github.com/DependencyTrack/dependency-track/issues/5776
Fixes https://github.com/DependencyTrack/dependency-track/issues/4445
Fixes https://github.com/DependencyTrack/dependency-track/issues/4725
Signed-off-by: nscuro <nscuro@protonmail.com>
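The two steps described in the commit above (inferring a `distro` qualifier from an OSV `ecosystem` string, and comparing component and vulnerability qualifiers with codename <-> version awareness plus an exact-match fallback) as an added, stand-alone Python illustration. This is not Dependency-Track's code: the codename tables, the function names and the restriction to Debian and Ubuntu (Alpine is left out) are assumptions made for this example, and the project's hardcoded tables may differ.

```python
"""Hypothetical illustration of PURL ``distro`` qualifier inference and
matching. Not Dependency-Track's implementation; tables and names are
assumptions for this example."""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl

# Codename <-> version tables. Constructed for this example; the project
# hardcodes its own tables, which may cover more releases.
DEBIAN_CODENAMES: Dict[str, str] = {
    "9": "stretch", "10": "buster", "11": "bullseye", "12": "bookworm",
}
UBUNTU_CODENAMES: Dict[str, str] = {
    "18.04": "bionic", "20.04": "focal", "22.04": "jammy", "24.04": "noble",
}
TABLES = {"debian": DEBIAN_CODENAMES, "ubuntu": UBUNTU_CODENAMES}


def infer_distro(ecosystem: str) -> Optional[str]:
    """Map an OSV ``ecosystem`` value to a ``distro`` qualifier value.

    ``Ubuntu:20.04:LTS`` -> ``ubuntu-20.04`` (the trailing ``LTS`` is dropped),
    ``Debian:11`` -> ``debian-11``. Unknown ecosystems yield ``None`` so the
    caller leaves the PURL untouched.
    """
    parts = ecosystem.split(":")
    name = parts[0].lower()
    if name in TABLES and len(parts) >= 2 and parts[1]:
        return f"{name}-{parts[1]}"
    return None


def purl_distro(purl: str) -> Optional[str]:
    """Extract the ``distro`` qualifier from a PURL string, if present."""
    if "?" not in purl:
        return None
    query = purl.split("?", 1)[1].split("#", 1)[0]
    return dict(parse_qsl(query)).get("distro")


def normalize(distro: str) -> Optional[Tuple[str, str]]:
    """Split ``ubuntu-focal`` or ``ubuntu-20.04`` into ``("ubuntu", "20.04")``.

    A codename is translated to its version number when the table knows it;
    an unknown release (e.g. a hypothetical ``debian-foo``) is kept literally,
    which is the exact-match fallback the commit describes.
    """
    m = re.fullmatch(r"([a-z]+)-(.+)", distro.strip().lower())
    if not m:
        return None
    name, release = m.group(1), m.group(2)
    table = TABLES.get(name)
    if table:
        if release in table:  # already a version number
            return name, release
        for version, codename in table.items():  # codename given
            if release == codename:
                return name, version
    return name, release


def distro_matches(component_distro: Optional[str],
                   vuln_distro: Optional[str]) -> bool:
    """True when the qualifiers agree, or when either side has none.

    Only when *both* sides carry a ``distro`` qualifier does it act as a
    filter; a missing qualifier must not suppress a match.
    """
    if component_distro is None or vuln_distro is None:
        return True
    left, right = normalize(component_distro), normalize(vuln_distro)
    if left is None or right is None:
        return component_distro.strip().lower() == vuln_distro.strip().lower()
    return left == right


if __name__ == "__main__":
    # Constructed sample PURL, shaped like what Trivy emits for a dpkg package.
    comp = purl_distro(
        "pkg:deb/ubuntu/openssl@1.1.1f-1ubuntu2.20?arch=amd64&distro=ubuntu-focal")
    vuln = infer_distro("Ubuntu:20.04:LTS")
    print(comp, vuln, distro_matches(comp, vuln))
```

Design note: the fallback deliberately compares unknown releases literally rather than rejecting them, so a release that post-dates the hardcoded table still matches when both sides spell it the same way.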
Switches from Parallel to the G1 garbage collector. It has been used successfully in Hyades API server and tends to not let the heap grow as much as Parallel GC.
Also configure the default Docker Compose file to limit the API server's memory to 4GB. Since we configure the container with `MaxRAMPercentage=80.0`, the JVM can potentially use up to 80% of available memory for heap size alone. This could lead to seemingly excessive memory usage even though most of the claimed memory is not actually needed.
Signed-off-by: nscuro <nscuro@protonmail.com>
* Uses recommended JSON array notation for `CMD` directives.
* Suppresses warnings for `sun.misc.Unsafe` usage (for Lucene) emitted by Java 25.
* Removes undesired `|| true` and `|| exit 1` occurrences as they don't provide any benefit.
* Specifies `--chown` for COPY directives to make ownership more explicit.
* Switches from `wget` to `curl` for health check as it has the same flags in Alpine and Debian, which wget does not have.
Signed-off-by: nscuro <nscuro@protonmail.com>
Since we don't recommend using H2, and H2 keeps causing issues, we shouldn't have it as a default for new users.
Relates to #4573
Signed-off-by: nscuro <nscuro@protonmail.com>
Ensure the field defaults to `true`, both in Java and the database. During upgrade, migrate all values that are currently `null` to `true`.
Solidify this change by switching `project.active` from `Boolean` to `boolean`. Adjust logic that previously had to check for `null`.
Fixes #4410
Signed-off-by: nscuro <nscuro@protonmail.com>
* Align property names
* Durations are now specified in milliseconds instead of seconds
* Reduce retry attempts and retry durations for OSS Index; the previous values were excessive
* Ensure that retries are only performed under certain transient error conditions, not for *any* error
* Provide a common mechanism to log when retries are performed, when max attempts were exceeded, or errors were not considered for retries
Signed-off-by: nscuro <nscuro@protonmail.com>
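The retry policy the commit above describes (a small attempt budget, durations in milliseconds, retries only for a narrow set of transient conditions, and one place that logs each retry, budget exhaustion, and errors deliberately not retried) as an added Python example. This is not Dependency-Track's retry code: the `HttpError` type, the set of statuses treated as transient, and the default limits are assumptions for this example.

```python
"""Hypothetical retry helper illustrating transient-only retries with a
single logging point. Not Dependency-Track's code; names and limits are
assumptions for this example."""
import logging
import time
from typing import Callable, TypeVar

log = logging.getLogger("retry")
T = TypeVar("T")


class HttpError(Exception):
    """Assumed error type carrying the upstream HTTP status."""

    def __init__(self, status: int):
        super().__init__(f"HTTP {status}")
        self.status = status


# Assumed transient statuses: rate limiting and upstream unavailability.
RETRYABLE_STATUSES = {429, 502, 503, 504}


def is_transient(exc: BaseException) -> bool:
    """Only failures that can plausibly clear on their own are retried.

    A 400 or 401 will not fix itself, so retrying it just burns the budget
    and delays the real error.
    """
    if isinstance(exc, (ConnectionError, TimeoutError)):
        return True
    return isinstance(exc, HttpError) and exc.status in RETRYABLE_STATUSES


def call_with_retry(fn: Callable[[], T], *, max_attempts: int = 3,
                    initial_delay_ms: int = 1000, max_delay_ms: int = 10000,
                    sleep: Callable[[float], None] = time.sleep) -> T:
    """Call ``fn``; retry with capped exponential backoff on transient errors.

    Every outcome that is not a plain success is logged here, so callers
    need no retry-related logging of their own. ``sleep`` is injectable so
    the backoff schedule can be inspected without waiting.
    """
    delay_ms = initial_delay_ms
    for attempt in range(1, max_attempts + 1):
        try:
            return fn()
        except Exception as exc:
            if not is_transient(exc):
                log.warning("attempt %d failed with non-retryable error: %s",
                            attempt, exc)
                raise
            if attempt == max_attempts:
                log.error("giving up after %d attempts: %s", attempt, exc)
                raise
            log.warning("attempt %d failed with transient error %s; "
                        "retrying in %d ms", attempt, exc, delay_ms)
            sleep(delay_ms / 1000.0)
            delay_ms = min(delay_ms * 2, max_delay_ms)
    raise AssertionError("unreachable: max_attempts must be >= 1")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    state = {"calls": 0}

    def flaky() -> str:
        # Constructed stand-in for an upstream call: fails twice, then works.
        state["calls"] += 1
        if state["calls"] < 3:
            raise HttpError(503)
        return "ok"

    print(call_with_retry(flaky, sleep=lambda s: None), state["calls"])
```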
The current setup is parsing the CWE dictionary XML at runtime and persisting it to the database (`CweImporter`), just to load it from the database again into memory (`CweResolver`). Both `CweImporter` and `CweResolver` end up holding the entire CWE dictionary in static `Map`s, which is unnecessary.
CWEs are synchronized with the database on startup, where each CWE is processed in a database transaction. That is over 1400 transactions before anything meaningful is done.
As of v4.5 (https://github.com/DependencyTrack/dependency-track/issues/1467), CWEs are stored as a serialized list in the `VULNERABILITY` table. The `CWE` table is thus not required anymore, as nothing is referring to it. Lookups can be served immediately from in-memory maps.
With this change, the CWE dictionary is pre-processed with a Python script. It generates a Java class that holds all entries in a static `LinkedHashMap`. Persistence logic around CWEs is removed, and the `CWE` table is dropped.
This is a backport from Hyades.
Signed-off-by: nscuro <nscuro@protonmail.com>
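The build-time approach the commit above describes (parse the CWE dictionary XML once and emit a Java class that holds every entry in a static `LinkedHashMap`, so nothing touches the database at runtime) as an added Python example. This is not the project's generator script: the trimmed sample XML is constructed for the example (element names follow MITRE's schema, but only a handful of entries are included), and the Java package and class names are assumptions.

```python
"""Hypothetical CWE dictionary -> Java source generator. Not the script
from the commit; the sample XML is constructed and the Java names are
assumptions for this example."""
import xml.etree.ElementTree as ET
from typing import Dict

CWE_NS = "http://cwe.mitre.org/cwe-7"

# Constructed, heavily trimmed stand-in for MITRE's cwec_v*.xml.
SAMPLE_XML = f"""<?xml version="1.0"?>
<Weakness_Catalog xmlns="{CWE_NS}">
  <Weaknesses>
    <Weakness ID="79" Name="Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"/>
    <Weakness ID="89" Name="Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"/>
  </Weaknesses>
  <Categories>
    <Category ID="1005" Name="7PK - Input Validation and Representation"/>
  </Categories>
  <Views>
    <View ID="1000" Name="Research Concepts"/>
    <View ID="1003" Name="Weaknesses for Simplified Mapping of Published Vulnerabilities"/>
  </Views>
</Weakness_Catalog>
"""


def parse_cwes(xml_text: str) -> Dict[int, str]:
    """Collect ID -> Name for weaknesses, categories and views, sorted by ID.

    Sorting makes the generated file deterministic, so regenerating from the
    same dictionary produces an identical class and a clean diff.
    """
    root = ET.fromstring(xml_text)
    entries: Dict[int, str] = {}
    for tag in ("Weakness", "Category", "View"):
        for el in root.iter(f"{{{CWE_NS}}}{tag}"):
            entries[int(el.get("ID"))] = el.get("Name", "")
    return dict(sorted(entries.items()))


def java_escape(text: str) -> str:
    """Escape a value for use inside a Java string literal."""
    return (text.replace("\\", "\\\\").replace('"', '\\"')
                .replace("\n", "\\n"))


def generate_java(entries: Dict[int, str], package: str = "org.example.cwe",
                  class_name: str = "CweDictionary") -> str:
    """Render a Java class whose static initializer fills a LinkedHashMap."""
    lines = [
        f"package {package};",
        "",
        "import java.util.Collections;",
        "import java.util.LinkedHashMap;",
        "import java.util.Map;",
        "",
        "// GENERATED FILE - do not edit; regenerate from the CWE dictionary XML.",
        f"public final class {class_name} {{",
        "    private static final Map<Integer, String> CWES;",
        "    static {",
        f"        final Map<Integer, String> m = new LinkedHashMap<>({len(entries)});",
    ]
    for cwe_id, name in entries.items():
        lines.append(f'        m.put({cwe_id}, "{java_escape(name)}");')
    lines += [
        "        CWES = Collections.unmodifiableMap(m);",
        "    }",
        "",
        f"    private {class_name}() {{}}",
        "",
        "    public static String nameOf(final int id) { return CWES.get(id); }",
        "    public static Map<Integer, String> all() { return CWES; }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(generate_java(parse_cwes(SAMPLE_XML)))
```

The generated map is wrapped in `Collections.unmodifiableMap` so a runtime caller cannot mutate the dictionary, which is the property that made the static maps in `CweImporter`/`CweResolver` safe to share in the first place.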
To make it clear that these Compose files are only meant for dev and testing work. This avoids confusion with the existing `src/main/docker/docker-compose.yml`, which is also used as the quickstart.
Signed-off-by: nscuro <nscuro@protonmail.com>