Comments (14)
I'm wondering if we need DISTINCT at all here. The query doesn't look like it would produce duplicate rows, as it operates on the concept of findings (Component <-> Vulnerability pairs). Am I missing something?
AFAIK DISTINCT
was necessary because the query could otherwise produce duplicate rows if ACL
is enabled.
Without it if a user is a part of multiple teams and two of those different teams include the same project, the query would produce a duplicate entry for both project teams.
Maybe there's a fix to this problem that does not include DISTINCT
in the query, but unfortunately I'm not the biggest SQL expert 😅.
from dependency-track.
I currently don't have MSSQL installed so I can't try to reproduce the issue but I'm 100% sure that I successfully tested this with MSSQL 2022 when I created the PR.
from dependency-track.
I'll try to reproduce later today.
from dependency-track.
Seems like DTrack uses TEXT datatype, but MSSQL doesn't support DISTINCT on it.
According to https://stackoverflow.com/questions/8056339/ef-the-text-data-type-cannot-be-selected-as-distinct-because-it-is-not-comparab
the question should be: Why do we use TEXT as datatype instead VARCHAR(MAX)?
from dependency-track.
@rkg-mm Limitation of the ORM we use. It maps the CLOB
JDBC type (required for "string of unlimited size") to TEXT
for SQL Server: https://github.com/datanucleus/datanucleus-rdbms/blob/ae929d4a97961ebc53a21a4d0bf4c845ebdf4705/src/main/java/org/datanucleus/store/rdbms/adapter/SQLServerAdapter.java#L173-L175
It's not a decision we actively made to choose TEXT
over VARCHAR(MAX)
...
from dependency-track.
Which fields would be affected by this? Since you drop support for MSSQL anyway with 5.x, maybe as quick fix those fields can be excluded...
from dependency-track.
Based on the query in the exception, it seems to be these:
dependency-track/src/main/java/org/dependencytrack/model/Vulnerability.java
Lines 175 to 179 in cf4f2d4
dependency-track/src/main/java/org/dependencytrack/model/Vulnerability.java
Lines 187 to 191 in cf4f2d4
from dependency-track.
For the moment those are not used in the UI, but could be in future once we add expanding of those table rows.
Could also cast these 2 in the query
CAST(field AS VARCHAR(MAX))
Just not sure how that impacts performance of the query.
from dependency-track.
I'm wondering if we need DISTINCT
at all here. The query doesn't look like it would produce duplicate rows, as it operates on the concept of findings (Component <-> Vulnerability pairs). Am I missing something?
CAST(field AS VARCHAR(MAX))
I'd expect this to slow down the query, but not sure by how much. Also this would need to be a specific cast for SQL Server, since the same will not work in H2, MySQL, or PostgreSQL.
from dependency-track.
Perhaps there is a way to solve this in a "two-stage" CTE, where we:
- Select only the unique IDs of all applicable findings (this can use
DISTINCT
) - Based on the CTE holding the IDs, fetch the actual fields we want to display (doesn't need
DISTINCT
anymore)
Separately, are you seeing the same issue in your instance @rbt-mm @rkg-mm?
I'm 99% sure I tested this feature with the MSSQL Compose setup, so I am a bit baffled why it may have worked before but then somehow broke. Does the MSSQL version play a role? The Compose setup uses the 2022 version.
from dependency-track.
I haven't found the time to update our instance yet. But I also think @rbt-mm tested this with MSSQL...
from dependency-track.
Thank you for your immediate reactions. I would like to share some additional logs with you, which shows the database migration done by DT API server. Maybe it will help you.
2024-05-08 08:18:45,250 INFO [RequirementsVerifier] Initializing requirements verifier
2024-05-08 08:18:45,251 INFO [UpgradeInitializer] Initializing upgrade framework
2024-05-08 08:18:48,009 INFO [UpgradeExecutor] Upgrade class org.dependencytrack.upgrade.v4110.v4110Updater about to run.
2024-05-08 08:18:48,009 INFO [v4110Updater] Dropping foreign key constraint from "VULNERABILITY"."CWE"
2024-05-08 08:18:48,011 INFO [v4110Updater] Dropping index "VULNERABILITY"."VULNERABILITY_CWE_IDX"
2024-05-08 08:18:48,011 INFO [v4110Updater] Dropping column "VULNERABILITY"."CWE"
2024-05-08 08:18:48,013 INFO [v4110Updater] Dropping table "CWE"
2024-05-08 08:18:48,020 INFO [v4110Updater] Computing severities for vulnerabilities where severity is currently NULL
2024-05-08 08:18:48,778 INFO [v4110Updater] Updated 12753 vulnerabilities in 26 batches
2024-05-08 08:18:48,780 INFO [v4110Updater] Extending length of PURL and PURLCOORDINATES columns from 255 to 786
2024-05-08 08:18:48,806 INFO [UpgradeExecutor] Completed running upgrade class org.dependencytrack.upgrade.v4110.v4110Updater in 778 ms.
2024-05-08 08:18:48,809 INFO [PersistenceManagerFactory] Initializing persistence framework
2024-05-08 08:18:48,810 INFO [PersistenceManagerFactory] Creating transactional connection pool
2024-05-08 08:18:48,844 INFO [PersistenceManagerFactory] Creating non-transactional connection pool
2024-05-08 08:18:49,844 INFO [HealthCheckInitializer] Registering health checks
2024-05-08 08:18:49,846 INFO [DefaultObjectGenerator] Initializing default object generator
2024-05-08 08:18:49,847 INFO [DefaultObjectGenerator] Synchronizing permissions to datastore
2024-05-08 08:18:50,036 INFO [DefaultObjectGenerator] Synchronizing SPDX license definitions to datastore
2024-05-08 08:18:57,408 INFO [DefaultObjectGenerator] Synchronizing default repositories to datastore
2024-05-08 08:18:57,462 INFO [DefaultObjectGenerator] Synchronizing config properties to datastore
2024-05-08 08:18:57,685 INFO [DefaultObjectGenerator] Synchronizing notification publishers to datastore
2024-05-08 08:18:58,115 INFO [EventSubsystemInitializer] Initializing asynchronous event subsystem
2024-05-08 08:18:58,152 INFO [NotificationSubsystemInitializer] Initializing notification service
2024-05-08 08:18:58,154 INFO [IndexSubsystemInitializer] Building lucene indexes if required
2024-05-08 08:18:58,165 INFO [IndexManager] Checking the health of index PROJECT
2024-05-08 08:18:58,331 INFO [IndexManager] The index PROJECT is healthy
2024-05-08 08:18:58,332 INFO [IndexManager] Checking the health of index COMPONENT
2024-05-08 08:18:58,917 INFO [IndexManager] The index COMPONENT is healthy
2024-05-08 08:18:58,918 INFO [IndexManager] Checking the health of index SERVICECOMPONENT
2024-05-08 08:18:58,919 INFO [IndexManager] The index SERVICECOMPONENT is healthy
2024-05-08 08:18:58,919 INFO [IndexManager] Checking the health of index VULNERABILITY
2024-05-08 08:19:04,172 INFO [IndexManager] The index VULNERABILITY is healthy
2024-05-08 08:19:04,173 INFO [IndexManager] Checking the health of index LICENSE
2024-05-08 08:19:04,179 INFO [IndexManager] The index LICENSE is healthy
2024-05-08 08:19:04,179 INFO [IndexManager] Checking the health of index VULNERABLESOFTWARE
2024-05-08 08:19:05,575 INFO [IndexManager] The index VULNERABLESOFTWARE is healthy
2024-05-08 08:19:05,590 INFO [AlpineServlet] Starting Dependency-Track
2024-05-08 08:19:07,914 INFO [AlpineServlet] Dependency-Track is ready
There are no error messages beside this issue.
from dependency-track.
Confirmed to be broken for MSSQL.
from dependency-track.
Working around this now by using a subquery instead of a LEFT JOIN
to perform the ACL check: #3700.
from dependency-track.
Related Issues (20)
- Vulnerability Table Error HOT 2
- About the Restful API error: lookup and search HOT 1
- Unique constraint violation while mirroring NVD via feed files HOT 1
- Flutter packages (pub) get vulnerability from npm HOT 1
- Cannot delete OpenID Connect users HOT 2
- False positive reported for webpack HOT 1
- NuGet component with space breaks analyzer HOT 1
- BOM Validation: Unable to determine schema version from JSON HOT 1
- 401 HTTP Request Error HOT 2
- Allow Policies to have rules based on EPSS values HOT 1
- Upgrade REST API Spec from Swagger 2.0.0 to OAS 3.1.x HOT 3
- add more information to the Component details HOT 1
- StackOverflowError when uploading sbom twice HOT 3
- add golang module analysis in SnykAnalysisTask
- Project component view displays abnormal "t.$t is not a function" HOT 1
- Make components page default show all components HOT 2
- Dependency Ttrack makes Trivy-generated SBOM unusable to Trivy server HOT 12
- Aliases do not appear to be reported in notifications
- Bom.xml showing zero components after upload (Version server V4.6.3) HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dependency-track.