Unique constraint violation while mirroring NVD via feed files
nscuro opened this issue
Current Behavior
Mirroring the NVD via feed files can fail due to unique constraint violations in the AFFECTEDVERSIONATTRIBUTION table:
javax.jdo.JDODataStoreException: Insert of object "org.dependencytrack.model.AffectedVersionAttribution@65e2bfba" using statement "INSERT INTO "AFFECTEDVERSIONATTRIBUTION" ("FIRST_SEEN","LAST_SEEN","SOURCE","UUID","VULNERABILITY","VULNERABLE_SOFTWARE") VALUES (?,?,?,?,?,?)" failed : ERROR: duplicate key value violates unique constraint "AFFECTEDVERSIONATTRIBUTION_COMPOSITE_IDX"
Mirroring via API does not seem to be affected. Taking an educated guess here, the logic that processes the feed files can sometimes create duplicate Vulnerability <-> VulnerableSoftware relationships. I had to deal with that while implementing the API mirroring:
Steps to Reproduce
- Mirror NVD via feed files
Expected Behavior
Mirroring should not fail. We should not create duplicate records that cause unique constraint violations.
Dependency-Track Version
4.11.0-SNAPSHOT
Dependency-Track Distribution
Container Image, Executable WAR
Database Server
N/A
Database Server Version
No response
Browser
N/A
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
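
A minimal model of the failure reported above and one way to make the insert idempotent, added here as an example; it is Python with SQLite, not Dependency-Track's Java code. It assumes the composite index covers (SOURCE, VULNERABILITY, VULNERABLE_SOFTWARE); the feed rows and all function names are constructed.

```python
import sqlite3

# Assumption: the unique index spans these three columns.
SCHEMA = """
CREATE TABLE AFFECTEDVERSIONATTRIBUTION (
    ID INTEGER PRIMARY KEY, FIRST_SEEN TEXT, LAST_SEEN TEXT,
    SOURCE TEXT, VULNERABILITY INTEGER, VULNERABLE_SOFTWARE INTEGER);
CREATE UNIQUE INDEX AFFECTEDVERSIONATTRIBUTION_COMPOSITE_IDX
    ON AFFECTEDVERSIONATTRIBUTION (SOURCE, VULNERABILITY, VULNERABLE_SOFTWARE);
"""
INSERT = ("INSERT INTO AFFECTEDVERSIONATTRIBUTION "
          "(FIRST_SEEN, LAST_SEEN, SOURCE, VULNERABILITY, VULNERABLE_SOFTWARE) "
          "VALUES (?, ?, ?, ?, ?)")
UPSERT = (INSERT + " ON CONFLICT (SOURCE, VULNERABILITY, VULNERABLE_SOFTWARE) "
          "DO UPDATE SET LAST_SEEN = excluded.LAST_SEEN")

# Constructed feed rows (vulnerability id, vulnerable software id, seen date);
# the pair (1, 10) appears twice, modelling a duplicate relationship.
FEED_ROWS = [(1, 10, "2024-01-01"), (1, 11, "2024-01-01"), (1, 10, "2024-01-02")]

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def naive_insert(db, rows, source="NVD"):
    """One blind INSERT per parsed row; raises on the repeated pair."""
    for vuln, software, seen in rows:
        db.execute(INSERT, (seen, seen, source, vuln, software))

def hits_constraint(rows):
    """True if the naive path violates the unique index for these rows."""
    try:
        naive_insert(new_db(), rows)
    except sqlite3.IntegrityError:
        return True
    return False

def idempotent_insert(db, rows, source="NVD"):
    """Collapse duplicates in memory, then upsert so re-runs are safe."""
    unique = {}
    for vuln, software, seen in rows:
        first, last = unique.get((vuln, software), (seen, seen))
        unique[(vuln, software)] = (min(first, seen), max(last, seen))
    for (vuln, software), (first, last) in unique.items():
        db.execute(UPSERT, (first, last, source, vuln, software))
    return db.execute("SELECT COUNT(*) FROM AFFECTEDVERSIONATTRIBUTION").fetchone()[0]
```

The in-memory pass removes duplicates within one batch; the upsert covers rows already persisted by an earlier mirror run.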