DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Home Page:https://dependencytrack.org/

Unique constraint violation while mirroring NVD via feed files

nscuro opened this issue · comments

Current Behavior

Mirroring the NVD via feed files can fail due to unique constraint violations in the AFFECTEDVERSIONATTRIBUTION table:

 javax.jdo.JDODataStoreException: Insert of object "org.dependencytrack.model.AffectedVersionAttribution@65e2bfba" using statement "INSERT INTO "AFFECTEDVERSIONATTRIBUTION" ("FIRST_SEEN","LAST_SEEN","SOURCE","UUID","VULNERABILITY","VULNERABLE_SOFTWARE") VALUES (?,?,?,?,?,?)" failed : ERROR: duplicate key value violates unique constraint "AFFECTEDVERSIONATTRIBUTION_COMPOSITE_IDX"

Mirroring via API does not seem to be affected. Taking an educated guess here, the logic that processes the feed files can sometimes create duplicate Vulnerability <-> VulnerableSoftware relationships. I had to deal with that while implementing the API mirroring:

// Get all VulnerableSoftware records that are currently associated with the vulnerability.
// Note: For SOME ODD REASON, duplicate (as in, same database ID and all) VulnerableSoftware
// records are returned, when operating on data that was originally created by the feed-based
// NistMirrorTask. We thus have to deduplicate here.
final List<VulnerableSoftware> vsOldList = persistentVuln.getVulnerableSoftware().stream().distinct().toList();
LOGGER.trace("%s: Existing VS: %d".formatted(persistentVuln.getVulnId(), vsOldList.size()));

Steps to Reproduce

  1. Mirror NVD via feed files

Expected Behavior

Mirroring should not fail. We should not create duplicate records that cause unique constraint violations.

Dependency-Track Version

4.11.0-SNAPSHOT

Dependency-Track Distribution

Container Image, Executable WAR

Database Server

N/A

Database Server Version

No response

Browser

N/A

Checklist
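The failure mode in the report (duplicate Vulnerability <-> VulnerableSoftware matches produced by the feed processor colliding with the composite unique index) and the `.distinct()` workaround from the API mirroring code can be reproduced against a throwaway database. The following is an added illustration, not code from Dependency-Track: the table mirrors the column list of the failing INSERT, but the column set of `AFFECTEDVERSIONATTRIBUTION_COMPOSITE_IDX` is an assumption (the page only names the index), the feed matches are constructed, and `attribute_naively` / `attribute_idempotently` are hypothetical helpers standing in for the feed-based and API-based write paths.

```python
import sqlite3
import uuid
from datetime import datetime, timezone

# Constructed schema: the column list matches the INSERT from the error message;
# the unique index's column set is an ASSUMPTION, the page only gives its name.
SCHEMA = """
CREATE TABLE AFFECTEDVERSIONATTRIBUTION (
    ID                  INTEGER PRIMARY KEY AUTOINCREMENT,
    FIRST_SEEN          TEXT NOT NULL,
    LAST_SEEN           TEXT NOT NULL,
    SOURCE              TEXT NOT NULL,
    UUID                TEXT NOT NULL,
    VULNERABILITY       TEXT NOT NULL,
    VULNERABLE_SOFTWARE INTEGER NOT NULL
);
CREATE UNIQUE INDEX AFFECTEDVERSIONATTRIBUTION_COMPOSITE_IDX
    ON AFFECTEDVERSIONATTRIBUTION (VULNERABILITY, VULNERABLE_SOFTWARE, SOURCE);
"""

# Constructed feed output: the matcher returned the same VulnerableSoftware
# database ID more than once for a CVE, which is the situation the issue describes.
FEED_MATCHES = {
    "CVE-2024-0001": [42, 17, 42],
    "CVE-2024-0002": [7, 7, 7],
}

INSERT_SQL = (
    "INSERT {conflict} INTO AFFECTEDVERSIONATTRIBUTION "
    "(FIRST_SEEN, LAST_SEEN, SOURCE, UUID, VULNERABILITY, VULNERABLE_SOFTWARE) "
    "VALUES (?, ?, ?, ?, ?, ?)"
)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def attribute_naively(conn, vuln_id, vs_ids, source="NVD"):
    """One INSERT per match, exactly as the matcher returned them.
    The second occurrence of an ID hits the composite unique index."""
    ts = _now()
    with conn:  # commits on success, rolls back on IntegrityError
        for vs_id in vs_ids:
            conn.execute(INSERT_SQL.format(conflict=""),
                         (ts, ts, source, str(uuid.uuid4()), vuln_id, vs_id))


def attribute_idempotently(conn, vuln_id, vs_ids, source="NVD"):
    """Deduplicate in memory first (order-preserving, the Python analogue of
    Stream.distinct()), then make the write idempotent so a re-run of the
    mirror only refreshes LAST_SEEN instead of failing.  Returns the number of
    distinct attributions written or refreshed."""
    ts = _now()
    unique_ids = list(dict.fromkeys(vs_ids))
    with conn:
        for vs_id in unique_ids:
            # "INSERT OR IGNORE" is SQLite's spelling; on PostgreSQL the same
            # intent is "INSERT ... ON CONFLICT (...) DO NOTHING".
            conn.execute(INSERT_SQL.format(conflict="OR IGNORE"),
                         (ts, ts, source, str(uuid.uuid4()), vuln_id, vs_id))
            conn.execute(
                "UPDATE AFFECTEDVERSIONATTRIBUTION SET LAST_SEEN = ? "
                "WHERE VULNERABILITY = ? AND VULNERABLE_SOFTWARE = ? AND SOURCE = ?",
                (ts, vuln_id, vs_id, source))
    return len(unique_ids)


def attribution_count(conn, vuln_id) -> int:
    row = conn.execute(
        "SELECT COUNT(*) FROM AFFECTEDVERSIONATTRIBUTION WHERE VULNERABILITY = ?",
        (vuln_id,)).fetchone()
    return row[0]


def naive_fails(vuln_id="CVE-2024-0001") -> bool:
    """True if the feed-style write path trips the unique index."""
    conn = fresh_db()
    try:
        attribute_naively(conn, vuln_id, FEED_MATCHES[vuln_id])
    except sqlite3.IntegrityError as exc:
        return "UNIQUE constraint failed" in str(exc)
    return False


def idempotent_counts(vuln_id="CVE-2024-0001") -> int:
    """Rows present after mirroring the same CVE twice with the safe path."""
    conn = fresh_db()
    attribute_idempotently(conn, vuln_id, FEED_MATCHES[vuln_id])  # first mirror run
    attribute_idempotently(conn, vuln_id, FEED_MATCHES[vuln_id])  # re-mirror, must not fail
    return attribution_count(conn, vuln_id)


if __name__ == "__main__":
    print("naive path raises:", naive_fails())
    for cve in FEED_MATCHES:
        print(cve, "distinct attributions after two runs:", idempotent_counts(cve))
```

The in-memory `distinct()` step alone stops the crash for a single run, but it does not protect a second mirror run from rows written by the first; making the INSERT itself tolerate the conflict covers both, which is why the example does both.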