Dependencycheck: Initial Database cleanup performance

Created on 8 Jul 2020 · 4 Comments · Source: jeremylong/DependencyCheck

Describe the bug
The time taken to build the CVE database from scratch has increased dramatically.

Version of dependency-check used
5.3.2, gradle plugin.

Log file
This is an example of when it was fast: https://gist.github.com/mikehalmamoj/92726c89e5c1f0f4640ff069aa4fc5be
And an example of slow: https://gist.github.com/mikehalmamoj/067cf29c629dc0b1b084f46e9424281a

Note that the key difference is End database maintenance (52108 ms) compared to End database maintenance (1624822 ms)

To Reproduce
Run the gradle task dependencyCheckUpdate in a clean environment.

Additional context
Having watched the builds, the step that takes forever is Removed the CPE ecosystem on 5515 NVD records.

I traced that back to the UPDATE_ECOSYSTEM2 SQL statement: https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/resources/data/dbStatements.properties#L47

I wonder if some recent CVE additions have exposed a flaw in the SQL?

bug duplicate

All 4 comments

I am facing the same issue. Taking too long (13+ hours) to build the database for the first time (in fact, it's still going on as I write this 😄)

Version of dependency-check used
CLI 5.3.2

I am trying to set up a centralized MySQL database, initialized using the corresponding script (on macOS 10.15, if that helps). The initialization script worked perfectly & threw no errors.

Here is the exact command I ran to update the database:
dependency-check.sh --updateonly --connectionString jdbc:mysql://MY_HOST:3306/dependencycheck --dbDriverName com.mysql.jdbc.Driver --dbPassword MY_DB_PWD --dbUser MY_DB_USER

Let me know if I can provide additional info to help figure this out!

Sorry to hear about your woes @aravindparappil46 but I don't think we have the same issue. My problem is only with the database cleanup, not the building of the database which hasn't slowed down for me.

For example I see Processing Complete for NVD CVE - 2017 (109127 ms) whereas you see Processing Complete for NVD CVE - 2017 (47856652 ms). That's more than 400 times slower than me.

@aravindparappil46 - yes building the centralized database does currently take a long time. No one has had time to investigate this problem.

@mikehalmamoj this issue has already been reported and we have already adjusted the UPDATE_ECOSYSTEM2 statement to be more performant. See #2610

Thanks Jeremy - any timescales on the next release?
