From 9f01f3cc8fea4c2b24fdde24f1136beeb3e11051 Mon Sep 17 00:00:00 2001
From: nscuro
Date: Mon, 18 Dec 2023 20:34:50 +0100
Subject: [PATCH] Fix NVD API's last modified timestamp requiring restart to be applied

The timestamp is created with value `null` in a context where L2 caching is enabled (`DefaultObjectGenerator`), but updated in one where L2 caching is disabled (`NistApiMirrorTask#updateLastModified`). What's more, it's queried in a context with L2 caching enabled (`NistApiMirrorTask#inform`). This causes the property to be updated, but the cache not being invalidated, thus still serving queries. To not have similar inconsistencies in other areas of the application, re-enable L2 caching when updating the property. Eventually, L2 caching should be disabled system-wide.

Signed-off-by: nscuro
---
 .../org/dependencytrack/tasks/NistApiMirrorTask.java | 2 +-
 .../dependencytrack/tasks/NistApiMirrorTaskTest.java | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/dependencytrack/tasks/NistApiMirrorTask.java b/src/main/java/org/dependencytrack/tasks/NistApiMirrorTask.java
index 38377bd922..2feddbd9f1 100644
--- a/src/main/java/org/dependencytrack/tasks/NistApiMirrorTask.java
+++ b/src/main/java/org/dependencytrack/tasks/NistApiMirrorTask.java
@@ -395,7 +395,7 @@ private static boolean updateLastModified(final ZonedDateTime lastModifiedDateTi
 }
 
 LOGGER.debug("Latest captured modification date: %s".formatted(lastModifiedDateTime));
- try (final var qm = new QueryManager().withL2CacheDisabled()) {
+ try (final var qm = new QueryManager()) {
 qm.runInTransaction(() -> {
 final ConfigProperty property = qm.getConfigProperty(
 VULNERABILITY_SOURCE_NVD_API_LAST_MODIFIED_EPOCH_SECONDS.getGroupName(),
diff --git a/src/test/java/org/dependencytrack/tasks/NistApiMirrorTaskTest.java b/src/test/java/org/dependencytrack/tasks/NistApiMirrorTaskTest.java
index b7e4cb13ea..a10169f6d0 100644
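Review bot: The `new QueryManager()` line in `updateLastModified` now carries a cache-coherence requirement that nothing in the code states, so a later cleanup could put `withL2CacheDisabled()` back and silently reintroduce the stale read. I would add a comment directly above the `try`, for example `// Keep L2 caching enabled: inform() reads this property through the L2 cache, and a write that bypasses it leaves the stale value being served.` The property presumably bounds the window of NVD changes the mirror requests, so a stale value affects how current the vulnerability data is. The function body starts and ends outside the hunk, so whether other writers of this property still run with L2 caching disabled cannot be checked from here.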
--- a/src/test/java/org/dependencytrack/tasks/NistApiMirrorTaskTest.java
+++ b/src/test/java/org/dependencytrack/tasks/NistApiMirrorTaskTest.java
@@ -18,6 +18,7 @@
 */
 package org.dependencytrack.tasks;
 
+import alpine.model.ConfigProperty;
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
 import org.dependencytrack.PersistenceCapableTest;
 import org.dependencytrack.event.NistApiMirrorEvent;
@@ -233,6 +234,16 @@ public void testInformWithNewVulnerability() throws Exception {
 assertThat(qm.hasAffectedVersionAttribution(vuln, vs, Source.NVD)).isTrue();
 }
 );
+
+ // Property is in L1 cache because it was created in the test's setUp method.
+ // Evict L1 cache to reach L2 cache / datastore instead.
+ qm.getPersistenceManager().evictAll();
+ final ConfigProperty lastModifiedProperty = qm.getConfigProperty(
+ VULNERABILITY_SOURCE_NVD_API_LAST_MODIFIED_EPOCH_SECONDS.getGroupName(),
+ VULNERABILITY_SOURCE_NVD_API_LAST_MODIFIED_EPOCH_SECONDS.getPropertyName()
+ );
+ assertThat(lastModifiedProperty).isNotNull();
+ assertThat(lastModifiedProperty.getPropertyValue()).isEqualTo("1691504544");
 }
 
 @Test
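Review bot: The assertions added after `evictAll()` in `testInformWithNewVulnerability` only guard the fix if the test's `qm` really has L2 caching enabled, which is not visible in this hunk. If the test persistence setup turns L2 off, the read falls through to the datastore and the test passes with or without the production change. I would state that precondition in the existing comment, or have the test run `inform` a second time and check that the run sees `1691504544` rather than `null`, since that is the behaviour the commit message describes. The literal `"1691504544"` also deserves a short comment naming the fixture value it is derived from. The test method starts outside the hunk.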