dependency-track
Allow users to configure intervals for periodic tasks
Current Behavior:
Currently most scheduled tasks are performed at a fixed interval that is hard-coded. For example, vulnerability analysis is performed every 24 hours after an initial delay of 6 hours.
Proposed Behavior:
Some organizations may have stricter rules for how often components are scanned for vulnerabilities. We would like to scan for vulnerabilities twice a day.
I think it would be a nice improvement to allow the Dependency-Track administrator to configure the intervals for some tasks, like vulnerability analysis and repository metadata analysis.
I'm not sure whether configuring this via the dashboard would be the best route, or to just configure this via environment variables in the docker-compose deployment.
If you agree that this would be a nice addition, I would like to work on this issue.
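As an added illustration of the environment-variable route proposed above (example code, not Dependency-Track's own scheduler), the following Java class reads an initial delay and an interval for one task from hypothetical variables named `TASK_VULN_ANALYSIS_INITIAL_DELAY_MINUTES` and `TASK_VULN_ANALYSIS_INTERVAL_MINUTES`, falls back to the 6-hour / 24-hour defaults the issue describes when they are unset, and rejects values that would disable the scan (interval 0) or run it in a tight loop. Variable names, the minute unit and the `ConfigurableTaskScheduler` class are assumptions; it needs Java 16 or later for records.

```java
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

// Hypothetical example of configurable task intervals; not Dependency-Track's own code.
public class ConfigurableTaskScheduler {

    /** Parsed schedule for one periodic task. */
    public record TaskSchedule(String name, Duration initialDelay, Duration interval) {}

    /**
     * Reads "<PREFIX>_INITIAL_DELAY_MINUTES" and "<PREFIX>_INTERVAL_MINUTES" from the
     * supplied environment map (assumed variable names), falling back to the given
     * defaults when a variable is absent or blank. A non-integer or negative value,
     * or an interval of zero, is rejected instead of being silently applied.
     */
    public static TaskSchedule fromEnv(Map<String, String> env, String name, String prefix,
                                       Duration defaultDelay, Duration defaultInterval) {
        Duration delay = readMinutes(env, prefix + "_INITIAL_DELAY_MINUTES", defaultDelay, true);
        Duration interval = readMinutes(env, prefix + "_INTERVAL_MINUTES", defaultInterval, false);
        return new TaskSchedule(name, delay, interval);
    }

    private static Duration readMinutes(Map<String, String> env, String key,
                                        Duration fallback, boolean allowZero) {
        String raw = env.get(key);
        if (raw == null || raw.isBlank()) {
            return fallback;
        }
        long minutes;
        try {
            minutes = Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(key + " must be an integer number of minutes, got: " + raw);
        }
        if (minutes < 0 || (minutes == 0 && !allowZero)) {
            throw new IllegalArgumentException(key + " must be " + (allowZero ? ">= 0" : "> 0") + ", got: " + minutes);
        }
        return Duration.ofMinutes(minutes);
    }

    /** Registers the task on an executor using the parsed delay and interval. */
    public static void schedule(ScheduledExecutorService executor, TaskSchedule s, Runnable task) {
        executor.scheduleAtFixedRate(task, s.initialDelay().toMinutes(),
                s.interval().toMinutes(), TimeUnit.MINUTES);
    }

    public static void main(String[] args) {
        // Defaults mirror the current hard-coded behaviour: 6 h initial delay, 24 h interval.
        TaskSchedule unset = fromEnv(Map.of(), "VulnerabilityAnalysisTask",
                "TASK_VULN_ANALYSIS", Duration.ofHours(6), Duration.ofHours(24));
        System.out.println("no variables set   -> " + unset);

        // Constructed environment: a 12 h interval gives the twice-a-day scan the issue asks for.
        TaskSchedule twiceDaily = fromEnv(Map.of("TASK_VULN_ANALYSIS_INTERVAL_MINUTES", "720"),
                "VulnerabilityAnalysisTask", "TASK_VULN_ANALYSIS", Duration.ofHours(6), Duration.ofHours(24));
        System.out.println("interval = 720 min -> " + twiceDaily);

        // Constructed environment with an invalid value: rejected at startup rather than applied.
        try {
            fromEnv(Map.of("TASK_VULN_ANALYSIS_INTERVAL_MINUTES", "0"),
                    "VulnerabilityAnalysisTask", "TASK_VULN_ANALYSIS", Duration.ofHours(6), Duration.ofHours(24));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected           -> " + e.getMessage());
        }
    }
}
```

Failing fast on a bad value matters more than the parsing itself: a misconfigured interval that is silently replaced by the default would leave the operator believing scans run twice a day when they do not, and an interval of zero would hammer the upstream feed. With `docker-compose`, the same variables would be supplied under the service's `environment:` key.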
We would like to scan for vulnerabilities twice a day.
That's nice, however, in most cases OSS Index only updates their feed once a day. The only exceptions to this are for things like when log4j happened. In those cases, they push out updates sooner.
I'm not sure how often GitHub updates their advisories.
I think there are two things required here:
- Make the scans interval configurable
- Make the ComponentAnalysisCache configurable
  2.1 Separate out repository from vulnerability cache
in most cases OSS Index only updates their feed once a day
From recent Sonatype announcement regarding upcoming changes to OSSI:
- OSSI will be updated faster. OSSI users will now get updated vulnerability information as quickly as our enterprise users do, as evidenced with Log4Shell
@msymons That's great news, do you have a link to this announcement?
wrt Sonatype announcement, this was sent out via email on 8th March 2022. Steve copied it into DT Slack the same day.
So as not to add noise to this enhancement issue, I (or someone else) will update the Slack channel when more information is available.
@AbdelHajou Are you working on this enhancement request? Or anyone else? We are very interested in this feature in my organization and I should have time to get it done in the next weeks if need be.
@stevespringett I see that the issue is assigned to you, are you actively working on it? If not, I would like to provide an implementation. Does not seem like @AbdelHajou is on the subject either. Thanks.
@syalioune I'm on vacation so I won't have time to work on this anytime soon
I think there are two things required here:
- Make the scans interval configurable
- Make the ComponentAnalysisCache configurable
  2.1 Separate out repository from vulnerability cache
@stevespringett You can find early developments in the related PR. Regarding 2.1 above, I'm not really sure what you meant. Did you mean having two distinct tables for Vuln and Repository caches? Seems like ComponentAnalysisCache.CacheType.REPOSITORY is never used anyway.
@syalioune: Seems like ComponentAnalysisCache.CacheType.REPOSITORY is never used anyway
Huh, yeah, I stumbled over the same thing in https://github.com/DependencyTrack/dependency-track/pull/1772#issuecomment-1204430099. But it really should be used, seems like we're doing a lot of unnecessary network IO right now due to this. I can take care of that in the PR I'm working on right now.
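To make the cache point concrete, here is an added example (not Dependency-Track's actual `ComponentAnalysisCache`) of an analysis cache keyed by cache type, target and component identifier, with a configurable validity window per type. Because repository-metadata and vulnerability lookups are stored under different keys and different windows, a repository lookup is answered from cache instead of hitting the network again, which is the unnecessary IO mentioned above. The `TypedAnalysisCache` class, its `Key` record, the target names and the package URL are constructed for the example; it needs Java 16 or later for records.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

// Hypothetical illustration of a per-type analysis cache; not Dependency-Track's own code.
public class TypedAnalysisCache {

    public enum CacheType { VULNERABILITY, REPOSITORY }

    /** What was looked up (type), where (target) and for which component (identifier). */
    public record Key(CacheType type, String target, String identifier) {}

    private record Entry(String result, Instant fetchedAt) {}

    private final Map<Key, Entry> entries = new HashMap<>();
    private final Map<CacheType, Duration> validity;   // configurable validity window per type
    private final Supplier<Instant> clock;             // injected so expiry can be demonstrated
    private int networkCalls = 0;

    public TypedAnalysisCache(Map<CacheType, Duration> validity, Supplier<Instant> clock) {
        this.validity = validity;
        this.clock = clock;
    }

    /**
     * Returns the cached result when it is still inside its type's validity window;
     * otherwise runs the supplied fetch (the network call) and stores the fresh result.
     */
    public String lookup(Key key, Supplier<String> fetch) {
        Instant now = clock.get();
        Entry cached = entries.get(key);
        Duration maxAge = validity.getOrDefault(key.type(), Duration.ofHours(24));
        if (cached != null && Duration.between(cached.fetchedAt(), now).compareTo(maxAge) < 0) {
            return cached.result();
        }
        networkCalls++;
        String fresh = fetch.get();
        entries.put(key, new Entry(fresh, now));
        return fresh;
    }

    /** Number of times the fetch supplier had to be invoked, i.e. cache misses. */
    public int networkCalls() {
        return networkCalls;
    }

    public static void main(String[] args) {
        // Constructed clock so the example is deterministic.
        Instant[] now = { Instant.parse("2022-08-01T00:00:00Z") };
        TypedAnalysisCache cache = new TypedAnalysisCache(
                Map.of(CacheType.VULNERABILITY, Duration.ofHours(12),
                       CacheType.REPOSITORY, Duration.ofHours(24)),
                () -> now[0]);

        // Constructed sample component and target names.
        String purl = "pkg:maven/org.example/sample-lib@1.0.0";
        Key vuln = new Key(CacheType.VULNERABILITY, "OSSINDEX", purl);
        Key repo = new Key(CacheType.REPOSITORY, "MAVEN_CENTRAL", purl);

        cache.lookup(vuln, () -> "vuln-result");   // miss: fetched
        cache.lookup(repo, () -> "repo-result");   // distinct key, so also a miss
        cache.lookup(vuln, () -> "vuln-result");   // hit: served from cache

        now[0] = now[0].plus(Duration.ofHours(13));
        cache.lookup(vuln, () -> "vuln-result");   // past the 12 h vulnerability window: refetched
        cache.lookup(repo, () -> "repo-result");   // still inside the 24 h repository window: hit

        System.out.println("network calls: " + cache.networkCalls());
    }
}
```

Keying on the cache type is what keeps the two windows independent: vulnerability data can be refreshed on the shorter cadence the issue asks for without forcing every repository-metadata lookup to refetch as well.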
Great, it will surely benefit the overall performance of DT.
This has been implemented in #1841. Thanks again, @syalioune! 🚀
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.