Reset scanner cache validity period to 12h

Fixes #2115

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

docs/_docs/analysis-types/known-vulnerabilities.md

@@ -45,8 +45,8 @@ analyzed.
 VulnDB is a source of vulnerability intelligence that provides its own content. Refer to 
 [VulnDB (Datasource)]({{ site.baseurl }}{% link _docs/datasources/vulndb.md %}) for additional information.
 
-### Analysis Interval Throttle
+### Analysis Result Cache
 
 Dependency-Track contains an internal limiter which prevents repeated requests to remote services when performing
-vulnerability analysis. When a components Package URL or CPE is successfully used for a given analyzer, the action
-and the timestamp is recorded and compared to the interval throttle. The interval throttle defaults to 24 hours.
+vulnerability analysis. When a component's Package URL or CPE is successfully analyzed by a given analyzer, 
+the result is cached. By default, cache entries expire after 12 hours.

docs/_posts/2022-11-18-v4.6.3.md

@@ -0,0 +1,41 @@
+---
+title: v4.6.3
+type: patch
+---
+
+This release fixes a defect in the caching of vulnerability analysis results from external sources.  
+There are no changes for the frontend, the latest version of it remains 4.6.1.
+
+**Fixes:**
+
+* Resolved a defect that caused the [component analysis cache] validity period to be too short - [#2115]
+
+**Upgrade Notes:**
+
+* The value of the `scanner.analysis.cache.validity.period` configuration property will be reset to 12 hours
+during the automated upgrade. No manual actions are required.
+
+For a complete list of changes, refer to the respective GitHub milestones:
+
+* [API server milestone 4.6.3](https://github.com/DependencyTrack/dependency-track/milestone/30?closed=1)
+
+###### dependency-track-apiserver.jar
+
+| Algorithm | Checksum |
+|:----------|:---------|
+| SHA-1     |          |
+| SHA-256   |          |
+
+###### dependency-track-bundled.jar
+
+| Algorithm | Checksum |
+|:----------|:---------|
+| SHA-1     |          |
+| SHA-256   |          |
+
+###### Software Bill of Materials (SBOM)
+
+* API Server: [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.6.3/bom.json)
+
+[#2115]: https://github.com/DependencyTrack/dependency-track/issues/2115
+[component analysis cache]: {{ site.baseurl }}{% link _docs/analysis-types/known-vulnerabilities.md %}#analysis-result-cache

src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java

@@ -46,7 +46,7 @@ public enum ConfigPropertyConstants {
     SCANNER_VULNDB_ENABLED("scanner", "vulndb.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable VulnDB"),
     SCANNER_VULNDB_OAUTH1_CONSUMER_KEY("scanner", "vulndb.api.oauth1.consumerKey", null, PropertyType.STRING, "The OAuth 1.0a consumer key"),
     SCANNER_VULNDB_OAUTH1_CONSUMER_SECRET("scanner", "vulndb.api.oath1.consumerSecret", null, PropertyType.ENCRYPTEDSTRING, "The OAuth 1.0a consumer secret"),
-    SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD("scanner", "analysis.cache.validity.period","864000", PropertyType.NUMBER, "Validity period for individual component analysis cache"),
+    SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD("scanner", "analysis.cache.validity.period","43200000", PropertyType.NUMBER, "Validity period for individual component analysis cache"),
     VULNERABILITY_SOURCE_NVD_ENABLED("vuln-source", "nvd.enabled", "true", PropertyType.BOOLEAN, "Flag to enable/disable National Vulnerability Database"),
     VULNERABILITY_SOURCE_NVD_FEEDS_URL("vuln-source", "nvd.feeds.url", "https://nvd.nist.gov/feeds", PropertyType.URL, "A base URL pointing to the hostname and path of the NVD feeds"),
     VULNERABILITY_SOURCE_GITHUB_ADVISORIES_ENABLED("vuln-source", "github.advisories.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable GitHub Advisories"),

src/main/java/org/dependencytrack/upgrade/UpgradeItems.java

@@ -33,6 +33,7 @@ class UpgradeItems {
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v440.v440Updater.class);
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v450.v450Updater.class);
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v460.v460Updater.class);
+        UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v463.v463Updater.class);
     }
 
     static List<Class<? extends UpgradeItem>> getUpgradeItems() {

src/main/java/org/dependencytrack/upgrade/v463/v463Updater.java

@@ -0,0 +1,52 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) Steve Springett. All Rights Reserved.
+ */
+package org.dependencytrack.upgrade.v463;
+
+import alpine.common.logging.Logger;
+import alpine.persistence.AlpineQueryManager;
+import alpine.server.upgrade.AbstractUpgradeItem;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+
+import static org.dependencytrack.model.ConfigPropertyConstants.SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD;
+
+public class v463Updater extends AbstractUpgradeItem {
+
+    private static final Logger LOGGER = Logger.getLogger(v463Updater.class);
+
+    @Override
+    public String getSchemaVersion() {
+        return "4.6.3";
+    }
+
+    @Override
+    public void executeUpgrade(final AlpineQueryManager qm, final Connection connection) throws Exception {
+        LOGGER.info("Resetting scanner cache validity period to 12h");
+        final PreparedStatement ps = connection.prepareStatement("""
+                UPDATE "CONFIGPROPERTY" SET "PROPERTYVALUE" = ?
+                WHERE "GROUPNAME" = ? AND "PROPERTYNAME" = ?
+                """);
+        ps.setString(1, SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD.getDefaultPropertyValue());
+        ps.setString(2, SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD.getGroupName());
+        ps.setString(3, SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD.getPropertyName());
+        ps.executeUpdate();
+    }
+
+}