fix: performance issue with PURL lookups #5710#5711

Merged: nscuro merged 2 commits into DependencyTrack:master from WoozyMasta:fix/5710-purl-index on Jan 20, 2026

Conversation

@WoozyMasta (Contributor)

Description

Added a missing database index on the VULNERABLESOFTWARE table to include the VERSION column. This significantly improves the performance of PURL lookups (specifically when checking for a concrete version) by enabling Index-Only Scans (or precise Index Scans) and eliminating heavy heap page thrashing (LWLock: BufferMapping) on large datasets.

Addressed Issue

Fixes #5710

Additional Details

Investigation revealed that the existing index VULNERABLESOFTWARE_PURL_TYPE_NS_NAME_IDX does not cover the VERSION column. Queries filtering by PURL + VERSION were forced to scan the heap for every row matching the component, leading to extreme I/O and CPU usage on tables with millions of records.

This PR:

  1. Adds the @Index annotation to the VulnerableSoftware entity.
  2. Implements an upgrade task (v4136Updater) to create the index VULNERABLESOFTWARE_FULL_PURL_IDX on existing installations.
  3. Supports PostgreSQL, MySQL, MSSQL, and H2.

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
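The PR description above explains the mechanism: an index on (PURL type, namespace, name) alone forces a heap fetch for every candidate row just to compare VERSION, while an index that also carries VERSION lets the database answer the version check from the index itself. The following is an added illustration, not code from this PR or from Dependency-Track. It recreates the shape of the problem in SQLite (used as a stand-alone stand-in for PostgreSQL/MySQL/MSSQL/H2, whose planners and EXPLAIN output differ) and inspects the query plan before and after the covering index is present. Column names PURL_TYPE, PURL_NAMESPACE and PURL_NAME are assumed from the existing index's name; only VERSION and the two index names come from the PR text. The sample rows are constructed.

```python
import sqlite3

# Constructed sample data, not real vulnerability records:
# (PURL_TYPE, PURL_NAMESPACE, PURL_NAME, VERSION)
SAMPLE_ROWS = [
    ("maven", "org.example", "libfoo", "1.0.0"),
    ("maven", "org.example", "libfoo", "1.0.1"),
    ("maven", "org.example", "libfoo", "1.1.0"),
    ("maven", "org.example", "libbar", "2.3.4"),
    ("maven", "org.example", "libbar", "2.3.5"),
]

# Index names are the ones named in the PR; the column list is an assumption.
OLD_INDEX = "VULNERABLESOFTWARE_PURL_TYPE_NS_NAME_IDX"
NEW_INDEX = "VULNERABLESOFTWARE_FULL_PURL_IDX"

# The lookup pattern the PR describes: filter by PURL coordinates plus a concrete version.
LOOKUP_SQL = (
    "SELECT ID FROM VULNERABLESOFTWARE "
    "WHERE PURL_TYPE = ? AND PURL_NAMESPACE = ? AND PURL_NAME = ? AND VERSION = ?"
)


def ensure_version_index(conn: sqlite3.Connection) -> bool:
    """Idempotent upgrade step in the spirit of the PR's updater task (not its code):
    create the covering index only if it is missing. Returns True when it was created."""
    exists = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'index' AND name = ?", (NEW_INDEX,)
    ).fetchone()
    if exists:
        return False
    conn.execute(
        f"CREATE INDEX {NEW_INDEX} ON VULNERABLESOFTWARE "
        "(PURL_TYPE, PURL_NAMESPACE, PURL_NAME, VERSION)"
    )
    conn.commit()
    return True


def build_db(with_version_index: bool) -> sqlite3.Connection:
    """In-memory table with the pre-existing three-column index, optionally upgraded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE VULNERABLESOFTWARE ("
        "ID INTEGER PRIMARY KEY, PURL_TYPE TEXT, PURL_NAMESPACE TEXT, "
        "PURL_NAME TEXT, VERSION TEXT)"
    )
    conn.executemany(
        "INSERT INTO VULNERABLESOFTWARE (PURL_TYPE, PURL_NAMESPACE, PURL_NAME, VERSION) "
        "VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    # The index that existed before the fix: VERSION is not part of it.
    conn.execute(
        f"CREATE INDEX {OLD_INDEX} ON VULNERABLESOFTWARE (PURL_TYPE, PURL_NAMESPACE, PURL_NAME)"
    )
    conn.commit()
    if with_version_index:
        ensure_version_index(conn)
    return conn


def lookup_plan(conn: sqlite3.Connection) -> str:
    """Return SQLite's query plan for the version lookup as one string.
    'USING COVERING INDEX' means the row is never fetched from the table (index-only);
    plain 'USING INDEX' means every candidate row is fetched to evaluate VERSION."""
    rows = conn.execute(
        "EXPLAIN QUERY PLAN " + LOOKUP_SQL, ("maven", "org.example", "libfoo", "1.0.1")
    ).fetchall()
    return " | ".join(row[-1] for row in rows)


def uses_covering_index(conn: sqlite3.Connection) -> bool:
    return "COVERING INDEX" in lookup_plan(conn)


def find_vulnerable(conn, purl_type, namespace, name, version):
    """The actual lookup; results are identical with or without the index, only the cost changes."""
    return [r[0] for r in conn.execute(LOOKUP_SQL, (purl_type, namespace, name, version))]


if __name__ == "__main__":
    for label, conn in (("before", build_db(False)), ("after", build_db(True))):
        print(f"{label}: covering={uses_covering_index(conn)}  plan={lookup_plan(conn)}")
```

On a large table the difference is not the plan line but the I/O behind it: without VERSION in the index, every row sharing the same PURL coordinates (all versions of the component) is read from the heap to compare the version, which is the page-thrashing pattern the PR reports on multi-million-row tables. The `ensure_version_index` check also shows the property an upgrade task needs: running it twice creates the index once and is a no-op afterwards.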

@owasp-dt-bot

owasp-dt-bot commented Jan 19, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|---|
| Open Source Security | | 0 | 0 | 0 | 0 | 0 issues |

Signed-off-by: WoozyMasta <kagbe.leviy@gmail.com>
@codacy-production

codacy-production bot commented Jan 19, 2026

Coverage summary from Codacy

| Coverage variation | Diff coverage |
|---|---|
| +0.01% (target: -1.00%) | ∅ (target: 70.00%) |

Coverage variation details

| Commit | Coverable lines | Covered lines | Coverage |
|---|---|---|---|
| Common ancestor commit (0304029) | 24512 | 19940 | 81.35% |
| Head commit (960eb24) | 24511 (-1) | 19941 (+1) | 81.36% (+0.01%) |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

| Pull request | Coverable lines | Covered lines | Diff coverage |
|---|---|---|---|
| #5711 | 0 | 0 | ∅ (not applicable) |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


@nscuro nscuro added this to the 4.14.0 milestone Jan 19, 2026
@nscuro nscuro added defect Something isn't working performance labels Jan 19, 2026
Signed-off-by: WoozyMasta <kagbe.leviy@gmail.com>
@WoozyMasta WoozyMasta requested a review from nscuro January 19, 2026 20:44
@nscuro (Member) left a comment

Thanks!

@nscuro nscuro merged commit eb72aa7 into DependencyTrack:master Jan 20, 2026
11 checks passed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 20, 2026

Labels

defect Something isn't working performance

Development

Successfully merging this pull request may close these issues.

Performance: Missing index on VULNERABLESOFTWARE causes high DB load

3 participants