
Snyk analyser fails for SBOMs with components that share vulnerabilities (Part 2) #4722

Open
@ad8-adriant

Description


Current Behavior

I've discovered a race condition affecting 4.12.6 that causes the Snyk analyser to fail when processing vulnerabilities shared by multiple components (e.g. two or more similar versions of the same component).

The first time a vulnerability is encountered via Snyk, if it is attributed to multiple components simultaneously there seems to be a race to write that vulnerability into the DB:

2025-03-06 01:50:52,516 ERROR [Persist] Insert of object "org.dependencytrack.model.Vulnerability@d2e6f78" using statement "INSERT INTO "VULNERABILITY" ("CREATED","CREDITS","CVSSV2BASESCORE","CVSSV2EXPLOITSCORE","CVSSV2IMPACTSCORE","CVSSV2VECTOR","CVSSV3BASESCORE","CVSSV3EXPLOITSCORE","CVSSV3IMPACTSCORE","CVSSV3VECTOR","CWES","DESCRIPTION","DETAIL","EPSSPERCENTILE","EPSSSCORE","FRIENDLYVULNID","OWASPRRBUSINESSIMPACTSCORE","OWASPRRLIKELIHOODSCORE","OWASPRRTECHNICALIMPACTSCORE","OWASPRRVECTOR","PATCHEDVERSIONS","PUBLISHED","RECOMMENDATION","REFERENCES","SEVERITY","SOURCE","SUBTITLE","TITLE","UPDATED","UUID","VULNID","VULNERABLEVERSIONS") VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)" failed : ERROR: duplicate key value violates unique constraint "VULNERABILITY_U1"
  Detail: Key ("VULNID", "SOURCE")=(SNYK-UNMANAGED-OPENSSL-8663322, SNYK) already exists.
2025-03-06 01:50:52,520 ERROR [SnykAnalysisTask] Request failure
javax.jdo.JDODataStoreException: Insert of object "org.dependencytrack.model.Vulnerability@d2e6f78" using statement "INSERT INTO "VULNERABILITY" ("CREATED","CREDITS","CVSSV2BASESCORE","CVSSV2EXPLOITSCORE","CVSSV2IMPACTSCORE","CVSSV2VECTOR","CVSSV3BASESCORE","CVSSV3EXPLOITSCORE","CVSSV3IMPACTSCORE","CVSSV3VECTOR","CWES","DESCRIPTION","DETAIL","EPSSPERCENTILE","EPSSSCORE","FRIENDLYVULNID","OWASPRRBUSINESSIMPACTSCORE","OWASPRRLIKELIHOODSCORE","OWASPRRTECHNICALIMPACTSCORE","OWASPRRVECTOR","PATCHEDVERSIONS","PUBLISHED","RECOMMENDATION","REFERENCES","SEVERITY","SOURCE","SUBTITLE","TITLE","UPDATED","UUID","VULNID","VULNERABLEVERSIONS") VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)" failed : ERROR: duplicate key value violates unique constraint "VULNERABILITY_U1"
  Detail: Key ("VULNID", "SOURCE")=(SNYK-UNMANAGED-OPENSSL-8663322, SNYK) already exists.
        at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:608)
        at org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:702)
        at org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:722)
        at alpine.persistence.AbstractAlpineQueryManager.lambda$persist$1(AbstractAlpineQueryManager.java:316)
        at alpine.persistence.Transaction.call(Transaction.java:139)
        at alpine.persistence.AbstractAlpineQueryManager.callInTransaction(AbstractAlpineQueryManager.java:542)
        at alpine.persistence.AbstractAlpineQueryManager.callInTransaction(AbstractAlpineQueryManager.java:553)
        at alpine.persistence.AbstractAlpineQueryManager.persist(AbstractAlpineQueryManager.java:316)
        at org.dependencytrack.persistence.VulnerabilityQueryManager.createVulnerability(VulnerabilityQueryManager.java:78)
        at org.dependencytrack.persistence.VulnerabilityQueryManager.synchronizeVulnerability(VulnerabilityQueryManager.java:148)
        at org.dependencytrack.persistence.QueryManager.synchronizeVulnerability(QueryManager.java:807)
        at org.dependencytrack.parser.snyk.SnykParser.parse(SnykParser.java:104)
        at org.dependencytrack.tasks.scanners.SnykAnalysisTask.handle(SnykAnalysisTask.java:368)
        at org.dependencytrack.tasks.scanners.SnykAnalysisTask.analyzeComponent(SnykAnalysisTask.java:332)
        at org.dependencytrack.tasks.scanners.SnykAnalysisTask.lambda$analyze$1(SnykAnalysisTask.java:254)
        at java.base/java.util.concurrent.CompletableFuture$AsyncRun.run(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "VULNERABILITY_U1"
  Detail: Key ("VULNID", "SOURCE")=(SNYK-UNMANAGED-OPENSSL-8663322, SNYK) already exists.
        at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2733)
        at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2420)
        at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:372)
        at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:517)
        at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:434)
        at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:194)
        at org.postgresql.jdbc.PgPreparedStatement.executeUpdate(PgPreparedStatement.java:155)
        at com.zaxxer.hikari.pool.ProxyPreparedStatement.executeUpdate(ProxyPreparedStatement.java:61)
        at com.zaxxer.hikari.pool.HikariProxyPreparedStatement.executeUpdate(HikariProxyPreparedStatement.java)
        at org.datanucleus.store.rdbms.SQLController.doExecuteStatementUpdate(SQLController.java:465)
        at org.datanucleus.store.rdbms.SQLController.executeStatementUpdateDeferRowCountCheckForBatching(SQLController.java:415)
        at org.datanucleus.store.rdbms.request.InsertRequest.execute(InsertRequest.java:532)
        at org.datanucleus.store.rdbms.RDBMSPersistenceHandler.insertObjectInTable(RDBMSPersistenceHandler.java:235)
        at org.datanucleus.store.rdbms.RDBMSPersistenceHandler.insertObject(RDBMSPersistenceHandler.java:211)
        at org.datanucleus.state.StateManagerImpl.internalMakePersistent(StateManagerImpl.java:4614)
        at org.datanucleus.state.StateManagerImpl.makePersistent(StateManagerImpl.java:4591)
        at org.datanucleus.ExecutionContextImpl.persistObjectInternal(ExecutionContextImpl.java:2077)
        at org.datanucleus.ExecutionContext.persistObjectInternal(ExecutionContext.java:320)
        at org.datanucleus.ExecutionContextImpl.persistObjectWork(ExecutionContextImpl.java:1925)
        at org.datanucleus.ExecutionContextImpl.persistObject(ExecutionContextImpl.java:1786)
        at org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:697)
        ... 17 common frames omitted

While similar, I believe this issue is unrelated to #4716. It only occurs the first time a given vulnerability is encountered, is not guaranteed to happen, and is not a permanent failure (triggering a re-analysis after the initial failure will resolve the issue).

So far I've not been able to reproduce the issue on master. I couldn't find any explicit mention of it as a known/fixed issue, but could it have been fixed by a change like #4359? Alternatively, it might be that changes on master have altered the timing of the analysis task enough that the problem is hidden.

Steps to Reproduce

The issue can be reproduced by creating a new project and uploading the following SBOM:

demo_sbom.json

A fresh install of DT should be used as it only seems to occur the very first time a given vulnerability is analysed. If necessary, more components can be added to the SBOM to increase the probability of the issue occurring.

Expected Behavior

DT should successfully analyse projects involving components that share vulnerabilities.

Dependency-Track Version

4.12.6

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

17.3

Browser

Google Chrome
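The failure mode in the report is a classic check-then-insert race: several analysis threads look up the same (VULNID, SOURCE) pair, all find nothing, and all try to create the row, so every thread but the first trips the unique constraint. The following is an added example that models that race and one way to make the synchronisation step tolerant of it. It is not Dependency-Track's code and does not use DataNucleus or PostgreSQL; it uses sqlite3 with a hypothetical cut-down VULNERABILITY table that keeps only the columns the race needs, and an `after_lookup` hook that exists purely so the test can force every thread through the lookup before any thread inserts.

```python
"""Model of the check-then-insert race behind a duplicate-key failure when several
threads synchronise the same vulnerability at once.  Constructed example: sqlite3
and a hypothetical cut-down table, not Dependency-Track's persistence code."""
import os
import sqlite3
import tempfile
import threading

# Hypothetical schema: just the columns the race needs, with the unique
# constraint named as in the error message.
SCHEMA = """
CREATE TABLE IF NOT EXISTS VULNERABILITY (
    ID     INTEGER PRIMARY KEY AUTOINCREMENT,
    VULNID TEXT NOT NULL,
    SOURCE TEXT NOT NULL,
    TITLE  TEXT,
    CONSTRAINT VULNERABILITY_U1 UNIQUE (VULNID, SOURCE)
);
"""


def new_db() -> str:
    """Create a fresh on-disk database; each thread opens its own connection to it."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.close()
    return path


def _connect(path: str) -> sqlite3.Connection:
    # Autocommit: each INSERT is its own short transaction, like a single persist().
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def _lookup(conn, vulnid, source):
    cur = conn.execute("SELECT ID FROM VULNERABILITY WHERE VULNID = ? AND SOURCE = ?",
                       (vulnid, source))
    rows = cur.fetchall()  # drain the statement so its read lock is released
    cur.close()
    return rows[0][0] if rows else None


def _insert(conn, vulnid, source, title):
    cur = conn.execute("INSERT INTO VULNERABILITY (VULNID, SOURCE, TITLE) VALUES (?, ?, ?)",
                       (vulnid, source, title))
    return cur.lastrowid


def sync_naive(path, vulnid, source, title, after_lookup=lambda: None):
    """Check-then-insert.  The gap between SELECT and INSERT is the race: threads
    that all saw 'missing' all insert, and every loser raises IntegrityError."""
    conn = _connect(path)
    try:
        existing = _lookup(conn, vulnid, source)
        after_lookup()  # test hook: widens the window so all threads observe 'missing'
        if existing is not None:
            return existing
        return _insert(conn, vulnid, source, title)
    finally:
        conn.close()


def sync_idempotent(path, vulnid, source, title, after_lookup=lambda: None):
    """Same flow, but a unique-constraint violation means another thread won;
    recover by re-reading the row it created instead of failing the task."""
    conn = _connect(path)
    try:
        existing = _lookup(conn, vulnid, source)
        after_lookup()
        if existing is not None:
            return existing
        try:
            return _insert(conn, vulnid, source, title)
        except sqlite3.IntegrityError:
            return _lookup(conn, vulnid, source)
    finally:
        conn.close()


def run_concurrently(path, sync_fn, n_threads=4):
    """Run sync_fn on n threads that all pass the lookup before any inserts.
    Returns (results of successful calls, IntegrityErrors raised)."""
    barrier = threading.Barrier(n_threads)
    results, errors = [], []

    def worker(i):
        try:
            results.append(sync_fn(path, "SNYK-UNMANAGED-OPENSSL-8663322", "SNYK",
                                   f"inserted by thread {i}", after_lookup=barrier.wait))
        except sqlite3.IntegrityError as exc:
            errors.append(exc)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, errors


def row_count(path) -> int:
    conn = sqlite3.connect(path)
    count = conn.execute("SELECT COUNT(*) FROM VULNERABILITY").fetchall()[0][0]
    conn.close()
    return count


if __name__ == "__main__":
    for fn in (sync_naive, sync_idempotent):
        db = new_db()
        ok, failed = run_concurrently(db, fn)
        print(f"{fn.__name__}: {len(ok)} succeeded, {len(failed)} duplicate-key errors, "
              f"{row_count(db)} row(s) stored")
        os.remove(db)
```

With four threads the naive version stores one row and raises three duplicate-key errors, which matches the report: the row exists afterwards, so a re-analysis takes the lookup path and succeeds. The idempotent version returns the same ID to all four callers. One caveat when carrying the catch-and-reread pattern to PostgreSQL: a failed statement aborts the enclosing transaction, so the recovery must happen after a rollback to a savepoint or in a new transaction; alternatively `INSERT ... ON CONFLICT ("VULNID", "SOURCE") DO NOTHING` followed by a re-read avoids raising the error at all.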

Labels: defect (Something isn't working); integration/snyk (Related to the Snyk integration); p2 (Non-critical bugs, and features that help organizations to identify and reduce risk); size/S (Small effort)