Dependency-Track logov4.6

Dependency-Track includes an embedded H2 database enabled by default. The intended purpose of this database is for quick evaluation, testing, and demonstration of the platform and its capabilities.

The embedded H2 database is not intended for production use!

Dependency-Track supports the following database servers:

RDBMS Supported Versions Recommended
PostgreSQL >= 9.0
Microsoft SQL Server >= 2012
MySQL 5.6 - 5.7

Dependency-Track requires extensive unicode support, which is not provided per default in MySQL. Both PostgreSQL and SQL Server have been proven to work very well in production deployments, while MySQL / MariaDB can require lots of extra care. Only use MySQL if you know what you’re doing!

Refer to the Configuration documentation for how database settings may be changed.

Examples #

PostgreSQL #


Microsoft SQL Server #




It is necessary to configure the SQL mode such that it does not include NO_ZERO_IN_DATE and NO_ZERO_DATE, but does include ANSI_QUOTES. There are several ways to change this configuration, however the recommended way is to modify the MySQL configuration file (typically my.ini or similar) with the following:


Alternatively, when the database is shared with other applications, session variables in the JDBC URL can be used:


MySQL may erroneously report index key length violations (“Specified key was too long”), when in fact the multi-byte key length is lower than the actual value. Do not use MySQL if don’t know how to work around errors like this!

Migrating to H2 v2 #

With Dependency-Track 4.6.0, the embedded H2 database has been upgraded to version 2. As stated in the official Migration to 2.0 guide, databases created by H2 v1 are incompatible with H2 v2. As a consequence, Dependency-Track 4.6.0 will not work with H2 databases created by earlier Dependency-Track versions.

For this reason, upgrading an existing Dependency-Track 4.5.x installation to 4.6.x requires a manual migration of the H2 database beforehand. The migration procedure is outlined below.

  1. Stop the Dependency-Track API server
  2. Download the H2 v1.4.200 JAR and dump the existing database using the Script tool:
    java -cp h2-1.4.200.jar \
      -url "jdbc:h2:file:~/.dependency-track/db" \
      -user sa -password ""
    • This will dump the database to a backup.sql file in the current working directory
  3. Create a backup of the entire data directory, so you can easily roll back if something goes south during the next steps:
    tar -czf dtrack-backup.tar.gz ~/.dependency-track
  4. Delete the old H2 database and download H2 2.1.214:
    rm -rf ~/.dependency-track/db.*
  5. Launch the H2 shell using the H2 2.1.214 JAR and create a new database:
    java -cp h2-2.1.214.jar
    Welcome to H2 Shell 2.1.214 (2022-06-13)
    Exit with Ctrl+C
    [Enter]   jdbc:h2:~/test
    URL       jdbc:h2:~/.dependency-track/db
    [Enter]   org.h2.Driver
    User      sa
    Type the same password again to confirm database creation.
    sql> quit
  6. If you haven’t modified any database settings for your Dependency-Track instance, use the following values when prompted by the H2 shell:
    • URL: jdbc:h2:~/.dependency-track/db
    • Driver: org.h2.Driver (or just press Enter)
    • User: sa
    • Password: (Empty, just press Enter)
    • Once the shell confirms the successful creation with Connected, exit the shell using the quit command
  7. Import backup.sql into the new database you just created using the RunScript tool:
    java -cp h2-2.1.214.jar \
      -url jdbc:h2:~/.dependency-track/db \
      -user sa -password "" \
      -script backup.sql \
      -options quirks_mode variable_binary
  8. That’s it! It’s now safe to start Dependency-Track 4.6.0