Dependency-Track logov4.6

Dependency-Track heavily relies on asynchronous recurring tasks to perform various forms of analyses, calculations, data mirroring, and interactions with 3rd party integrations.

Each recurring task has a predefined initial delay, as well as a default interval. The initial delay ensures that not all tasks are started at the same time, which would put the system under heavy load from the get-go. Intervals can be configured (see Configuration) if desired.

In simple terms, if Dependency-Track is started at 04:00 PM, a task with an initial delay of 5 minutes and an interval of 24 hours will run at 04:05 PM every day.

Tasks #

Recurring tasks typically emit log messages whenever they start, complete, or fail unexpectedly. The task names as listed below will be reflected in those log messages.

Name Description Initial Delay Default Interval
LdapSyncTask* Synchronizes LDAP users 10s 6h
GitHubAdvisoryMirrorTask* Mirrors the GitHub Advisories database 10s 24h
NistMirrorTask* Mirrors the NVD database 1m 24h
EpssMirrorTask* Mirrors the EPSS database - (Immediately after NistMirrorTask)
OsvMirrorTask* Mirrors the OSV database 10s 24h
VulnDbSyncTask* Mirrors the VulnDB database 1m 24h
PortfolioMetricsUpdateTask Updates time series metrics for all projects in the portfolio 10s 1h
VulnerabilityMetricsUpdateTask Updates time series metrics for the local vulnerability database 10s 1h
VulnerabilityAnalysisTask Analyzes all components in the portfolio for vulnerabilities 6h 24h
RepositoryMetaAnalyzerTask Fetches repository metadata (e.g. latest versions) for all components in the portfolio 1h 24h
InternalComponentIdentificationTask Identifies internal components in the portfolio 1h 6h
ClearComponentAnalysisCacheTask Clears internal caches used for vulnerability analysis with external sources (e.g. OSS Index) 10s 72h
FortifySscUploadTask* Publishes findings to Fortify SSC 5m 1h
DefectDojoUploadTask* Publishes findings to Defect Dojo 5m 1h
KennaSecurityUploadTask* Publishes findings to Kenna Security 5m 1h

* Is only executed when the corresponding feature is enabled and configured.

Configuration #

As of Dependency-Track v4.6.0, the interval of recurring tasks is configurable in the administration panel.

Users are strongly encouraged to have proper monitoring in place before modifying these settings. Because some tasks can potentially put the system under high load, or take a long(er) time to complete, choosing intervals that are too short may cause unexpected issues. As a rule of thumb, a task’s interval should only be modified if there’s a good reason to.

For technical reasons, changes to task interval configurations require a restart of the application to take effect.

Recurring Tasks Configuration