From 681aa759572a5a1ef131107327ed1166fbff6770 Mon Sep 17 00:00:00 2001 From: Steffen Jacobs Date: Wed, 29 Apr 2026 10:30:40 +0200 Subject: [PATCH 1/8] fix: widen reference URL column to handle long Mozilla CVE URLs Some Mozilla CVE references (e.g. CVE-2026-6785 at 1585 chars, CVE-2026-6786 at 1115 chars) contain bugzilla URLs with many concatenated bug IDs that exceed the existing VARCHAR(1000) limit on the reference.url column, causing NvdApiProcessor to fail processing the affected CVEs. Widen the reference.url column from VARCHAR(1000) to VARCHAR(4000) across all dialect schemas (H2, MSSQL, MySQL, Oracle, PostgreSQL), add upgrade_5.5.sql so existing H2 databases auto-migrate, and bump the schema version from 5.5 to 5.6. Fixes #8466 --- core/src/main/resources/data/initialize.sql | 4 ++-- core/src/main/resources/data/initialize_mssql.sql | 4 ++-- core/src/main/resources/data/initialize_mysql.sql | 4 ++-- core/src/main/resources/data/initialize_oracle.sql | 4 ++-- core/src/main/resources/data/initialize_postgres.sql | 4 ++-- core/src/main/resources/data/upgrade_5.5.sql | 3 +++ core/src/main/resources/dependencycheck.properties | 2 +- core/src/test/resources/dependencycheck.properties | 2 +- 8 files changed, 15 insertions(+), 12 deletions(-) create mode 100644 core/src/main/resources/data/upgrade_5.5.sql diff --git a/core/src/main/resources/data/initialize.sql b/core/src/main/resources/data/initialize.sql index b2c5ee29baf..dc7ba7957eb 100644 --- a/core/src/main/resources/data/initialize.sql +++ b/core/src/main/resources/data/initialize.sql 
@@ -35,7 +35,7 @@ CREATE TABLE vulnerability (id int auto_increment PRIMARY KEY, cve VARCHAR(20) U v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), +CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), @@ -81,4 +81,4 @@ CREATE ALIAS insert_software FOR "org.owasp.dependencycheck.data.nvdcve.H2Functi CREATE ALIAS merge_knownexploited FOR "org.owasp.dependencycheck.data.nvdcve.H2Functions.mergeKnownExploited"; CREATE TABLE properties (id varchar(50) PRIMARY KEY, `value` varchar(500)); -INSERT INTO properties(id, `value`) VALUES ('version', '5.5'); \ No newline at end of file +INSERT INTO properties(id, `value`) VALUES ('version', '5.6'); \ No newline at end of file diff --git a/core/src/main/resources/data/initialize_mssql.sql b/core/src/main/resources/data/initialize_mssql.sql index 2a79d913910..84d34d37f0f 100644 --- a/core/src/main/resources/data/initialize_mssql.sql +++ b/core/src/main/resources/data/initialize_mssql.sql 
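Review bot: Raising `url` to `VARCHAR(4000)` in `CREATE TABLE reference` moves the limit but keeps the failure mode. The length is set by upstream CVE data, so the next reference longer than the column will make the insert fail again, and per the commit message that stops processing of the affected CVE. A CVE missing from the local database is a silent false negative for every scan that relies on it. NvdApiProcessor is not part of this series, so this is inferred, but a length check there that logs and skips (or truncates) an over-long reference while still storing the CVE would make the column width a tuning value rather than a correctness dependency. The same applies to the matching hunks in initialize_mssql.sql, initialize_mysql.sql, initialize_oracle.sql and initialize_postgres.sql.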
@@ -54,7 +54,7 @@ CREATE TABLE vulnerability (id int identity(1,1) PRIMARY KEY, cve VARCHAR(20) UN v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), +CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), CONSTRAINT FK_Reference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id INT identity(1,1) PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), @@ -311,7 +311,7 @@ END; GO -INSERT INTO properties(id,value) VALUES ('version','5.5'); +INSERT INTO properties(id,value) VALUES ('version','5.6'); GO /** diff --git a/core/src/main/resources/data/initialize_mysql.sql b/core/src/main/resources/data/initialize_mysql.sql index 52fe18fea6f..530e7f1dbc9 100644 --- a/core/src/main/resources/data/initialize_mysql.sql +++ b/core/src/main/resources/data/initialize_mysql.sql @@ -54,7 +54,7 @@ CREATE TABLE vulnerability (id int auto_increment PRIMARY KEY, cve VARCHAR(20) U v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE `reference` (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), +CREATE TABLE `reference` (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), 
@@ -379,4 +379,4 @@ GRANT EXECUTE ON PROCEDURE dependencycheck.merge_knownexploited TO 'dcuser'; GRANT SELECT, INSERT, UPDATE, DELETE ON dependencycheck.* TO 'dcuser'; -INSERT INTO properties(id, value) VALUES ('version', '5.5'); +INSERT INTO properties(id, value) VALUES ('version', '5.6'); diff --git a/core/src/main/resources/data/initialize_oracle.sql b/core/src/main/resources/data/initialize_oracle.sql index 483a0071814..5da88098658 100644 --- a/core/src/main/resources/data/initialize_oracle.sql +++ b/core/src/main/resources/data/initialize_oracle.sql @@ -135,7 +135,7 @@ CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE, v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), +CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id INT NOT NULL PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), @@ -538,4 +538,4 @@ CREATE OR REPLACE VIEW v_update_ecosystems AS ON c.vendor=e.vendor AND c.product=e.product; -INSERT INTO properties(id,value) VALUES ('version','5.5'); +INSERT INTO properties(id,value) VALUES ('version','5.6'); diff --git a/core/src/main/resources/data/initialize_postgres.sql b/core/src/main/resources/data/initialize_postgres.sql index 6cf743115d0..cc5d23aefb1 100644 --- a/core/src/main/resources/data/initialize_postgres.sql +++ b/core/src/main/resources/data/initialize_postgres.sql 
@@ -41,7 +41,7 @@ CREATE TABLE vulnerability (id SERIAL PRIMARY KEY, cve VARCHAR(20) UNIQUE, v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255), +CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id SERIAL PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), @@ -324,4 +324,4 @@ GRANT EXECUTE ON FUNCTION public.insert_software (INT, CHAR(1), VARCHAR(255), -INSERT INTO properties(id,value) VALUES ('version','5.5'); +INSERT INTO properties(id,value) VALUES ('version','5.6'); diff --git a/core/src/main/resources/data/upgrade_5.5.sql b/core/src/main/resources/data/upgrade_5.5.sql new file mode 100644 index 00000000000..d27083fe622 --- /dev/null +++ b/core/src/main/resources/data/upgrade_5.5.sql @@ -0,0 +1,3 @@ +ALTER TABLE reference ALTER COLUMN url SET DATA TYPE VARCHAR(4000); + +UPDATE Properties SET `value`='5.6' WHERE ID='version'; diff --git a/core/src/main/resources/dependencycheck.properties b/core/src/main/resources/dependencycheck.properties index 5c9ebd57c0f..63c22a57171 100644 --- a/core/src/main/resources/dependencycheck.properties +++ b/core/src/main/resources/dependencycheck.properties @@ -21,7 +21,7 @@ data.file_name=odc.mv.db ### if you increment the DB version then you must increment the database file path ### in the mojo.properties, task.properties (maven and ant respectively), and ### the gradle PurgeDataExtension. -data.version=5.5 +data.version=5.6 #The analysis timeout in minutes odc.analysis.timeout=180 
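Review bot: upgrade_5.5.sql is written in H2 syntax (backtick-quoted value column, `ALTER COLUMN url SET DATA TYPE`) and the commit message scopes it to H2, so an existing MSSQL, MySQL, Oracle or PostgreSQL database created from the old init scripts keeps `url VARCHAR(1000)` and a stored version of '5.5' while the client now expects 5.6. No upgrade path for those dialects is visible in this series; if none exists elsewhere, shared databases may be rejected on the version check or keep failing on the long references, which leaves the affected CVEs out of scan results. Consider shipping the equivalent per-dialect column change next to this file, or at least a header comment here such as `-- H2 only: external databases must be widened manually`. The context comment in dependencycheck.properties also asks for the database file path in mojo.properties, task.properties and the gradle PurgeDataExtension to be incremented together with `data.version`, and none of those files is in the diffstat; worth confirming that this does not apply when an upgrade script is provided.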
diff --git a/core/src/test/resources/dependencycheck.properties b/core/src/test/resources/dependencycheck.properties index feca39a60cd..7942cf161bf 100644 --- a/core/src/test/resources/dependencycheck.properties +++ b/core/src/test/resources/dependencycheck.properties @@ -17,7 +17,7 @@ engine.version.url=https://dependency-check.github.io/DependencyCheck/current.tx data.directory=[JAR]/data/11.0 #if the filename has a %s it will be replaced with the current expected version data.file_name=odc.mv.db -data.version=5.5 +data.version=5.6 #The analysis timeout in minutes odc.analysis.timeout=20 From ddc9fa15dc1229de74499b6ca23492e1878ca70f Mon Sep 17 00:00:00 2001 From: Steffen Jacobs Date: Wed, 29 Apr 2026 14:58:15 +0200 Subject: [PATCH 2/8] Update core/src/main/resources/data/initialize.sql Co-authored-by: Jeremy Long --- core/src/main/resources/data/initialize.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/data/initialize.sql b/core/src/main/resources/data/initialize.sql index dc7ba7957eb..016deae4e30 100644 --- a/core/src/main/resources/data/initialize.sql +++ b/core/src/main/resources/data/initialize.sql @@ -35,7 +35,7 @@ CREATE TABLE vulnerability (id int auto_increment PRIMARY KEY, cve VARCHAR(20) U v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), +CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(8000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), From 49b03430340afcdbd8666dbc51e848733f630340 Mon Sep 17 00:00:00 2001 
From: Steffen Jacobs Date: Wed, 29 Apr 2026 14:58:24 +0200 Subject: [PATCH 3/8] Update core/src/main/resources/data/initialize_mssql.sql Co-authored-by: Jeremy Long --- core/src/main/resources/data/initialize_mssql.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/data/initialize_mssql.sql b/core/src/main/resources/data/initialize_mssql.sql index 84d34d37f0f..882148910c8 100644 --- a/core/src/main/resources/data/initialize_mssql.sql +++ b/core/src/main/resources/data/initialize_mssql.sql @@ -54,7 +54,7 @@ CREATE TABLE vulnerability (id int identity(1,1) PRIMARY KEY, cve VARCHAR(20) UN v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), +CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(8000), source VARCHAR(255), CONSTRAINT FK_Reference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id INT identity(1,1) PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), From f9d6521d3c1129bfc442d7991c0fc2a2c4d4632f Mon Sep 17 00:00:00 2001 From: Steffen Jacobs Date: Wed, 29 Apr 2026 14:58:32 +0200 Subject: [PATCH 4/8] Update core/src/main/resources/data/initialize_mysql.sql Co-authored-by: Jeremy Long --- core/src/main/resources/data/initialize_mysql.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/data/initialize_mysql.sql b/core/src/main/resources/data/initialize_mysql.sql index 530e7f1dbc9..c3072936c05 100644 --- a/core/src/main/resources/data/initialize_mysql.sql +++ b/core/src/main/resources/data/initialize_mysql.sql 
@@ -54,7 +54,7 @@ CREATE TABLE vulnerability (id int auto_increment PRIMARY KEY, cve VARCHAR(20) U v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE `reference` (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), +CREATE TABLE `reference` (cveid INT, name VARCHAR(1000), url VARCHAR(8000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), From a3520a596e6fa36e7c95d4b7d4707457d60912a3 Mon Sep 17 00:00:00 2001 From: Steffen Jacobs Date: Wed, 29 Apr 2026 14:58:40 +0200 Subject: [PATCH 5/8] Update core/src/main/resources/data/initialize_oracle.sql Co-authored-by: Jeremy Long --- core/src/main/resources/data/initialize_oracle.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/data/initialize_oracle.sql b/core/src/main/resources/data/initialize_oracle.sql index 5da88098658..e56f0bc4b9e 100644 --- a/core/src/main/resources/data/initialize_oracle.sql +++ b/core/src/main/resources/data/initialize_oracle.sql 
@@ -135,7 +135,7 @@ CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE, v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), +CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(8000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id INT NOT NULL PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), From 25b6588caac82d2ce6c73c0ff298bac9a647fab2 Mon Sep 17 00:00:00 2001 From: Steffen Jacobs Date: Wed, 29 Apr 2026 14:58:48 +0200 Subject: [PATCH 6/8] Update core/src/main/resources/data/initialize_postgres.sql Co-authored-by: Jeremy Long --- core/src/main/resources/data/initialize_postgres.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/data/initialize_postgres.sql b/core/src/main/resources/data/initialize_postgres.sql index cc5d23aefb1..32fc125601f 100644 --- a/core/src/main/resources/data/initialize_postgres.sql +++ b/core/src/main/resources/data/initialize_postgres.sql 
@@ -41,7 +41,7 @@ CREATE TABLE vulnerability (id SERIAL PRIMARY KEY, cve VARCHAR(20) UNIQUE, v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), +CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(8000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id SERIAL PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255), From 4ba2839834d469dce060139db8d503130d2eb341 Mon Sep 17 00:00:00 2001 From: Steffen Jacobs Date: Wed, 29 Apr 2026 14:58:56 +0200 Subject: [PATCH 7/8] Update core/src/main/resources/data/upgrade_5.5.sql Co-authored-by: Jeremy Long --- core/src/main/resources/data/upgrade_5.5.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/main/resources/data/upgrade_5.5.sql b/core/src/main/resources/data/upgrade_5.5.sql index d27083fe622..d3fbf26e286 100644 --- a/core/src/main/resources/data/upgrade_5.5.sql +++ b/core/src/main/resources/data/upgrade_5.5.sql @@ -1,3 +1,3 @@ -ALTER TABLE reference ALTER COLUMN url SET DATA TYPE VARCHAR(4000); +ALTER TABLE reference ALTER COLUMN url SET DATA TYPE VARCHAR(8000); UPDATE Properties SET `value`='5.6' WHERE ID='version'; From 88d68e044a504f1d01a55643728bec4e4eba5ef5 Mon Sep 17 00:00:00 2001 From: Steffen Jacobs Date: Thu, 30 Apr 2026 13:34:14 +0200 Subject: [PATCH 8/8] fix: keep Oracle url column at VARCHAR(4000) Oracle's standard VARCHAR2 max is 4000 bytes (without enabling MAX_STRING_SIZE=EXTENDED), so revert just the Oracle init script to VARCHAR(4000) while the other dialects stay at VARCHAR(8000). --- core/src/main/resources/data/initialize_oracle.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/core/src/main/resources/data/initialize_oracle.sql b/core/src/main/resources/data/initialize_oracle.sql index e56f0bc4b9e..5da88098658 100644 --- a/core/src/main/resources/data/initialize_oracle.sql +++ b/core/src/main/resources/data/initialize_oracle.sql @@ -135,7 +135,7 @@ CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE, v4baseScore DECIMAL(3,1), v4baseSeverity VARCHAR(15), v4threatScore DECIMAL(3,1), v4threatSeverity VARCHAR(15), v4environmentalScore DECIMAL(3,1), v4environmentalSeverity VARCHAR(15), v4source VARCHAR(50), v4type VARCHAR(15)); -CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(8000), source VARCHAR(255), +CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(4000), source VARCHAR(255), CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE); CREATE TABLE cpeEntry (id INT NOT NULL PRIMARY KEY, part CHAR(1), vendor VARCHAR(255), product VARCHAR(255),
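Review bot: After this revert the Oracle schema accepts reference URLs up to 4000 while every other dialect accepts 8000, so a reference between the two limits would load everywhere except Oracle and the failure described in patch 1 would return for Oracle users only. The commit message states the limit in bytes, so a URL containing multi-byte characters would hit it below 4000 characters (assuming default byte length semantics). Nothing in the script explains why it differs from the other dialects. A comment above the `CREATE TABLE reference` line such as `-- url stays at 4000: Oracle VARCHAR2 limit without MAX_STRING_SIZE=EXTENDED; other dialects use 8000` would keep the next schema change from re-breaking it. A CLOB column or a length guard in the loader would remove the divergence altogether.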