Consider OS distro during vulnerability matching

* Where possible, enriches an affected package's PURL with `distro` qualifier inferred from the package's `ecosystem`. e.g. `ecosystem=Debian:7` becomes `distro=debian-11`, `ecosystem=Ubuntu:20.04:LTS` becomes `distro=ubuntu-20.04` etc.
* During vulnerability analysis, if both component and matching criteria have a PURL `distro` qualifier, ensures they match. Matching can handle codename <-> version comparisons, e.g. for Ubuntu `focal` would match `20.04` and vice versa.
* Generally improves performance of OSV mirroring by using fewer transactions and disabling ORM features that caused expensive unnecessary queries.

Currently Alpine, Debian, and Ubuntu distribution matching is implemented. These seem to work for SBOMs generated with Trivy and Syft.

The codename <-> version mapping is currently hardcoded for Debian and Ubuntu. There is a fallback mechanism that will handle exact matches, such that when Debian publishes a hypothetical "foo" release, we can still match components with vulnerabilities if both `distro` qualifiers are exactly "foo".

Debian and Ubuntu provide CSV which we could regularly fetch at runtime, but this involves more work to coordinate.

Fixes #1374
Fixes #5776
Fixes #4445
Fixes #4725

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

dev/docker-compose.postgres.yml

@@ -28,6 +28,11 @@ services:
 
   postgres:
     image: postgres:14-alpine
+    command: >-
+      -c 'shared_preload_libraries=pg_stat_statements'
+      -c 'pg_stat_statements.track=all'
+      -c 'pg_stat_statements.max=10000'
+      -c 'track_activity_query_size=2048'
     environment:
       POSTGRES_DB: "dtrack"
       POSTGRES_USER: "dtrack"
@@ -43,5 +48,16 @@ services:
     - "postgres-data:/var/lib/postgresql/data"
     restart: unless-stopped
 
+  pghero:
+    image: ankane/pghero
+    depends_on:
+      postgres:
+        condition: service_healthy
+    environment:
+      DATABASE_URL: "postgres://dtrack:dtrack@postgres:5432/dtrack"
+    ports:
+    - "127.0.0.1:8432:8080"
+    restart: unless-stopped
+
 volumes:
   postgres-data: { }

dev/docker-compose.yml

@@ -18,8 +18,9 @@ name: "dependency-track"
 
 services:
   apiserver:
-    image: dependencytrack/apiserver:snapshot-alpine
+    image: dependencytrack/apiserver:local-alpine
     environment:
+      EXTRA_JAVA_OPTIONS: "-Xmx2g"
       # Speed up password hashing for faster initial login (default is 14 rounds).
       ALPINE_BCRYPT_ROUNDS: "4"
       TELEMETRY_SUBMISSION_ENABLED_DEFAULT: "false"

src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java

@@ -85,7 +85,7 @@ public enum ConfigPropertyConstants {
     VULNERABILITY_SOURCE_GITHUB_ADVISORIES_ACCESS_TOKEN("vuln-source", "github.advisories.access.token", null, PropertyType.STRING, "The access token used for GitHub API authentication"),
     VULNERABILITY_SOURCE_GITHUB_ADVISORIES_LAST_MODIFIED_EPOCH_SECONDS("vuln-source", "github.advisories.last.modified.epoch.seconds", null, PropertyType.INTEGER, "Epoch timestamp in seconds of the latest observed GHSA modification time"),
     VULNERABILITY_SOURCE_GOOGLE_OSV_BASE_URL("vuln-source", "google.osv.base.url", "https://osv-vulnerabilities.storage.googleapis.com/", PropertyType.URL, "A base URL pointing to the hostname and path for OSV mirroring"),
-    VULNERABILITY_SOURCE_GOOGLE_OSV_ENABLED("vuln-source", "google.osv.enabled", null, PropertyType.STRING, "List of enabled ecosystems to mirror OSV"),
+    VULNERABILITY_SOURCE_GOOGLE_OSV_ENABLED("vuln-source", "google.osv.enabled", "Alpine;Debian;Ubuntu", PropertyType.STRING, "List of enabled ecosystems to mirror OSV"),
     VULNERABILITY_SOURCE_GOOGLE_OSV_ALIAS_SYNC_ENABLED("vuln-source", "google.osv.alias.sync.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable alias synchronization for OSV"),
     VULNERABILITY_SOURCE_EPSS_ENABLED("vuln-source", "epss.enabled", "true", PropertyType.BOOLEAN, "Flag to enable/disable Exploit Prediction Scoring System"),
     VULNERABILITY_SOURCE_EPSS_FEEDS_URL("vuln-source", "epss.feeds.url", "https://epss.cyentia.com", PropertyType.URL, "A base URL pointing to the hostname and path of the EPSS feeds"),