
DefectDojo Integration Read time out error

Open maxwai opened this issue 2 months ago • 3 comments

Current Behavior

Currently, when the DefectDojo Integration does a sync, it fails with a SocketTimeoutException: Read timed out

Relevant Log output (on TRACE level):

2025-10-09 10:02:49,766 DEBUG [EventService] Dispatching event: class org.dependencytrack.event.DefectDojoUploadEventAbstract
2025-10-09 10:02:49,766 DEBUG [EventService] Alerting subscriber org.dependencytrack.tasks.DefectDojoUploadTask
2025-10-09 10:02:49,766 DEBUG [SingleThreadedEventService] Dispatching event: class org.dependencytrack.event.DefectDojoUploadEventAbstract
2025-10-09 10:02:49,766 DEBUG [SingleThreadedEventService] No subscribers to inform from event: org.dependencytrack.event.DefectDojoUploadEventAbstract
2025-10-09 10:02:49,766 DEBUG [DefectDojoUploadTask] Starting DefectDojo upload task
2025-10-09 10:02:49,804 DEBUG [VulnerabilityManagementUploadTask] Initializing integration point: DefectDojo [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
2025-10-09 10:02:50,722 DEBUG [VulnerabilityManagementUploadTask] Uploading findings to DefectDojo [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
2025-10-09 10:02:50,728 DEBUG [DefectDojoClient] Pulling DefectDojo Tests API ... [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
2025-10-09 10:02:50,728 DEBUG [DefectDojoClient] Make the first pagination call [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
2025-10-09 10:02:50,792 DEBUG [DefectDojoClient] Successfully retrieved the test list  [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
2025-10-09 10:02:50,794 DEBUG [DefectDojoUploader] Found existing test Id: 27 [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
2025-10-09 10:02:50,796 DEBUG [DefectDojoClient] Re-reimport Dependency-Track findings to DefectDojo per Engagement [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
2025-10-09 10:03:20,885 ERROR [DefectDojoClient] An error occurred with the DefectDojo integration point [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
java.net.SocketTimeoutException: Read timed out
        at java.base/sun.nio.ch.NioSocketImpl.timedRead(Unknown Source)
        at java.base/sun.nio.ch.NioSocketImpl.implRead(Unknown Source)
        at java.base/sun.nio.ch.NioSocketImpl.read(Unknown Source)
        at java.base/sun.nio.ch.NioSocketImpl$1.read(Unknown Source)
        at java.base/java.net.Socket$SocketInputStream.read(Unknown Source)
        at org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:137)
        at org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:153)
        at org.apache.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:280)
        at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:138)
        at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:56)
        at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:259)
        at org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:163)
        at org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:157)
        at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:273)
        at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:272)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
        at org.dependencytrack.integrations.defectdojo.DefectDojoClient.reimportDependencyTrackFindings(DefectDojoClient.java:191)
        at org.dependencytrack.integrations.defectdojo.DefectDojoUploader.upload(DefectDojoUploader.java:131)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.processProjectFindings(VulnerabilityManagementUploadTask.java:102)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.processProjects(VulnerabilityManagementUploadTask.java:83)
        at org.dependencytrack.tasks.VulnerabilityManagementUploadTask.inform(VulnerabilityManagementUploadTask.java:60)
        at org.dependencytrack.tasks.DefectDojoUploadTask.inform(DefectDojoUploadTask.java:37)
        at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:110)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
2025-10-09 10:03:20,885 DEBUG [NotificationService] Dispatching notification: class alpine.notification.Notification [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
2025-10-09 10:03:20,885 DEBUG [NotificationService] Alerting subscriber org.dependencytrack.notification.NotificationRouter [projectName=<ProjectName>, projectUuid=<ProjectUUID>, projectVersion=<ProjectVersion>]
2025-10-09 10:03:20,913 DEBUG [DefectDojoUploadTask] DefectDojo upload complete
2025-10-09 10:03:21,034 DEBUG [NotificationRouter] Matched 0 notification rules (PublishContext{notificationGroup=INTEGRATION, notificationLevel=ERROR, notificationScope=SYSTEM, notificationTimestamp=2025-10-09T10:03:20.885434219Z, notificationSubjects={}})

Steps to Reproduce

  1. Create a Project in DTrack with a lot of findings (in our example that crashes we have 2200 findings)
  2. Set up DefectDojo integration as described in the documentation with reimport and doNotReactivate options turned on
  3. Wait for sync
  4. See error in logs of DTrack

Expected Behavior

The Integration should be able to sync without error.

Dependency-Track Version

4.13.4

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

17

Browser

Google Chrome

Checklist

maxwai avatar Oct 09 '25 10:10 maxwai

same same here with "v4.13.5", any ideas?

forca84 avatar Nov 03 '25 13:11 forca84

It sounds like DefectDojo takes a long time to respond. Have you checked the DefectDojo logs for any hints?

nscuro avatar Nov 03 '25 14:11 nscuro

No, the DefectDojo instance doesn't have any relevant logs, even when set to debug.

maxwai avatar Nov 18 '25 17:11 maxwai
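
Added example, not part of the thread and not Dependency-Track code: a small log check that measures how long the client waited between the last step it logged and the `SocketTimeoutException`, so the wait can be compared with the configured read timeout and with DefectDojo's own processing time. The sample lines are abridged from the log in the issue; the function names `parse` and `read_timeout_waits` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: lines abridged from the log in the issue (project context dropped).
SAMPLE_LOG = """\
2025-10-09 10:02:50,728 DEBUG [DefectDojoClient] Make the first pagination call
2025-10-09 10:02:50,792 DEBUG [DefectDojoClient] Successfully retrieved the test list
2025-10-09 10:02:50,794 DEBUG [DefectDojoUploader] Found existing test Id: 27
2025-10-09 10:02:50,796 DEBUG [DefectDojoClient] Re-reimport Dependency-Track findings to DefectDojo per Engagement
2025-10-09 10:03:20,885 ERROR [DefectDojoClient] An error occurred with the DefectDojo integration point
java.net.SocketTimeoutException: Read timed out
        at java.base/sun.nio.ch.NioSocketImpl.timedRead(Unknown Source)
2025-10-09 10:03:20,913 DEBUG [DefectDojoUploadTask] DefectDojo upload complete
"""

RECORD = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+\[(\w+)\] (.*)$")

def parse(log_text):
    """Split the log into records; attach the exception header line, if any."""
    records = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            records.append({"ts": ts, "level": m.group(2),
                            "logger": m.group(3), "msg": m.group(4), "exc": None})
        elif records and records[-1]["exc"] is None and line[:1] not in ("", " ", "\t"):
            # First unindented continuation line names the exception;
            # indented "at ..." stack frames are skipped.
            records[-1]["exc"] = line.strip()
    return records

def read_timeout_waits(log_text, logger="DefectDojoClient"):
    """For each read timeout, return (seconds waited, last step logged before it)."""
    waits, prev = [], None
    for rec in parse(log_text):
        if rec["logger"] != logger:
            continue
        if (rec["level"] == "ERROR" and prev is not None
                and "SocketTimeoutException" in (rec["exc"] or "")):
            waits.append(((rec["ts"] - prev["ts"]).total_seconds(), prev["msg"]))
        prev = rec
    return waits

if __name__ == "__main__":
    for seconds, step in read_timeout_waits(SAMPLE_LOG):
        print(f"{seconds:.3f}s waiting after: {step}")
```

On the log above, the wait falls on the re-import request rather than the earlier pagination call. That the wait reflects a fixed client-side limit is an inference from the timing, not something the thread confirms.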