Niklas
Thanks. > Not sure if it's related or not, but I did try setting ALPINE_HTTP_TIMEOUT_CONNECTION and ALPINE_HTTP_TIMEOUT_SOCKET to 5, and ALPINE_HTTP_TIMEOUT_POOL to 10. The issue seems to have gone away,...
Good catch, and great report @Jonas-vdb! It indeed looks like we have to ensure that violation analyses are always deleted before we delete the violation itself.
@olafz Thanks for your thorough explanation, this is *super* helpful. I think everything except modifying the index lengths can be done prior to running DT for the first time. I've...
Thanks for the PR @florentulve! Makes sense to me at first glance. @officerNordberg, as you dabble with CPEs a lot, may I ask for your opinion on this?
Indeed DT should identify new vulnerabilities in older projects. However, the metrics update that runs hourly does *not* perform vulnerability analysis, it just calculates metrics based on the information that's...
As per my previous comment: > A portfolio scan also explicitly excludes projects that have been marked as "inactive".
Ok, please feel free to open another issue if the issue materialized into something reproducible. FYI, this is where the to-be-scanned projects are queried: https://github.com/DependencyTrack/dependency-track/blob/bcc57feb31e44295344d2d59d28a79c951dfd842/src/main/java/org/dependencytrack/tasks/VulnerabilityAnalysisTask.java#L76-L93 `qm.getAllProjects(true)` fetches all *active* projects....
Thanks for reporting @kuhball! This is indeed an odd behavior that has been kept for historical reasons until now. At the moment, whenever a component, project or vulnerability does not...
Thanks for reporting @zgael! I think your analysis is spot on. The nimbus OIDC SDK does support proxies, but it only considers them when defined via Java System properties per...
> Do you have any idea when this might get patched? I'd like to get it done in the next version (4.7), as 4.6 is already quite packed and...