DefectDojo
diff --git a/‎docs/content/releases/pro/ddorch-database.md‎
Lines changed: 174 additions & 0 deletions b/‎docs/content/releases/pro/ddorch-database.md‎
Lines changed: 174 additions & 0 deletions
diff --git a/‎dojo/tools/dependency_track/parser.py‎
Lines changed: 8 additions & 117 deletions b/‎dojo/tools/dependency_track/parser.py‎
Lines changed: 8 additions & 117 deletions
@@ -0,0 +1,174 @@
+---
+title: "Adding the dd-orch Database on Upgrade"
+toc_hide: true
+weight: -20260501
+description: "Provisioning the dojodb-ddorch PostgreSQL database and pointing DefectDojo Pro at it on an existing self-hosted installation."
+audience: pro
+---
+
+Starting with 2.57.3, DefectDojo Pro requires a second PostgreSQL database, `dojodb-ddorch`, used by the new `ddorch` orchestrator service. The existing `dojodb` database continues to be used by the main Django application.
+
+This guide walks through adding `dojodb-ddorch` to an existing self-hosted PostgreSQL instance and pointing DefectDojo at it.
+
+## Prerequisites
+
+- PostgreSQL 16 is already installed and running on the DB server.
+- The `dojodbusr` role already exists with a known password.
+- `dojodb` is already created and reachable from the DefectDojo app server.
+- `listen_addresses` in `postgresql.conf` is already configured for remote access.
+- You have upgraded to the release that ships the `ddorch` and `ddorch-workers` services.
+
+> **A note on the database name:** `dojodb-ddorch` contains a hyphen, so it must be double-quoted in every SQL statement (`"dojodb-ddorch"`).
+
+## Part 1: Provision the Database
+
+### 1. Create the new database
+
+On the PostgreSQL server, open a `psql` session as the `postgres` superuser:
+
+```bash
+sudo -i -u postgres psql --username postgres
+```
+
+Create the database, grant privileges to the existing `dojodbusr` role, and transfer ownership:
+
+```sql
+CREATE DATABASE "dojodb-ddorch";
+GRANT ALL PRIVILEGES ON DATABASE "dojodb-ddorch" TO dojodbusr;
+ALTER DATABASE "dojodb-ddorch" OWNER TO dojodbusr;
+\q
+```
+
+**Example session:**
+
+```
+root@dbserver:~# sudo -i -u postgres psql --username postgres
+psql (16.8)
+Type "help" for help.
+
+postgres=# CREATE DATABASE "dojodb-ddorch";
+CREATE DATABASE
+postgres=# GRANT ALL PRIVILEGES ON DATABASE "dojodb-ddorch" TO dojodbusr;
+GRANT
+postgres=# ALTER DATABASE "dojodb-ddorch" OWNER TO dojodbusr;
+ALTER DATABASE
+postgres=# \q
+```
+
+> **PostgreSQL 15+ note:** Ownership covers schema rights for the owner, but if you ever connect as a non-owner role you will also need to grant schema privileges inside the new database:
+>
+> ```sql
+> \c "dojodb-ddorch"
+> GRANT ALL ON SCHEMA public TO dojodbusr;
+> ```
+
+### 2. Allow the app server to connect
+
+Edit `/etc/postgresql/16/main/pg_hba.conf` and add a new line for `dojodb-ddorch` next to the existing `dojodb` entry.
+
+**(a) Preferred — restrict to the DefectDojo app server's IP.**
+
+Supposing the app server's IP is `9.9.9.9`, add:
+
+```
+host  dojodb-ddorch  dojodbusr  9.9.9.9/32  scram-sha-256
+host  postgres  dojodbusr  9.9.9.9/32  scram-sha-256
+```
+
+**(b) Alternative — allow from any host.**
+
+```
+host  dojodb-ddorch  dojodbusr  0.0.0.0/0  scram-sha-256
+host  postgres  dojodbusr  0.0.0.0/0  scram-sha-256
+```
+
+> **Note:** The lines in `pg_hba.conf` are whitespace-delimited. The easiest way to add this line is to copy/paste the existing `dojodb` line and change the database name.
+
+**Alternative using `echo` (if no text editor is available):**
+
+```bash
+# For specific IP (replace 9.9.9.9 with your app server IP):
+echo "host  dojodb-ddorch  dojodbusr  9.9.9.9/32  scram-sha-256" | sudo tee -a /etc/postgresql/16/main/pg_hba.conf
+echo "host  postgres  dojodbusr  9.9.9.9/32  scram-sha-256" | sudo tee -a /etc/postgresql/16/main/pg_hba.conf
+
+# OR for all hosts:
+echo "host  dojodb-ddorch  dojodbusr  0.0.0.0/0  scram-sha-256" | sudo tee -a /etc/postgresql/16/main/pg_hba.conf
+echo "host  postgres  dojodbusr  0.0.0.0/0  scram-sha-256" | sudo tee -a /etc/postgresql/16/main/pg_hba.conf
+
+```
+
+### 3. Reload PostgreSQL
+
+Changes to `pg_hba.conf` only require a reload — no restart is needed:
+
+```bash
+sudo systemctl reload postgresql
+```
+
+Verify the reload was picked up:
+
+```bash
+sudo systemctl status postgresql
+```
+
+### 4. Verify connectivity from the app server
+
+From the **DefectDojo app server**, confirm `dojodbusr` can reach the new database. Replace `<db-server-ip>` with your DB server's IP and `<password>` with the password set for `dojodbusr`:
+
+```bash
+psql "host=<db-server-ip> dbname=dojodb-ddorch user=dojodbusr password=<password>" -c "SELECT 1;"
+```
+
+A successful response of `?column?` with a value of `1` confirms the database is reachable and the credentials are valid.
+
+## Part 2: Point DefectDojo at the New Database
+
+Only the `ddorch` service connects to the new database directly. The main Django application reaches the orchestrator over gRPC, so `DD_DATABASE_URL` does **not** change.
+
+### 1. Set the orchestrator database URL
+
+The `ddorch` service reads its connection string from the `DD_DATABASE_URL` environment variable and **automatically appends `-ddorch` to the database name** in whatever URL you pass it. This means you can reuse the same connection string you already use for the main Django application — no need to construct a second URL by hand.
+
+On startup, ddorch rewrites the database name in this URL from `dojodb` to `dojodb-ddorch` and connects to the database you created in Part 1.
+
+### 2. Restart the orchestrator services
+
+From the deployment directory, recreate the two orchestrator containers so they pick up the new environment:
+
+```bash
+docker compose up -d ddorch ddorch-workers
+```
+
+Docker Compose will detect the environment change and recreate the containers. The `ddorch` service runs its own schema migrations against `dojodb-ddorch` on startup — no manual migration command is required.
+
+### 3. Verify ddorch connected and migrated the new database
+
+The most direct signal that the database is correctly wired up is the ddorch startup log. Check the last hundred lines:
+
+```bash
+docker compose logs ddorch --tail=100
+```
+
+Look for three log lines in sequence:
+
+```
+{"level":"INFO","msg":"Appending database name to DATABASE_URL","from":"dojodb","to":"dojodb-ddorch"}
+INFO Running migrations current_schema_version=<N> next_version=<M> migrations_to_apply=<K>
+{"level":"INFO","msg":"starting server","port":9871}
+```
+
+What each line proves:
+
+- **`Appending database name to DATABASE_URL ... to: dojodb-ddorch`** — ddorch received your URL and derived the orch database name correctly.
+- **`Running migrations ... migrations_to_apply=0`** — ddorch connected to `dojodb-ddorch` and found the schema at the expected version. On a first-ever boot against a fresh database you may see `migrations_to_apply=<N>` with a non-zero value and no subsequent error — this means ddorch just created the tables from scratch. Both outcomes indicate success.
+- **`starting server ... port:9871`** — ddorch is up and listening.
+
+If instead you see an error such as `FATAL: password authentication failed`, `no pg_hba.conf entry for host`, or `database "dojodb-ddorch" does not exist`, the database is not reachable — revisit Part 1 before proceeding.
+
+Also confirm both orchestrator containers are running:
+
+```bash
+docker compose ps ddorch ddorch-workers
+```
+
+Both should report `Up`. With ddorch migrated and the workers container running, your installation is now using the new `dojodb-ddorch` database.
@@ -13,106 +13,6 @@
 
 class DependencyTrackParser:
 
-    r"""
-    A class that can be used to parse the JSON Finding Packaging Format (FPF) export from OWASP Dependency Track.
-
-    See here for more info on this JSON format: https://docs.dependencytrack.org/integrations/file-formats/
-
-    A typical Finding Packaging Format (FPF) export looks like the following:
-
-    {
-      "version": "1.3",
-      "meta" : {
-        "application": "Dependency-Track",
-        "version": "4.5.0",
-        "timestamp": "2022-02-18T23:31:42Z",
-        "baseUrl": "http://dtrack.example.org"
-      },
-      "project" : {
-        "uuid": "ca4f2da9-0fad-4a13-92d7-f627f3168a56",
-        "name": "Acme Example",
-        "version": "1.0",
-        "description": "A sample application"
-      },
-      "findings" : [
-      {
-        "component": {
-          "uuid": "b815b581-fec1-4374-a871-68862a8f8d52",
-          "name": "timespan",
-          "version": "2.3.0",
-          "purl": "pkg:npm/timespan@2.3.0",
-          "latestVersion": "3.2.0"
-        },
-        "vulnerability": {
-          "uuid": "115b80bb-46c4-41d1-9f10-8a175d4abb46",
-          "source": "NPM",
-          "vulnId": "533",
-          "title": "Regular Expression Denial of Service",
-          "subtitle": "timespan",
-          "severity": "LOW",
-          "severityRank": 3,
-          "cvssV2Vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P",
-          "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-          "cvssV4Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
-          "references": "* [https://example.com](https://example.com)\n* [https://example.org](https://example.org)",
-          "published": "2025-07-11 03:16:03.563",
-          "cweId": 400,
-          "cweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')",
-          "cwes": [
-            {
-              "cweId": 400,
-              "name": "Uncontrolled Resource Consumption ('Resource Exhaustion')"
-            }
-          ],
-          "description": "Affected versions of `timespan`...",
-          "recommendation": "No direct patch is available..."
-        },
-        "analysis": {
-          "state": "NOT_SET",
-          "isSuppressed": false
-        },
-        "matrix": "ca4f2da9-0fad-4a13-92d7-f627f3168a56:b815b581-fec1-4374-a871-68862a8f8d52:115b80bb-46c4-41d1-9f10-8a175d4abb46"
-      },
-      {
-        "component": {
-          "uuid": "979f87f5-eaf5-4095-9d38-cde17bf9228e",
-          "name": "uglify-js",
-          "version": "2.4.24",
-          "purl": "pkg:npm/uglify-js@2.4.24"
-        },
-        "vulnerability": {
-          "uuid": "701a3953-666b-4b7a-96ca-e1e6a3e1def3",
-          "source": "NPM",
-          "vulnId": "48",
-          "aliases": [
-            {
-              "cveId": "CVE-2022-2053",
-              "ghsaId": "GHSA-95rf-557x-44g5"
-            }
-          ],
-          "title": "Regular Expression Denial of Service",
-          "subtitle": "uglify-js",
-          "severity": "LOW",
-          "severityRank": 3,
-          "cweId": 400,
-          "cweName": "Uncontrolled Resource Consumption ('Resource Exhaustion')",
-          "cwes": [
-            {
-              "cweId": 400,
-              "name": "Uncontrolled Resource Consumption ('Resource Exhaustion')"
-            }
-          ],
-          "description": "Versions of `uglify-js` prior to...",
-          "recommendation": "Update to version 2.6.0 or later."
-        },
-        "analysis": {
-          "isSuppressed": false
-        },
-        "matrix": "ca4f2da9-0fad-4a13-92d7-f627f3168a56:979f87f5-eaf5-4095-9d38-cde17bf9228e:701a3953-666b-4b7a-96ca-e1e6a3e1def3"
-      }]
-    }
-    """
-
     def _convert_dependency_track_severity_to_dojo_severity(self, dependency_track_severity):
         """
         Converts a Dependency Track severity to a DefectDojo severity.
@@ -171,23 +71,14 @@ def _convert_dependency_track_finding_to_dojo_finding(self, dependency_track_fin
 
         title = f"{component_name}:{version_description} affected by: {vuln_id} ({source})"
 
-        # We should collect all the vulnerability ids, the FPF format can add additional IDs as aliases
-        # we add these aliases in the vulnerability_id list making sure duplicate findings get correctly deduplicated
-        # older version of Dependency-track might not include these field therefore lets check first
-        if dependency_track_finding["vulnerability"].get("aliases"):
-            # There can be multiple alias entries
-            set_of_ids = set()
-            set_of_sources = {"cveId", "sonatypeId", "ghsaId", "osvId", "snykId", "gsdId", "vulnDbId"}
-            for alias in dependency_track_finding["vulnerability"]["aliases"]:
-                for source in set_of_sources:
-                    if source in alias:
-                        set_of_ids.add(alias[source])
-            vulnerability_id = list(set_of_ids)
-        else:
-            # The vulnId is not always a CVE (e.g. if the vulnerability is not from the NVD source)
-            # So here we set the cve for the DefectDojo finding to null unless the source of the
-            # Dependency Track vulnerability is NVD
-            vulnerability_id = [vuln_id] if source is not None and source.upper() == "NVD" else None
+        # Collect all vulnerability IDs: vulnId itself plus any aliases
+        set_of_ids = {vuln_id}
+        set_of_alias_sources = {"cveId", "sonatypeId", "ghsaId", "osvId", "snykId", "gsdId", "vulnDbId"}
+        for alias in dependency_track_finding["vulnerability"].get("aliases") or []:
+            for alias_source in set_of_alias_sources:
+                if alias_source in alias:
+                    set_of_ids.add(alias[alias_source])
+        vulnerability_id = list(set_of_ids)
 
         # Default CWE to CWE-1035 Using Components with Known Vulnerabilities if there is no CWE
         if "cweId" in dependency_track_finding["vulnerability"] and dependency_track_finding["vulnerability"]["cweId"] is not None: