Help Requested: Oracle SQL #2755
Comments
@jeremylong I'll try and see how far I can get on this with the help of a Dockerized Oracle XE 18 database.
Have an apparently working schema, but not yet satisfied by its (lack of) speed. On my containerized Oracle XE (18.4.0), initializing the DB from scratch with the NVD data takes 3,536,820 ms (almost an hour). Can anyone tell what the 5.3.2 performance used to be for an Oracle initialization?
Also needed some dirty hacks in CveDB (Oracle-specific code paths) to get it running with my schema.
The performance on the update for any of the external databases is not great. I can't believe they were used before 6.x, as we've had reports of updates taking 5-24 hours. One hour update time isn't horrible considering what it was before. I think people just had one node set up to update the external DB, and after the initial load, if they updated daily/weekly, it would go much faster.
To avoid some of the Oracle-specific code - instead of using an OUT parameter in
    CREATE OR REPLACE PROCEDURE update_vulnerability(p_cveId IN vulnerability.cve%type,
    ...
    cursor_ OUT SYS_REFCURSOR)
    AS
    vulnerabilityId number;
    BEGIN
    ...
    OPEN cursor_ FOR
    SELECT vulnerabilityId
I know that isn't 100% right - but with some tweaking might work. Thoughts?
I tried returning, but then Oracle needs a function - stored procedures in Oracle cannot return other than via an OUT parameter... and the function also requires a similar call structure from what I found (tried the function approach first). Will keep trying to find a better way, but first need to find out why currently no CPE gets registered while update-only runs successfully.
Managed to get cleaner code by using a stored procedure with an OUT parameter. Still need some Oracle custom code there (additional parameter, and need to use CallableStatement instead of PreparedStatement because of the OUT parameter), but in a much less ugly way. Currently testing my solution; after validating, curious to see what the timing of the initial load is going to be now that I have properly restored the creation of cpeEntry and software in the insert_software stored procedure.
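As an added illustration of the Oracle-specific call path discussed in the two comments above (the SYS_REFCURSOR OUT parameter on update_vulnerability and the CallableStatement needed to consume it), here is a hypothetical JDBC helper; it is not code from the dependency-check CveDB class. It assumes a procedure signature with a single IN parameter before the cursor (the real one has more, elided as "..." above) and a JDBC 4.2 Oracle driver that accepts Types.REF_CURSOR.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Types;

/**
 * Hypothetical Oracle branch for update_vulnerability: the procedure opens a
 * SYS_REFCURSOR on the vulnerabilityId, so the caller must use a
 * CallableStatement and read the id back through the OUT parameter.
 */
public final class OracleUpdateVulnerability {

    /** Rows per round trip; the Oracle driver default of 10 is far too small. */
    private static final int FETCH_SIZE = 10_000;

    private OracleUpdateVulnerability() { }

    /**
     * Calls update_vulnerability(p_cveId IN, cursor_ OUT SYS_REFCURSOR) and
     * returns the single vulnerabilityId the procedure placed in the cursor.
     * Assumption: two placeholders; adjust the call string to the real signature.
     */
    static long updateVulnerability(Connection conn, String cveId) throws SQLException {
        // JDBC escape syntax for a procedure call; the last placeholder is the OUT cursor
        try (CallableStatement cs = conn.prepareCall("{call update_vulnerability(?, ?)}")) {
            cs.setString(1, cveId);
            // Types.REF_CURSOR (JDBC 4.2) maps to Oracle's SYS_REFCURSOR
            cs.registerOutParameter(2, Types.REF_CURSOR);
            cs.execute();
            // The driver hands the opened cursor back as a ResultSet
            try (ResultSet rs = (ResultSet) cs.getObject(2)) {
                rs.setFetchSize(FETCH_SIZE);
                if (!rs.next()) {
                    throw new SQLException("update_vulnerability returned no id for " + cveId);
                }
                long vulnerabilityId = rs.getLong(1);
                if (rs.next()) {
                    // A second row means duplicate records; a UNIQUE index should prevent this
                    throw new SQLException("multiple vulnerability rows for " + cveId);
                }
                return vulnerabilityId;
            }
        }
    }
}
```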
Results of my load test:
record-stats of the database:
@jeremylong Any recommendations on how to best validate that this Oracle database schema operates correctly?
I'm a little suspicious of:
Although - that could be a difference in how the "counts" are retrieved on Oracle vs. other DBs. For instance, on an initial load of the data there should not be any orphaned NVD records. The testing I've done is to compare executions using H2 in comparison to MySQL/PostgreSQL/etc.
@jeremylong The count of 1 is indeed due to different Oracle behaviour. Getting the update count would require adding an OUT parameter to the stored procedure(s). So it would require an additional Oracle-special branch (in the body of cleanupDatabase) similar to the logic already added to updateOrInsertVulnerability for the insert_software stored procedure. Would be easy to integrate. Do you consider having the proper counts more beneficial than having a single code path? Would be happy to adapt my code for it if so. Oracle code and schema still need some further debugging, as I managed to get logical duplicates into cpeEntry in the Oracle database (all fields apart from ID identical), raising an error for multiple results instead of one during update for some integration tests of the Maven plugin when I ran a build modified to use my Oracle database:
A quick query on the database shows that I managed to create 19 duplicate CPEs.
Looks like a side effect of the parallel test execution. I think some kind of in-database lock-for-updating at the start of the update is required for the 'remote' database instances (all but the in-VM H2 database) to avoid two updates on separate JVMs from trying to mutate the database in parallel. Nevertheless, added the 'UNIQUE' constraint to the index for all functional fields of cpeEntry to at least avoid this from ever happening again - will run a new IT test later to verify that I indeed see some test cases fail on attempts to add a duplicate cpeEntry.
Regarding the counts being one for the three INFO statements that are updating the ecosystems and purging orphans. I might have a solution - instead of using stored procs such as: and Because these are single-line stored procs, the SQL could be moved to the
Right on that one... overlooked the opportunity. Updated the queries and the initialization script. Currently running a new full DB load to verify results.
Database initialization verified against a fresh Postgresql database.
Analysis run for the Oracle DB is significantly slower (2.5-3 times, for Jim Seller's multimodule project created to sample the slow H2 behaviour) than PostgreSQL. Will look and see if I can find ways to improve there.
Managed to get performance up a notch by increasing Oracle's default fetch size of 10 records closer to the other DBMSs' default of 'fetch all'. Decided to keep Oracle a bit more sane and limit it to 10_000 entries for a single fetch.
Significant performance improvements have been made for MySQL in the 6.x branch, and we are hoping to get someone to submit a PR to update the initialize_oracle.sql file to support the changes required for 6.0.0. The changes made for MySQL can be seen here: 6a6d21b#diff-23975a7378873c27620d7ccee40b72b8
It would be very helpful if someone could create a PR to perform the modifications for:
https://github.com/jeremylong/DependencyCheck/blob/addCvssVersions/core/src/main/resources/data/initialize_oracle.sql
Note that the performance enhancements for MySQL are currently in the addCvssVersions branch (https://github.com/jeremylong/DependencyCheck/tree/addCvssVersions), as the performance enhancement changes are combined with other breaking changes to enhance the CVSS metadata. If you are testing the stored procedures you should use the addCvssVersions branch.