Application

Dependency-Track's configuration system is based on MicroProfile Config, enabling it to support multiple sources.

Tip

A comprehensive list of supported config properties can be found in the configuration reference.

Sources

Config properties are loaded, in order, from the following sources:

  1. JVM system properties
  2. Environment variables
  3. ${cwd}/.env file
  4. ${cwd}/config/application.properties file
  5. application.properties embedded in the application

Tip

${cwd} refers to the current working directory. When running an official container image, it is /opt/owasp/dependency-track.

Once a value is found, later sources will not be checked. For example, when Dependency-Track attempts to look up the config property foo.bar, the environment variable FOO_BAR=123 is ignored if the JVM was launched with -Dfoo.bar=321.

Expressions

Configuration values may use expressions, indicated by ${...}, to reference each other:

dt.datasource.foo.url=jdbc:postgresql://localhost:5432/dtrack
dt.datasource.bar.url=${dt.datasource.foo.url}

This is useful to avoid redundant definition of identical values.

Loading Values From Files

Configuration values may be loaded from files using the ${file::/path/to/file} expression. This is useful when secrets are mounted into the container as files, for example via Docker or Kubernetes secrets:

dt.datasource.password=${file::/var/run/secrets/database-password}
dt.ldap.bind.password=${file::/var/run/secrets/ldap-bind-password}

The file is read once at startup, decoded as UTF-8, and trailing whitespace is stripped. Files larger than 64 KiB are rejected.
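
A pre-flight check that can run before the application starts, so that a bad secret mount is caught early. This is an added example, not part of Dependency-Track: the function names are hypothetical, only a properties file is scanned, and the empty-value check is this example's own policy rather than a documented rule.

```sh
#!/bin/sh
# Added example: pre-flight check for secrets referenced via ${file::/path}.
MAX_BYTES=65536   # 64 KiB; larger files are rejected per the text above

# Print each distinct path used in a ${file::...} expression.
# Comment lines (starting with # or !) are skipped.
secret_paths() {
    grep -v '^[[:space:]]*[#!]' "$1" |
        grep -o '\${file::[^}]*}' |
        sed -e 's/^\${file:://' -e 's/}$//' | sort -u
}

# Return 0 if the file would load cleanly; otherwise explain on stderr, return 1.
check_secret() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || { echo "$f: missing or unreadable" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -le "$MAX_BYTES" ] || { echo "$f: $size bytes, over 64 KiB" >&2; return 1; }
    if command -v iconv >/dev/null 2>&1; then   # skipped where iconv is absent
        iconv -f UTF-8 -t UTF-8 "$f" >/dev/null 2>&1 ||
            { echo "$f: not valid UTF-8" >&2; return 1; }
    fi
    # This example's own policy (not a documented rule): since trailing
    # whitespace is stripped, a whitespace-only file would yield an empty secret.
    [ -n "$(tr -d '[:space:]' < "$f")" ] || { echo "$f: empty value" >&2; return 1; }
    return 0
}

# Check every secret a properties file references; 1 if any fails, 2 if unreadable.
preflight() {
    [ -r "$1" ] || { echo "$1: cannot read properties file" >&2; return 2; }
    rc=0
    paths=$(secret_paths "$1")
    while IFS= read -r p; do
        [ -z "$p" ] || check_secret "$p" || rc=1
    done <<EOF
$paths
EOF
    return "$rc"
}

# Usage: sh preflight.sh config/application.properties
[ "$#" -eq 0 ] || preflight "$1"
```

The messages name the file and the reason but never print the file's contents, so the output is safe to keep in startup logs.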

Environment Variable Mapping

The canonical representation of properties uses alphanumeric characters, separated by hyphens (-) and periods (.). For example:

foo.BAR-baz=123

Environment variables commonly only support alphanumeric characters and underscores (_). To bridge this gap, Dependency-Track will use the following matching strategies, as defined by MicroProfile Config:

  1. Exact match (that is, foo.BAR-baz)
  2. Replace each character that is neither alphanumeric nor _ with _ (that is, foo_BAR_baz)
  3. Replace each character that is neither alphanumeric nor _ with _; then convert the name to upper case (that is, FOO_BAR_BAZ)

Tip

The configuration reference includes the correct environment variable names for each listed config property.

Debugging Configuration Resolution

To verify whether config values are properly resolved and from which source, enable debug logging via dt.config.log.values and dt.logging.level."io.smallrye.config" set to DEBUG.

Warning

This will not mask or omit any secrets. Do not use in production environments.