Application
Dependency-Track's configuration system is based on MicroProfile Config, enabling it to support multiple sources.
Tip
A comprehensive list of supported config properties can be found in the configuration reference.
Sources
Config properties are loaded, in order, from the following sources:
- JVM system properties
- Environment variables
- ${cwd}/.env file
- ${cwd}/config/application.properties file
- application.properties embedded in the application
Tip
${cwd} refers to the current working directory.
When running an official container image, it is /opt/owasp/dependency-track.
Once a value is found, later sources will not be checked. For example, when Dependency-Track
attempts to look up the config property foo.bar, the environment variable FOO_BAR=123 is
ignored if the JVM was launched with -Dfoo.bar=321.
Expressions
Configuration values may use expressions, indicated by ${...}, to reference each other.
This is useful to avoid redundant definition of identical values.
Loading Values From Files
Configuration values may be loaded from files using the ${file::/path/to/file} expression. This is
useful when secrets are mounted into the container as files, for example via Docker or Kubernetes
secrets.
The file is read once at startup, decoded as UTF-8, and trailing whitespace is stripped. Files larger than 64 KiB are rejected.
Environment Variable Mapping
The canonical representation of properties uses alphanumeric characters,
separated by hyphens (-) and periods (.), for example foo.BAR-baz.
Environment variables commonly only support alphanumeric characters and underscores (_).
To bridge this gap, Dependency-Track will use the following matching strategies,
as defined by MicroProfile Config:
- Exact match (that is, foo.BAR-baz)
- Replace each character that is neither alphanumeric nor _ with _ (that is, foo_BAR_baz)
- Replace each character that is neither alphanumeric nor _ with _; then convert the name to upper case (that is, FOO_BAR_BAZ)
Tip
The configuration reference includes the correct environment variable names for each listed config property.
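The lookup order from the Sources section combined with the name matching strategies above, as an added example (not Dependency-Track or MicroProfile Config code): it reports which definition of a property takes effect and which definitions are ignored because an earlier source won. The sample values are constructed, and treating file sources as exact-key lookups is an assumption.

```python
import re

def env_candidates(prop):
    """Environment variable names tried for a property, in matching order."""
    replaced = re.sub(r"[^A-Za-z0-9_]", "_", prop)
    # dict.fromkeys drops duplicates (e.g. for "FOO") while keeping the order
    return list(dict.fromkeys([prop, replaced, replaced.upper()]))

def definitions(prop, sources):
    """All (source, key, value) hits for prop, highest-priority source first."""
    hits = []
    for name, is_env, values in sources:
        # Only the environment source applies the name mapping (assumption:
        # file sources are looked up by the exact property name).
        keys = env_candidates(prop) if is_env else [prop]
        for key in keys:
            if key in values:
                hits.append((name, key, values[key]))
                break  # first matching name within one source wins
    return hits

def resolve(prop, sources):
    """The effective definition, or None if no source defines prop."""
    hits = definitions(prop, sources)
    return hits[0] if hits else None

def shadowed(prop, sources):
    """Definitions that exist but are ignored because an earlier source won."""
    return definitions(prop, sources)[1:]

# Constructed sample data, mirroring the foo.bar example from the Sources section.
SOURCES = [
    ("JVM system properties", False, {"foo.bar": "321"}),
    ("Environment variables", True,
     {"FOO_BAR": "123", "foo_BAR_baz": "a", "FOO_BAR_BAZ": "b"}),
    ("config/application.properties", False, {"foo.bar": "0", "foo.qux": "x"}),
]

if __name__ == "__main__":
    for prop in ("foo.bar", "foo.BAR-baz", "foo.qux", "foo.none"):
        print(prop, "->", resolve(prop, SOURCES), "| ignored:", shadowed(prop, SOURCES))
```

A non-empty result from shadowed() for a secret-bearing property means a credential is configured in a place that has no effect, which is worth cleaning up during rotation.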
Debugging Configuration Resolution
To verify whether config values are properly resolved and from which source, enable debug logging
via dt.config.log.values and
dt.logging.level."io.smallrye.config" set to DEBUG.
Warning
This will not mask or omit any secrets. Do not use in production environments.