Overview
Dependency-Track's configuration system is based on MicroProfile Config, enabling it to support multiple sources.
Tip
A comprehensive list of supported config properties can be found in the configuration reference.
Sources
Config properties are loaded, in order, from the following sources:
- JVM system properties
- Environment variables
- ${cwd}/.env file
- ${cwd}/config/application.properties file
- application.properties embedded in the application
Tip
${cwd} refers to the current working directory.
When running an official container image, it is /opt/owasp/dependency-track.
Once a value is found, later sources will not be checked. For example, when Dependency-Track
attempts to look up the config property foo.bar, the environment variable FOO_BAR=123 is
ignored if the JVM was launched with -Dfoo.bar=321.
Expressions
Configuration values may use expressions, indicated by ${...}, to reference each other:
This is useful to avoid redundant definition of identical values.
Environment Variable Mapping
The canonical representation of properties uses alphanumeric characters,
separated by hyphens (-) and periods (.). For example:
Environment variables commonly only support alphanumeric characters and underscores (_).
To bridge this gap, Dependency-Track will use the following matching strategies,
as defined by MicroProfile Config:
- Exact match (i.e. foo.BAR-baz)
- Replace each character that is neither alphanumeric nor _ with _ (i.e. foo_BAR_baz)
- Replace each character that is neither alphanumeric nor _ with _; then convert the name to upper case (i.e. FOO_BAR_BAZ)
Tip
The configuration reference includes the correct environment variable names for each listed config property.
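The source order and the environment variable matching strategies described above can be modelled in a short script that reports which source wins for a property and which definitions are shadowed, without printing any values. This is an added example, not Dependency-Track code; the function names and sample data are hypothetical, and it assumes that .env entries use the same name matching as environment variables and that "alphanumeric" means ASCII letters and digits.

```python
import re

def env_candidates(prop):
    """Environment variable names tried for a property, in matching order."""
    replaced = re.sub(r"[^A-Za-z0-9_]", "_", prop)  # assumes ASCII alphanumerics
    return [prop, replaced, replaced.upper()]

def env_lookup(prop, env):
    """First matching (name, value) in an env-style mapping, or None."""
    for name in env_candidates(prop):
        if name in env:
            return name, env[name]
    return None

def definitions(prop, sysprops, environ, dotenv, external, embedded):
    """Every source defining prop, in lookup order; the first entry wins."""
    found = []
    if prop in sysprops:
        found.append(("JVM system property", sysprops[prop]))
    hit = env_lookup(prop, environ)
    if hit:
        found.append((f"environment variable {hit[0]}", hit[1]))
    hit = env_lookup(prop, dotenv)  # assumption: .env uses env-style names
    if hit:
        found.append((f".env entry {hit[0]}", hit[1]))
    if prop in external:
        found.append(("config/application.properties", external[prop]))
    if prop in embedded:
        found.append(("embedded application.properties", embedded[prop]))
    return found

def report(prop, *sources):
    """Describe the winning source and any shadowed ones, without values."""
    found = definitions(prop, *sources)
    if not found:
        return f"{prop}: not set"
    shadowed = ", ".join(src for src, _ in found[1:]) or "none"
    return f"{prop}: from {found[0][0]}; shadowed: {shadowed}"

# Constructed sample inputs mirroring the foo.bar example above.
SYSPROPS = {"foo.bar": "321"}
ENVIRON = {"FOO_BAR": "123"}

if __name__ == "__main__":
    print(report("foo.bar", SYSPROPS, ENVIRON, {}, {}, {}))
```
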
Debugging
To debug whether config values are properly resolved, and from which source they are resolved,
it's possible to enable debug logging via dt.config.log.values:
Warning
This will not mask or omit any secrets. Do not use in production environments!