API key migration must account for keys that pre-date introduction of the odt_ prefix #4652

@nscuro

Description

Current Behavior

#4566 introduced a migration to the new API key format, which now includes a "public ID" segment.

The migration does not consider keys that do not match the length of prefix + key:

```java
// Length gate in the #4566 migration, as quoted in the issue (fragment from the row loop)
clearKey = rs.getString("apikey");
if (clearKey.length() != ApiKey.LEGACY_FULL_KEY_LENGTH) {
    continue;
}
```

This fails to account for API keys that were generated prior to DT v4.9.0, which is where the odt_ prefix was first introduced. Keys generated prior to that version won't match the migration logic's length check, and thus won't be migrated.

This happened in @msymons' test instance, where the first and oldest key has no public ID assigned (it shows as null), and is not marked as legacy (no yellow triangle):

Steps to Reproduce

N/A

Expected Behavior

API keys that pre-date v4.9.0 should be migrated correctly.

Dependency-Track Version

4.13.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

N/A

Database Server Version

No response

Browser

N/A
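Added illustration of the failure mode described above (not Dependency-Track's own code): a length-only gate skips keys that were created before the odt_ prefix existed, while a prefix-aware classification catches both legacy shapes. The key-body length of 32 is an assumption for the sample values, and the sample keys are constructed.

```java
import java.util.List;

public class ApiKeyMigrationCheck {

    static final String PREFIX = "odt_";            // prefix introduced in DT v4.9.0 (from the issue)
    static final int LEGACY_KEY_BODY_LENGTH = 32;   // ASSUMED length of the random part of a legacy key
    static final int LEGACY_FULL_KEY_LENGTH = PREFIX.length() + LEGACY_KEY_BODY_LENGTH;

    enum KeyShape { LEGACY_UNPREFIXED, LEGACY_PREFIXED, OTHER }

    /** Classify a stored clear-text key by shape instead of by a single expected length. */
    static KeyShape classify(String clearKey) {
        if (clearKey.startsWith(PREFIX)) {
            return clearKey.length() == LEGACY_FULL_KEY_LENGTH ? KeyShape.LEGACY_PREFIXED : KeyShape.OTHER;
        }
        // No prefix: a pre-v4.9.0 key is just the bare key body.
        return clearKey.length() == LEGACY_KEY_BODY_LENGTH ? KeyShape.LEGACY_UNPREFIXED : KeyShape.OTHER;
    }

    /** The gate as reported in the issue: only the full prefixed length is considered legacy. */
    static boolean selectedByLengthOnly(String clearKey) {
        return clearKey.length() == LEGACY_FULL_KEY_LENGTH;
    }

    /** Prefix-aware gate: both legacy shapes need migration; anything else is left untouched. */
    static boolean needsMigration(String clearKey) {
        return classify(clearKey) != KeyShape.OTHER;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real keys.
        String body = "a".repeat(LEGACY_KEY_BODY_LENGTH);
        List<String> samples = List.of(
            PREFIX + body,   // created in v4.9.0 or later, before the public-ID format
            body,            // created before v4.9.0: no prefix, so the length-only gate skips it
            body + "zz");    // some other shape (e.g. already migrated): neither gate should touch it
        for (String key : samples) {
            System.out.printf("%-18s length-only=%-5b prefix-aware=%-5b%n",
                classify(key), selectedByLengthOnly(key), needsMigration(key));
        }
    }
}
```

The second sample is the case from the report: it is never selected by the length-only gate, so it keeps a null public ID and is not flagged as legacy in the UI.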

Labels: defect (Something isn't working), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)
