Closed
Labels: defect (Something isn't working), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)
Description
Current Behavior
The following exception is triggered for a massive request with more than 2100 parameters:
2025-07-02 12:15:57,986 ERROR [GlobalExceptionHandler] Uncaught internal server error [principal=webmaster@localhost, requestUri=/v1/finding/project/{uuid}, requestId=3bbcb89e-9ba1-4c19-856c-f72703931d6e, requestMethod=GET]
javax.jdo.JDODataStoreException: Error executing SQL query "SELECT -913446514 , "GHSA_ID" , "INTERNAL_ID" , "CVE_ID" , "SONATYPE_ID" , "OSV_ID" , "SNYK_ID" , "VULNDB_ID" FROM "VULNERABILITYALIAS" WHERE "CVE_ID" = ? UNION ALL SELECT -918066878 , "GHSA_ID" , "INTERNAL_ID" , "CVE_ID" , "SONATYPE_ID" , "OSV_ID" , "SNYK_ID" , "VULNDB_ID" FROM "VULNERABILITYALIAS" WHERE "CVE_ID" = ? UNION ALL SELECT -945772632 , "GHSA_ID" , "INTERNAL_ID" , "CVE_ID" , "SONATYPE_ID" , "OSV_ID" , "SNYK_ID" , "VULNDB_ID" FROM "VULNERABILITYALIAS" WHERE "CVE_ID" = ? UNION ALL SELECT -944846941 , "GHSA_ID" , "INTERNAL_ID" , "CVE_ID" , "SONATYPE_ID" , "OSV_ID" , "SNYK_ID" , "VULNDB_ID" FROM "VULNERABILITYALIAS" WHERE "CVE_ID" = ? UNION ALL SELECT -973535767 , "GHSA_ID" , "INTERNAL_ID" , "CVE_ID" , "SONATYPE_ID" , "OSV_ID" , "SNYK_ID" , "VULNDB_ID" FROM "VULNERABILITYALIAS" WHERE "CVE_ID" = ? UNION ALL SELECT -973503000 , "GHSA_ID" , "INTERNAL_ID" , "CVE_ID" , "SONATYPE_ID" , "OSV_ID" , "SNYK_ID" , "VULNDB_ID" FROM [720464 bytes more repeating the same pattern]".
at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:608)
at org.datanucleus.api.jdo.JDOQuery.executeInternal(JDOQuery.java:456)
at org.datanucleus.api.jdo.JDOQuery.executeList(JDOQuery.java:345)
at alpine.persistence.AbstractAlpineQueryManager.executeAndCloseList(AbstractAlpineQueryManager.java:666)
at org.dependencytrack.persistence.VulnerabilityQueryManager.getVulnerabilityAliases(VulnerabilityQueryManager.java:746)
at org.dependencytrack.persistence.QueryManager.getVulnerabilityAliases(QueryManager.java:1093)
at org.dependencytrack.persistence.FindingsQueryManager.getFindings(FindingsQueryManager.java:295)
at org.dependencytrack.persistence.QueryManager.getFindings(QueryManager.java:1127)
at org.dependencytrack.resources.v1.FindingResource.getFindingsByProject(FindingResource.java:126)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:274)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:266)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:253)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:696)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:397)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:349)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:312)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1379)
at org.eclipse.jetty.ee10.servlet.ServletHolder.handle(ServletHolder.java:736)
at org.eclipse.jetty.ee10.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1621)
at alpine.server.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:225)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1593)
at alpine.server.filters.ClickjackingFilter.doFilter(ClickjackingFilter.java:93)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:205)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1593)
at alpine.server.filters.WhitelistUrlFilter.doFilter(WhitelistUrlFilter.java:166)
at org.eclipse.jetty.ee10.servlet.FilterHolder.doFilter(FilterHolder.java:208)
at org.eclipse.jetty.ee10.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1593)
at org.eclipse.jetty.ee10.servlet.ServletHandler$MappedServlet.handle(ServletHandler.java:1554)
at org.eclipse.jetty.ee10.servlet.ServletChannel.dispatch(ServletChannel.java:819)
at org.eclipse.jetty.ee10.servlet.ServletChannel.handle(ServletChannel.java:436)
at org.eclipse.jetty.ee10.servlet.ServletHandler.handle(ServletHandler.java:469)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575)
at org.eclipse.jetty.ee10.servlet.SessionHandler.handle(SessionHandler.java:717)
at org.eclipse.jetty.server.handler.ContextHandler.handle(ContextHandler.java:1064)
at org.eclipse.jetty.server.Server.handle(Server.java:182)
at org.eclipse.jetty.server.internal.HttpChannelState$HandlerInvoker.run(HttpChannelState.java:662)
at org.eclipse.jetty.server.internal.HttpConnection.onFillable(HttpConnection.java:416)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:322)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:99)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:480)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:443)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:293)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:201)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:311)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:979)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1209)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1164)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The incoming request has too many parameters. The server supports a maximum of 2100 parameters. Reduce the number of parameters and resend the request.
at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:276)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.getNextResult(SQLServerStatement.java:1787)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.doExecutePreparedStatement(SQLServerPreparedStatement.java:688)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement$PrepStmtExecCmd.doExecute(SQLServerPreparedStatement.java:607)
at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7745)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:4700)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeCommand(SQLServerStatement.java:321)
at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeStatement(SQLServerStatement.java:253)
at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.executeQuery(SQLServerPreparedStatement.java:521)
at com.zaxxer.hikari.pool.ProxyPreparedStatement.executeQuery(ProxyPreparedStatement.java:52)
at com.zaxxer.hikari.pool.HikariProxyPreparedStatement.executeQuery(HikariProxyPreparedStatement.java)
at org.datanucleus.store.rdbms.SQLController.executeStatementQuery(SQLController.java:586)
at org.datanucleus.store.rdbms.query.SQLQuery.performExecute(SQLQuery.java:669)
at org.datanucleus.store.query.Query.executeQuery(Query.java:2004)
at org.datanucleus.store.rdbms.query.SQLQuery.executeWithMap(SQLQuery.java:840)
at org.datanucleus.api.jdo.JDOQuery.executeInternal(JDOQuery.java:437)
... 65 common frames omitted
Steps to Reproduce
- In a Project, create a component with CPE set to cpe:2.3:*:*:linux_kernel:5.10:*:*:*:*:*:*:*.
- Wait for completion of vulnerability analysis; more than 3000 vulnerabilities should be reported.
- Try to export the vulnerability list; a red toast Server Error (500) is displayed:
  - Option 1: Components > Download BOM > Inventory with Vulnerabilities.
  - Option 2: Audit Vulnerabilities > Export VEX.
  - Option 3: Audit Vulnerabilities > Export VDR.
Expected Behavior
Vulnerabilities are exported.
Dependency-Track Version
4.13.2
Dependency-Track Distribution
Container Image
Database Server
Microsoft SQL Server
Database Server Version
No response
Browser
Microsoft Edge
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
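
Added example (not part of the original report and not Dependency-Track's own code): one way to keep an alias lookup like the one in the log under SQL Server's 2100-parameter limit is to split the ID list into batches and bind each batch to its own prepared statement. The class name, the batch size of 2000 and the use of an `IN` list instead of per-ID `UNION ALL` branches are assumptions; the table and column names are taken from the failing query above.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.stream.IntStream;

/** Hypothetical helper: builds alias lookups that stay under the SQL Server parameter cap. */
public class AliasQueryBatcher {
    // Limit quoted in the SQLServerException message in the report.
    static final int SQLSERVER_MAX_PARAMS = 2100;
    // Assumed batch size, kept below the limit to leave a margin.
    static final int BATCH_SIZE = 2000;
    // Columns as they appear in the failing query in the log.
    static final String COLUMNS = "\"GHSA_ID\", \"INTERNAL_ID\", \"CVE_ID\", "
        + "\"SONATYPE_ID\", \"OSV_ID\", \"SNYK_ID\", \"VULNDB_ID\"";

    /** One statement text plus the values to bind to its placeholders, in order. */
    record Batch(String sql, List<String> params) {}

    static List<Batch> buildBatches(List<String> cveIds, int batchSize) {
        if (batchSize < 1 || batchSize >= SQLSERVER_MAX_PARAMS) {
            throw new IllegalArgumentException("batchSize must be below " + SQLSERVER_MAX_PARAMS);
        }
        List<Batch> batches = new ArrayList<>();
        for (int from = 0; from < cveIds.size(); from += batchSize) {
            List<String> chunk = cveIds.subList(from, Math.min(from + batchSize, cveIds.size()));
            // Only "?" placeholders go into the SQL text; the IDs stay bound parameters.
            String placeholders = String.join(", ", Collections.nCopies(chunk.size(), "?"));
            String sql = "SELECT " + COLUMNS + " FROM \"VULNERABILITYALIAS\""
                + " WHERE \"CVE_ID\" IN (" + placeholders + ")";
            batches.add(new Batch(sql, List.copyOf(chunk)));
        }
        return batches;
    }

    public static void main(String[] args) {
        // Constructed sample input: 3000 synthetic IDs, the scale described in the report.
        List<String> ids = IntStream.rangeClosed(1, 3000)
            .mapToObj(i -> String.format("CVE-0000-%04d", i))
            .toList();
        for (Batch b : buildBatches(ids, BATCH_SIZE)) {
            System.out.println(b.params().size() + " parameters, SQL length " + b.sql().length());
        }
    }
}
```

With the constructed 3000-ID input this yields two statements of 2000 and 1000 parameters; a caller would execute each as a prepared statement and merge the result rows.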