Merge branch 'DependencyTrack:master' into fix/unauthorized-access-to…

…-projects
DependencyTrack · Oct 1, 2024 · a3e9d56 · a3e9d56
2 parents c6ae757 + 82d9c84
commit a3e9d56
Show file tree

Hide file tree

Showing 17 changed files with 610 additions and 187 deletions.
diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
@@ -28,10 +28,10 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout Repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v4.2.0
 
  - name: Set up JDK
- uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # tag=v4.3.0
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # tag=v4.4.0
  with:
  distribution: 'temurin'
  java-version: '21'
@@ -78,7 +78,7 @@ jobs:
 
  steps:
  - name: Checkout Repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v4.2.0
 
  - name: Download Artifacts
  uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # tag=v4.1.8
@@ -121,7 +121,7 @@ jobs:
  echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
  - name: Build multi-arch Container Image
- uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # tag=v6.7.0
+ uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # tag=v6.8.0
  with:
  tags: ${{ steps.tags.outputs.tags }}
  build-args: |-
@@ -145,6 +145,6 @@ jobs:
 
  - name: Upload Trivy Scan Results to GitHub Security Tab
  if: ${{ inputs.publish-container }}
- uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # tag=v3.26.8
+ uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # tag=v3.26.9
  with:
  sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
@@ -23,7 +23,7 @@ jobs:
  exit 1
  fi
  - name: Checkout Repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v4.2.0
 
  - name: Parse Version from POM
  id: parse
@@ -52,7 +52,7 @@ jobs:
  - call-build
  steps:
  - name: Checkout Repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v4.2.0
 
  - name: Download Artifacts
  uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # tag=v4.1.8

diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
@@ -20,7 +20,7 @@ jobs:
  release-branch: ${{ steps.variables.outputs.release-branch }}
  steps:
  - name: Checkout Repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v4.2.0
 
  - name: Setup Environment
  id: variables
@@ -51,10 +51,10 @@ jobs:
 
  steps:
  - name: Checkout Repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v4.2.0
 
  - name: Set up JDK
- uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # tag=v4.3.0
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # tag=v4.4.0
  with:
  distribution: 'temurin'
  java-version: '21'
@@ -118,7 +118,7 @@ jobs:
 
  steps:
  - name: Checkout Repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v4.2.0
  with:
  ref: ${{ needs.prepare-release.outputs.release-branch }}
 

diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
@@ -33,10 +33,10 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v4.2.0
 
  - name: Set up JDK
- uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # tag=v4.3.0
+ uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # tag=v4.4.0
  with:
  distribution: 'temurin'
  java-version: '21'

diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -9,7 +9,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout Repository
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # tag=v4.2.0
 
  - name: Dependency Review
  uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # tag=v4.3.4
diff --git a/docs/_docs/best-practices.md b/docs/_docs/best-practices.md
@@ -12,7 +12,7 @@ how effective the system will be when performing component risk analysis.
 ### Generating and Obtaining BOMs
 * When developing software, generate BOMs during Continuous Integration (CI)
 * If using Jenkins, use the [Dependency-Track Jenkins Plugin](https://plugins.jenkins.io/dependency-track/) with synchronous publishing mode enabled
-* Contractually require BOMs ([CycloneDX](https://cyclonedx.org) from vendors
+* Contractually require BOMs ([CycloneDX](https://cyclonedx.org)) from vendors
 * Generate or acquire BOMs from commercial-off-the-shelf (COTS) software
 
 #### Summary

diff --git a/pom.xml b/pom.xml
@@ -108,14 +108,14 @@
  <lib.lucene.version>8.11.4</lib.lucene.version>
  <lib.maven-artifact.version>3.9.9</lib.maven-artifact.version>
  <lib.mockserver-netty.version>5.15.0</lib.mockserver-netty.version>
- <lib.open-vulnerability-clients.version>6.2.0</lib.open-vulnerability-clients.version>
+ <lib.open-vulnerability-clients.version>7.0.0</lib.open-vulnerability-clients.version>
  <lib.packageurl.version>1.5.0</lib.packageurl.version>
  <lib.pebble.version>3.2.2</lib.pebble.version>
  <lib.protobuf-java.version>4.28.2</lib.protobuf-java.version>
  <lib.resilience4j.version>2.2.0</lib.resilience4j.version>
  <lib.swagger-parser.version>2.1.22</lib.swagger-parser.version>
  <lib.system-rules.version>1.19.0</lib.system-rules.version>
- <lib.testcontainers.version>1.20.1</lib.testcontainers.version>
+ <lib.testcontainers.version>1.20.2</lib.testcontainers.version>
  <lib.wiremock.version>2.35.2</lib.wiremock.version>
  <lib.woodstox.version>7.0.0</lib.woodstox.version>
  <lib.junit-params.version>1.1.1</lib.junit-params.version>

diff --git a/src/main/docker/Dockerfile b/src/main/docker/Dockerfile
@@ -1,6 +1,6 @@
 FROM eclipse-temurin:21.0.4_7-jre-jammy@sha256:870aae69d4521fdaf26e952f8026f75b37cb721e6302d4d4d7100f6b09823057 AS jre-build
 
-FROM debian:stable-slim@sha256:a75706ac1838d761d95fe2690858392588310abcab67876a0c330252f1073373
+FROM debian:stable-slim@sha256:939e69ef5aa4dc178893a718ea567f1ca390df60793fd08c0bc7008362f72a57
 
 # Arguments that can be passed at build time
 # Directory names must end with / to avoid errors when ADDing and COPYing

diff --git a/src/main/java/org/dependencytrack/model/DependencyMetrics.java b/src/main/java/org/dependencytrack/model/DependencyMetrics.java
@@ -53,11 +53,13 @@ public class DependencyMetrics implements Serializable {
  @Persistent
  @Column(name = "PROJECT_ID", allowsNull = "false")
  @NotNull
+ @JsonIgnore
  private Project project;
 
  @Persistent
  @Column(name = "COMPONENT_ID", allowsNull = "false")
  @NotNull
+ @JsonIgnore
  private Component component;
 
  @Persistent

diff --git a/src/main/java/org/dependencytrack/model/ProjectMetrics.java b/src/main/java/org/dependencytrack/model/ProjectMetrics.java
@@ -51,7 +51,7 @@ public class ProjectMetrics implements Serializable {
 
  @Persistent
  @Column(name = "PROJECT_ID", allowsNull = "false")
- @Schema(requiredMode = Schema.RequiredMode.REQUIRED)
+ @JsonIgnore
  private Project project;
 
  @Persistent