Merge branch 'master' into master-global-audit-view-policy-violations

Signed-off-by: rbt-mm <113189967+rbt-mm@users.noreply.github.com>
DependencyTrack · Sep 17, 2024 · ebfb388 · ebfb388
2 parents 4064faf + ab9d19d
commit ebfb388
Show file tree

Hide file tree

Showing 1,474 changed files with 44,973 additions and 11,147 deletions.
diff --git a/.checkstyle-header b/.checkstyle-header
@@ -14,5 +14,5 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
diff --git a/.github/ISSUE_TEMPLATE/adopt-dependency-track.yaml b/.github/ISSUE_TEMPLATE/adopt-dependency-track.yaml
@@ -0,0 +1,65 @@
+name: Adopt Dependency Track
+description: Let the community know you have adopted Dependency Track.
+title: organization_name has adopted Dependency Track
+labels: "adopt-dependency-track"
+assignees: []
+body:
+ - type: markdown
+ attributes:
+ value: |
+ Thank you for supporting the Dependency track project. Adding your organization to the list of adopters raises awareness for the project and is more help than you think!
+
+ Check the current list of adopters:
+ https://github.com/DependencyTrack/dependency-track/blob/master/ADOPTERS.md
+ - type: input
+ id: org-name
+ attributes:
+ label: Organization Name
+ description: Name of the organization.
+ placeholder: ex. OWASP, Inc.
+ validations:
+ required: false
+ - type: input
+ id: org-url
+ attributes:
+ label: Organization Website
+ description: Provide a link to the organization website.
+ placeholder: ex. https://dependencytrack.org/
+ validations:
+ required: false
+ - type: input
+ id: org-logo
+ attributes:
+ label: Organization Logo (optional)
+ description: Provide a link to the organization logo.
+ placeholder: ex. https://avatars.githubusercontent.com/u/40258585?s=200&v=4
+ validations:
+ required: false
+ - type: textarea
+ id: dependency-track-use-case
+ attributes:
+ label: How is your organization using Dependency Track?
+ description: 2 or 3 sentences about how your organization has incorporated Dependency Track.
+ placeholder: We secure all the things!
+ validations:
+ required: false
+ - type: input
+ id: source-code
+ attributes:
+ label: Source Code Link (optional)
+ description: Is your use case open source? Provide a link.
+ placeholder: ex. https://github.com/DependencyTrack/dependency-track
+ validations:
+ required: false
+ - type: textarea
+ id: content-links
+ attributes:
+ label: Want to link blogs or videos? Share them here.
+ description: Please copy and paste links to content that shows how you're using Dependency Track.
+ - type: checkboxes
+ id: existing-entry
+ attributes:
+ label: Update entry
+ options:
+ - label: Check this box if you want to update an existing entry.
+ required: false
diff --git a/.github/ISSUE_TEMPLATE/defect-report.yml b/.github/ISSUE_TEMPLATE/defect-report.yml
@@ -63,9 +63,16 @@ body:
  - 4.7.x
  - 4.8.x
  - 4.9.x
- - 4.10.0
- - 4.10.1
- - 4.11.0-SNAPSHOT
+ - 4.10.x
+ - 4.11.0
+ - 4.11.1
+ - 4.11.2
+ - 4.11.3
+ - 4.11.4
+ - 4.11.5
+ - 4.11.6
+ - 4.11.7
+ - 4.12.0-SNAPSHOT
  validations:
  required: true
 - type: dropdown

diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
@@ -11,6 +11,10 @@ on:
  required: false
  default: false
  description: "publish and scan the container image once its built"
+ ref-name:
+ type: string
+ required: true
+ description: "Short ref name of the branch or tag that triggered the workflow run"
  secrets:
  registry-0-usr:
  required: true
@@ -24,34 +28,34 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
 
  - name: Set up JDK
- uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # tag=v4.1.0
+ uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # tag=v4.3.0
  with:
  distribution: 'temurin'
- java-version: '17'
+ java-version: '21'
  cache: 'maven'
 
  - name: Setup CycloneDX CLI
  run: |
  mkdir -p "$HOME/.local/bin"
  echo "$HOME/.local/bin" >> $GITHUB_PATH
- wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
- echo "ef0d3b31d176e02bc594f83e19cfcea053c6bc5b197351f71696e189390f851d $HOME/.local/bin/cyclonedx" | sha256sum -c
+ wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.26.0/cyclonedx-linux-x64
+ echo "207c82fbbaed96642a033a4da1c20eb4c6d4b53acccf37619c8d4183803ccbf4 $HOME/.local/bin/cyclonedx" | sha256sum -c
  chmod +x "$HOME/.local/bin/cyclonedx"
 
  - name: Build with Maven
  run: |-
- mvn clean
- mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
- mvn clean -P clean-exclude-wars
- mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -P bundle-ui -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
- mvn clean -P clean-exclude-wars
- mvn cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
+ mvn -B --no-transfer-progress clean
+ mvn -B --no-transfer-progress package -Dmaven.test.skip=true -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
+ mvn -B --no-transfer-progress clean -P clean-exclude-wars
+ mvn -B --no-transfer-progress package -Dmaven.test.skip=true -P enhance -P embedded-jetty -P bundle-ui -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
+ mvn -B --no-transfer-progress clean -P clean-exclude-wars
+ mvn -B --no-transfer-progress cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
 
  - name: Upload Artifacts
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # tag=v4.4.0
  with:
  name: assembled-wars
  path: |-
@@ -74,25 +78,25 @@ jobs:
 
  steps:
  - name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
 
  - name: Download Artifacts
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # tag=v4.1.4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # tag=v4.1.8
  with:
  name: assembled-wars
  path: target
 
  - name: Set up QEMU
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v3.0.0
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # tag=v3.2.0
 
  - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # tag=v3.1.0
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # tag=v3.6.1
  id: buildx
  with:
  install: true
 
  - name: Login to Docker.io
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # tag=v3.0.0
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # tag=v3.3.0
  if: ${{ inputs.publish-container }}
  with:
  registry: docker.io
@@ -102,14 +106,22 @@ jobs:
  - name: Set Container Tags
  id: tags
  run: |-
- TAGS="docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}"
- if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
- TAGS="${TAGS},docker.io/dependencytrack/${{ matrix.distribution }}:latest"
+ IMAGE_NAME="docker.io/dependencytrack/${{ matrix.distribution }}"
+ REF_NAME="${{ inputs.ref-name }}"
+ TAGS=""
+ 
+ if [[ $REF_NAME == feature-* ]]; then
+ TAGS="${IMAGE_NAME}:${REF_NAME,,}"
+ else
+ TAGS="${IMAGE_NAME}:${{ inputs.app-version }}"
+ if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
+ TAGS="${TAGS},${IMAGE_NAME}:latest"
+ fi
  fi
  echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
  - name: Build multi-arch Container Image
- uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # tag=v5.2.0
+ uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # tag=v6.7.0
  with:
  tags: ${{ steps.tags.outputs.tags }}
  build-args: |-
@@ -123,7 +135,7 @@ jobs:
 
  - name: Run Trivy Vulnerability Scanner
  if: ${{ inputs.publish-container }}
- uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # tag=0.18.0
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # tag=0.24.0
  with:
  image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
  format: 'sarif'
@@ -133,6 +145,6 @@ jobs:
 
  - name: Upload Trivy Scan Results to GitHub Security Tab
  if: ${{ inputs.publish-container }}
- uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # tag=v3.24.6
+ uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # tag=v3.26.7
  with:
  sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -4,13 +4,15 @@ on:
  push:
  branches:
  - 'master' # Default branch
+ - 'feature-**' # Feature branches
  - '[0-9]+.[0-9]+.x' # Release branches
  paths-ignore:
  - '**/*.md'
  - 'docs/**'
  pull_request:
  branches:
  - 'master' # Default branch
+ - 'feature-**' # Feature branches
  paths-ignore:
  - '**/*.md'
  - 'docs/**'
@@ -23,7 +25,8 @@ jobs:
  uses: ./.github/workflows/_meta-build.yaml
  with:
  app-version: "snapshot"
- publish-container: ${{ github.ref == 'refs/heads/master' }}
+ publish-container: ${{ github.ref_name == 'master' || startsWith(github.ref_name, 'feature-') }}
+ ref-name: ${{ github.ref_name }}
  permissions:
  security-events: write # Required to upload trivy's SARIF output
  secrets:

diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
@@ -23,7 +23,7 @@ jobs:
  exit 1
  fi
  - name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
 
  - name: Parse Version from POM
  id: parse
@@ -38,6 +38,7 @@ jobs:
  with:
  app-version: ${{ needs.read-version.outputs.version }}
  publish-container: true
+ ref-name: ${{ github.ref_name }}
  permissions:
  security-events: write # Required to upload trivy's SARIF output
  secrets:
@@ -51,10 +52,10 @@ jobs:
  - call-build
  steps:
  - name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
 
  - name: Download Artifacts
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # tag=v4.1.4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # tag=v4.1.8
  with:
  name: assembled-wars
  path: target

diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
@@ -20,7 +20,7 @@ jobs:
  release-branch: ${{ steps.variables.outputs.release-branch }}
  steps:
  - name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
 
  - name: Setup Environment
  id: variables
@@ -51,17 +51,17 @@ jobs:
 
  steps:
  - name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
 
  - name: Set up JDK
- uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # tag=v4.1.0
+ uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # tag=v4.3.0
  with:
  distribution: 'temurin'
- java-version: '17'
+ java-version: '21'
  cache: 'maven'
 
  - name: Set Version
- run: mvn versions:set -DnewVersion=${VERSION}
+ run: mvn -B --no-transfer-progress versions:set -DnewVersion=${VERSION}
 
  - name: Commit Version
  env:
@@ -118,12 +118,12 @@ jobs:
 
  steps:
  - name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
  with:
  ref: ${{ needs.prepare-release.outputs.release-branch }}
 
  - name: Set SNAPSHOT Version after Release
- run: mvn versions:set -DnewVersion=${NEXT_VERSION}
+ run: mvn -B --no-transfer-progress versions:set -DnewVersion=${NEXT_VERSION}
 
  - name: Commit SNAPSHOT Version
  env:

diff --git a/.github/workflows/ci-test-pr-coverage.yml b/.github/workflows/ci-test-pr-coverage.yml
@@ -18,7 +18,7 @@ jobs:
  && github.event.workflow_run.conclusion == 'success'
  steps:
  - name: Download PR test coverage report
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # tag=v4.1.4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # tag=v4.1.8
  with:
  name: pr-test-coverage-report
  github-token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
@@ -4,13 +4,15 @@ on:
  push:
  branches:
  - 'master' # Default branch
+ - 'feature-**' # Feature branches
  - '[0-9]+.[0-9]+.x' # Release branches
  paths-ignore:
  - '**/*.md'
  - 'docs/**'
  pull_request:
  branches:
  - 'master' # Default branch
+ - 'feature-**' # Feature branches
  - '[0-9]+.[0-9]+.x' # Release branches
  paths-ignore:
  - '**/*.md'
@@ -31,19 +33,19 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
 
  - name: Set up JDK
- uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # tag=v4.1.0
+ uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # tag=v4.3.0
  with:
  distribution: 'temurin'
- java-version: '17'
+ java-version: '21'
  cache: 'maven'
 
  - name: Execute unit tests
  run: |-
- mvn clean
- mvn test -P enhance
+ mvn -B --no-transfer-progress clean
+ mvn -B --no-transfer-progress test -P enhance
 
  # Publishing coverage to Codacy is only possible for builds of push events.
  # PRs from forks do not get access to repository secrets.
@@ -64,7 +66,7 @@ jobs:
 
  - name: Upload PR test coverage report
  if: ${{ github.event_name == 'pull_request' }}
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # tag=v4.4.0
  with:
  name: pr-test-coverage-report
  path: |-

diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -9,7 +9,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
 
  - name: Dependency Review
- uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # tag=v4.1.3
+ uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # tag=v4.3.4