"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -161,7 +161,8 @@ public Response exportProjectAsCycloneDx (
@Produces(CycloneDxMediaType.APPLICATION_CYCLONEDX_XML)
@ApiOperation(
value = "Returns dependency metadata for a specific component in CycloneDX format",
- response = String.class
+ response = String.class,
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -207,14 +208,20 @@ public Response exportComponentAsCycloneDx (
@ApiOperation(
value = "Upload a supported bill of material format document",
notes = """
- Expects CycloneDX and a valid project UUID. If a UUID is not specified, \
- then the projectName and projectVersion must be specified. \
- Optionally, if autoCreate is specified and 'true' and the project does not exist, \
- the project will be created. In this scenario, the principal making the request will \
- additionally need the PORTFOLIO_MANAGEMENT or PROJECT_CREATION_UPLOAD permission.
- The BOM will be validated against the CycloneDX schema. If schema validation fails, \
- a response with problem details in RFC 9457 format will be returned. In this case, \
- the response's content type will be application/problem+json.""",
+
+ Expects CycloneDX and a valid project UUID. If a UUID is not specified,
+ then the projectName and projectVersion must be specified.
+ Optionally, if autoCreate is specified and true and the project does not exist,
+ the project will be created. In this scenario, the principal making the request will
+ additionally need the PORTFOLIO_MANAGEMENT or
+ PROJECT_CREATION_UPLOAD permission.
+
+
+ The BOM will be validated against the CycloneDX schema. If schema validation fails,
+ a response with problem details in RFC 9457 format will be returned. In this case,
+ the response's content type will be application/problem+json.
+
+
Requires permission BOM_UPLOAD
""",
response = BomUploadResponse.class,
nickname = "UploadBomBase64Encoded"
)
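Review bot: dropping the trailing `\` continuations changes what the generated description contains. In the removed block the `\` joined each wrapped line into one paragraph; the new block keeps a hard newline after "If a UUID is not specified," and every other wrapped line. That is harmless if the UI renders `notes` as Markdown (single newlines collapse), but shows as literal line breaks otherwise. Check the rendered output, or keep `\` inside each paragraph and use the blank lines only as paragraph separators.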
@@ -225,7 +232,7 @@ public Response exportComponentAsCycloneDx (
@ApiResponse(code = 404, message = "The project could not be found")
})
@PermissionRequired(Permissions.Constants.BOM_UPLOAD)
- public Response uploadBom(BomSubmitRequest request) {
+ public Response uploadBom(@ApiParam(required = true) BomSubmitRequest request) {
final Validator validator = getValidator();
if (request.getProject() != null) { // behavior in v3.0.0
failOnValidationError(
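Review bot: `@ApiParam(required = true)` on `request` only marks the body as required in the generated documentation; it does not reject a missing or empty body at runtime. The `getValidator()` / `failOnValidationError` path on the following lines therefore remains the actual enforcement and should stay, ideally backed by a test that posts an empty body and expects a 400 rather than a server error.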
@@ -286,14 +293,20 @@ public Response uploadBom(BomSubmitRequest request) {
@ApiOperation(
value = "Upload a supported bill of material format document",
notes = """
- Expects CycloneDX and a valid project UUID. If a UUID is not specified, \
- then the projectName and projectVersion must be specified. \
- Optionally, if autoCreate is specified and 'true' and the project does not exist, \
- the project will be created. In this scenario, the principal making the request will \
- additionally need the PORTFOLIO_MANAGEMENT or PROJECT_CREATION_UPLOAD permission.
- The BOM will be validated against the CycloneDX schema. If schema validation fails, \
- a response with problem details in RFC 9457 format will be returned. In this case, \
- the response's content type will be application/problem+json.""",
+
+ Expects CycloneDX and a valid project UUID. If a UUID is not specified,
+ then the projectName and projectVersion must be specified.
+ Optionally, if autoCreate is specified and true and the project does not exist,
+ the project will be created. In this scenario, the principal making the request will
+ additionally need the PORTFOLIO_MANAGEMENT or
+ PROJECT_CREATION_UPLOAD permission.
+
+
+ The BOM will be validated against the CycloneDX schema. If schema validation fails,
+ a response with problem details in RFC 9457 format will be returned. In this case,
+ the response's content type will be application/problem+json.
+
+
Requires permission BOM_UPLOAD
""",
response = BomUploadResponse.class,
nickname = "UploadBom"
)
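Review bot: this `notes` block is identical, line for line, to the one on the `UploadBomBase64Encoded` operation above. Extract it into a `private static final String` (annotation attributes accept compile-time constants) and reference it from both `@ApiOperation` annotations, so that a later change to the permission text cannot leave the two upload operations documenting different requirements.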
@@ -311,9 +324,7 @@ public Response uploadBom(@FormDataParam("project") String projectUuid,
@FormDataParam("parentName") String parentName,
@FormDataParam("parentVersion") String parentVersion,
@FormDataParam("parentUUID") String parentUUID,
- final FormDataMultiPart multiPart) {
-
- final List artifactParts = multiPart.getFields("bom");
+ @ApiParam(type = "string") @FormDataParam("bom") final List artifactParts) {
if (projectUuid != null) { // behavior in v3.0.0
try (QueryManager qm = new QueryManager()) {
final Project project = qm.getObjectByUuid(Project.class, projectUuid);
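Review bot: replacing `multiPart.getFields("bom")` with an injected `@FormDataParam("bom") List artifactParts` changes how a request without a `bom` part arrives in the method; previously the method itself inspected the return value of `getFields`. Confirm that the null/empty handling of `artifactParts` further down still covers the missing-part case, and that `@ApiParam(type = "string")` produces the intended file-upload field in the generated spec rather than a plain string parameter.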
@@ -358,7 +369,24 @@ public Response uploadBom(@FormDataParam("project") String projectUuid,
@GET
@Path("/token/{uuid}")
@Produces(MediaType.APPLICATION_JSON)
- @ApiOperation(value = "Determines if there are any tasks associated with the token that are being processed, or in the queue to be processed.", notes = "Deprecated. Use /v1/event/token/{uuid} instead.", response = IsTokenBeingProcessedResponse.class)
+ @ApiOperation(
+ value = "Determines if there are any tasks associated with the token that are being processed, or in the queue to be processed.",
+ notes = """
+
+ This endpoint is intended to be used in conjunction with uploading a supported BOM document.
+ Upon upload, a token will be returned. The token can then be queried using this endpoint to
+ determine if any tasks (such as vulnerability analysis) is being performed on the BOM:
+
+
A value of true indicates processing is occurring.
+
A value of false indicates that no processing is occurring for the specified token.
+
+ However, a value of false also does not confirm the token is valid,
+ only that no processing is associated with the specified token.
+
+
Requires permission BOM_UPLOAD
+
Deprecated. Use /v1/event/token/{uuid} instead.
""",
+ response = IsTokenBeingProcessedResponse.class
+ )
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
})
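Review bot: "Deprecated. Use /v1/event/token/{uuid} instead." is now free text only. If the method is not already annotated with `@Deprecated`, add it so the generated spec carries the deprecated flag and clients can detect it programmatically instead of parsing the description. Wording nit in the same hunk: "determine if any tasks (such as vulnerability analysis) is being performed" should read "are being performed".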
diff --git a/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java b/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java
index 1a92757b79..599f241914 100644
--- a/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java
@@ -45,6 +45,7 @@
import org.dependencytrack.model.RepositoryType;
import org.dependencytrack.persistence.QueryManager;
import org.dependencytrack.util.InternalComponentIdentificationUtil;
+
import javax.validation.Validator;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
@@ -78,7 +79,8 @@ public class ComponentResource extends AlpineResource {
value = "Returns a list of all components for a given project",
response = Component.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of components")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of components"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -113,7 +115,8 @@ public Response getAllComponents(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns a specific component",
- response = Component.class
+ response = Component.class,
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -155,7 +158,8 @@ public Response getComponentByUuid(
@ApiOperation(
value = "Returns a list of components that have the specified component identity. This resource accepts coordinates (group, name, version) or purl, cpe, or swidTagId",
responseContainer = "List",
- response = Component.class
+ response = Component.class,
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -213,7 +217,8 @@ public Response getComponentByIdentity(@ApiParam(value = "The group of the compo
@ApiOperation(
value = "Returns a list of components that have the specified hash value",
responseContainer = "List",
- response = Component.class
+ response = Component.class,
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -235,7 +240,8 @@ public Response getComponentByHash(
@ApiOperation(
value = "Creates a new component",
response = Component.class,
- code = 201
+ code = 201,
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
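Review bot: the `notes` value added to "Creates a new component" is empty (`notes = "` followed by `"`), unlike every other operation in this file, which states its permission. A create operation is exactly where an API consumer needs the required permission spelled out; fill in the permission that `@PermissionRequired` enforces on this method, or drop the attribute rather than emitting an empty description.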
diff --git a/src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java b/src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
index 72dd3bfa2c..a42b5fb7d5 100644
--- a/src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/DependencyGraphResource.java
@@ -70,7 +70,8 @@ public class DependencyGraphResource extends AlpineResource {
@ApiOperation(
value = "Returns a list of specific components and services from project UUID",
response = DependencyGraphResponse.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -108,7 +109,8 @@ public Response getComponentsAndServicesByProjectUuid(final @PathParam("uuid") S
@ApiOperation(
value = "Returns a list of specific components and services from component UUID",
response = DependencyGraphResponse.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
diff --git a/src/main/java/org/dependencytrack/resources/v1/EventResource.java b/src/main/java/org/dependencytrack/resources/v1/EventResource.java
index 4c3cb4e1d8..9da4e56da0 100644
--- a/src/main/java/org/dependencytrack/resources/v1/EventResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/EventResource.java
@@ -22,10 +22,10 @@
import alpine.server.resources.AlpineResource;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
-import io.swagger.annotations.ApiResponses;
-import io.swagger.annotations.Authorization;
import io.swagger.annotations.ApiParam;
import io.swagger.annotations.ApiResponse;
+import io.swagger.annotations.ApiResponses;
+import io.swagger.annotations.Authorization;
import org.dependencytrack.resources.v1.vo.IsTokenBeingProcessedResponse;
import javax.ws.rs.GET;
@@ -49,12 +49,21 @@ public class EventResource extends AlpineResource {
@GET
@Path("/token/{uuid}")
@Produces(MediaType.APPLICATION_JSON)
- @ApiOperation(value = "Determines if there are any tasks associated with the token that are being processed, or in the queue to be processed.",
- notes = "This endpoint is intended to be used in conjunction with other API calls which return a token for asynchronous tasks. " +
- "The token can then be queried using this endpoint to determine if the task is complete. " +
- "A value of true indicates processing is occurring. A value of false indicates that no processing is " +
- "occurring for the specified token. However, a value of false also does not confirm the token is valid, " +
- "only that no processing is associated with the specified token.", response = IsTokenBeingProcessedResponse.class)
+ @ApiOperation(
+ value = "Determines if there are any tasks associated with the token that are being processed, or in the queue to be processed.",
+ response = IsTokenBeingProcessedResponse.class,
+ notes = """
+
+ This endpoint is intended to be used in conjunction with other API calls which return a token for asynchronous tasks.
+ The token can then be queried using this endpoint to determine if the task is complete:
+
+
A value of true indicates processing is occurring.
+
A value of false indicates that no processing is occurring for the specified token.
+
+ However, a value of false also does not confirm the token is valid,
+ only that no processing is associated with the specified token.
+ """
+ )
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
})
diff --git a/src/main/java/org/dependencytrack/resources/v1/FindingResource.java b/src/main/java/org/dependencytrack/resources/v1/FindingResource.java
index cec9c4cecb..dfbb162e67 100644
--- a/src/main/java/org/dependencytrack/resources/v1/FindingResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/FindingResource.java
@@ -41,6 +41,7 @@
import org.dependencytrack.model.Project;
import org.dependencytrack.model.Vulnerability;
import org.dependencytrack.persistence.QueryManager;
+
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
@@ -75,7 +76,8 @@ public class FindingResource extends AlpineResource {
value = "Returns a list of all findings for a specific project",
response = Finding.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of findings")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of findings"),
+ notes = "
Requires permission VIEW_VULNERABILITY
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -113,7 +115,8 @@ public Response getFindingsByProject(@PathParam("uuid") String uuid,
@Path("/project/{uuid}/export")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Returns the findings for the specified project as FPF"
+ value = "Returns the findings for the specified project as FPF",
+ notes = "
Requires permission VIEW_VULNERABILITY
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -145,7 +148,8 @@ public Response exportFindingsByProject(@PathParam("uuid") String uuid) {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Triggers Vulnerability Analysis on a specific project",
- response = Project.class
+ response = Project.class,
+ notes = "
Requires permission VIEW_VULNERABILITY
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
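Review bot: "Triggers Vulnerability Analysis on a specific project" is a state-changing operation, yet the added notes say "Requires permission VIEW_VULNERABILITY", the same text as the read-only findings operations around it. Confirm this matches the `@PermissionRequired` annotation on `analyzeProject` rather than being copied from the neighbouring hunks; documentation that understates or overstates the enforced permission is worse than none.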
@@ -187,7 +191,8 @@ public Response analyzeProject(
value = "Returns a list of all findings",
response = Finding.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of findings")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of findings"),
+ notes = "
Requires permission VIEW_VULNERABILITY
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -250,7 +255,8 @@ public Response getAllFindings(@ApiParam(value = "Show inactive projects")
value = "Returns a list of all findings grouped by vulnerability",
response = GroupedFinding.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of findings")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of findings"),
+ notes = "
Requires permission VIEW_VULNERABILITY
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
diff --git a/src/main/java/org/dependencytrack/resources/v1/IntegrationResource.java b/src/main/java/org/dependencytrack/resources/v1/IntegrationResource.java
index db701209c0..3d42f95736 100644
--- a/src/main/java/org/dependencytrack/resources/v1/IntegrationResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/IntegrationResource.java
@@ -46,7 +46,8 @@ public class IntegrationResource extends AlpineResource {
@ApiOperation(
value = "Returns a list of all ecosystems in OSV",
response = String.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -64,7 +65,8 @@ public Response getAllEcosystems() {
@ApiOperation(
value = "Returns a list of available inactive ecosystems in OSV to be selected by user",
response = String.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
diff --git a/src/main/java/org/dependencytrack/resources/v1/LdapResource.java b/src/main/java/org/dependencytrack/resources/v1/LdapResource.java
index 9c913db6ab..25c3edf894 100644
--- a/src/main/java/org/dependencytrack/resources/v1/LdapResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/LdapResource.java
@@ -72,7 +72,12 @@ public class LdapResource extends AlpineResource {
response = String.class,
responseContainer = "List",
responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of ldap groups that match the specified search criteria"),
- notes = "This API performs a pass-thru query to the configured LDAP server. Search criteria results are cached using default Alpine CacheManager policy"
+ notes = """
+
+ This API performs a pass-through query to the configured LDAP server.
+ Search criteria results are cached using default Alpine CacheManager policy.
+
+
Requires permission ACCESS_MANAGEMENT
"""
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -116,7 +121,8 @@ public Response retrieveLdapGroups () {
@ApiOperation(
value = "Returns the DNs of all groups mapped to the specified team",
response = String.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -141,7 +147,8 @@ public Response retrieveLdapGroups (@ApiParam(value = "The UUID of the team to r
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Adds a mapping",
- response = MappedLdapGroup.class
+ response = MappedLdapGroup.class,
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
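Review bot: "Adds a mapping" receives an empty `notes` value while the two read operations above it document ACCESS_MANAGEMENT. Mapping an LDAP group to a team is a write to access control, so the required permission should be stated here as well.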
diff --git a/src/main/java/org/dependencytrack/resources/v1/MetricsResource.java b/src/main/java/org/dependencytrack/resources/v1/MetricsResource.java
index 3b3fa99fc3..9fb04d702b 100644
--- a/src/main/java/org/dependencytrack/resources/v1/MetricsResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/MetricsResource.java
@@ -66,7 +66,8 @@ public class MetricsResource extends AlpineResource {
@ApiOperation(
value = "Returns the sum of all vulnerabilities in the database by year and month",
response = VulnerabilityMetrics.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -84,7 +85,8 @@ public Response getVulnerabilityMetrics() {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns current metrics for the entire portfolio",
- response = PortfolioMetrics.class
+ response = PortfolioMetrics.class,
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -102,7 +104,9 @@ public Response getPortfolioCurrentMetrics() {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns historical metrics for the entire portfolio from a specific date",
- notes = "Date format must be YYYYMMDD",
+ notes = """
+
Date format must be YYYYMMDD
+
Requires permission VIEW_PORTFOLIO
""",
response = PortfolioMetrics.class,
responseContainer = "List"
)
@@ -130,7 +134,8 @@ public Response getPortfolioMetricsSince(
@ApiOperation(
value = "Returns X days of historical metrics for the entire portfolio",
response = PortfolioMetrics.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -152,7 +157,8 @@ public Response getPortfolioMetricsXDays(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Requests a refresh of the portfolio metrics",
- response = PortfolioMetrics.class
+ response = PortfolioMetrics.class,
+ notes = "
Requires permission PORTFOLIO_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -168,7 +174,8 @@ public Response RefreshPortfolioMetrics() {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns current metrics for a specific project",
- response = ProjectMetrics.class
+ response = ProjectMetrics.class,
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -199,7 +206,9 @@ public Response getProjectCurrentMetrics(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns historical metrics for a specific project from a specific date",
- notes = "Date format must be YYYYMMDD",
+ notes = """
+
Date format must be YYYYMMDD
+
Requires permission VIEW_PORTFOLIO
""",
response = ProjectMetrics.class,
responseContainer = "List"
)
@@ -225,7 +234,8 @@ public Response getProjectMetricsSince(
@ApiOperation(
value = "Returns X days of historical metrics for a specific project",
response = ProjectMetrics.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -247,7 +257,8 @@ public Response getProjectMetricsXDays(
@Path("/project/{uuid}/refresh")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Requests a refresh of a specific projects metrics"
+ value = "Requests a refresh of a specific projects metrics",
+ notes = "
Requires permission PORTFOLIO_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -278,7 +289,8 @@ public Response RefreshProjectMetrics(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns current metrics for a specific component",
- response = DependencyMetrics.class
+ response = DependencyMetrics.class,
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -309,7 +321,9 @@ public Response getComponentCurrentMetrics(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns historical metrics for a specific component from a specific date",
- notes = "Date format must be YYYYMMDD",
+ notes = """
+
Date format must be YYYYMMDD
+
Requires permission VIEW_PORTFOLIO
""",
response = DependencyMetrics.class,
responseContainer = "List"
)
@@ -338,7 +352,8 @@ public Response getComponentMetricsSince(
@ApiOperation(
value = "Returns X days of historical metrics for a specific component",
response = DependencyMetrics.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -360,7 +375,8 @@ public Response getComponentMetricsXDays(
@Path("/component/{uuid}/refresh")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Requests a refresh of a specific components metrics"
+ value = "Requests a refresh of a specific components metrics",
+ notes = "
Requires permission PORTFOLIO_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
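Review bot: wording nit in the touched `value` strings: "a specific components metrics" in this hunk and "a specific projects metrics" in the `/project/{uuid}/refresh` hunk above both need a possessive, "component's" and "project's". Since both lines are modified in this change anyway, fix them here.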
diff --git a/src/main/java/org/dependencytrack/resources/v1/NotificationPublisherResource.java b/src/main/java/org/dependencytrack/resources/v1/NotificationPublisherResource.java
index 63ae0e077c..66e3d11b96 100644
--- a/src/main/java/org/dependencytrack/resources/v1/NotificationPublisherResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/NotificationPublisherResource.java
@@ -78,7 +78,8 @@ public class NotificationPublisherResource extends AlpineResource {
@ApiOperation(
value = "Returns a list of all notification publishers",
response = NotificationPublisher.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 400, message = "Invalid notification class or trying to modify a default publisher"),
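Review bot: the `notes` added to "Returns a list of all notification publishers" is empty, and the existing `@ApiResponse(code = 400, message = "Invalid notification class or trying to modify a default publisher")` on this list operation reads like a copy from the create/update operations. State the required permission, and check whether a 400 with that message can actually be produced by a list request.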
@@ -149,7 +151,8 @@ public Response createNotificationPublisher(NotificationPublisher jsonNotificati
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Updates a notification publisher",
- response = NotificationRule.class
+ response = NotificationRule.class,
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 400, message = "Invalid notification class or trying to modify a default publisher"),
@@ -211,7 +214,8 @@ public Response updateNotificationPublisher(NotificationPublisher jsonNotificati
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Deletes a notification publisher and all related notification rules",
- code = 204
+ code = 204,
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 400, message = "Deleting a default notification publisher is forbidden"),
@@ -241,7 +245,8 @@ public Response deleteNotificationPublisher(@ApiParam(value = "The UUID of the n
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Restore the default notification publisher templates using the ones in the solution classpath"
+ value = "Restore the default notification publisher templates using the ones in the solution classpath",
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -268,7 +273,8 @@ public Response restoreDefaultTemplates() {
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Dispatches a SMTP notification test"
+ value = "Dispatches a SMTP notification test",
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
diff --git a/src/main/java/org/dependencytrack/resources/v1/NotificationRuleResource.java b/src/main/java/org/dependencytrack/resources/v1/NotificationRuleResource.java
index 92db0e0e7e..1a2bc3deb3 100644
--- a/src/main/java/org/dependencytrack/resources/v1/NotificationRuleResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/NotificationRuleResource.java
@@ -70,7 +70,8 @@ public class NotificationRuleResource extends AlpineResource {
value = "Returns a list of all notification rules",
response = NotificationRule.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of notification rules")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of notification rules"),
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@@ -90,7 +91,8 @@ public Response getAllNotificationRules() {
@ApiOperation(
value = "Creates a new notification rule",
response = NotificationRule.class,
- code = 201
+ code = 201,
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
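Review bot: "Creates a new notification rule" gets an empty `notes` value. The add/remove project and team operations in the following hunks all document SYSTEM_CONFIGURATION; the create operation is the one where consumers most need the permission stated, so add it.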
@@ -182,7 +186,8 @@ public Response deleteNotificationRule(NotificationRule jsonRule) {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Adds a project to a notification rule",
- response = NotificationRule.class
+ response = NotificationRule.class,
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The rule already has the specified project assigned"),
@@ -223,7 +228,8 @@ public Response addProjectToRule(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Removes a project from a notification rule",
- response = NotificationRule.class
+ response = NotificationRule.class,
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The rule does not have the specified project assigned"),
@@ -264,7 +270,8 @@ public Response removeProjectFromRule(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Adds a team to a notification rule",
- response = NotificationRule.class
+ response = NotificationRule.class,
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The rule already has the specified team assigned"),
@@ -305,7 +312,8 @@ public Response addTeamToRule(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Removes a team from a notification rule",
- response = NotificationRule.class
+ response = NotificationRule.class,
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The rule does not have the specified team assigned"),
diff --git a/src/main/java/org/dependencytrack/resources/v1/OidcResource.java b/src/main/java/org/dependencytrack/resources/v1/OidcResource.java
index 2430a118c2..9415ad221a 100644
--- a/src/main/java/org/dependencytrack/resources/v1/OidcResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/OidcResource.java
@@ -80,7 +80,8 @@ public Response isAvailable() {
@ApiOperation(
value = "Returns a list of all groups",
response = OidcGroup.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
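Review bot: empty `notes` on "Returns a list of all groups" in OidcResource, while the teams-for-group operation in the next hunk documents ACCESS_MANAGEMENT. Either this listing is intentionally reachable under a different permission, which is worth stating explicitly, or the text was omitted by mistake.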
@@ -188,7 +192,8 @@ public Response deleteGroup(@ApiParam(value = "The UUID of the group to delete",
@ApiOperation(
value = "Returns a list of teams associated with the specified group",
response = Team.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -216,7 +221,8 @@ public Response retrieveTeamsMappedToGroup(@ApiParam(value = "The UUID of the ma
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Adds a mapping",
- response = MappedOidcGroup.class
+ response = MappedOidcGroup.class,
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
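Review bot: "Adds a mapping" (OIDC group to team) has an empty `notes` value, the same gap as its LDAP counterpart. State the permission enforced on this method so the generated docs do not present a write operation as unrestricted.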
@@ -207,7 +212,8 @@ public Response deletePolicy(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Adds a project to a policy",
- response = Policy.class
+ response = Policy.class,
+ notes = "
Requires permission POLICY_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The policy already has the specified project assigned"),
@@ -245,7 +251,8 @@ public Response addProjectToPolicy(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Removes a project from a policy",
- response = Policy.class
+ response = Policy.class,
+ notes = "
Requires permission POLICY_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The policy does not have the specified project assigned"),
@@ -283,7 +290,8 @@ public Response removeProjectFromPolicy(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Adds a tag to a policy",
- response = Policy.class
+ response = Policy.class,
+ notes = "
Requires permission POLICY_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The policy already has the specified tag assigned"),
@@ -322,7 +330,8 @@ public Response addTagToPolicy(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Removes a tag from a policy",
- response = Policy.class
+ response = Policy.class,
+ notes = "
Requires permission POLICY_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The policy does not have the specified tag assigned"),
diff --git a/src/main/java/org/dependencytrack/resources/v1/PolicyViolationResource.java b/src/main/java/org/dependencytrack/resources/v1/PolicyViolationResource.java
index 84d03a10d1..37889f19d5 100644
--- a/src/main/java/org/dependencytrack/resources/v1/PolicyViolationResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/PolicyViolationResource.java
@@ -61,7 +61,8 @@ public class PolicyViolationResource extends AlpineResource {
value = "Returns a list of all policy violations for the entire portfolio",
response = PolicyViolation.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of policy violations")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of policy violations"),
+ notes = "
Requires permission VIEW_POLICY_VIOLATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -84,7 +85,8 @@ public Response getViolations(@ApiParam(value = "Optionally includes suppressed
value = "Returns a list of all policy violations for a specific project",
response = PolicyViolation.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of policy violations")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of policy violations"),
+ notes = "
Requires permission VIEW_POLICY_VIOLATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -119,7 +121,8 @@ public Response getViolationsByProject(@PathParam("uuid") String uuid,
value = "Returns a list of all policy violations for a specific component",
response = PolicyViolation.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of policy violations")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of policy violations"),
+ notes = "
Requires permission VIEW_POLICY_VIOLATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
diff --git a/src/main/java/org/dependencytrack/resources/v1/ProjectPropertyResource.java b/src/main/java/org/dependencytrack/resources/v1/ProjectPropertyResource.java
index 895018cf91..56c72603c3 100644
--- a/src/main/java/org/dependencytrack/resources/v1/ProjectPropertyResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/ProjectPropertyResource.java
@@ -18,7 +18,6 @@
*/
package org.dependencytrack.resources.v1;
-import alpine.common.logging.Logger;
import alpine.server.auth.PermissionRequired;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
@@ -55,14 +54,13 @@
@Api(value = "projectProperty", authorizations = @Authorization(value = "X-Api-Key"))
public class ProjectPropertyResource extends AbstractConfigPropertyResource {
- private static final Logger LOGGER = Logger.getLogger(ProjectPropertyResource.class);
-
@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns a list of all ProjectProperties for the specified project",
response = ProjectProperty.class,
- responseContainer = "List"
+ responseContainer = "List",
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
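Review bot: removing the unused `LOGGER` field here and its `alpine.common.logging.Logger` import in the previous hunk is an unrelated cleanup bundled into a documentation change; fine to keep, but mention it in the commit message so the removal does not surprise anyone bisecting later. The `notes` attribute added in the same hunk is empty, whereas the other list endpoints in this patch state their permission.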
diff --git a/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java b/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java
index ba238f0667..38c5dae39b 100644
--- a/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java
@@ -80,7 +80,8 @@ public class ProjectResource extends AlpineResource {
value = "Returns a list of all projects",
response = Project.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -113,7 +114,8 @@ public Response getProjects(@ApiParam(value = "The optional name of the project
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns a specific project",
- response = Project.class
+ response = Project.class,
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -141,7 +143,12 @@ public Response getProject(
@GET
@Path("/lookup")
@Produces(MediaType.APPLICATION_JSON)
- @ApiOperation(value = "Returns a specific project by its name and version", response = Project.class, nickname = "getProjectByNameAndVersion")
+ @ApiOperation(
+ value = "Returns a specific project by its name and version",
+ response = Project.class,
+ nickname = "getProjectByNameAndVersion",
+ notes = "
Requires permission VIEW_PORTFOLIO
"
+ )
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@@ -174,7 +181,8 @@ public Response getProject(
value = "Returns a list of all projects by tag",
response = Project.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects with the tag")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects with the tag"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -201,7 +209,8 @@ public Response getProjectsByTag(
value = "Returns a list of all projects by classifier",
response = Project.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects of the specified classifier")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects of the specified classifier"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -228,13 +237,20 @@ public Response getProjectsByClassifier(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Creates a new project",
- notes = "If a parent project exists, the UUID of the parent project is required ",
+ notes = """
+
If a parent project exists, parent.uuid is required
+
Requires permission PORTFOLIO_MANAGEMENT
+ """,
response = Project.class,
code = 201
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
- @ApiResponse(code = 409, message = "- An inactive Parent cannot be selected as parent\n- A project with the specified name already exists"),
+ @ApiResponse(code = 409, message = """
+
+
An inactive Parent cannot be selected as parent, or
+
A project with the specified name already exists
+
"""),
})
@PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT)
public Response createProject(Project jsonProject) {
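Review bot: the 409 `message` replaces a Markdown bullet list (`- ...\n- ...`) with two sentences joined by ", or" and separated by blank lines; Swagger renders `message` as Markdown, so the result is two paragraphs rather than a list, which reads worse than the original for a multi-condition response. If a list is intended, keep the `- ` prefixes inside the text block. The `notes` change from "the UUID of the parent project is required" to "parent.uuid is required" is an improvement, since it names the actual request field.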
@@ -282,12 +298,19 @@ public Response createProject(Project jsonProject) {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Updates a project",
- response = Project.class
+ response = Project.class,
+ notes = "
Requires permission PORTFOLIO_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 404, message = "The UUID of the project could not be found"),
- @ApiResponse(code = 409, message = "- An inactive Parent cannot be selected as parent\n- Project cannot be set to inactive if active children are present\n- A project with the specified name already exists\n- A project cannot select itself as a parent")
+ @ApiResponse(code = 409, message = """
+
+
An inactive Parent cannot be selected as parent, or
+
Project cannot be set to inactive if active children are present, or
+
A project with the specified name already exists, or
+
A project cannot select itself as a parent
+
""")
})
@PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT)
public Response updateProject(Project jsonProject) {
@@ -344,12 +367,19 @@ public Response updateProject(Project jsonProject) {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Partially updates a project",
- response = Project.class
+ response = Project.class,
+ notes = "
Requires permission PORTFOLIO_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 404, message = "The UUID of the project could not be found"),
- @ApiResponse(code = 409, message = "- An inactive Parent cannot be selected as parent\n- Project cannot be set to inactive if active children are present\n- A project with the specified name already exists\n- A project cannot select itself as a parent")
+ @ApiResponse(code = 409, message = """
+
+
An inactive Parent cannot be selected as parent, or
+
Project cannot be set to inactive if active children are present, or
+
A project with the specified name already exists, or
+
A project cannot select itself as a parent
+
""")
})
@PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT)
public Response patchProject(
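Review bot: the 409 `message` text block in patchProject is a character-for-character copy of the one in updateProject in the previous hunk, and the four conditions are a superset of the three used by createProject; pull the shared text into a `private static final String` constant (or assemble it from per-condition strings) so the three lists cannot drift apart when a condition is added. The same concern applies to the hand-written "Requires permission ..." strings throughout this patch: each duplicates what `@PermissionRequired` already declares on the method, and nothing checks that the two agree.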
@@ -470,7 +500,8 @@ private boolean setIfDifferent(final Project source, final Project target, f
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Deletes a project",
- code = 204
+ code = 204,
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -544,7 +576,8 @@ public Response cloneProject(CloneProjectRequest jsonRequest) {
value = "Returns a list of all children for a project",
response = Project.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -578,7 +611,8 @@ public Response getChildrenProjects(@ApiParam(value = "The UUID of the project t
value = "Returns a list of all children for a project by classifier",
response = Project.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -616,7 +650,8 @@ public Response getChildrenProjectsByClassifier(
value = "Returns a list of all children for a project by tag",
response = Project.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -654,7 +689,8 @@ public Response getChildrenProjectsByTag(
value = "Returns a list of all projects without the descendants of the selected project",
response = Project.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
diff --git a/src/main/java/org/dependencytrack/resources/v1/RepositoryResource.java b/src/main/java/org/dependencytrack/resources/v1/RepositoryResource.java
index 0f1219af4a..b0404d66b1 100644
--- a/src/main/java/org/dependencytrack/resources/v1/RepositoryResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/RepositoryResource.java
@@ -69,7 +69,8 @@ public class RepositoryResource extends AlpineResource {
value = "Returns a list of all repositories",
response = Repository.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of repositories")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of repositories"),
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -89,7 +90,8 @@ public Response getRepositories() {
value = "Returns repositories that support the specific type",
response = Repository.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of repositories")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of repositories"),
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@@ -148,7 +150,8 @@ public Response getRepositoryMetaComponent(
@ApiOperation(
value = "Creates a new repository",
response = Repository.class,
- code = 201
+ code = 201,
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -185,7 +186,8 @@ public Response vulnerableSoftwareSearch(@QueryParam("query") String query, @Que
@POST
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Rebuild lucene indexes for search operations"
+ value = "Rebuild lucene indexes for search operations",
+ notes = "
Requires permission SYSTEM_CONFIGURATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
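Review bot: the hunk header's context line `public Response vulnerableSoftwareSearch(...)` does not belong to RepositoryResource, whose file header is the last one shown above, so a `diff --git` header for the search resource appears to have been lost when the patch was pasted; the same happens at the `deleteTeam` hunk further down, which has no TeamResource header before it. Since the summary line is being rewritten anyway, "lucene" should be capitalised as "Lucene".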
diff --git a/src/main/java/org/dependencytrack/resources/v1/ServiceResource.java b/src/main/java/org/dependencytrack/resources/v1/ServiceResource.java
index 1304b2214f..9693b2b74b 100644
--- a/src/main/java/org/dependencytrack/resources/v1/ServiceResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/ServiceResource.java
@@ -63,7 +63,8 @@ public class ServiceResource extends AlpineResource {
value = "Returns a list of all services for a given project",
response = ServiceComponent.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of services")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of services"),
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -198,7 +203,8 @@ public Response deleteTeam(Team jsonTeam) {
@ApiOperation(
value = "Generates an API key and returns its value",
response = ApiKey.class,
- code = 201
+ code = 201,
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -224,7 +230,8 @@ public Response generateApiKey(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Regenerates an API key by removing the specified key, generating a new one and returning its value",
- response = ApiKey.class
+ response = ApiKey.class,
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -249,7 +256,11 @@ public Response regenerateApiKey(
@Path("/key/{key}/comment")
@Consumes(MediaType.TEXT_PLAIN)
@Produces(MediaType.APPLICATION_JSON)
- @ApiOperation(value = "Updates an API key's comment", response = ApiKey.class)
+ @ApiOperation(
+ value = "Updates an API key's comment",
+ response = ApiKey.class,
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
+ )
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 404, message = "The API key could not be found")
@@ -279,7 +290,8 @@ public Response updateApiKeyComment(@PathParam("key") final String key,
@Path("/key/{apikey}")
@ApiOperation(
value = "Deletes the specified API key",
- code = 204
+ code = 204,
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
diff --git a/src/main/java/org/dependencytrack/resources/v1/UserResource.java b/src/main/java/org/dependencytrack/resources/v1/UserResource.java
index a427e9bdb6..c027e653e8 100644
--- a/src/main/java/org/dependencytrack/resources/v1/UserResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/UserResource.java
@@ -227,7 +227,8 @@ public Response forceChangePassword(@FormParam("username") String username, @For
value = "Returns a list of all managed users",
response = ManagedUser.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of managed users")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of managed users"),
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -248,7 +249,8 @@ public Response getManagedUsers() {
value = "Returns a list of all LDAP users",
response = LdapUser.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of LDAP users")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of LDAP users"),
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -272,7 +274,8 @@ public Response getLdapUsers() {
value = "Returns a list of all OIDC users",
response = OidcUser.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of OIDC users")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of OIDC users"),
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -371,7 +374,8 @@ public Response updateSelf(ManagedUser jsonUser) {
@ApiOperation(
value = "Creates a new user that references an existing LDAP object.",
response = LdapUser.class,
- code = 201
+ code = 201,
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 400, message = "Username cannot be null or blank."),
@@ -408,7 +412,8 @@ public Response createLdapUser(LdapUser jsonUser) {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Deletes a user.",
- code = 204
+ code = 204,
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
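Review bot: `notes` for "Deletes a user." is empty, while the sibling "Deletes an OpenID Connect user." hunk below states ACCESS_MANAGEMENT; the two delete operations almost certainly share a permission, so fill this one in for consistency and check the method's `@PermissionRequired` annotation to be sure.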
@@ -573,7 +581,8 @@ public Response deleteManagedUser(ManagedUser jsonUser) {
@ApiOperation(
value = "Creates a new user that references an existing OpenID Connect user.",
response = OidcUser.class,
- code = 201
+ code = 201,
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 400, message = "Username cannot be null or blank."),
@@ -610,7 +619,8 @@ public Response createOidcUser(final OidcUser jsonUser) {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Deletes an OpenID Connect user.",
- code = 204
+ code = 204,
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -644,7 +654,8 @@ public Response deleteOidcUser(final OidcUser jsonUser) {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Adds the username to the specified team.",
- response = UserPrincipal.class
+ response = UserPrincipal.class,
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The user is already a member of the specified team"),
@@ -683,7 +694,8 @@ public Response addTeamToUser(
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Removes the username from the specified team.",
- response = UserPrincipal.class
+ response = UserPrincipal.class,
+ notes = "
Requires permission ACCESS_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 304, message = "The user was not a member of the specified team"),
diff --git a/src/main/java/org/dependencytrack/resources/v1/VexResource.java b/src/main/java/org/dependencytrack/resources/v1/VexResource.java
index a07463a590..aa47764584 100644
--- a/src/main/java/org/dependencytrack/resources/v1/VexResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/VexResource.java
@@ -42,7 +42,6 @@
import org.dependencytrack.resources.v1.vo.VexSubmitRequest;
import org.glassfish.jersey.media.multipart.BodyPartEntity;
import org.glassfish.jersey.media.multipart.FormDataBodyPart;
-import org.glassfish.jersey.media.multipart.FormDataMultiPart;
import org.glassfish.jersey.media.multipart.FormDataParam;
import javax.validation.Validator;
@@ -79,7 +78,8 @@ public class VexResource extends AlpineResource {
@Produces({CycloneDxMediaType.APPLICATION_CYCLONEDX_JSON, MediaType.APPLICATION_OCTET_STREAM})
@ApiOperation(
value = "Returns a VEX for a project in CycloneDX format",
- response = String.class
+ response = String.class,
+ notes = "
Requires permission VULNERABILITY_ANALYSIS
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -124,11 +124,16 @@ public Response exportProjectAsCycloneDx (
@ApiOperation(
value = "Upload a supported VEX document",
notes = """
- Expects CycloneDX and a valid project UUID. If a UUID is not specified, \
- then the projectName and projectVersion must be specified.
- The VEX will be validated against the CycloneDX schema. If schema validation fails, \
- a response with problem details in RFC 9457 format will be returned. In this case, \
- the response's content type will be application/problem+json."""
+
+ Expects CycloneDX and a valid project UUID. If a UUID is not specified,
+ then the projectName and projectVersion must be specified.
+
+
+ The VEX will be validated against the CycloneDX schema. If schema validation fails,
+ a response with problem details in RFC 9457 format will be returned. In this case,
+ the response's content type will be application/problem+json.
+
+
Requires permission VULNERABILITY_ANALYSIS
"""
)
@ApiResponses(value = {
@ApiResponse(code = 400, message = "Invalid VEX", response = InvalidBomProblemDetails.class),
@@ -167,11 +172,16 @@ public Response uploadVex(VexSubmitRequest request) {
@ApiOperation(
value = "Upload a supported VEX document",
notes = """
- Expects CycloneDX along and a valid project UUID. If a UUID is not specified, \
- then the projectName and projectVersion must be specified.
- The VEX will be validated against the CycloneDX schema. If schema validation fails, \
- a response with problem details in RFC 9457 format will be returned. In this case, \
- the response's content type will be application/problem+json."""
+
+ Expects CycloneDX and a valid project UUID. If a UUID is not specified,
+ then the projectName and projectVersion must be specified.
+
+
+ The VEX will be validated against the CycloneDX schema. If schema validation fails,
+ a response with problem details in RFC 9457 format will be returned. In this case,
+ the response's content type will be application/problem+json.
+
+
Requires permission VULNERABILITY_ANALYSIS
"""
)
@ApiResponses(value = {
@ApiResponse(code = 400, message = "Invalid VEX", response = InvalidBomProblemDetails.class),
@@ -183,9 +193,7 @@ public Response uploadVex(VexSubmitRequest request) {
public Response uploadVex(@FormDataParam("project") String projectUuid,
@FormDataParam("projectName") String projectName,
@FormDataParam("projectVersion") String projectVersion,
- final FormDataMultiPart multiPart) {
-
- final List artifactParts = multiPart.getFields("vex");
+ @ApiParam(type = "string") @FormDataParam("vex") final List artifactParts) {
if (projectUuid != null) {
try (QueryManager qm = new QueryManager()) {
final Project project = qm.getObjectByUuid(Project.class, projectUuid);
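Review bot: the new `@FormDataParam("vex") final List artifactParts` parameter replaces the explicit `multiPart.getFields("vex")` lookup, so what the method receives when the `vex` part is absent changes from whatever `getFields` returned to whatever Jersey injects for a missing multipart field; make sure the code following this hunk null-checks and empty-checks `artifactParts` and returns a 400 instead of throwing. As rendered the parameter is a raw `List`; if the type argument really is missing, declare it `List<FormDataBodyPart>` (the `FormDataBodyPart` import is still present in the import hunk above, only `FormDataMultiPart` was removed). The `@ApiParam(type = "string")` matches the changelog entry "Fix `bom` and `vex` request fields not being visible in OpenAPI spec", so that part looks intended.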
diff --git a/src/main/java/org/dependencytrack/resources/v1/ViolationAnalysisResource.java b/src/main/java/org/dependencytrack/resources/v1/ViolationAnalysisResource.java
index ff01201fa4..8c4df02d4c 100644
--- a/src/main/java/org/dependencytrack/resources/v1/ViolationAnalysisResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/ViolationAnalysisResource.java
@@ -66,7 +66,8 @@ public class ViolationAnalysisResource extends AlpineResource {
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Retrieves a violation analysis trail",
- response = ViolationAnalysis.class
+ response = ViolationAnalysis.class,
+ notes = "
Requires permission VIEW_POLICY_VIOLATION
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -100,7 +101,8 @@ public Response retrieveAnalysis(@ApiParam(value = "The UUID of the component",
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Records a violation analysis decision",
- response = ViolationAnalysis.class
+ response = ViolationAnalysis.class,
+ notes = "
Requires permission POLICY_VIOLATION_ANALYSIS
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
diff --git a/src/main/java/org/dependencytrack/resources/v1/VulnerabilityResource.java b/src/main/java/org/dependencytrack/resources/v1/VulnerabilityResource.java
index 5116150781..dac3bbdfc1 100644
--- a/src/main/java/org/dependencytrack/resources/v1/VulnerabilityResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/VulnerabilityResource.java
@@ -79,7 +79,8 @@ public class VulnerabilityResource extends AlpineResource {
value = "Returns a list of all vulnerabilities for a specific component",
response = Vulnerability.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of vulnerabilities")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of vulnerabilities"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -112,7 +113,8 @@ public Response getVulnerabilitiesByComponent(@PathParam("uuid") String uuid,
value = "Returns a list of all vulnerabilities for a specific project",
response = Vulnerability.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of vulnerabilities")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of vulnerabilities"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -143,7 +145,8 @@ public Response getVulnerabilitiesByProject(@PathParam("uuid") String uuid,
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns a specific vulnerability",
- response = Vulnerability.class
+ response = Vulnerability.class,
+ notes = "
Requires permission VULNERABILITY_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -167,7 +170,8 @@ public Response getVulnerabilityByUuid(@ApiParam(value = "The UUID of the vulner
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
value = "Returns a specific vulnerability",
- response = Vulnerability.class
+ response = Vulnerability.class,
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
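Review bot: this operation and the one in the previous hunk both carry the summary "Returns a specific vulnerability", yet one is documented as requiring VULNERABILITY_MANAGEMENT and this one VIEW_PORTFOLIO; identical summaries make the two entries indistinguishable in the generated docs. Add the lookup key to each summary (the context lines show one is by UUID and this one by source and vulnId), and confirm against both methods' `@PermissionRequired` annotations that the permission difference is real rather than a copy-paste slip.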
@@ -201,7 +205,8 @@ public Response getVulnerabilityByVulnId(@PathParam("source") String source,
value = "Returns a list of all projects affected by a specific vulnerability",
response = Project.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects"),
+ notes = "
Requires permission VIEW_PORTFOLIO
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -235,7 +240,8 @@ public Response getAffectedProject(@PathParam("source") String source,
value = "Returns a list of all vulnerabilities",
response = Vulnerability.class,
responseContainer = "List",
- responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of vulnerabilities")
+ responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of vulnerabilities"),
+ notes = "
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized")
@@ -493,7 +503,8 @@ public void recalculateScoresAndSeverityFromVectors(Vulnerability vuln) throws M
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Assigns a vulnerability to a component"
+ value = "Assigns a vulnerability to a component",
+ notes = "
Requires permission PORTFOLIO_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -531,7 +542,8 @@ public Response assignVulnerability(@ApiParam(value = "The vulnerability source"
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Assigns a vulnerability to a component"
+ value = "Assigns a vulnerability to a component",
+ notes = "
Requires permission PORTFOLIO_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
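Review bot: both assign hunks use the summary "Assigns a vulnerability to a component", and both unassign hunks below use "Removes assignment of a vulnerability from a component", so the generated spec lists two operations with the same title each time. Since the `value` lines are being edited anyway, distinguish them by lookup key: the context lines show one variant takes the vulnerability source and vulnId and the other the vulnerability UUID.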
@@ -567,7 +579,8 @@ public Response assignVulnerability(@ApiParam(value = "The UUID of the vulnerabi
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Removes assignment of a vulnerability from a component"
+ value = "Removes assignment of a vulnerability from a component",
+ notes = "
Requires permission PORTFOLIO_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@@ -605,7 +618,8 @@ public Response unassignVulnerability(@ApiParam(value = "The vulnerability sourc
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
- value = "Removes assignment of a vulnerability from a component"
+ value = "Removes assignment of a vulnerability from a component",
+ notes = "
Requires permission PORTFOLIO_MANAGEMENT
"
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
From 753924d050aa928e8698b27b5a433ef7583703a7 Mon Sep 17 00:00:00 2001
From: nscuro
Date: Sun, 17 Mar 2024 17:43:46 +0100
Subject: [PATCH 015/412] Add OpenAPI example values to request objects
Signed-off-by: nscuro
---
docs/_posts/2024-xx-xx-v4.11.0.md | 6 +++-
.../resources/v1/problems/ProblemDetails.java | 6 ++--
.../resources/v1/vo/BomSubmitRequest.java | 30 ++++++++++++++-----
3 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/docs/_posts/2024-xx-xx-v4.11.0.md b/docs/_posts/2024-xx-xx-v4.11.0.md
index fb5c51d3a8..91402695c7 100644
--- a/docs/_posts/2024-xx-xx-v4.11.0.md
+++ b/docs/_posts/2024-xx-xx-v4.11.0.md
@@ -47,6 +47,7 @@ environment variable `BOM_VALIDATION_ENABLED` to `false`.
* Add auto-generated changelog to GitHub releases - [apiserver/#3502]
* Bump SPDX license list to v3.23 - [apiserver/#3508]
* Validate uploaded BOMs against CycloneDX schema prior to processing them - [apiserver/#3522]
+* Add *required permissions* to OpenAPI descriptions of endpoints - [apiserver/#3557]
* Show component count in projects list - [frontend/#683]
* Add current *fail*, *warn*, and *info* values to bottom of policy violation metrics - [frontend/#707]
* Remove unused policy violation widget - [frontend/#710]
@@ -76,6 +77,7 @@ environment variable `BOM_VALIDATION_ENABLED` to `false`.
* Fix Cargo repository metadata analyzer not being invoked - [apiserver/#3511]
* Fix type of `purl` fields in Swagger docs - [apiserver/#3512]
* Fix CI build status badge - [apiserver/#3513]
+* Fix `bom` and `vex` request fields not being visible in OpenAPI spec - [apiserver/#3557]
* Fix `VUE_APP_SERVER_URL` being ignored - [frontend/#682]
* Fix visibility of "Vulnerabilities" and "Policy Violations" columns not being toggle-able individually - [frontend/#686]
* Fix finding search routes - [frontend/#689]
@@ -117,7 +119,7 @@ For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
-[@acdha], [@AnthonyMastrean], [@LaVibeX], [@VithikaS], [@baburkin], [@fnxpt], [@kepten], [@leec94],
+[@a5a351e7], [@acdha], [@AnthonyMastrean], [@LaVibeX], [@VithikaS], [@baburkin], [@fnxpt], [@kepten], [@leec94],
[@lukas-braune], [@malice00], [@mehab], [@mge-mm], [@mikkeschiren], [@mykter], [@rbt-mm],
[@rkg-mm], [@sahibamittal], [@sebD], [@setchy]
@@ -177,6 +179,7 @@ Special thanks to everyone who contributed code to implement enhancements and fi
[apiserver/#3512]: https://github.com/DependencyTrack/dependency-track/pull/3512
[apiserver/#3513]: https://github.com/DependencyTrack/dependency-track/pull/3513
[apiserver/#3522]: https://github.com/DependencyTrack/dependency-track/pull/3522
+[apiserver/#3557]: https://github.com/DependencyTrack/dependency-track/pull/3557
[frontend/#682]: https://github.com/DependencyTrack/frontend/pull/682
[frontend/#683]: https://github.com/DependencyTrack/frontend/pull/683
@@ -202,6 +205,7 @@ Special thanks to everyone who contributed code to implement enhancements and fi
[frontend/#752]: https://github.com/DependencyTrack/frontend/pull/752
[frontend/#768]: https://github.com/DependencyTrack/frontend/pull/768
+[@a5a351e7]: https://github.com/a5a351e7
[@acdha]: https://github.com/acdha
[@AnthonyMastrean]: https://github.com/AnthonyMastrean
[@LaVibeX]: https://github.com/LaVibeX
diff --git a/src/main/java/org/dependencytrack/resources/v1/problems/ProblemDetails.java b/src/main/java/org/dependencytrack/resources/v1/problems/ProblemDetails.java
index b8ce606da4..acb7f88b36 100644
--- a/src/main/java/org/dependencytrack/resources/v1/problems/ProblemDetails.java
+++ b/src/main/java/org/dependencytrack/resources/v1/problems/ProblemDetails.java
@@ -45,7 +45,8 @@ public class ProblemDetails {
@ApiModelProperty(
value = "HTTP status code generated by the origin server for this occurrence of the problem",
- example = "400"
+ example = "400",
+ required = true
)
private Integer status;
@@ -58,7 +59,8 @@ public class ProblemDetails {
@ApiModelProperty(
value = "Human-readable explanation specific to this occurrence of the problem",
- example = "Example detail"
+ example = "Example detail",
+ required = true
)
private String detail;
diff --git a/src/main/java/org/dependencytrack/resources/v1/vo/BomSubmitRequest.java b/src/main/java/org/dependencytrack/resources/v1/vo/BomSubmitRequest.java
index 7021bca27c..0f6b8b9109 100644
--- a/src/main/java/org/dependencytrack/resources/v1/vo/BomSubmitRequest.java
+++ b/src/main/java/org/dependencytrack/resources/v1/vo/BomSubmitRequest.java
@@ -23,6 +23,7 @@
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import io.swagger.annotations.ApiModelProperty;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotNull;
@@ -76,13 +77,13 @@ public BomSubmitRequest(String project,
}
@JsonCreator
- public BomSubmitRequest(@JsonProperty(value = "project", required = false) String project,
- @JsonProperty(value = "projectName", required = false) String projectName,
- @JsonProperty(value = "projectVersion", required = false) String projectVersion,
- @JsonProperty(value = "autoCreate", required = false) boolean autoCreate,
- @JsonProperty(value = "parentUUID", required = false) String parentUUID,
- @JsonProperty(value = "parentName", required = false) String parentName,
- @JsonProperty(value = "parentVersion", required = false) String parentVersion,
+ public BomSubmitRequest(@JsonProperty(value = "project") String project,
+ @JsonProperty(value = "projectName") String projectName,
+ @JsonProperty(value = "projectVersion") String projectVersion,
+ @JsonProperty(value = "autoCreate") boolean autoCreate,
+ @JsonProperty(value = "parentUUID") String parentUUID,
+ @JsonProperty(value = "parentName") String parentName,
+ @JsonProperty(value = "parentVersion") String parentVersion,
@JsonProperty(value = "bom", required = true) String bom) {
this.project = project;
this.projectName = projectName;
@@ -94,26 +95,32 @@ public BomSubmitRequest(@JsonProperty(value = "project", required = false) Strin
this.bom = bom;
}
+ @ApiModelProperty(example = "38640b33-4ba9-4733-bdab-cbfc40c6f8aa")
public String getProject() {
return project;
}
+ @ApiModelProperty(example = "Example Application")
public String getProjectName() {
return projectName;
}
+ @ApiModelProperty(example = "1.0.0")
public String getProjectVersion() {
return projectVersion;
}
+ @ApiModelProperty(example = "5341f53c-611b-4388-9d9c-731026dc5eec")
public String getParentUUID() {
return parentUUID;
}
+ @ApiModelProperty(example = "Example Application Parent")
public String getParentName() {
return parentName;
}
+ @ApiModelProperty(example = "1.0.0")
public String getParentVersion() {
return parentVersion;
}
@@ -122,6 +129,15 @@ public boolean isAutoCreate() {
return autoCreate;
}
+ @ApiModelProperty(
+ value = "Base64 encoded BOM",
+ required = true,
+ example = """
+ ewogICJib21Gb3JtYXQiOiAiQ3ljbG9uZURYIiwKICAic3BlY1ZlcnNpb24iOiAi\
+ MS40IiwKICAiY29tcG9uZW50cyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAibGli\
+ cmFyeSIsCiAgICAgICJuYW1lIjogImFjbWUtbGliIiwKICAgICAgInZlcnNpb24i\
+ OiAiMS4wLjAiCiAgICB9CiAgXQp9"""
+ )
public String getBom() {
return bom;
}
From a6804a49960ada72bc38cee4b36d52d949d4e6f3 Mon Sep 17 00:00:00 2001
From: nscuro
Date: Sun, 17 Mar 2024 19:36:13 +0100
Subject: [PATCH 016/412] Provide meaningful error message for `bom` and `vex`
exceeding Jackson's character limit
Also document the limitation in the OpenAPI spec of the respective `PUT` methods that accept JSON payloads.
Fixes #3182
Signed-off-by: nscuro
---
docs/_posts/2024-xx-xx-v4.11.0.md | 2 +
.../resources/v1/BomResource.java | 5 ++
.../resources/v1/VexResource.java | 5 ++
.../exception/JsonMappingExceptionMapper.java | 86 +++++++++++++++++++
.../resources/v1/BomResourceTest.java | 36 +++++++-
.../resources/v1/VexResourceTest.java | 35 +++++++-
6 files changed, 166 insertions(+), 3 deletions(-)
create mode 100644 src/main/java/org/dependencytrack/resources/v1/exception/JsonMappingExceptionMapper.java
diff --git a/docs/_posts/2024-xx-xx-v4.11.0.md b/docs/_posts/2024-xx-xx-v4.11.0.md
index 91402695c7..36612d2fb3 100644
--- a/docs/_posts/2024-xx-xx-v4.11.0.md
+++ b/docs/_posts/2024-xx-xx-v4.11.0.md
@@ -78,6 +78,7 @@ environment variable `BOM_VALIDATION_ENABLED` to `false`.
* Fix type of `purl` fields in Swagger docs - [apiserver/#3512]
* Fix CI build status badge - [apiserver/#3513]
* Fix `bom` and `vex` request fields not being visible in OpenAPI spec - [apiserver/#3557]
+* Fix unclear error response when base64 encoded `bom` and `vex` values exceed character limit - [apiserver/#3558]
* Fix `VUE_APP_SERVER_URL` being ignored - [frontend/#682]
* Fix visibility of "Vulnerabilities" and "Policy Violations" columns not being toggle-able individually - [frontend/#686]
* Fix finding search routes - [frontend/#689]
@@ -180,6 +181,7 @@ Special thanks to everyone who contributed code to implement enhancements and fi
[apiserver/#3513]: https://github.com/DependencyTrack/dependency-track/pull/3513
[apiserver/#3522]: https://github.com/DependencyTrack/dependency-track/pull/3522
[apiserver/#3557]: https://github.com/DependencyTrack/dependency-track/pull/3557
+[apiserver/#3558]: https://github.com/DependencyTrack/dependency-track/pull/3558
[frontend/#682]: https://github.com/DependencyTrack/frontend/pull/682
[frontend/#683]: https://github.com/DependencyTrack/frontend/pull/683
diff --git a/src/main/java/org/dependencytrack/resources/v1/BomResource.java b/src/main/java/org/dependencytrack/resources/v1/BomResource.java
index 37b22a5f74..0170cdd07c 100644
--- a/src/main/java/org/dependencytrack/resources/v1/BomResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/BomResource.java
@@ -221,6 +221,11 @@ public Response exportComponentAsCycloneDx (
a response with problem details in RFC 9457 format will be returned. In this case,
the response's content type will be application/problem+json.
+
+ The maximum allowed length of the bom value is 20'000'000 characters.
+ When uploading large BOMs, the POST endpoint is preferred,
+ as it does not have this limit.
+
Requires permission BOM_UPLOAD
""",
response = BomUploadResponse.class,
nickname = "UploadBomBase64Encoded"
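Review bot: the limit of 20'000'000 characters is hard-coded in the notes while the accompanying tests derive it from `StreamReadConstraints.DEFAULT_MAX_STRING_LEN`; if the Jackson constraint is ever raised or lowered, this text goes stale silently, so phrase it as Jackson's default maximum string length or build the note from the constant. The apostrophe digit grouping is also unusual in English-facing API documentation; `20,000,000` reads more clearly. The same two points apply to the identical VEX note in the next hunk.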
diff --git a/src/main/java/org/dependencytrack/resources/v1/VexResource.java b/src/main/java/org/dependencytrack/resources/v1/VexResource.java
index aa47764584..beb76c6667 100644
--- a/src/main/java/org/dependencytrack/resources/v1/VexResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/VexResource.java
@@ -133,6 +133,11 @@ public Response exportProjectAsCycloneDx (
a response with problem details in RFC 9457 format will be returned. In this case,
the response's content type will be application/problem+json.
+
+ The maximum allowed length of the vex value is 20'000'000 characters.
+ When uploading large VEX files, the POST endpoint is preferred,
+ as it does not have this limit.
+
Requires permission VULNERABILITY_ANALYSIS
"""
)
@ApiResponses(value = {
diff --git a/src/main/java/org/dependencytrack/resources/v1/exception/JsonMappingExceptionMapper.java b/src/main/java/org/dependencytrack/resources/v1/exception/JsonMappingExceptionMapper.java
new file mode 100644
index 0000000000..d431391478
--- /dev/null
+++ b/src/main/java/org/dependencytrack/resources/v1/exception/JsonMappingExceptionMapper.java
@@ -0,0 +1,86 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) Steve Springett. All Rights Reserved.
+ */
+package org.dependencytrack.resources.v1.exception;
+
+import com.fasterxml.jackson.core.exc.StreamConstraintsException;
+import com.fasterxml.jackson.databind.JsonMappingException;
+import org.dependencytrack.resources.v1.problems.ProblemDetails;
+import org.dependencytrack.resources.v1.vo.BomSubmitRequest;
+import org.dependencytrack.resources.v1.vo.VexSubmitRequest;
+
+import javax.annotation.Priority;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.ExceptionMapper;
+import javax.ws.rs.ext.Provider;
+import java.util.Objects;
+
+/**
+ * @since 4.11.0
+ */
+@Provider
+@Priority(1)
+public class JsonMappingExceptionMapper implements ExceptionMapper {
+
+ @Context
+ private HttpServletRequest request;
+
+ @Context
+ private ResourceInfo resourceInfo;
+
+ @Override
+ public Response toResponse(final JsonMappingException exception) {
+ final var problemDetails = new ProblemDetails();
+ problemDetails.setStatus(400);
+ problemDetails.setTitle("The provided JSON payload could not be mapped");
+ problemDetails.setDetail(createDetail(exception));
+
+ return Response
+ .status(Response.Status.BAD_REQUEST)
+ .type(ProblemDetails.MEDIA_TYPE_JSON)
+ .entity(problemDetails)
+ .build();
+ }
+
+ private static String createDetail(final JsonMappingException exception) {
+ if (!(exception.getCause() instanceof StreamConstraintsException)) {
+ return exception.getMessage();
+ }
+
+ final JsonMappingException.Reference reference = exception.getPath().get(0);
+ if (Objects.equals(reference.getFrom(), BomSubmitRequest.class)
+ && "bom".equals(reference.getFieldName())) {
+ return """
+ The BOM is too large to be transmitted safely via Base64 encoded JSON value. \
+ Please use the "POST /api/v1/bom" endpoint with Content-Type "multipart/form-data" instead. \
+ Original cause: %s""".formatted(exception.getMessage());
+ } else if (Objects.equals(reference.getFrom(), VexSubmitRequest.class)
+ && "vex".equals(reference.getFieldName())) {
+ return """
+ The VEX is too large to be transmitted safely via Base64 encoded JSON value. \
+ Please use the "POST /api/v1/vex" endpoint with Content-Type "multipart/form-data" instead. \
+ Original cause: %s""".formatted(exception.getMessage());
+ }
+
+ return exception.getMessage();
+ }
+
+}
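Review bot: `exception.getPath().get(0)` in `createDetail` throws `IndexOutOfBoundsException` when a `StreamConstraintsException` arrives with an empty reference chain (an oversized value that is not inside a mapped bean property), which turns the intended 400 into a 500 raised from inside the mapper itself; guard it with `if (exception.getPath().isEmpty()) return exception.getMessage();` before indexing. The `request` and `resourceInfo` `@Context` fields are injected but never read and can be dropped. Falling back to `exception.getMessage()` for every other mapping failure also echoes Jackson's internal reference chain, fully qualified class names included (see the expected `detail` in the test), to the client; a generic detail with the original message logged server-side would expose less of the implementation.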
diff --git a/src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java
index dbea0b351b..6f817307fb 100644
--- a/src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java
+++ b/src/test/java/org/dependencytrack/resources/v1/BomResourceTest.java
@@ -21,6 +21,7 @@
import alpine.common.util.UuidUtil;
import alpine.server.filters.ApiFilter;
import alpine.server.filters.AuthenticationFilter;
+import com.fasterxml.jackson.core.StreamReadConstraints;
import org.apache.http.HttpStatus;
import org.dependencytrack.ResourceTest;
import org.dependencytrack.auth.Permissions;
@@ -35,6 +36,7 @@
import org.dependencytrack.model.Severity;
import org.dependencytrack.model.Vulnerability;
import org.dependencytrack.parser.cyclonedx.CycloneDxValidator;
+import org.dependencytrack.resources.v1.exception.JsonMappingExceptionMapper;
import org.dependencytrack.resources.v1.vo.BomSubmitRequest;
import org.dependencytrack.tasks.scanners.AnalyzerIdentity;
import org.glassfish.jersey.media.multipart.MultiPartFeature;
@@ -68,7 +70,8 @@ protected DeploymentContext configureDeployment() {
new ResourceConfig(BomResource.class)
.register(ApiFilter.class)
.register(AuthenticationFilter.class)
- .register(MultiPartFeature.class)))
+ .register(MultiPartFeature.class)
+ .register(JsonMappingExceptionMapper.class)))
.build();
}
@@ -930,4 +933,35 @@ public void uploadBomInvalidXmlTest() {
""");
}
+ @Test
+ public void uploadBomTooLargeViaPutTest() {
+ initializeWithPermissions(Permissions.BOM_UPLOAD);
+
+ final var project = new Project();
+ project.setName("acme-app");
+ project.setVersion("1.0.0");
+ qm.persist(project);
+
+ final String bom = "a".repeat(StreamReadConstraints.DEFAULT_MAX_STRING_LEN + 1);
+
+ final Response response = target(V1_BOM).request()
+ .header(X_API_KEY, apiKey)
+ .put(Entity.entity("""
+ {
+ "projectName": "acme-app",
+ "projectVersion": "1.0.0",
+ "bom": "%s"
+ }
+ """.formatted(bom), MediaType.APPLICATION_JSON));
+ assertThat(response.getStatus()).isEqualTo(400);
+ assertThat(response.getHeaderString("Content-Type")).isEqualTo("application/problem+json");
+ assertThatJson(getPlainTextBody(response)).isEqualTo("""
+ {
+ "status": 400,
+ "title": "The provided JSON payload could not be mapped",
+ "detail": "The BOM is too large to be transmitted safely via Base64 encoded JSON value. Please use the \\"POST /api/v1/bom\\" endpoint with Content-Type \\"multipart/form-data\\" instead. Original cause: String length (20000001) exceeds the maximum length (20000000) (through reference chain: org.dependencytrack.resources.v1.vo.BomSubmitRequest[\\"bom\\"])"
+ }
+ """);
+ }
+
}
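Review bot: asserting the complete `detail` string ties the test to the exact wording of Jackson's `StreamConstraintsException` message ("String length (20000001) exceeds the maximum length (20000000) ..."), which is owned by Jackson and changes between releases; matching on the project's own prefix ("The BOM is too large ...") and only checking that the original cause is appended would keep the test stable across dependency bumps.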
diff --git a/src/test/java/org/dependencytrack/resources/v1/VexResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/VexResourceTest.java
index f15fcbe067..089c744ad6 100644
--- a/src/test/java/org/dependencytrack/resources/v1/VexResourceTest.java
+++ b/src/test/java/org/dependencytrack/resources/v1/VexResourceTest.java
@@ -20,6 +20,7 @@
import alpine.server.filters.ApiFilter;
import alpine.server.filters.AuthenticationFilter;
+import com.fasterxml.jackson.core.StreamReadConstraints;
import org.dependencytrack.ResourceTest;
import org.dependencytrack.auth.Permissions;
import org.dependencytrack.model.AnalysisResponse;
@@ -30,6 +31,7 @@
import org.dependencytrack.model.Severity;
import org.dependencytrack.model.Vulnerability;
import org.dependencytrack.parser.cyclonedx.CycloneDxValidator;
+import org.dependencytrack.resources.v1.exception.JsonMappingExceptionMapper;
import org.dependencytrack.tasks.scanners.AnalyzerIdentity;
import org.glassfish.jersey.media.multipart.MultiPartFeature;
import org.glassfish.jersey.server.ResourceConfig;
@@ -41,7 +43,6 @@
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
-
import java.util.Base64;
import static net.javacrumbs.jsonunit.assertj.JsonAssertions.assertThatJson;
@@ -57,7 +58,8 @@ protected DeploymentContext configureDeployment() {
new ResourceConfig(VexResource.class)
.register(ApiFilter.class)
.register(AuthenticationFilter.class)
- .register(MultiPartFeature.class)))
+ .register(MultiPartFeature.class)
+ .register(JsonMappingExceptionMapper.class)))
.build();
}
@@ -306,4 +308,33 @@ public void uploadVexInvalidXmlTest() {
""");
}
+ @Test
+ public void uploadVexTooLargeViaPutTest() {
+ final var project = new Project();
+ project.setName("acme-app");
+ project.setVersion("1.0.0");
+ qm.persist(project);
+
+ final String vex = "a".repeat(StreamReadConstraints.DEFAULT_MAX_STRING_LEN + 1);
+
+ final Response response = target(V1_VEX).request()
+ .header(X_API_KEY, apiKey)
+ .put(Entity.entity("""
+ {
+ "projectName": "acme-app",
+ "projectVersion": "1.0.0",
+ "vex": "%s"
+ }
+ """.formatted(vex), MediaType.APPLICATION_JSON));
+ assertThat(response.getStatus()).isEqualTo(400);
+ assertThat(response.getHeaderString("Content-Type")).isEqualTo("application/problem+json");
+ assertThatJson(getPlainTextBody(response)).isEqualTo("""
+ {
+ "status": 400,
+ "title": "The provided JSON payload could not be mapped",
+ "detail": "The VEX is too large to be transmitted safely via Base64 encoded JSON value. Please use the \\"POST /api/v1/vex\\" endpoint with Content-Type \\"multipart/form-data\\" instead. Original cause: String length (20000001) exceeds the maximum length (20000000) (through reference chain: org.dependencytrack.resources.v1.vo.VexSubmitRequest[\\"vex\\"])"
+ }
+ """);
+ }
+
}
\ No newline at end of file
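Review bot: unlike `uploadBomTooLargeViaPutTest`, this test never calls `initializeWithPermissions(Permissions.VULNERABILITY_ANALYSIS)`, so the request is sent without the permission the endpoint documents; whether the 400 is produced before or after authorization depends on filter ordering, and initializing the permission as the BOM test does keeps this test about the size limit alone. The same brittleness of asserting Jackson's full message text applies here as well.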
From d97856eedb7ddab59a46ed5e0215ebff65bf96bc Mon Sep 17 00:00:00 2001
From: nscuro
Date: Sun, 17 Mar 2024 19:49:03 +0100
Subject: [PATCH 017/412] Fix unhandled `NotFoundException`s causing a `HTTP
500` response
Previously, requests to routes that had no explicit servlet mapping ended up being handled by the `GlobalExceptionHandler` of Alpine, which logs the exception as `error`, and returns a `HTTP 500 Internal Server Error` response. This behavior was misleading and could flood the logs unnecessarily.
We now only return a `HTTP 404 Not Found` response, without emitting any logs.
Signed-off-by: nscuro
---
docs/_posts/2024-xx-xx-v4.11.0.md | 2 +
.../v1/exception/NotFoundExceptionMapper.java | 42 +++++++++++++++++++
.../NotFoundExceptionMapperTest.java | 38 +++++++++++++++++
3 files changed, 82 insertions(+)
create mode 100644 src/main/java/org/dependencytrack/resources/v1/exception/NotFoundExceptionMapper.java
create mode 100644 src/test/java/org/dependencytrack/resources/v1/exception/NotFoundExceptionMapperTest.java
diff --git a/docs/_posts/2024-xx-xx-v4.11.0.md b/docs/_posts/2024-xx-xx-v4.11.0.md
index 36612d2fb3..4077ff63c5 100644
--- a/docs/_posts/2024-xx-xx-v4.11.0.md
+++ b/docs/_posts/2024-xx-xx-v4.11.0.md
@@ -79,6 +79,7 @@ environment variable `BOM_VALIDATION_ENABLED` to `false`.
* Fix CI build status badge - [apiserver/#3513]
* Fix `bom` and `vex` request fields not being visible in OpenAPI spec - [apiserver/#3557]
* Fix unclear error response when base64 encoded `bom` and `vex` values exceed character limit - [apiserver/#3558]
+* Fix unhandled `NotFoundException`s causing a `HTTP 500` response - [apiserver/#3559]
* Fix `VUE_APP_SERVER_URL` being ignored - [frontend/#682]
* Fix visibility of "Vulnerabilities" and "Policy Violations" columns not being toggle-able individually - [frontend/#686]
* Fix finding search routes - [frontend/#689]
@@ -182,6 +183,7 @@ Special thanks to everyone who contributed code to implement enhancements and fi
[apiserver/#3522]: https://github.com/DependencyTrack/dependency-track/pull/3522
[apiserver/#3557]: https://github.com/DependencyTrack/dependency-track/pull/3557
[apiserver/#3558]: https://github.com/DependencyTrack/dependency-track/pull/3558
+[apiserver/#3559]: https://github.com/DependencyTrack/dependency-track/pull/3559
[frontend/#682]: https://github.com/DependencyTrack/frontend/pull/682
[frontend/#683]: https://github.com/DependencyTrack/frontend/pull/683
diff --git a/src/main/java/org/dependencytrack/resources/v1/exception/NotFoundExceptionMapper.java b/src/main/java/org/dependencytrack/resources/v1/exception/NotFoundExceptionMapper.java
new file mode 100644
index 0000000000..0bd2fcff08
--- /dev/null
+++ b/src/main/java/org/dependencytrack/resources/v1/exception/NotFoundExceptionMapper.java
@@ -0,0 +1,42 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) Steve Springett. All Rights Reserved.
+ */
+package org.dependencytrack.resources.v1.exception;
+
+import alpine.server.resources.GlobalExceptionHandler;
+
+import javax.ws.rs.NotFoundException;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.ExceptionMapper;
+import javax.ws.rs.ext.Provider;
+
+/**
+ * An {@link ExceptionMapper} to handle {@link NotFoundException}, that would otherwise be
+ * handled by Alpine's {@link GlobalExceptionHandler}, resulting in a misleading {@code HTTP 500} response.
+ *
+ * @since 4.11.0
+ */
+@Provider
+public class NotFoundExceptionMapper implements ExceptionMapper {
+
+ @Override
+ public Response toResponse(final NotFoundException exception) {
+ return Response.status(Response.Status.NOT_FOUND).build();
+ }
+
+}
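Review bot: `toResponse` returns an empty 404 while `JsonMappingExceptionMapper` in the same package and the BOM/VEX endpoints answer errors with an RFC 9457 `ProblemDetails` body of type `application/problem+json`; returning a `ProblemDetails` with status 404 here would keep the error contract uniform for API clients. Dropping the log entirely, as the commit message describes, also removes the signal that bursts of requests to unmapped routes used to leave; a single `debug`-level line with the requested path would keep that visible to operators without the flooding the `error`-level handler caused.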
diff --git a/src/test/java/org/dependencytrack/resources/v1/exception/NotFoundExceptionMapperTest.java b/src/test/java/org/dependencytrack/resources/v1/exception/NotFoundExceptionMapperTest.java
new file mode 100644
index 0000000000..3230c080d6
--- /dev/null
+++ b/src/test/java/org/dependencytrack/resources/v1/exception/NotFoundExceptionMapperTest.java
@@ -0,0 +1,38 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) Steve Springett. All Rights Reserved.
+ */
+package org.dependencytrack.resources.v1.exception;
+
+import org.junit.Test;
+
+import javax.ws.rs.NotFoundException;
+import javax.ws.rs.core.Response;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class NotFoundExceptionMapperTest {
+
+ @Test
+ @SuppressWarnings("resource")
+ public void testToResponse() {
+ final Response response = new NotFoundExceptionMapper().toResponse(new NotFoundException());
+ assertThat(response.getStatus()).isEqualTo(404);
+ assertThat(response.getEntity()).isNull();
+ }
+
+}
\ No newline at end of file
From 72121d6680d2ee553792ea7b5f83d1eecb7f87a3 Mon Sep 17 00:00:00 2001
From: nscuro
Date: Sun, 17 Mar 2024 21:27:19 +0100
Subject: [PATCH 018/412] Extend length of `PURL` and `PURLCOORDINATES` columns
from 255 to 786
Because PURLs are also used to populate the `TARGET` column of `COMPONENTANALYSISCACHE`, that column's length also has to be extended.
Fixes #2076
Signed-off-by: nscuro
---
docs/_posts/2024-xx-xx-v4.11.0.md | 7 +++
.../org/dependencytrack/model/Component.java | 6 +-
.../model/ComponentAnalysisCache.java | 2 +-
.../org/dependencytrack/model/Project.java | 3 +-
.../upgrade/v4110/v4110Updater.java | 56 ++++++++++++++++++-
5 files changed, 68 insertions(+), 6 deletions(-)
diff --git a/docs/_posts/2024-xx-xx-v4.11.0.md b/docs/_posts/2024-xx-xx-v4.11.0.md
index 4077ff63c5..7c91914d7d 100644
--- a/docs/_posts/2024-xx-xx-v4.11.0.md
+++ b/docs/_posts/2024-xx-xx-v4.11.0.md
@@ -80,6 +80,7 @@ environment variable `BOM_VALIDATION_ENABLED` to `false`.
* Fix `bom` and `vex` request fields not being visible in OpenAPI spec - [apiserver/#3557]
* Fix unclear error response when base64 encoded `bom` and `vex` values exceed character limit - [apiserver/#3558]
* Fix unhandled `NotFoundException`s causing a `HTTP 500` response - [apiserver/#3559]
+* Fix inability to store PURLs longer than 255 characters - [apiserver/#3560]
* Fix `VUE_APP_SERVER_URL` being ignored - [frontend/#682]
* Fix visibility of "Vulnerabilities" and "Policy Violations" columns not being toggle-able individually - [frontend/#686]
* Fix finding search routes - [frontend/#689]
@@ -112,6 +113,11 @@ and updated automatically upon upgrade, based on CVSSv2, CVSSv3, and OWASP Risk
* The following default values for configuration properties have changed:
* `ossindex.retry.backoff.max.duration.ms`: 600000ms (10min) → 60000ms (1min)
* The `name` tag of the `resilience4j_retry_calls_total` for OSS Index has changed from `ossIndexRetryer` to `ossindex-api`
+* The types of the following columns are changed from `VARCHAR(255)` to `VARCHAR(786)` automatically upon upgrade:
+ * `COMPONENT.PURL`
+ * `COMPONENT.PURLCOORDINATES`
+ * `COMPONENTANALYSISCACHE.TARGET`
+ * `PROJECT.PURL`
For a complete list of changes, refer to the respective GitHub milestones:
@@ -184,6 +190,7 @@ Special thanks to everyone who contributed code to implement enhancements and fi
[apiserver/#3557]: https://github.com/DependencyTrack/dependency-track/pull/3557
[apiserver/#3558]: https://github.com/DependencyTrack/dependency-track/pull/3558
[apiserver/#3559]: https://github.com/DependencyTrack/dependency-track/pull/3559
+[apiserver/#3560]: https://github.com/DependencyTrack/dependency-track/pull/3560
[frontend/#682]: https://github.com/DependencyTrack/frontend/pull/682
[frontend/#683]: https://github.com/DependencyTrack/frontend/pull/683
diff --git a/src/main/java/org/dependencytrack/model/Component.java b/src/main/java/org/dependencytrack/model/Component.java
index fcba320057..efe02b6149 100644
--- a/src/main/java/org/dependencytrack/model/Component.java
+++ b/src/main/java/org/dependencytrack/model/Component.java
@@ -248,7 +248,8 @@ public enum FetchGroup {
@Persistent(defaultFetchGroup = "true")
@Index(name = "COMPONENT_PURL_IDX")
- @Size(max = 255)
+ @Column(name = "PURL", length = 786)
+ @Size(max = 786)
@com.github.packageurl.validator.PackageURL
@JsonDeserialize(using = TrimmedStringDeserializer.class)
@ApiModelProperty(dataType = "string")
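Review bot: `PURL` keeps `@Index(name = "COMPONENT_PURL_IDX")` while growing to `length = 786`; on a MySQL InnoDB table using utf8mb4, the index key for a VARCHAR(786) column is 4 × 786 = 3144 bytes, above InnoDB's 3072-byte maximum key length, so the `MODIFY COLUMN ... VARCHAR(786)` statements in the updater's MySQL branch can fail with "Specified key was too long" on existing installations. Either cap the length at 768 characters, use a prefix index on MySQL, or state in the changelog that the MySQL upgrade path is not covered. The same applies to `PURLCOORDINATES` in the next hunk and to `PROJECT.PURL`.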
@@ -256,7 +257,8 @@ public enum FetchGroup {
@Persistent(defaultFetchGroup = "true")
@Index(name = "COMPONENT_PURL_COORDINATES_IDX")
- @Size(max = 255)
+ @Column(name = "PURLCOORDINATES", length = 786)
+ @Size(max = 786)
@com.github.packageurl.validator.PackageURL
@JsonDeserialize(using = TrimmedStringDeserializer.class)
private String purlCoordinates; // Field should contain only type, namespace, name, and version. Everything up to the qualifiers
diff --git a/src/main/java/org/dependencytrack/model/ComponentAnalysisCache.java b/src/main/java/org/dependencytrack/model/ComponentAnalysisCache.java
index f935eb0ad3..96e7383d32 100644
--- a/src/main/java/org/dependencytrack/model/ComponentAnalysisCache.java
+++ b/src/main/java/org/dependencytrack/model/ComponentAnalysisCache.java
@@ -84,7 +84,7 @@ public enum CacheType {
private String targetType;
@Persistent
- @Column(name = "TARGET", allowsNull = "false")
+ @Column(name = "TARGET", allowsNull = "false", length = 786)
@NotNull
private String target;
diff --git a/src/main/java/org/dependencytrack/model/Project.java b/src/main/java/org/dependencytrack/model/Project.java
index 1f8964b9b4..b234845f10 100644
--- a/src/main/java/org/dependencytrack/model/Project.java
+++ b/src/main/java/org/dependencytrack/model/Project.java
@@ -195,7 +195,8 @@ public enum FetchGroup {
@Persistent
@Index(name = "PROJECT_PURL_IDX")
- @Size(max = 255)
+ @Column(name = "PURL", length = 786)
+ @Size(max = 786)
@com.github.packageurl.validator.PackageURL
@JsonDeserialize(using = TrimmedStringDeserializer.class)
@ApiModelProperty(dataType = "string")
diff --git a/src/main/java/org/dependencytrack/upgrade/v4110/v4110Updater.java b/src/main/java/org/dependencytrack/upgrade/v4110/v4110Updater.java
index aed0b8c6a8..66ee37efc3 100644
--- a/src/main/java/org/dependencytrack/upgrade/v4110/v4110Updater.java
+++ b/src/main/java/org/dependencytrack/upgrade/v4110/v4110Updater.java
@@ -21,6 +21,7 @@
import alpine.common.logging.Logger;
import alpine.persistence.AlpineQueryManager;
import alpine.server.upgrade.AbstractUpgradeItem;
+import alpine.server.util.DbUtil;
import org.dependencytrack.model.Severity;
import org.dependencytrack.util.VulnerabilityUtil;
@@ -42,6 +43,7 @@ public String getSchemaVersion() {
public void executeUpgrade(final AlpineQueryManager qm, final Connection connection) throws Exception {
dropCweTable(connection);
computeVulnerabilitySeverities(connection);
+ extendPurlColumnLengths(connection);
}
private static void dropCweTable(final Connection connection) throws Exception {
@@ -59,10 +61,17 @@ private static void dropCweTable(final Connection connection) throws Exception {
ALTER TABLE "VULNERABILITY" DROP CONSTRAINT IF EXISTS "VULNERABILITY_FK1"
""");
- LOGGER.info("Dropping index \"VULNERABILITY\".\"VULNERABILITY_CWE_IDX\"");
- stmt.executeUpdate("""
+ if (DbUtil.isH2()) {
+ LOGGER.info("Dropping index \"VULNERABILITY_CWE_IDX\"");
+ stmt.executeUpdate("""
+ DROP INDEX IF EXISTS "VULNERABILITY_CWE_IDX"
+ """);
+ } else {
+ LOGGER.info("Dropping index \"VULNERABILITY\".\"VULNERABILITY_CWE_IDX\"");
+ stmt.executeUpdate("""
DROP INDEX IF EXISTS "VULNERABILITY"."VULNERABILITY_CWE_IDX"
""");
+ }
LOGGER.info("Dropping column \"VULNERABILITY\".\"CWE\"");
stmt.executeUpdate("""
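Review bot: the `else` branch still sends `DROP INDEX IF EXISTS "VULNERABILITY"."VULNERABILITY_CWE_IDX"` to every non-H2 database, but the two-part name means different things to each engine: MSSQL reads it as table.index, PostgreSQL reads it as schema.index (so `IF EXISTS` can skip silently and the index survives), and MySQL wants `DROP INDEX name ON table`. Consider branching per database the way `extendPurlColumnLengths` does, and collapsing the duplicated log/statement pair into one statement whose index name is chosen by the branch.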
@@ -139,4 +148,47 @@ private static void computeVulnerabilitySeverities(final Connection connection)
}
}
+ private static void extendPurlColumnLengths(final Connection connection) throws Exception {
+ LOGGER.info("Extending length of PURL and PURLCOORDINATES columns from 255 to 786");
+ if (DbUtil.isH2() || DbUtil.isPostgreSQL()) {
+ try (final Statement statement = connection.createStatement()) {
+ statement.addBatch("""
+ ALTER TABLE "COMPONENT" ALTER COLUMN "PURL" SET DATA TYPE VARCHAR(786)""");
+ statement.addBatch("""
+ ALTER TABLE "COMPONENT" ALTER COLUMN "PURLCOORDINATES" SET DATA TYPE VARCHAR(786)""");
+ statement.addBatch("""
+ ALTER TABLE "COMPONENTANALYSISCACHE" ALTER COLUMN "TARGET" SET DATA TYPE VARCHAR(786)""");
+ statement.addBatch("""
+ ALTER TABLE "PROJECT" ALTER COLUMN "PURL" SET DATA TYPE VARCHAR(786)""");
+ statement.executeBatch();
+ }
+ } else if (DbUtil.isMssql()) {
+ try (final Statement statement = connection.createStatement()) {
+ statement.addBatch("""
+ ALTER TABLE "COMPONENT" ALTER COLUMN "PURL" VARCHAR(786) NULL""");
+ statement.addBatch("""
+ ALTER TABLE "COMPONENT" ALTER COLUMN "PURLCOORDINATES" VARCHAR(786) NULL""");
+ statement.addBatch("""
+ ALTER TABLE "COMPONENTANALYSISCACHE" ALTER COLUMN "TARGET" VARCHAR(786) NOT NULL""");
+ statement.addBatch("""
+ ALTER TABLE "PROJECT" ALTER COLUMN "PURL" VARCHAR(786) NULL""");
+ statement.executeBatch();
+ }
+ } else if (DbUtil.isMysql()) {
+ try (final Statement statement = connection.createStatement()) {
+ statement.addBatch("""
+ ALTER TABLE "COMPONENT" MODIFY COLUMN "PURL" VARCHAR(786)""");
+ statement.addBatch("""
+ ALTER TABLE "COMPONENT" MODIFY COLUMN "PURLCOORDINATES" VARCHAR(786)""");
+ statement.addBatch("""
+ ALTER TABLE "COMPONENTANALYSISCACHE" MODIFY COLUMN "TARGET" VARCHAR(786)""");
+ statement.addBatch("""
+ ALTER TABLE "PROJECT" MODIFY COLUMN "PURL" VARCHAR(786)""");
+ statement.executeBatch();
+ }
+ } else {
+ throw new IllegalStateException("Unrecognized database type");
+ }
+ }
+
}
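Review bot: in the MySQL branch, `MODIFY COLUMN` replaces the whole column definition, so `ALTER TABLE "COMPONENTANALYSISCACHE" MODIFY COLUMN "TARGET" VARCHAR(786)` silently drops the NOT NULL constraint that the MSSQL branch explicitly keeps with `VARCHAR(786) NOT NULL`; restate `NOT NULL` (and any default) on the MySQL statements. The log line also mentions only PURL and PURLCOORDINATES although the batch widens `COMPONENTANALYSISCACHE.TARGET` as well, which makes the upgrade log misleading when that statement is the one that fails.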
From 8069b36742dcca64a63ef134019428b9338d57e4 Mon Sep 17 00:00:00 2001
From: Aravind Parappil
Date: Mon, 18 Mar 2024 01:14:53 -0400
Subject: [PATCH 019/412] Generate SARIF File Of Project Vulnerability Findings
If the request header `Accept: application/sarif+json` is provided to the GET
Finding By Project UUID API, it will now return a SARIF file with the vulnerability findings
in that project.
The SARIF file is generated based on a Pebble template.
Signed-off-by: Aravind Parappil
---
.../resources/v1/FindingResource.java | 41 ++++++++++++--
.../resources/templates/findings/sarif.peb | 54 +++++++++++++++++++
.../resources/v1/FindingResourceTest.java | 43 +++++++++++++++
3 files changed, 135 insertions(+), 3 deletions(-)
create mode 100644 src/main/resources/templates/findings/sarif.peb
diff --git a/src/main/java/org/dependencytrack/resources/v1/FindingResource.java b/src/main/java/org/dependencytrack/resources/v1/FindingResource.java
index cec9c4cecb..b76526526f 100644
--- a/src/main/java/org/dependencytrack/resources/v1/FindingResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/FindingResource.java
@@ -20,9 +20,12 @@
import alpine.common.logging.Logger;
import alpine.event.framework.Event;
+import alpine.model.About;
import alpine.persistence.PaginatedResult;
import alpine.server.auth.PermissionRequired;
import alpine.server.resources.AlpineResource;
+import io.pebbletemplates.pebble.PebbleEngine;
+import io.pebbletemplates.pebble.template.PebbleTemplate;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
@@ -30,6 +33,11 @@
import io.swagger.annotations.ApiResponses;
import io.swagger.annotations.Authorization;
import io.swagger.annotations.ResponseHeader;
+import java.io.IOException;
+import java.io.StringWriter;
+import java.io.Writer;
+import javax.ws.rs.HeaderParam;
+import javax.ws.rs.core.Response.Status;
import org.dependencytrack.auth.Permissions;
import org.dependencytrack.event.PolicyEvaluationEvent;
import org.dependencytrack.event.RepositoryMetaEvent;
@@ -67,12 +75,13 @@
public class FindingResource extends AlpineResource {
private static final Logger LOGGER = Logger.getLogger(FindingResource.class);
+ public static final String MEDIA_TYPE_SARIF_JSON = "application/sarif+json";
@GET
@Path("/project/{uuid}")
- @Produces(MediaType.APPLICATION_JSON)
+ @Produces({MediaType.APPLICATION_JSON, MEDIA_TYPE_SARIF_JSON})
@ApiOperation(
- value = "Returns a list of all findings for a specific project",
+ value = "Returns a list of all findings for a specific project or generates SARIF file if Accept: application/sarif+json header is provided",
response = Finding.class,
responseContainer = "List",
responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of findings")
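Review bot: the `@ApiOperation` still declares `response = Finding.class, responseContainer = "List"` and the `X-Total-Count` response header, which describe the JSON representation only; with `@Produces({MediaType.APPLICATION_JSON, MEDIA_TYPE_SARIF_JSON})` the generated API documentation will advertise a Finding list for `application/sarif+json` too. Keep `value` short and move the Accept-header behaviour into `notes`, stating that the SARIF representation is a single document without the total-count header.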
@@ -87,13 +96,24 @@ public Response getFindingsByProject(@PathParam("uuid") String uuid,
@ApiParam(value = "Optionally includes suppressed findings")
@QueryParam("suppressed") boolean suppressed,
@ApiParam(value = "Optionally limit findings to specific sources of vulnerability intelligence")
- @QueryParam("source") Vulnerability.Source source) {
+ @QueryParam("source") Vulnerability.Source source,
+ @HeaderParam("accept") String acceptHeader) {
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Project project = qm.getObjectByUuid(Project.class, uuid);
if (project != null) {
if (qm.hasAccess(super.getPrincipal(), project)) {
//final long totalCount = qm.getVulnerabilityCount(project, suppressed);
final List findings = qm.getFindings(project, suppressed);
+ if (acceptHeader != null && acceptHeader.contains(MEDIA_TYPE_SARIF_JSON)) {
+ try {
+ return Response.ok(generateSARIF(findings), MEDIA_TYPE_SARIF_JSON)
+ .header("content-disposition","attachment; filename=\"findings-" + uuid + ".sarif\"")
+ .build();
+ } catch (IOException ioException) {
+ LOGGER.error(ioException.getMessage(), ioException);
+ return Response.status(Status.INTERNAL_SERVER_ERROR).entity("An error occurred while generating SARIF file").build();
+ }
+ }
if (source != null) {
final List filteredList = findings.stream().filter(finding -> source.name().equals(finding.getVulnerability().get("source"))).collect(Collectors.toList());
return Response.ok(filteredList).header(TOTAL_COUNT_HEADER, filteredList.size()).build();
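Review bot: the SARIF branch returns before the `source` filter is applied, so `?source=` is silently ignored for `application/sarif+json`; move the `if (acceptHeader != null && ...)` block after the filtering or pass the filtered list to `generateSARIF`. The check also re-implements content negotiation with `acceptHeader.contains(MEDIA_TYPE_SARIF_JSON)`: `Accept: application/json, application/sarif+json;q=0.1` yields SARIF although JSON is preferred, and the comparison is case-sensitive. Since `@Produces` already lists both types, injecting `@Context HttpHeaders` and consulting `getAcceptableMediaTypes()`, or splitting the handler into two methods with one `@Produces` each, lets JAX-RS select the representation. Prefer `project.getUuid()` over the raw `uuid` path parameter when building the `content-disposition` filename.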
@@ -298,4 +318,19 @@ public Response getAllFindings(@ApiParam(value = "Show inactive projects")
}
}
+ private String generateSARIF(List findings) throws IOException {
+ final PebbleEngine engine = new PebbleEngine.Builder().newLineTrimming(false).build();
+ final PebbleTemplate sarifTemplate = engine.getTemplate("templates/findings/sarif.peb");
+
+ final Map context = new HashMap<>();
+ final About about = new About();
+ context.put("findings", findings);
+ context.put("dependencyTrackVersion", about.getVersion());
+
+ try (final Writer writer = new StringWriter()) {
+ sarifTemplate.evaluate(writer, context);
+ return writer.toString();
+ }
+ }
+
}
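Review bot: `new PebbleEngine.Builder()...build()` on every request discards Pebble's template cache and re-parses `sarif.peb` each time; hold the engine in a `private static final` field and fetch the template from it. `Map context` and `List findings` are raw types; declare them `Map<String, Object>` and `List<Finding>` so the compiler checks what the template receives.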
diff --git a/src/main/resources/templates/findings/sarif.peb b/src/main/resources/templates/findings/sarif.peb
new file mode 100644
index 0000000000..6c4e600841
--- /dev/null
+++ b/src/main/resources/templates/findings/sarif.peb
@@ -0,0 +1,54 @@
+{
+ "version": "2.1.0",
+ "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json",
+ "runs": [
+ {
+ "tool": {
+ "driver": {
+ "name": "OWASP Dependency-Track",
+ "version": "{{ dependencyTrackVersion }}",
+ "informationUri": "https://dependencytrack.org/",
+ "rules": [{% for finding in findings %}
+ {
+ "id": "{{ finding.vulnerability.vulnId }}",
+ "name": "{{ finding.component.name }} - {{ finding.vulnerability.cweName }}",
+ "shortDescription": {
+ "text": "{{ finding.vulnerability.description | split('\n') | join(' ') | trim }}"
+ }
+ }{% if not loop.last %},{% endif %}{% endfor %}
+ ]
+ }
+ },
+ "results": [{% for finding in findings %}
+ {
+ "ruleId": "{{ finding.vulnerability.vulnId }}",
+ "message": {
+ "text": "{{ finding.vulnerability.description | split('\n') | join(' ') | trim }}"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "{{ finding.component.purl }}"
+ }
+ }
+ }
+ ],
+ "level": {% if ['LOW', 'INFO'] contains finding.vulnerability.severity %}"note",{% elseif finding.vulnerability.severity == 'MEDIUM' %}"warning",{% elseif ['HIGH', 'CRITICAL'] contains finding.vulnerability.severity %}"error",{% else %}"none",{% endif %}
+ "properties": {
+ "name": "{{ finding.component.name }}",
+ "group": "{{ finding.component.group }}",
+ "version": "{{ finding.component.version }}",
+ "source": "{{ finding.vulnerability.source }}",
+ "cweId": "{{ finding.vulnerability.cweId }}",
+ "cvssV3BaseScore": "{{ finding.vulnerability.cvssV3BaseScore }}",
+ "epssScore": "{{ finding.vulnerability.epssScore }}",
+ "epssPercentile": "{{ finding.vulnerability.epssPercentile }}",
+ "severityRank": "{{ finding.vulnerability.severityRank }}",
+ "recommendation": "{{ finding.vulnerability.recommendation | split('\n') | join(' ') | trim }}"
+ }
+ }{% if not loop.last %},{% endif %}{% endfor %}
+ ]
+ }
+ ]
+}
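Review bot: the values interpolated into this JSON document are not JSON-escaped. `split('\n') | join(' ')` removes newlines only, so a description or recommendation containing `"`, `\` or a control character yields invalid JSON, or, under Pebble's default HTML autoescaping, entity-encoded text such as `&quot;` that parses but is not the original content. Either build the SARIF document with a JSON library in `generateSARIF` or apply a JSON escaping strategy to every interpolated value. Separately, `rules` iterates over `findings`, so two findings for the same `vulnId` emit duplicate rule objects with the same `id`; iterate over distinct vulnerabilities (or de-duplicate in Java) so each rule appears once and `results` reference it by `ruleId`.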
diff --git a/src/test/java/org/dependencytrack/resources/v1/FindingResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/FindingResourceTest.java
index 278a190268..96079b4304 100644
--- a/src/test/java/org/dependencytrack/resources/v1/FindingResourceTest.java
+++ b/src/test/java/org/dependencytrack/resources/v1/FindingResourceTest.java
@@ -18,11 +18,15 @@
*/
package org.dependencytrack.resources.v1;
+import static org.dependencytrack.resources.v1.FindingResource.MEDIA_TYPE_SARIF_JSON;
+
import alpine.Config;
+import alpine.model.About;
import alpine.model.ConfigProperty;
import alpine.model.Team;
import alpine.server.filters.ApiFilter;
import alpine.server.filters.AuthenticationFilter;
+import javax.ws.rs.core.HttpHeaders;
import org.dependencytrack.ResourceTest;
import org.dependencytrack.model.Component;
import org.dependencytrack.model.ConfigPropertyConstants;
@@ -589,6 +593,45 @@ public void getAllFindingsGroupedByVulnerabilityWithAclEnabled() {
Assert.assertEquals(1, json.getJsonObject(2).getJsonObject("vulnerability").getInt("affectedProjectCount"));
}
+ @Test
+ public void getSARIFFindingsByProjectTest() {
+ Project p1 = qm.createProject("Acme Example", null, "1.0", null, null, null, true, false);
+ Component c1 = createComponent(p1, "Component A", "1.0");
+ Component c2 = createComponent(p1, "Component B", "1.0");
+ Component c3 = createComponent(p1, "Component C", "1.0");
+ Vulnerability v1 = createVulnerability("Vuln-1", Severity.CRITICAL);
+ Vulnerability v2 = createVulnerability("Vuln-2", Severity.HIGH);
+ Vulnerability v3 = createVulnerability("Vuln-3", Severity.MEDIUM);
+ Vulnerability v4 = createVulnerability("Vuln-4", Severity.LOW);
+ qm.addVulnerability(v1, c1, AnalyzerIdentity.NONE);
+ qm.addVulnerability(v2, c1, AnalyzerIdentity.NONE);
+ qm.addVulnerability(v3, c2, AnalyzerIdentity.NONE);
+ qm.addVulnerability(v4, c3, AnalyzerIdentity.NONE);
+
+ Response response = target(V1_FINDING + "/project/" + p1.getUuid().toString()).request()
+ .header(HttpHeaders.ACCEPT, MEDIA_TYPE_SARIF_JSON)
+ .header(X_API_KEY, apiKey)
+ .get(Response.class);
+
+ Assert.assertEquals(200, response.getStatus(), 0);
+ Assert.assertEquals(MEDIA_TYPE_SARIF_JSON, response.getHeaderString(HttpHeaders.CONTENT_TYPE));
+
+ JsonObject json = parseJsonObject(response);
+ Assert.assertNotNull(json);
+
+ JsonArray runs = json.getJsonArray("runs");
+ Assert.assertNotNull(runs);
+ JsonObject runsJson = runs.getJsonObject(0);
+ Assert.assertNotNull(runsJson);
+ Assert.assertEquals("OWASP Dependency-Track", runsJson.getJsonObject("tool").getJsonObject("driver").getString("name"));
+ Assert.assertEquals(new About().getVersion(), runsJson.getJsonObject("tool").getJsonObject("driver").getString("version"));
+ Assert.assertNotNull(runsJson.getJsonObject("tool").getJsonObject("driver").getJsonArray("rules"));
+ Assert.assertEquals("Vuln-1", runsJson.getJsonObject("tool").getJsonObject("driver").getJsonArray("rules").getJsonObject(0).getString("id"));
+ Assert.assertNotNull(runsJson.getJsonArray("results"));
+ Assert.assertEquals("error", runsJson.getJsonArray("results").getJsonObject(0).getString("level"));
+ Assert.assertEquals("Vuln-1", runsJson.getJsonArray("results").getJsonObject(0).getString("ruleId"));
+ }
+
private Component createComponent(Project project, String name, String version) {
Component component = new Component();
component.setProject(project);
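Review bot: the test checks only index 0 of `rules` and `results` and assumes `qm.getFindings` returns `Vuln-1` first; assert on the sizes of both arrays (4 each with this setup) and look entries up by `ruleId` rather than by position so the test does not depend on ordering. Extending the `createVulnerability` helper to set a description containing a double quote and a backslash would also let `parseJsonObject(response)` catch invalid escaping in the template.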
From c8db7f30169e350e200d3974bdbfc20ea6370d08 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Mar 2024 08:03:20 +0000
Subject: [PATCH 020/412] Bump docker/setup-buildx-action from 3.1.0 to 3.2.0
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/0d103c3126aa41d772a8362f6aa67afac040f80c...2b51285047da1547ffb1b2203d8be4c0af6b1f20)
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
.github/workflows/_meta-build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
index f19f5ff0c3..4cf069eb86 100644
--- a/.github/workflows/_meta-build.yaml
+++ b/.github/workflows/_meta-build.yaml
@@ -86,7 +86,7 @@ jobs:
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v3.0.0
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # tag=v3.1.0
+ uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # tag=v3.2.0
id: buildx
with:
install: true
From 73c0d40ebbd123d288ee3dce2e6f486558ee0cab Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Mar 2024 08:03:24 +0000
Subject: [PATCH 021/412] Bump actions/checkout from 4.1.1 to 4.1.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
.github/workflows/_meta-build.yaml | 4 ++--
.github/workflows/ci-publish.yaml | 4 ++--
.github/workflows/ci-release.yaml | 6 +++---
.github/workflows/ci-test.yaml | 2 +-
.github/workflows/dependency-review.yaml | 2 +-
5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
index f19f5ff0c3..e033bb2d82 100644
--- a/.github/workflows/_meta-build.yaml
+++ b/.github/workflows/_meta-build.yaml
@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Set up JDK
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # tag=v4.1.0
@@ -74,7 +74,7 @@ jobs:
steps:
- name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Download Artifacts
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # tag=v4.1.4
diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
index 89ebf9c36a..326f46ec7f 100644
--- a/.github/workflows/ci-publish.yaml
+++ b/.github/workflows/ci-publish.yaml
@@ -23,7 +23,7 @@ jobs:
exit 1
fi
- name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Parse Version from POM
id: parse
@@ -51,7 +51,7 @@ jobs:
- call-build
steps:
- name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Download Artifacts
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # tag=v4.1.4
diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
index d25a97a1cf..cc4847816b 100644
--- a/.github/workflows/ci-release.yaml
+++ b/.github/workflows/ci-release.yaml
@@ -20,7 +20,7 @@ jobs:
release-branch: ${{ steps.variables.outputs.release-branch }}
steps:
- name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Setup Environment
id: variables
@@ -51,7 +51,7 @@ jobs:
steps:
- name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Set up JDK
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # tag=v4.1.0
@@ -118,7 +118,7 @@ jobs:
steps:
- name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
with:
ref: ${{ needs.prepare-release.outputs.release-branch }}
diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
index d8aa8b2039..b044c613bb 100644
--- a/.github/workflows/ci-test.yaml
+++ b/.github/workflows/ci-test.yaml
@@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Set up JDK
uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # tag=v4.1.0
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index 330a7a6d67..3a321cedbc 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -9,7 +9,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Dependency Review
uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # tag=v4.1.3
From 939e634ddeaea8a0d74d1e33533f6d5fbd22a608 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Mar 2024 08:03:27 +0000
Subject: [PATCH 022/412] Bump docker/build-push-action from 5.2.0 to 5.3.0
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/af5a7ed5ba88268d5278f7203fb52cd833f66d6e...2cdde995de11925a030ce8070c3d77a52ffcf1c0)
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
.github/workflows/_meta-build.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
index f19f5ff0c3..359706c128 100644
--- a/.github/workflows/_meta-build.yaml
+++ b/.github/workflows/_meta-build.yaml
@@ -109,7 +109,7 @@ jobs:
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
- name: Build multi-arch Container Image
- uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # tag=v5.2.0
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # tag=v5.3.0
with:
tags: ${{ steps.tags.outputs.tags }}
build-args: |-
From aed6f46a09a86f701bb37a64a1ae7ab2a680cd7c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Mar 2024 09:42:47 +0000
Subject: [PATCH 023/412] Bump actions/setup-java from 4.1.0 to 4.2.1
Bumps [actions/setup-java](https://github.com/actions/setup-java) from 4.1.0 to 4.2.1.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](https://github.com/actions/setup-java/compare/9704b39bf258b59bc04b50fa2dd55e9ed76b47a8...99b8673ff64fbf99d8d325f52d9a5bdedb8483e9)
---
updated-dependencies:
- dependency-name: actions/setup-java
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
.github/workflows/_meta-build.yaml | 2 +-
.github/workflows/ci-release.yaml | 2 +-
.github/workflows/ci-test.yaml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
index ab6eef0753..0f45dfb3a4 100644
--- a/.github/workflows/_meta-build.yaml
+++ b/.github/workflows/_meta-build.yaml
@@ -27,7 +27,7 @@ jobs:
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Set up JDK
- uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # tag=v4.1.0
+ uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # tag=v4.2.1
with:
distribution: 'temurin'
java-version: '17'
diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
index cc4847816b..626bfe8eb6 100644
--- a/.github/workflows/ci-release.yaml
+++ b/.github/workflows/ci-release.yaml
@@ -54,7 +54,7 @@ jobs:
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Set up JDK
- uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # tag=v4.1.0
+ uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # tag=v4.2.1
with:
distribution: 'temurin'
java-version: '17'
diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
index b044c613bb..318967a927 100644
--- a/.github/workflows/ci-test.yaml
+++ b/.github/workflows/ci-test.yaml
@@ -34,7 +34,7 @@ jobs:
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v4.1.2
- name: Set up JDK
- uses: actions/setup-java@9704b39bf258b59bc04b50fa2dd55e9ed76b47a8 # tag=v4.1.0
+ uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # tag=v4.2.1
with:
distribution: 'temurin'
java-version: '17'
From 965fbc3025bcbcd0a4da918c9b1953d5520eb8de Mon Sep 17 00:00:00 2001
From: Magnus Viernickel
Date: Mon, 18 Mar 2024 11:51:07 +0100
Subject: [PATCH 024/412] [fix] fix test
Signed-off-by: Magnus Viernickel
---
pom.xml | 8 ++++-
.../repositories/NixpkgsMetaAnalyzer.java | 31 ++++++++++---------
2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/pom.xml b/pom.xml
index 538365180b..cdcf8f110f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -267,6 +267,13 @@
compile
+
+
+ org.brotli
+ dec
+ 0.1.2
+
+
org.apache.httpcomponentshttpmime
@@ -410,7 +417,6 @@
2.35.2test
-
com.github.stefanbirknersystem-rules
diff --git a/src/main/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java b/src/main/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java
index c884aea58e..7a67fc8659 100644
--- a/src/main/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java
+++ b/src/main/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java
@@ -24,16 +24,20 @@
import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.HttpStatus;
-import org.apache.hc.core5.http.io.entity.EntityUtils;
import org.apache.http.client.utils.URIBuilder;
+import org.brotli.dec.BrotliInputStream;
import org.dependencytrack.exception.MetaAnalyzerException;
import org.dependencytrack.model.Component;
import org.dependencytrack.model.RepositoryType;
import org.json.JSONObject;
+import org.json.JSONTokener;
+import java.io.BufferedReader;
import java.io.IOException;
+import java.io.InputStreamReader;
import java.net.URISyntaxException;
import java.util.HashMap;
+import java.util.stream.Collectors;
public class NixpkgsMetaAnalyzer extends AbstractMetaAnalyzer {
private static final Logger LOGGER = Logger.getLogger(NixpkgsMetaAnalyzer.class);
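Review bot: `org.brotli.dec.BrotliInputStream` and `java.util.stream.Collectors` are imported but never used in this patch (the following `[chore] reformat` commit removes them again), and with them the new `org.brotli:dec` dependency added to pom.xml in this same commit has no remaining user; either wire the Brotli decoding in or drop the dependency instead of leaving an unused artifact in the build.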
@@ -51,20 +55,17 @@ private NixpkgsMetaAnalyzer() {
try (final CloseableHttpClient client = HttpClients.createDefault()) {
try (final CloseableHttpResponse packagesResponse = processHttpRequest5(client)) {
if (packagesResponse != null && packagesResponse.getCode() == HttpStatus.SC_OK) {
- final var entity = packagesResponse.getEntity();
- if (entity != null) {
- // TODO(mangoiv): is this the fastest way we can do this?
- final var entityString = EntityUtils.toString(entity);
- final var packages = new JSONObject(entityString).getJSONObject("packages").toMap().values();
- packages.forEach(pkg -> {
- // FUTUREWORK(mangoiv): there are potentially packages with the same pname
- if (pkg instanceof HashMap jsonPkg) {
- final var pname = jsonPkg.get("pname");
- final var version = jsonPkg.get("version");
- newLatestVersion.putIfAbsent((String) pname, (String) version);
- }
- });
- }
+ var reader = new BufferedReader(new InputStreamReader(packagesResponse.getEntity().getContent()));
+ var packages = new JSONObject(new JSONTokener(reader)).getJSONObject("packages").toMap().values();
+ packages.forEach(pkg -> {
+ // FUTUREWORK(mangoiv): there are potentially packages with the same pname
+ if (pkg instanceof HashMap jsonPkg) {
+ final var pname = jsonPkg.get("pname");
+ final var version = jsonPkg.get("version");
+ newLatestVersion.putIfAbsent((String) pname, (String) version);
+ }
+ });
+
}
}
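Review bot: the rewrite drops the `entity != null` guard, so `packagesResponse.getEntity().getContent()` throws a NullPointerException on a 200 response without a body instead of being skipped as before. `InputStreamReader` is constructed without a charset, so the packages JSON is decoded with the platform default rather than UTF-8, and the reader is never closed. Suggest keeping the null check and using `try (var reader = new BufferedReader(new InputStreamReader(entity.getContent(), StandardCharsets.UTF_8)))` around the `JSONTokener` parse.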
From 93573e0663f5bc9e6a6b2370e96524b21b0d78f7 Mon Sep 17 00:00:00 2001
From: Magnus Viernickel
Date: Mon, 18 Mar 2024 11:58:18 +0100
Subject: [PATCH 025/412] [chore] reformat
Signed-off-by: Magnus Viernickel
---
.../dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/main/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java b/src/main/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java
index 7a67fc8659..0825937bbb 100644
--- a/src/main/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java
+++ b/src/main/java/org/dependencytrack/tasks/repositories/NixpkgsMetaAnalyzer.java
@@ -25,7 +25,6 @@
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.HttpStatus;
import org.apache.http.client.utils.URIBuilder;
-import org.brotli.dec.BrotliInputStream;
import org.dependencytrack.exception.MetaAnalyzerException;
import org.dependencytrack.model.Component;
import org.dependencytrack.model.RepositoryType;
@@ -37,7 +36,6 @@
import java.io.InputStreamReader;
import java.net.URISyntaxException;
import java.util.HashMap;
-import java.util.stream.Collectors;
public class NixpkgsMetaAnalyzer extends AbstractMetaAnalyzer {
private static final Logger LOGGER = Logger.getLogger(NixpkgsMetaAnalyzer.class);
From ec636cb951869a5eaa84a061eb682f8aca80c306 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 08:29:36 +0000
Subject: [PATCH 026/412] Bump
com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver
Bumps com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.17.0 to 1.17.1.
---
updated-dependencies:
- dependency-name: com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index bd5133effb..4d31f6842a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -85,7 +85,7 @@
${project.parent.version}4.2.010.12.5
- 1.17.0
+ 1.17.11.16.01.16.02.1.0
From c5eda9271e3b55e7a55b8d60615816cdfe585916 Mon Sep 17 00:00:00 2001
From: nscuro
Date: Wed, 20 Mar 2024 18:39:35 +0100
Subject: [PATCH 027/412] Transfer copyright from Steve Springett to OWASP
Foundation
Signed-off-by: nscuro
---
.checkstyle-header | 2 +-
README.md | 2 +-
dev/docker-compose.monitoring.yml | 2 +-
dev/docker-compose.mssql.yml | 2 +-
dev/docker-compose.postgres.yml | 2 +-
dev/docker-compose.yml | 2 +-
dev/scripts/cwe-dictionary-generate.py | 2 +-
docs/images/dt-logo.svg | 2 +-
pom.xml | 2 +-
src/main/java/org/dependencytrack/RequirementsVerifier.java | 2 +-
src/main/java/org/dependencytrack/auth/Permissions.java | 2 +-
src/main/java/org/dependencytrack/auth/package-info.java | 2 +-
.../org/dependencytrack/common/AlpineHttpProxySelector.java | 2 +-
src/main/java/org/dependencytrack/common/ConfigKey.java | 2 +-
src/main/java/org/dependencytrack/common/HttpClientPool.java | 2 +-
src/main/java/org/dependencytrack/common/ManagedHttpClient.java | 2 +-
.../org/dependencytrack/common/ManagedHttpClientFactory.java | 2 +-
src/main/java/org/dependencytrack/common/MdcKeys.java | 2 +-
.../event/AbstractVulnerabilityManagementUploadEvent.java | 2 +-
src/main/java/org/dependencytrack/event/BomUploadEvent.java | 2 +-
src/main/java/org/dependencytrack/event/CallbackEvent.java | 2 +-
.../dependencytrack/event/ClearComponentAnalysisCacheEvent.java | 2 +-
src/main/java/org/dependencytrack/event/CloneProjectEvent.java | 2 +-
.../org/dependencytrack/event/ComponentMetricsUpdateEvent.java | 2 +-
.../dependencytrack/event/DefectDojoUploadEventAbstract.java | 2 +-
src/main/java/org/dependencytrack/event/EpssMirrorEvent.java | 2 +-
.../org/dependencytrack/event/EventSubsystemInitializer.java | 2 +-
.../dependencytrack/event/FortifySscUploadEventAbstract.java | 2 +-
.../org/dependencytrack/event/GitHubAdvisoryMirrorEvent.java | 2 +-
src/main/java/org/dependencytrack/event/IndexEvent.java | 2 +-
.../java/org/dependencytrack/event/InternalAnalysisEvent.java | 2 +-
.../event/InternalComponentIdentificationEvent.java | 2 +-
.../dependencytrack/event/KennaSecurityUploadEventAbstract.java | 2 +-
.../event/NewVulnerableDependencyAnalysisEvent.java | 2 +-
src/main/java/org/dependencytrack/event/NistApiMirrorEvent.java | 2 +-
src/main/java/org/dependencytrack/event/NistMirrorEvent.java | 2 +-
.../java/org/dependencytrack/event/OssIndexAnalysisEvent.java | 2 +-
src/main/java/org/dependencytrack/event/OsvMirrorEvent.java | 2 +-
.../java/org/dependencytrack/event/PolicyEvaluationEvent.java | 2 +-
.../org/dependencytrack/event/PortfolioMetricsUpdateEvent.java | 2 +-
.../event/PortfolioVulnerabilityAnalysisEvent.java | 2 +-
.../org/dependencytrack/event/ProjectMetricsUpdateEvent.java | 2 +-
.../java/org/dependencytrack/event/RepositoryMetaEvent.java | 2 +-
src/main/java/org/dependencytrack/event/SnykAnalysisEvent.java | 2 +-
src/main/java/org/dependencytrack/event/TrivyAnalysisEvent.java | 2 +-
src/main/java/org/dependencytrack/event/VexUploadEvent.java | 2 +-
.../java/org/dependencytrack/event/VulnDbAnalysisEvent.java | 2 +-
src/main/java/org/dependencytrack/event/VulnDbSyncEvent.java | 2 +-
.../org/dependencytrack/event/VulnerabilityAnalysisEvent.java | 2 +-
.../dependencytrack/event/VulnerabilityMetricsUpdateEvent.java | 2 +-
src/main/java/org/dependencytrack/event/package-info.java | 2 +-
.../org/dependencytrack/exception/MetaAnalyzerException.java | 2 +-
src/main/java/org/dependencytrack/exception/ParseException.java | 2 +-
.../java/org/dependencytrack/exception/PolicyException.java | 2 +-
.../java/org/dependencytrack/exception/PublisherException.java | 2 +-
.../org/dependencytrack/exception/RequirementsException.java | 2 +-
src/main/java/org/dependencytrack/exception/package-info.java | 2 +-
.../java/org/dependencytrack/health/HealthCheckInitializer.java | 2 +-
.../dependencytrack/integrations/AbstractIntegrationPoint.java | 2 +-
.../dependencytrack/integrations/FindingPackagingFormat.java | 2 +-
.../java/org/dependencytrack/integrations/FindingUploader.java | 2 +-
.../java/org/dependencytrack/integrations/IntegrationPoint.java | 2 +-
.../dependencytrack/integrations/PortfolioFindingUploader.java | 2 +-
.../dependencytrack/integrations/ProjectFindingUploader.java | 2 +-
.../integrations/defectdojo/DefectDojoClient.java | 2 +-
.../integrations/defectdojo/DefectDojoUploader.java | 2 +-
.../integrations/fortifyssc/FortifySscClient.java | 2 +-
.../integrations/fortifyssc/FortifySscUploader.java | 2 +-
.../integrations/kenna/KennaDataTransformer.java | 2 +-
.../integrations/kenna/KennaSecurityUploader.java | 2 +-
src/main/java/org/dependencytrack/metrics/Metrics.java | 2 +-
src/main/java/org/dependencytrack/metrics/package-info.java | 2 +-
.../org/dependencytrack/model/AffectedVersionAttribution.java | 2 +-
src/main/java/org/dependencytrack/model/Analysis.java | 2 +-
src/main/java/org/dependencytrack/model/AnalysisComment.java | 2 +-
.../java/org/dependencytrack/model/AnalysisJustification.java | 2 +-
src/main/java/org/dependencytrack/model/AnalysisResponse.java | 2 +-
src/main/java/org/dependencytrack/model/AnalysisState.java | 2 +-
src/main/java/org/dependencytrack/model/Bom.java | 2 +-
src/main/java/org/dependencytrack/model/Classifier.java | 2 +-
src/main/java/org/dependencytrack/model/Component.java | 2 +-
.../java/org/dependencytrack/model/ComponentAnalysisCache.java | 2 +-
src/main/java/org/dependencytrack/model/ComponentIdentity.java | 2 +-
.../java/org/dependencytrack/model/ConfigPropertyConstants.java | 2 +-
src/main/java/org/dependencytrack/model/Coordinates.java | 2 +-
src/main/java/org/dependencytrack/model/Cwe.java | 2 +-
src/main/java/org/dependencytrack/model/DataClassification.java | 2 +-
src/main/java/org/dependencytrack/model/DependencyMetrics.java | 2 +-
src/main/java/org/dependencytrack/model/ExternalReference.java | 2 +-
src/main/java/org/dependencytrack/model/Finding.java | 2 +-
src/main/java/org/dependencytrack/model/FindingAttribution.java | 2 +-
src/main/java/org/dependencytrack/model/GroupedFinding.java | 2 +-
src/main/java/org/dependencytrack/model/ICpe.java | 2 +-
src/main/java/org/dependencytrack/model/IdentifiableObject.java | 2 +-
src/main/java/org/dependencytrack/model/License.java | 2 +-
src/main/java/org/dependencytrack/model/LicenseGroup.java | 2 +-
.../java/org/dependencytrack/model/NotificationPublisher.java | 2 +-
src/main/java/org/dependencytrack/model/NotificationRule.java | 2 +-
.../java/org/dependencytrack/model/OrganizationalContact.java | 2 +-
.../java/org/dependencytrack/model/OrganizationalEntity.java | 2 +-
src/main/java/org/dependencytrack/model/Policy.java | 2 +-
src/main/java/org/dependencytrack/model/PolicyCondition.java | 2 +-
src/main/java/org/dependencytrack/model/PolicyViolation.java | 2 +-
src/main/java/org/dependencytrack/model/PortfolioMetrics.java | 2 +-
src/main/java/org/dependencytrack/model/Project.java | 2 +-
src/main/java/org/dependencytrack/model/ProjectMetadata.java | 2 +-
src/main/java/org/dependencytrack/model/ProjectMetrics.java | 2 +-
src/main/java/org/dependencytrack/model/ProjectProperty.java | 2 +-
src/main/java/org/dependencytrack/model/ProjectVersion.java | 2 +-
src/main/java/org/dependencytrack/model/Repository.java | 2 +-
.../java/org/dependencytrack/model/RepositoryMetaComponent.java | 2 +-
src/main/java/org/dependencytrack/model/RepositoryType.java | 2 +-
src/main/java/org/dependencytrack/model/ServiceComponent.java | 2 +-
src/main/java/org/dependencytrack/model/Severity.java | 2 +-
src/main/java/org/dependencytrack/model/SnykCvssSource.java | 2 +-
src/main/java/org/dependencytrack/model/Tag.java | 2 +-
src/main/java/org/dependencytrack/model/Vex.java | 2 +-
src/main/java/org/dependencytrack/model/ViolationAnalysis.java | 2 +-
.../org/dependencytrack/model/ViolationAnalysisComment.java | 2 +-
.../java/org/dependencytrack/model/ViolationAnalysisState.java | 2 +-
src/main/java/org/dependencytrack/model/Vulnerability.java | 2 +-
src/main/java/org/dependencytrack/model/VulnerabilityAlias.java | 2 +-
.../org/dependencytrack/model/VulnerabilityAnalysisLevel.java | 2 +-
.../java/org/dependencytrack/model/VulnerabilityMetrics.java | 2 +-
src/main/java/org/dependencytrack/model/VulnerableSoftware.java | 2 +-
src/main/java/org/dependencytrack/model/package-info.java | 2 +-
.../model/validation/SpdxExpressionValidator.java | 2 +-
.../dependencytrack/model/validation/ValidSpdxExpression.java | 2 +-
.../org/dependencytrack/notification/NotificationConstants.java | 2 +-
.../org/dependencytrack/notification/NotificationGroup.java | 2 +-
.../org/dependencytrack/notification/NotificationRouter.java | 2 +-
.../org/dependencytrack/notification/NotificationScope.java | 2 +-
.../notification/NotificationSubsystemInitializer.java | 2 +-
.../notification/publisher/AbstractWebhookPublisher.java | 2 +-
.../notification/publisher/ConsolePublisher.java | 2 +-
.../notification/publisher/CsWebexPublisher.java | 2 +-
.../notification/publisher/DefaultNotificationPublishers.java | 2 +-
.../dependencytrack/notification/publisher/JiraPublisher.java | 2 +-
.../notification/publisher/MattermostPublisher.java | 2 +-
.../notification/publisher/MsTeamsPublisher.java | 2 +-
.../dependencytrack/notification/publisher/PublishContext.java | 2 +-
.../org/dependencytrack/notification/publisher/Publisher.java | 2 +-
.../notification/publisher/SendMailPublisher.java | 2 +-
.../dependencytrack/notification/publisher/SlackPublisher.java | 2 +-
.../notification/publisher/WebhookPublisher.java | 2 +-
.../dependencytrack/notification/vo/AnalysisDecisionChange.java | 2 +-
.../dependencytrack/notification/vo/BomConsumedOrProcessed.java | 2 +-
.../dependencytrack/notification/vo/BomProcessingFailed.java | 2 +-
.../notification/vo/NewVulnerabilityIdentified.java | 2 +-
.../notification/vo/NewVulnerableDependency.java | 2 +-
.../notification/vo/PolicyViolationIdentified.java | 2 +-
.../dependencytrack/notification/vo/VexConsumedOrProcessed.java | 2 +-
.../notification/vo/ViolationAnalysisDecisionChange.java | 2 +-
.../dependencytrack/parser/common/resolver/CweDictionary.java | 2 +-
.../org/dependencytrack/parser/common/resolver/CweResolver.java | 2 +-
.../org/dependencytrack/parser/cyclonedx/CycloneDXExporter.java | 2 +-
.../dependencytrack/parser/cyclonedx/CycloneDXVexImporter.java | 2 +-
.../dependencytrack/parser/cyclonedx/CycloneDxValidator.java | 2 +-
.../dependencytrack/parser/cyclonedx/InvalidBomException.java | 2 +-
.../java/org/dependencytrack/parser/cyclonedx/package-info.java | 2 +-
.../dependencytrack/parser/cyclonedx/util/ModelConverter.java | 2 +-
src/main/java/org/dependencytrack/parser/epss/EpssParser.java | 2 +-
.../parser/github/graphql/GitHubSecurityAdvisoryParser.java | 2 +-
.../parser/github/graphql/model/GitHubSecurityAdvisory.java | 2 +-
.../parser/github/graphql/model/GitHubVulnerability.java | 2 +-
.../parser/github/graphql/model/PageableList.java | 2 +-
.../java/org/dependencytrack/parser/nvd/ModelConverter.java | 2 +-
src/main/java/org/dependencytrack/parser/nvd/NvdParser.java | 2 +-
.../org/dependencytrack/parser/nvd/api20/ModelConverter.java | 2 +-
src/main/java/org/dependencytrack/parser/nvd/package-info.java | 2 +-
.../org/dependencytrack/parser/ossindex/OssIndexParser.java | 2 +-
.../dependencytrack/parser/ossindex/model/ComponentReport.java | 2 +-
.../parser/ossindex/model/ComponentReportVulnerability.java | 2 +-
.../java/org/dependencytrack/parser/osv/OsvAdvisoryParser.java | 2 +-
.../java/org/dependencytrack/parser/osv/model/OsvAdvisory.java | 2 +-
.../dependencytrack/parser/osv/model/OsvAffectedPackage.java | 2 +-
src/main/java/org/dependencytrack/parser/package-info.java | 2 +-
src/main/java/org/dependencytrack/parser/snyk/SnykParser.java | 2 +-
.../java/org/dependencytrack/parser/snyk/model/SnykError.java | 2 +-
.../parser/spdx/expression/SpdxExpressionParser.java | 2 +-
.../parser/spdx/expression/model/SpdxExpression.java | 2 +-
.../parser/spdx/expression/model/SpdxExpressionOperation.java | 2 +-
.../parser/spdx/expression/model/SpdxOperator.java | 2 +-
.../dependencytrack/parser/spdx/expression/package-info.java | 2 +-
.../parser/spdx/json/SpdxLicenseDetailParser.java | 2 +-
.../java/org/dependencytrack/parser/spdx/json/package-info.java | 2 +-
src/main/java/org/dependencytrack/parser/spdx/package-info.java | 2 +-
src/main/java/org/dependencytrack/parser/trivy/TrivyParser.java | 2 +-
.../org/dependencytrack/parser/trivy/model/Application.java | 2 +-
.../java/org/dependencytrack/parser/trivy/model/BlobInfo.java | 2 +-
src/main/java/org/dependencytrack/parser/trivy/model/CVSS.java | 2 +-
.../java/org/dependencytrack/parser/trivy/model/DataSource.java | 2 +-
.../org/dependencytrack/parser/trivy/model/DeleteRequest.java | 2 +-
src/main/java/org/dependencytrack/parser/trivy/model/Layer.java | 2 +-
.../java/org/dependencytrack/parser/trivy/model/Library.java | 2 +-
src/main/java/org/dependencytrack/parser/trivy/model/OS.java | 2 +-
.../java/org/dependencytrack/parser/trivy/model/Options.java | 2 +-
.../java/org/dependencytrack/parser/trivy/model/Package.java | 2 +-
.../org/dependencytrack/parser/trivy/model/PackageInfo.java | 2 +-
.../java/org/dependencytrack/parser/trivy/model/PurlType.java | 2 +-
.../java/org/dependencytrack/parser/trivy/model/PutRequest.java | 2 +-
.../java/org/dependencytrack/parser/trivy/model/Result.java | 2 +-
.../org/dependencytrack/parser/trivy/model/ScanRequest.java | 2 +-
.../org/dependencytrack/parser/trivy/model/TrivyResponse.java | 2 +-
.../org/dependencytrack/parser/trivy/model/Vulnerability.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/ModelConverter.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/VulnDbClient.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/VulnDbParser.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/model/ApiObject.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/model/Author.java | 2 +-
.../org/dependencytrack/parser/vulndb/model/Classification.java | 2 +-
src/main/java/org/dependencytrack/parser/vulndb/model/Cpe.java | 2 +-
.../org/dependencytrack/parser/vulndb/model/CvssV2Metric.java | 2 +-
.../org/dependencytrack/parser/vulndb/model/CvssV3Metric.java | 2 +-
.../dependencytrack/parser/vulndb/model/ExternalReference.java | 2 +-
.../org/dependencytrack/parser/vulndb/model/ExternalText.java | 2 +-
.../dependencytrack/parser/vulndb/model/NvdAdditionalInfo.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/model/Product.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/model/Results.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/model/Status.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/model/Vendor.java | 2 +-
.../java/org/dependencytrack/parser/vulndb/model/Version.java | 2 +-
.../org/dependencytrack/parser/vulndb/model/Vulnerability.java | 2 +-
.../java/org/dependencytrack/persistence/BomQueryManager.java | 2 +-
.../java/org/dependencytrack/persistence/CacheQueryManager.java | 2 +-
.../dependencytrack/persistence/CollectionIntegerConverter.java | 2 +-
.../org/dependencytrack/persistence/ComponentQueryManager.java | 2 +-
.../org/dependencytrack/persistence/DefaultObjectGenerator.java | 2 +-
.../org/dependencytrack/persistence/FindingsQueryManager.java | 2 +-
.../dependencytrack/persistence/FindingsSearchQueryManager.java | 2 +-
.../dependencytrack/persistence/H2WebConsoleInitializer.java | 2 +-
.../java/org/dependencytrack/persistence/IQueryManager.java | 2 +-
.../org/dependencytrack/persistence/LicenseQueryManager.java | 2 +-
.../org/dependencytrack/persistence/MetricsQueryManager.java | 2 +-
.../dependencytrack/persistence/NotificationQueryManager.java | 2 +-
.../dependencytrack/persistence/PackageURLStringConverter.java | 2 +-
.../org/dependencytrack/persistence/PolicyQueryManager.java | 2 +-
.../dependencytrack/persistence/ProjectQueryFilterBuilder.java | 2 +-
.../org/dependencytrack/persistence/ProjectQueryManager.java | 2 +-
src/main/java/org/dependencytrack/persistence/QueryManager.java | 2 +-
.../org/dependencytrack/persistence/RepositoryQueryManager.java | 2 +-
.../persistence/ServiceComponentQueryManager.java | 2 +-
.../java/org/dependencytrack/persistence/TagQueryManager.java | 2 +-
.../java/org/dependencytrack/persistence/VexQueryManager.java | 2 +-
.../dependencytrack/persistence/VulnerabilityQueryManager.java | 2 +-
.../persistence/VulnerableSoftwareQueryManager.java | 2 +-
.../persistence/converter/AbstractJsonConverter.java | 2 +-
.../converter/OrganizationalContactsJsonConverter.java | 2 +-
.../converter/OrganizationalEntityJsonConverter.java | 2 +-
.../persistence/defaults/DefaultLicenseGroupImporter.java | 2 +-
.../persistence/defaults/IDefaultObjectImporter.java | 2 +-
.../persistence/listener/IndexingInstanceLifecycleListener.java | 2 +-
.../listener/L2CacheEvictingInstanceLifecycleListener.java | 2 +-
src/main/java/org/dependencytrack/persistence/package-info.java | 2 +-
.../org/dependencytrack/policy/AbstractPolicyEvaluator.java | 2 +-
.../org/dependencytrack/policy/ComponentAgePolicyEvaluator.java | 2 +-
.../dependencytrack/policy/ComponentHashPolicyEvaluator.java | 2 +-
.../org/dependencytrack/policy/CoordinatesPolicyEvaluator.java | 2 +-
.../java/org/dependencytrack/policy/CpePolicyEvaluator.java | 2 +-
.../java/org/dependencytrack/policy/CwePolicyEvaluator.java | 2 +-
.../org/dependencytrack/policy/LicenseGroupPolicyEvaluator.java | 2 +-
.../java/org/dependencytrack/policy/LicensePolicyEvaluator.java | 2 +-
src/main/java/org/dependencytrack/policy/Matcher.java | 2 +-
.../org/dependencytrack/policy/PackageURLPolicyEvaluator.java | 2 +-
.../org/dependencytrack/policy/PolicyConditionViolation.java | 2 +-
src/main/java/org/dependencytrack/policy/PolicyEngine.java | 2 +-
src/main/java/org/dependencytrack/policy/PolicyEvaluator.java | 2 +-
.../org/dependencytrack/policy/SeverityPolicyEvaluator.java | 2 +-
.../org/dependencytrack/policy/SwidTagIdPolicyEvaluator.java | 2 +-
.../dependencytrack/policy/VersionDistancePolicyEvaluator.java | 2 +-
.../java/org/dependencytrack/policy/VersionPolicyEvaluator.java | 2 +-
.../dependencytrack/policy/VulnerabilityIdPolicyEvaluator.java | 2 +-
src/main/java/org/dependencytrack/resources/package-info.java | 2 +-
.../resources/v1/AbstractConfigPropertyResource.java | 2 +-
.../org/dependencytrack/resources/v1/AccessControlResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/AnalysisResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/BadgeResource.java | 2 +-
src/main/java/org/dependencytrack/resources/v1/BomResource.java | 2 +-
.../org/dependencytrack/resources/v1/CalculatorResource.java | 2 +-
.../org/dependencytrack/resources/v1/ComponentResource.java | 2 +-
.../dependencytrack/resources/v1/ConfigPropertyResource.java | 2 +-
src/main/java/org/dependencytrack/resources/v1/CweResource.java | 2 +-
.../dependencytrack/resources/v1/DependencyGraphResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/EventResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/FindingResource.java | 2 +-
.../org/dependencytrack/resources/v1/IntegrationResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/LdapResource.java | 2 +-
.../org/dependencytrack/resources/v1/LicenseGroupResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/LicenseResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/MetricsResource.java | 2 +-
.../resources/v1/NotificationPublisherResource.java | 2 +-
.../dependencytrack/resources/v1/NotificationRuleResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/OidcResource.java | 2 +-
.../org/dependencytrack/resources/v1/PermissionResource.java | 2 +-
.../dependencytrack/resources/v1/PolicyConditionResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/PolicyResource.java | 2 +-
.../dependencytrack/resources/v1/PolicyViolationResource.java | 2 +-
.../dependencytrack/resources/v1/ProjectPropertyResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/ProjectResource.java | 2 +-
.../org/dependencytrack/resources/v1/RepositoryResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/SearchResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/ServiceResource.java | 2 +-
src/main/java/org/dependencytrack/resources/v1/TagResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/TeamResource.java | 2 +-
.../java/org/dependencytrack/resources/v1/UserResource.java | 2 +-
src/main/java/org/dependencytrack/resources/v1/VexResource.java | 2 +-
.../dependencytrack/resources/v1/ViolationAnalysisResource.java | 2 +-
.../org/dependencytrack/resources/v1/VulnerabilityResource.java | 2 +-
.../resources/v1/exception/JsonMappingExceptionMapper.java | 2 +-
.../resources/v1/exception/NotFoundExceptionMapper.java | 2 +-
src/main/java/org/dependencytrack/resources/v1/misc/Badger.java | 2 +-
.../java/org/dependencytrack/resources/v1/package-info.java | 2 +-
.../resources/v1/problems/InvalidBomProblemDetails.java | 2 +-
.../dependencytrack/resources/v1/problems/ProblemDetails.java | 2 +-
.../resources/v1/serializers/CustomPackageURLSerializer.java | 2 +-
.../resources/v1/serializers/CweDeserializer.java | 2 +-
.../dependencytrack/resources/v1/serializers/CweSerializer.java | 2 +-
.../resources/v1/serializers/Iso8601DateSerializer.java | 2 +-
.../org/dependencytrack/resources/v1/vo/AclMappingRequest.java | 2 +-
.../org/dependencytrack/resources/v1/vo/AffectedComponent.java | 2 +-
.../org/dependencytrack/resources/v1/vo/AffectedProject.java | 2 +-
.../org/dependencytrack/resources/v1/vo/AnalysisRequest.java | 2 +-
.../org/dependencytrack/resources/v1/vo/BomSubmitRequest.java | 2 +-
.../org/dependencytrack/resources/v1/vo/BomUploadResponse.java | 2 +-
.../dependencytrack/resources/v1/vo/CloneProjectRequest.java | 2 +-
.../resources/v1/vo/DependencyGraphResponse.java | 2 +-
.../org/dependencytrack/resources/v1/vo/DependencyRequest.java | 2 +-
.../resources/v1/vo/IsTokenBeingProcessedResponse.java | 2 +-
.../dependencytrack/resources/v1/vo/MappedLdapGroupRequest.java | 2 +-
.../dependencytrack/resources/v1/vo/MappedOidcGroupRequest.java | 2 +-
.../org/dependencytrack/resources/v1/vo/TeamSelfResponse.java | 2 +-
.../org/dependencytrack/resources/v1/vo/VexSubmitRequest.java | 2 +-
.../resources/v1/vo/ViolationAnalysisRequest.java | 2 +-
.../java/org/dependencytrack/resources/v1/vo/package-info.java | 2 +-
src/main/java/org/dependencytrack/search/ComponentIndexer.java | 2 +-
.../search/FuzzyVulnerableSoftwareSearchManager.java | 2 +-
src/main/java/org/dependencytrack/search/IndexConstants.java | 2 +-
src/main/java/org/dependencytrack/search/IndexManager.java | 2 +-
.../java/org/dependencytrack/search/IndexManagerFactory.java | 2 +-
.../org/dependencytrack/search/IndexSubsystemInitializer.java | 2 +-
src/main/java/org/dependencytrack/search/LicenseIndexer.java | 2 +-
src/main/java/org/dependencytrack/search/ObjectIndexer.java | 2 +-
src/main/java/org/dependencytrack/search/ProjectIndexer.java | 2 +-
src/main/java/org/dependencytrack/search/SearchManager.java | 2 +-
src/main/java/org/dependencytrack/search/SearchResult.java | 2 +-
.../org/dependencytrack/search/ServiceComponentIndexer.java | 2 +-
.../java/org/dependencytrack/search/VulnerabilityIndexer.java | 2 +-
.../org/dependencytrack/search/VulnerableSoftwareIndexer.java | 2 +-
.../org/dependencytrack/search/document/ComponentDocument.java | 2 +-
.../java/org/dependencytrack/search/document/DummyDocument.java | 2 +-
.../org/dependencytrack/search/document/LicenseDocument.java | 2 +-
.../org/dependencytrack/search/document/ProjectDocument.java | 2 +-
.../org/dependencytrack/search/document/SearchDocument.java | 2 +-
.../search/document/ServiceComponentDocument.java | 2 +-
.../dependencytrack/search/document/VulnerabilityDocument.java | 2 +-
.../search/document/VulnerableSoftwareDocument.java | 2 +-
src/main/java/org/dependencytrack/search/package-info.java | 2 +-
.../java/org/dependencytrack/servlets/NvdMirrorServlet.java | 2 +-
.../java/org/dependencytrack/tasks/BomUploadProcessingTask.java | 2 +-
.../org/dependencytrack/tasks/BomUploadProcessingTaskV2.java | 2 +-
src/main/java/org/dependencytrack/tasks/CallbackTask.java | 2 +-
.../dependencytrack/tasks/ClearComponentAnalysisCacheTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/CloneProjectTask.java | 2 +-
.../java/org/dependencytrack/tasks/DefectDojoUploadTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/EpssMirrorTask.java | 2 +-
.../java/org/dependencytrack/tasks/FortifySscUploadTask.java | 2 +-
.../org/dependencytrack/tasks/GitHubAdvisoryMirrorTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/IndexTask.java | 2 +-
.../tasks/InternalComponentIdentificationTask.java | 2 +-
.../java/org/dependencytrack/tasks/KennaSecurityUploadTask.java | 2 +-
.../tasks/NewVulnerableDependencyAnalysisTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/NistApiMirrorTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/NistMirrorTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/OsvDownloadTask.java | 2 +-
.../java/org/dependencytrack/tasks/PolicyEvaluationTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/TaskScheduler.java | 2 +-
.../java/org/dependencytrack/tasks/VexUploadProcessingTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/VulnDbSyncTask.java | 2 +-
.../org/dependencytrack/tasks/VulnerabilityAnalysisTask.java | 2 +-
.../tasks/VulnerabilityManagementUploadTask.java | 2 +-
.../tasks/metrics/ComponentMetricsUpdateTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/metrics/Counters.java | 2 +-
.../tasks/metrics/PortfolioMetricsUpdateTask.java | 2 +-
.../dependencytrack/tasks/metrics/ProjectMetricsUpdateTask.java | 2 +-
.../tasks/metrics/VulnerabilityMetricsUpdateTask.java | 2 +-
.../java/org/dependencytrack/tasks/metrics/YearMonthMetric.java | 2 +-
src/main/java/org/dependencytrack/tasks/package-info.java | 2 +-
.../tasks/repositories/AbstractMetaAnalyzer.java | 2 +-
.../dependencytrack/tasks/repositories/CargoMetaAnalyzer.java | 2 +-
.../tasks/repositories/ComposerMetaAnalyzer.java | 2 +-
.../dependencytrack/tasks/repositories/CpanMetaAnalyzer.java | 2 +-
.../org/dependencytrack/tasks/repositories/GemMetaAnalyzer.java | 2 +-
.../dependencytrack/tasks/repositories/GithubMetaAnalyzer.java | 2 +-
.../tasks/repositories/GoModulesMetaAnalyzer.java | 2 +-
.../org/dependencytrack/tasks/repositories/HexMetaAnalyzer.java | 2 +-
.../org/dependencytrack/tasks/repositories/IMetaAnalyzer.java | 2 +-
.../dependencytrack/tasks/repositories/MavenMetaAnalyzer.java | 2 +-
.../java/org/dependencytrack/tasks/repositories/MetaModel.java | 2 +-
.../org/dependencytrack/tasks/repositories/NpmMetaAnalyzer.java | 2 +-
.../dependencytrack/tasks/repositories/NugetMetaAnalyzer.java | 2 +-
.../dependencytrack/tasks/repositories/PypiMetaAnalyzer.java | 2 +-
.../tasks/repositories/RepositoryMetaAnalyzerTask.java | 2 +-
.../tasks/scanners/AbstractVulnerableSoftwareAnalysisTask.java | 2 +-
.../org/dependencytrack/tasks/scanners/AnalyzerIdentity.java | 2 +-
.../tasks/scanners/BaseComponentAnalyzerTask.java | 2 +-
.../org/dependencytrack/tasks/scanners/CacheableScanTask.java | 2 +-
.../dependencytrack/tasks/scanners/InternalAnalysisTask.java | 2 +-
.../dependencytrack/tasks/scanners/OssIndexAnalysisTask.java | 2 +-
src/main/java/org/dependencytrack/tasks/scanners/ScanTask.java | 2 +-
.../org/dependencytrack/tasks/scanners/SnykAnalysisTask.java | 2 +-
.../org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java | 2 +-
.../org/dependencytrack/tasks/scanners/VulnDbAnalysisTask.java | 2 +-
.../java/org/dependencytrack/upgrade/UpgradeInitializer.java | 2 +-
src/main/java/org/dependencytrack/upgrade/UpgradeItems.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v400/v400Updater.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v410/v410Updater.java | 2 +-
.../java/org/dependencytrack/upgrade/v4100/v4100Updater.java | 2 +-
.../java/org/dependencytrack/upgrade/v4110/v4110Updater.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v420/v420Updater.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v440/v440Updater.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v450/v450Updater.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v460/v460Updater.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v463/v463Updater.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v470/v470Updater.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v480/v480Updater.java | 2 +-
src/main/java/org/dependencytrack/upgrade/v490/v490Updater.java | 2 +-
src/main/java/org/dependencytrack/util/AnalysisCommentUtil.java | 2 +-
.../java/org/dependencytrack/util/CacheStampedeBlocker.java | 2 +-
.../org/dependencytrack/util/ComponentIdentificationUtil.java | 2 +-
src/main/java/org/dependencytrack/util/ComponentVersion.java | 2 +-
src/main/java/org/dependencytrack/util/CompressUtil.java | 2 +-
src/main/java/org/dependencytrack/util/DateUtil.java | 2 +-
src/main/java/org/dependencytrack/util/HashUtil.java | 2 +-
src/main/java/org/dependencytrack/util/HttpUtil.java | 2 +-
.../util/InternalComponentIdentificationUtil.java | 2 +-
.../org/dependencytrack/util/InternalComponentIdentifier.java | 2 +-
src/main/java/org/dependencytrack/util/JsonUtil.java | 2 +-
src/main/java/org/dependencytrack/util/NotificationUtil.java | 2 +-
src/main/java/org/dependencytrack/util/PersistenceUtil.java | 2 +-
src/main/java/org/dependencytrack/util/PurlUtil.java | 2 +-
src/main/java/org/dependencytrack/util/RetryUtil.java | 2 +-
src/main/java/org/dependencytrack/util/RoundRobinAccessor.java | 2 +-
src/main/java/org/dependencytrack/util/VersionDistance.java | 2 +-
src/main/java/org/dependencytrack/util/VulnerabilityUtil.java | 2 +-
src/main/java/org/dependencytrack/util/XmlUtil.java | 2 +-
src/main/resources/META-INF/persistence.xml | 2 +-
src/main/webapp/WEB-INF/web.xml | 2 +-
src/test/java/org/dependencytrack/PersistenceCapableTest.java | 2 +-
src/test/java/org/dependencytrack/ResourceTest.java | 2 +-
src/test/java/org/dependencytrack/auth/PermissionsTest.java | 2 +-
.../org/dependencytrack/common/AlpineHttpProxySelectorTest.java | 2 +-
.../java/org/dependencytrack/common/HttpClientPoolTest.java | 2 +-
.../dependencytrack/common/ManagedHttpClientFactoryTest.java | 2 +-
.../java/org/dependencytrack/common/ManagedHttpClientTest.java | 2 +-
src/test/java/org/dependencytrack/event/BomUploadEventTest.java | 2 +-
.../java/org/dependencytrack/event/CloneProjectEventTest.java | 2 +-
.../org/dependencytrack/event/FortifySscUploadEventTest.java | 2 +-
src/test/java/org/dependencytrack/event/IndexEventTest.java | 2 +-
.../org/dependencytrack/event/InternalAnalysisEventTest.java | 2 +-
.../org/dependencytrack/event/KennaSecurityUploadEventTest.java | 2 +-
.../java/org/dependencytrack/event/NistMirrorEventTest.java | 2 +-
.../org/dependencytrack/event/OssIndexAnalysisEventTest.java | 2 +-
.../org/dependencytrack/event/PolicyEvaluationEventTest.java | 2 +-
.../java/org/dependencytrack/event/RepositoryMetaEventTest.java | 2 +-
.../java/org/dependencytrack/event/VulnDbSyncEventTest.java | 2 +-
.../dependencytrack/event/VulnerabilityAnalysisEventTest.java | 2 +-
.../java/org/dependencytrack/exception/ParseExceptionTest.java | 2 +-
.../integrations/AbstractIntegrationPointTest.java | 2 +-
.../integrations/FindingPackagingFormatTest.java | 2 +-
.../org/dependencytrack/integrations/FindingUploaderTest.java | 2 +-
.../org/dependencytrack/integrations/IntegrationPointTest.java | 2 +-
.../integrations/PortfolioFindingUploaderTest.java | 2 +-
.../integrations/ProjectFindingUploaderTest.java | 2 +-
.../integrations/defectdojo/DefectDojoUploaderTest.java | 2 +-
.../integrations/fortifyssc/FortifySscClientTest.java | 2 +-
.../integrations/fortifyssc/FortifySscUploaderTest.java | 2 +-
.../integrations/kenna/KennaSecurityUploaderTest.java | 2 +-
src/test/java/org/dependencytrack/metrics/MetricsTest.java | 2 +-
.../java/org/dependencytrack/model/AnalysisCommentTest.java | 2 +-
src/test/java/org/dependencytrack/model/AnalysisStateTest.java | 2 +-
src/test/java/org/dependencytrack/model/AnalysisTest.java | 2 +-
src/test/java/org/dependencytrack/model/BomTest.java | 2 +-
src/test/java/org/dependencytrack/model/ClassifierTest.java | 2 +-
.../java/org/dependencytrack/model/ComponentIdentityTest.java | 2 +-
src/test/java/org/dependencytrack/model/ComponentTest.java | 2 +-
src/test/java/org/dependencytrack/model/CweTest.java | 2 +-
.../java/org/dependencytrack/model/DependencyMetricsTest.java | 2 +-
src/test/java/org/dependencytrack/model/FindingTest.java | 2 +-
src/test/java/org/dependencytrack/model/GroupedFindingTest.java | 2 +-
src/test/java/org/dependencytrack/model/LicenseGroupTest.java | 2 +-
src/test/java/org/dependencytrack/model/LicenseTest.java | 2 +-
.../org/dependencytrack/model/NotificationPublisherTest.java | 2 +-
.../java/org/dependencytrack/model/NotificationRuleTest.java | 2 +-
.../java/org/dependencytrack/model/PolicyConditionTest.java | 2 +-
src/test/java/org/dependencytrack/model/PolicyTest.java | 2 +-
.../java/org/dependencytrack/model/PortfolioMetricsTest.java | 2 +-
src/test/java/org/dependencytrack/model/ProjectMetricsTest.java | 2 +-
.../java/org/dependencytrack/model/ProjectPropertyTest.java | 2 +-
src/test/java/org/dependencytrack/model/ProjectTest.java | 2 +-
.../org/dependencytrack/model/RepositoryMetaComponentTest.java | 2 +-
src/test/java/org/dependencytrack/model/RepositoryTest.java | 2 +-
src/test/java/org/dependencytrack/model/RepositoryTypeTest.java | 2 +-
src/test/java/org/dependencytrack/model/SeverityTest.java | 2 +-
src/test/java/org/dependencytrack/model/TagTest.java | 2 +-
.../org/dependencytrack/model/VulnerabilityMetricsTest.java | 2 +-
src/test/java/org/dependencytrack/model/VulnerabilityTest.java | 2 +-
.../java/org/dependencytrack/model/VulnerableSoftwareTest.java | 2 +-
.../model/validation/SpdxExpressionValidatorTest.java | 2 +-
.../dependencytrack/notification/NotificationConstantsTest.java | 2 +-
.../org/dependencytrack/notification/NotificationGroupTest.java | 2 +-
.../dependencytrack/notification/NotificationRouterTest.java | 2 +-
.../org/dependencytrack/notification/NotificationScopeTest.java | 2 +-
.../notification/NotificationSubsystemInitializerTest.java | 2 +-
.../notification/publisher/AbstractPublisherTest.java | 2 +-
.../notification/publisher/AbstractWebhookPublisherTest.java | 2 +-
.../notification/publisher/ConsolePublisherTest.java | 2 +-
.../notification/publisher/CsWebexPublisherTest.java | 2 +-
.../publisher/DefaultNotificationPublishersTest.java | 2 +-
.../notification/publisher/JiraPublisherTest.java | 2 +-
.../notification/publisher/MattermostPublisherTest.java | 2 +-
.../notification/publisher/MsTeamsPublisherTest.java | 2 +-
.../notification/publisher/NotificationTestConfigProvider.java | 2 +-
.../notification/publisher/SlackPublisherTest.java | 2 +-
.../notification/publisher/WebhookPublisherTest.java | 2 +-
.../notification/vo/AnalysisDecisionChangeTest.java | 2 +-
.../notification/vo/NewVulnerabilityIdentifiedTest.java | 2 +-
.../notification/vo/NewVulnerableDependencyTest.java | 2 +-
.../dependencytrack/parser/common/resolver/CweResolverTest.java | 2 +-
.../parser/cyclonedx/CycloneDxValidatorTest.java | 2 +-
.../java/org/dependencytrack/parser/snyk/SnykParserTest.java | 2 +-
.../dependencytrack/persistence/DefaultObjectGeneratorTest.java | 2 +-
.../persistence/PackageURLStringConverterTest.java | 2 +-
.../org/dependencytrack/persistence/PolicyQueryManagerTest.java | 2 +-
.../dependencytrack/persistence/ProjectQueryManagerTest.java | 2 +-
.../persistence/VulnerabilityQueryManagerTest.java | 2 +-
.../converter/OrganizationalContactsJsonConverterTest.java | 2 +-
.../converter/OrganizationalEntityJsonConverterTest.java | 2 +-
.../dependencytrack/policy/ComponentAgePolicyEvaluatorTest.java | 2 +-
.../policy/ComponentHashPolicyEvaluatorTest.java | 2 +-
.../dependencytrack/policy/CoordinatesPolicyEvaluatorTest.java | 2 +-
.../java/org/dependencytrack/policy/CpePolicyEvaluatorTest.java | 2 +-
.../java/org/dependencytrack/policy/CwePolicyEvaluatorTest.java | 2 +-
.../dependencytrack/policy/LicenseGroupPolicyEvaluatorTest.java | 2 +-
.../org/dependencytrack/policy/LicensePolicyEvaluatorTest.java | 2 +-
src/test/java/org/dependencytrack/policy/MatcherTest.java | 2 +-
.../dependencytrack/policy/PackageURLPolicyEvaluatorTest.java | 2 +-
src/test/java/org/dependencytrack/policy/PolicyEngineTest.java | 2 +-
.../org/dependencytrack/policy/SeverityPolicyEvaluatorTest.java | 2 +-
.../dependencytrack/policy/SwidTagIdPolicyEvaluatorTest.java | 2 +-
.../policy/VersionDistancePolicyEvaluatorTest.java | 2 +-
.../policy/VulnerabilityIdPolicyEvaluatorTest.java | 2 +-
.../org/dependencytrack/resources/v1/AnalysisResourceTest.java | 2 +-
.../org/dependencytrack/resources/v1/BadgeResourceTest.java | 2 +-
.../java/org/dependencytrack/resources/v1/BomResourceTest.java | 2 +-
.../dependencytrack/resources/v1/CalculatorResourceTest.java | 2 +-
.../org/dependencytrack/resources/v1/ComponentResourceTest.java | 2 +-
.../resources/v1/ConfigPropertyResourceTest.java | 2 +-
.../java/org/dependencytrack/resources/v1/CweResourceTest.java | 2 +-
.../resources/v1/DependencyGraphResourceTest.java | 2 +-
.../org/dependencytrack/resources/v1/FindingResourceTest.java | 2 +-
.../dependencytrack/resources/v1/IntegrationResourceTest.java | 2 +-
.../java/org/dependencytrack/resources/v1/LdapResourceTest.java | 2 +-
.../dependencytrack/resources/v1/LicenseGroupResourceTest.java | 2 +-
.../org/dependencytrack/resources/v1/LicenseResourceTest.java | 2 +-
.../resources/v1/NotificationPublisherResourceTest.java | 2 +-
.../resources/v1/NotificationRuleResourceTest.java | 2 +-
.../dependencytrack/resources/v1/PermissionResourceTest.java | 2 +-
.../org/dependencytrack/resources/v1/PolicyResourceTest.java | 2 +-
.../resources/v1/PolicyViolationResourceTest.java | 2 +-
.../resources/v1/ProjectPropertyResourceTest.java | 2 +-
.../org/dependencytrack/resources/v1/ProjectResourceTest.java | 2 +-
.../dependencytrack/resources/v1/RepositoryResourceTest.java | 2 +-
.../org/dependencytrack/resources/v1/SearchResourceTest.java | 2 +-
.../java/org/dependencytrack/resources/v1/TeamResourceTest.java | 2 +-
.../resources/v1/UserResourceAuthenticatedTest.java | 2 +-
.../resources/v1/UserResourceUnauthenticatedTest.java | 2 +-
.../java/org/dependencytrack/resources/v1/VexResourceTest.java | 2 +-
.../resources/v1/ViolationAnalysisResourceTest.java | 2 +-
.../dependencytrack/resources/v1/VulnerabilityResourceTest.java | 2 +-
.../resources/v1/exception/NotFoundExceptionMapperTest.java | 2 +-
.../java/org/dependencytrack/resources/v1/misc/BadgerTest.java | 2 +-
.../java/org/dependencytrack/search/ComponentIndexerTest.java | 2 +-
.../java/org/dependencytrack/search/LicenseIndexerTest.java | 2 +-
.../java/org/dependencytrack/search/ProjectIndexerTest.java | 2 +-
.../org/dependencytrack/search/ServiceComponentIndexerTest.java | 2 +-
.../org/dependencytrack/search/VulnerabilityIndexerTest.java | 2 +-
.../dependencytrack/search/VulnerableSoftwareIndexerTest.java | 2 +-
.../java/org/dependencytrack/servlet/NvdMirrorServletTest.java | 2 +-
.../org/dependencytrack/tasks/BomUploadProcessingTaskTest.java | 2 +-
.../org/dependencytrack/tasks/GitHubAdvisoryMirrorTaskTest.java | 2 +-
.../tasks/InternalComponentIdentificationTaskTest.java | 2 +-
.../java/org/dependencytrack/tasks/NistApiMirrorTaskTest.java | 2 +-
.../tasks/metrics/AbstractMetricsUpdateTaskTest.java | 2 +-
.../tasks/metrics/ComponentMetricsUpdateTaskTest.java | 2 +-
.../tasks/metrics/PortfolioMetricsUpdateTaskTest.java | 2 +-
.../tasks/metrics/ProjectMetricsUpdateTaskTest.java | 2 +-
.../tasks/metrics/VulnerabilityMetricsUpdateTaskTest.java | 2 +-
.../tasks/repositories/CargoMetaAnalyzerTest.java | 2 +-
.../tasks/repositories/ComposerMetaAnalyzerTest.java | 2 +-
.../tasks/repositories/CpanMetaAnalyzerTest.java | 2 +-
.../dependencytrack/tasks/repositories/GemMetaAnalyzerTest.java | 2 +-
.../tasks/repositories/GitHubMetaAnalyzerTest.java | 2 +-
.../tasks/repositories/GoModulesMetaAnalyzerTest.java | 2 +-
.../dependencytrack/tasks/repositories/HexMetaAnalyzerTest.java | 2 +-
.../tasks/repositories/MavenMetaAnalyzerTest.java | 2 +-
.../dependencytrack/tasks/repositories/NpmMetaAnalyzerTest.java | 2 +-
.../tasks/repositories/NugetMetaAnalyzerTest.java | 2 +-
.../tasks/repositories/PypiMetaAnalyzerTest.java | 2 +-
.../tasks/scanners/InternalAnalysisTaskCpeMatchingTest.java | 2 +-
.../dependencytrack/tasks/scanners/SnykAnalysisTaskTest.java | 2 +-
.../tasks/scanners/TrivyAnalysisTaskIntegrationTest.java | 2 +-
.../dependencytrack/tasks/scanners/TrivyAnalysisTaskTest.java | 2 +-
.../dependencytrack/tasks/scanners/VulnDBAnalysisTaskTest.java | 2 +-
src/test/java/org/dependencytrack/util/DateUtilTest.java | 2 +-
src/test/java/org/dependencytrack/util/HashUtilTest.java | 2 +-
src/test/java/org/dependencytrack/util/HttpUtilTest.java | 2 +-
src/test/java/org/dependencytrack/util/PersistenceUtilTest.java | 2 +-
.../java/org/dependencytrack/util/RoundRobinAccessorTest.java | 2 +-
618 files changed, 618 insertions(+), 618 deletions(-)
diff --git a/.checkstyle-header b/.checkstyle-header
index c773577a1f..a89578d349 100644
--- a/.checkstyle-header
+++ b/.checkstyle-header
@@ -14,5 +14,5 @@
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
*/
\ No newline at end of file
diff --git a/README.md b/README.md
index b49618376c..9a76912cf9 100644
--- a/README.md
+++ b/README.md
@@ -205,7 +205,7 @@ Interested in contributing to Dependency-Track? Please check [`CONTRIBUTING.md`]
* Discussion (Groups.io):
## Copyright & License
-Dependency-Track is Copyright (c) Steve Springett. All Rights Reserved.
+Dependency-Track is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the
[Apache License 2.0].
diff --git a/dev/docker-compose.monitoring.yml b/dev/docker-compose.monitoring.yml
index 1c2c5874b1..872f2a19e6 100644
--- a/dev/docker-compose.monitoring.yml
+++ b/dev/docker-compose.monitoring.yml
@@ -13,7 +13,7 @@
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
-# Copyright (c) Steve Springett. All Rights Reserved.
+# Copyright (c) OWASP Foundation. All Rights Reserved.
services:
apiserver:
environment:
diff --git a/dev/docker-compose.mssql.yml b/dev/docker-compose.mssql.yml
index a7d354ee80..1257b99c13 100644
--- a/dev/docker-compose.mssql.yml
+++ b/dev/docker-compose.mssql.yml
@@ -13,7 +13,7 @@
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
-# Copyright (c) Steve Springett. All Rights Reserved.
+# Copyright (c) OWASP Foundation. All Rights Reserved.
services:
apiserver:
depends_on:
diff --git a/dev/docker-compose.postgres.yml b/dev/docker-compose.postgres.yml
index 561247a195..28fe4592b2 100644
--- a/dev/docker-compose.postgres.yml
+++ b/dev/docker-compose.postgres.yml
@@ -13,7 +13,7 @@
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
-# Copyright (c) Steve Springett. All Rights Reserved.
+# Copyright (c) OWASP Foundation. All Rights Reserved.
services:
apiserver:
depends_on:
diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml
index 20343ee6dd..91e8abc42c 100644
--- a/dev/docker-compose.yml
+++ b/dev/docker-compose.yml
@@ -13,7 +13,7 @@
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
-# Copyright (c) Steve Springett. All Rights Reserved.
+# Copyright (c) OWASP Foundation. All Rights Reserved.
name: "dependency-track"
services:
diff --git a/dev/scripts/cwe-dictionary-generate.py b/dev/scripts/cwe-dictionary-generate.py
index 3eea75aa47..c9ee30d205 100644
--- a/dev/scripts/cwe-dictionary-generate.py
+++ b/dev/scripts/cwe-dictionary-generate.py
@@ -33,7 +33,7 @@
* limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
*/
package {{ package }};
diff --git a/docs/images/dt-logo.svg b/docs/images/dt-logo.svg
index 0b6bebfa1a..234369bea2 100644
--- a/docs/images/dt-logo.svg
+++ b/docs/images/dt-logo.svg
@@ -15,7 +15,7 @@
- limitations under the License.
-
- SPDX-License-Identifier: Apache-2.0
- - Copyright (c) Steve Springett. All Rights Reserved.
+ - Copyright (c) OWASP Foundation. All Rights Reserved.
-->
diff --git a/pom.xml b/pom.xml
index 4d31f6842a..218cc9f77e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -15,7 +15,7 @@
~ limitations under the License.
~
~ SPDX-License-Identifier: Apache-2.0
- ~ Copyright (c) Steve Springett. All Rights Reserved.
+ ~ Copyright (c) OWASP Foundation. All Rights Reserved.
-->
Date: Wed, 20 Mar 2024 20:43:07 -0400
Subject: [PATCH 028/412] Keep Only Unique Rules In SARIF And Other Minor
Changes
The rules array in the generated SARIF should contain only unique values, so that the same rule
can be referenced by multiple results.
Rule name in the SARIF should be PascalCased. Using WordUtils from apache commons library to convert cweName to PascalCase.
Set default escape strategy to the Pebble Engine to json, to escape linebreaks and double quotes in vulnerability description.
Update test case to assert whole SARIF json.
Signed-off-by: Aravind Parappil
---
.../resources/v1/FindingResource.java | 29 +-
.../resources/templates/findings/sarif.peb | 20 +-
.../resources/v1/FindingResourceTest.java | 247 ++++++++++++++++--
3 files changed, 260 insertions(+), 36 deletions(-)
diff --git a/src/main/java/org/dependencytrack/resources/v1/FindingResource.java b/src/main/java/org/dependencytrack/resources/v1/FindingResource.java
index b76526526f..73ef81a39c 100644
--- a/src/main/java/org/dependencytrack/resources/v1/FindingResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/FindingResource.java
@@ -38,6 +38,7 @@
import java.io.Writer;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.core.Response.Status;
+import org.apache.commons.lang3.text.WordUtils;
import org.dependencytrack.auth.Permissions;
import org.dependencytrack.event.PolicyEvaluationEvent;
import org.dependencytrack.event.RepositoryMetaEvent;
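Review bot: the `WordUtils` import added at the top of this hunk comes from `org.apache.commons.lang3.text`, a package that commons-lang3 has marked deprecated; the maintained class is `org.apache.commons.text.WordUtils` in commons-text. Suggest importing that one instead (adding the `commons-text` dependency to `pom.xml` if it is not already there) so the build stays free of deprecation warnings and the class does not vanish on a future commons-lang3 upgrade.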
@@ -319,13 +320,29 @@ public Response getAllFindings(@ApiParam(value = "Show inactive projects")
}
private String generateSARIF(List findings) throws IOException {
- final PebbleEngine engine = new PebbleEngine.Builder().newLineTrimming(false).build();
+ final PebbleEngine engine = new PebbleEngine.Builder()
+ .newLineTrimming(false)
+ .defaultEscapingStrategy("json")
+ .build();
final PebbleTemplate sarifTemplate = engine.getTemplate("templates/findings/sarif.peb");
final Map context = new HashMap<>();
final About about = new About();
+
+ // Using "vulnId" as key, forming a list of unique vulnerabilities across all findings
+ // Also converts cweName to PascalCase, since it will be used as rule.name in the SARIF file
+ List
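Review bot: `.defaultEscapingStrategy("json")` on the engine builder escapes every variable `sarif.peb` renders, so any expression in the template that already emits a JSON fragment or is meant to be raw will now be double-escaped unless it is passed through the `raw` filter; please check each expression in the template against the new default, and add a finding with a double quote and a newline in its description to the test so the escaping the commit message describes is actually asserted. The comment above the list also says uniqueness is keyed on `vulnId` alone; since vulnerability identifiers in Dependency-Track are scoped to their source, consider keying on source plus vulnId (or the vulnerability UUID) so two distinct vulnerabilities sharing an id across sources do not collapse into a single rule.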