Merge branch 'main' into issue-1092-replace-custom-vers

.checkstyle-header

@@ -14,5 +14,5 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */

.github/workflows/_meta-build.yaml

@@ -27,10 +27,10 @@ jobs:
         uses: actions/[email protected]
 
       - name: Set up JDK
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@v4.2.1
         with:
           distribution: 'temurin'
-          java-version: '17'
+          java-version: '21'
           cache: 'maven'
 
       - name: Setup CycloneDX CLI
@@ -70,7 +70,7 @@ jobs:
         uses: actions/[email protected]
 
       - name: Download Artifacts
-        uses: actions/[email protected].2
+        uses: actions/[email protected].4
         with:
           name: assembled-wars
           path: target
@@ -79,13 +79,13 @@ jobs:
         uses: docker/[email protected]
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.0.0
+        uses: docker/setup-buildx-action@v3.2.0
         id: buildx
         with:
           install: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@v3.1.0
         if: ${{ inputs.publish-container }}
         with:
           registry: ghcr.io
@@ -102,7 +102,7 @@ jobs:
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
       - name: Build multi-arch Container Image
-        uses: docker/build-push-action@v5.1.0
+        uses: docker/build-push-action@v5.3.0
         with:
           tags: ${{ steps.tags.outputs.tags }}
           build-args: |-
@@ -116,7 +116,7 @@ jobs:
 
       - name: Run Trivy Vulnerability Scanner
         if: ${{ inputs.publish-container }}
-        uses: aquasecurity/trivy-action@0.17.0
+        uses: aquasecurity/trivy-action@0.18.0
         with:
           image-ref: ghcr.io/dependencytrack/hyades-apiserver:${{ inputs.app-version }}
           format: 'sarif'

.github/workflows/buf.yml

@@ -15,7 +15,7 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
     - name: Setup buf
-      uses: bufbuild/buf-setup-action@88db93f5d74ffa329bb43e42aa95cd822697d214 # tag=v1.29.0
+      uses: bufbuild/buf-setup-action@517ee23296d5caf38df31c21945e6a54bbc8a89f # tag=v1.30.0
       with:
         github_token: ${{ github.token }}
     - name: Lint Protobuf

.github/workflows/ci-publish.yaml

@@ -55,7 +55,7 @@ jobs:
         uses: actions/[email protected]
 
       - name: Download Artifacts
-        uses: actions/[email protected].2
+        uses: actions/[email protected].4
         with:
           name: assembled-wars
           path: target

.github/workflows/ci-release.yaml

@@ -54,10 +54,10 @@ jobs:
         uses: actions/[email protected]
 
       - name: Set up JDK
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@v4.2.1
         with:
           distribution: 'temurin'
-          java-version: '17'
+          java-version: '21'
           cache: 'maven'
 
       - name: Set Version

.github/workflows/ci-test-pr-coverage.yml

@@ -0,0 +1,32 @@
+name: Report PR Test Coverage
+
+on:
+  workflow_run:
+    workflows:
+    - Tests CI
+    types:
+    - completed
+
+permissions: { }
+
+jobs:
+  publish:
+    name: Report Coverage
+    runs-on: ubuntu-latest
+    if: |-
+      github.event.workflow_run.event == 'pull_request'
+        && github.event.workflow_run.conclusion == 'success'
+    steps:
+    - name: Download PR test coverage report
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # tag=v4.1.4
+      with:
+        name: pr-test-coverage-report
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        run-id: ${{ github.event.workflow_run.id }}
+    - name: Report Coverage to Codacy
+      run: |-
+        bash <(curl -Ls https://coverage.codacy.com/get.sh) report \
+          --project-token ${{ secrets.CODACY_PROJECT_TOKEN }} \
+          --commit-uuid ${{ github.event.workflow_run.head_sha }} \
+          --coverage-reports ./target/jacoco-ut/jacoco.xml \
+          --language Java

.github/workflows/ci-test.yaml

@@ -34,10 +34,10 @@ jobs:
         uses: actions/[email protected]
 
       - name: Set up JDK
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@v4.2.1
         with:
           distribution: 'temurin'
-          java-version: '17'
+          java-version: '21'
           cache: 'maven'
 
       - name: Execute unit tests
@@ -47,3 +47,30 @@ jobs:
         run: |-
           mvn clean
           mvn test -P enhance
+
+      # Publishing coverage to Codacy is only possible for builds of push events.
+      # PRs from forks do not get access to repository secrets.
+      # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+      - name: Publish test coverage
+        if: ${{ github.event_name != 'pull_request' && github.repository_owner == 'DependencyTrack' }}
+        uses: codacy/[email protected]
+        with:
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          language: Java
+          coverage-reports: target/jacoco-ut/jacoco.xml
+
+      - name: Save PR details
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |-
+          echo ${{ github.sha }} > pr-commit.txt
+          echo ${{ github.event.number }} > pr-number.txt
+
+      - name: Upload PR test coverage report
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1
+        with:
+          name: pr-test-coverage-report
+          path: |-
+            pr-commit.txt
+            pr-number.txt
+            target/jacoco-ut/jacoco.xml

pom.xml

@@ -15,7 +15,7 @@
   ~ limitations under the License.
   ~
   ~ SPDX-License-Identifier: Apache-2.0
-  ~ Copyright (c) Steve Springett. All Rights Reserved.
+  ~ Copyright (c) OWASP Foundation. All Rights Reserved.
   -->
 <project xmlns="http://maven.apache.org/POM/4.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -24,14 +24,14 @@
     <parent>
         <groupId>us.springett</groupId>
         <artifactId>alpine-parent</artifactId>
-        <version>2.2.4</version>
+        <version>2.2.5</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.dependencytrack</groupId>
     <artifactId>dependency-track</artifactId>
     <packaging>war</packaging>
-    <version>5.4.0-SNAPSHOT</version>
+    <version>5.5.0-SNAPSHOT</version>
 
     <name>Dependency-Track</name>
     <url>https://dependencytrack.org/</url>
@@ -82,13 +82,16 @@
     </ciManagement>
 
     <properties>
+        <maven.compiler.source>21</maven.compiler.source>
+        <maven.compiler.target>21</maven.compiler.target>
+
         <!-- Dependency Versions -->
         <lib.alpine.version>${project.parent.version}</lib.alpine.version>
         <lib.awaitility.version>4.2.0</lib.awaitility.version>
         <lib.cel-tools.version>0.4.4</lib.cel-tools.version>
         <lib.checkstyle.version>10.13.0</lib.checkstyle.version>
         <lib.cloud-sql-postgres-socket-factory.version>1.16.0</lib.cloud-sql-postgres-socket-factory.version>
-        <lib.commons-compress.version>1.26.0</lib.commons-compress.version>
+        <lib.commons-compress.version>1.26.1</lib.commons-compress.version>
         <lib.cpe-parser.version>2.1.0</lib.cpe-parser.version>
         <lib.cvss-calculator.version>1.4.2</lib.cvss-calculator.version>
         <lib.owasp-rr-calculator.version>1.0.1</lib.owasp-rr-calculator.version>
@@ -102,22 +105,22 @@
         <lib.kafka-junit.version>3.6.0</lib.kafka-junit.version>
         <lib.liquibase.version>4.26.0</lib.liquibase.version>
         <lib.micrometer-jvm-extras.version>0.2.2</lib.micrometer-jvm-extras.version>
-        <lib.minio.version>8.5.8</lib.minio.version>
+        <lib.minio.version>8.5.9</lib.minio.version>
         <lib.packageurl.version>1.5.0</lib.packageurl.version>
         <lib.parallel-consumer.version>0.5.2.8</lib.parallel-consumer.version>
         <lib.pebble.version>3.2.2</lib.pebble.version>
         <lib.protobuf-java.version>3.25.3</lib.protobuf-java.version>
-        <lib.testcontainers.version>1.19.6</lib.testcontainers.version>
+        <lib.testcontainers.version>1.19.7</lib.testcontainers.version>
         <lib.resilience4j.version>2.2.0</lib.resilience4j.version>
         <lib.system-rules.version>1.19.0</lib.system-rules.version>
         <lib.versatile.version>0.6.0</lib.versatile.version>
         <lib.woodstox.version>6.6.0</lib.woodstox.version>
         <lib.junit-params.version>1.1.1</lib.junit-params.version>
         <lib.log4j-over-slf4j.version>2.0.12</lib.log4j-over-slf4j.version>
         <lib.httpclient.version>4.5.14</lib.httpclient.version>
-        <lib.net.javacrumbs.shedlock.version>5.11.0</lib.net.javacrumbs.shedlock.version>
+        <lib.net.javacrumbs.shedlock.version>5.12.0</lib.net.javacrumbs.shedlock.version>
         <lib.javacron.version>1.4.0</lib.javacron.version>
-        <lib.jdbc-driver.postgresql.version>42.7.1</lib.jdbc-driver.postgresql.version>
+        <lib.jdbc-driver.postgresql.version>42.7.2</lib.jdbc-driver.postgresql.version>
         <!-- Maven Plugin Properties -->
         <plugin.cyclonedx.projectType>application</plugin.cyclonedx.projectType>
         <plugin.cyclonedx.outputFormat>json</plugin.cyclonedx.outputFormat>
@@ -257,7 +260,7 @@
         <dependency>
             <groupId>org.json</groupId>
             <artifactId>json</artifactId>
-            <version>20240205</version>
+            <version>20240303</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.datatype</groupId>
@@ -635,6 +638,16 @@
                     </dependency>
                 </dependencies>
             </plugin>
+            <plugin>
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <configuration>
+                    <excludes>
+                        <exclude>org/cyclonedx/proto/**/*</exclude>
+                        <exclude>org/dependencytrack/proto/**/*</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>exec-maven-plugin</artifactId>

src/main/docker/Dockerfile

@@ -1,6 +1,6 @@
-FROM eclipse-temurin:21.0.2_13-jre-jammy@sha256:636b9a74a45bd1845bb49d1aca8763a2477b50717f831bf0818d0acab2cb5e1d AS jre-build
+FROM eclipse-temurin:21.0.2_13-jre-jammy@sha256:d9f7b8326b9d396d070432982a998015a04ffb8885b145e97777a5ae324a8df1 AS jre-build
 
-FROM debian:stable-slim@sha256:435ba09b2e259426c0552a041eef609b01d4655d9c8467d75be390801068baf3
+FROM debian:stable-slim@sha256:d10f0545d14bad5f4d230301f7e4fd904384f2dd16fda16d708f936c2fa1db3e
 
 # Arguments that can be passed at build time
 # Directory names must end with / to avoid errors when ADDing and COPYing

src/main/java/alpine/server/persistence/PersistenceInitializer.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package alpine.server.persistence;
 

src/main/java/org/dependencytrack/auth/Permissions.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.auth;
 

src/main/java/org/dependencytrack/auth/package-info.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 
 /**

src/main/java/org/dependencytrack/common/HttpClientPool.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.common;
 

src/main/java/org/dependencytrack/common/ManagedHttpClient.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.common;
 

src/main/java/org/dependencytrack/common/ManagedHttpClientFactory.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.common;
 

src/main/java/org/dependencytrack/event/AbstractVulnerabilityManagementUploadEvent.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.event;
 

src/main/java/org/dependencytrack/event/BomUploadEvent.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.event;
 

src/main/java/org/dependencytrack/event/CallbackEvent.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.event;
 

src/main/java/org/dependencytrack/event/CloneProjectEvent.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.event;
 

src/main/java/org/dependencytrack/event/ComponentMetricsUpdateEvent.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.event;
 

src/main/java/org/dependencytrack/event/DefectDojoUploadEventAbstract.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.event;
 

src/main/java/org/dependencytrack/event/EpssMirrorEvent.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) Steve Springett. All Rights Reserved.
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
  */
 package org.dependencytrack.event;