Proto commits in DependencyTrack/dependency-track

These 91 commits are when the Protocol Buffers files have changed:

Commit:281086b
Author:nscuro
Committer:nscuro

Include KEV flag in notifications Adds an `is_kev` flag to vulnerability messages in notifications. Besides the information being useful to receivers, it also allows users to leverage notification filter expressions to, for example, only receive notifications for KEV vulns. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:2ab8e63
Author:nscuro

Make KEV usable in component and vulnerability policies Exposes a new `is_kev` boolean field on the `Vulnerability` policy proto message. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:7ec8d1f
Author:nscuro
Committer:nscuro

Implement initial KEV support Adds support for Known Exploited Vulnerabilities (KEV), as outlined in ADR-030: * Introduces a new `KevDataSource` extension point, with two builtin extensions for CISA KEV and ENISA KEV. * Exposes a new `isKev` boolean field in findings and vulnerabilities API endpoints. Intentionally does NOT (yet): * Make KEV status usable in policies * Expose KEV counters in time series metrics * Extend SVG badges with KEV counter * Exposition of API endpoint for manual triggering of KEV mirroring * Support VulnCheck KEV Those are deferred to follow-up PRs to keep each change bearable in size. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:651a68e
Author:nscuro

Make latest version publish timestamp available to CEL policy engine Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:5fc453d
Author:nscuro
Committer:nscuro

Support component hash mismatch policy conditions Adds a new `has_package_artifact_hash_mismatch` CEL policy function that evaluates to `true` if and only if at least one component hash does not match what is reported by the upstream repository. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:fd561db
Author:nscuro

Bump CycloneDX proto to v1.7.1 Per https://github.com/CycloneDX/specification/releases/tag/1.7.1 Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:0d6411d
Author:Sahiba Mittal

Remove PROJECT_VULN_ANALYSIS_COMPLETE notifications Remove support for the PROJECT_VULN_ANALYSIS_COMPLETE notification and related plumbing. This is a focused cleanup to eliminate the project vulnerability-analysis-complete notification path and associated tests/resources.

Commit:e29bcc0
Author:nscuro
Committer:nscuro

Leverage conditional revalidation for package metadata resolution Significantly reduces load on upstream repositories, while also simplifying resolver code because caching and GZIP-decoding concerns are now centralized. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:ac5660d
Author:nscuro
Committer:nscuro

Migrate VEX import to dex Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:d89508f
Author:nscuro
Committer:nscuro

Bump CycloneDX Protobuf schema to v1.7 The schema is wire compatible with v1.6, so doing this in-place is fine. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:222f6db
Author:nscuro
Committer:nscuro

Remove partial CSAF implementation The CSAF implementation that was contributed is in a partial state, where only a data model and API endpoints exist. No frontend and nothing that makes use of the data. If we include this in the v5 GA release, we're bound to it WRT backward compatibility and stability guarantees. This is risky because we don't even know whether the targeted use case can be achieved with it. We're lacking the resources to complete implementation ourselves. The pragmatic approach is to remove the partial implementation. The code is not lost, it was part of multiple (pre-)releases and could be recovered if necessary. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:8ab53c3
Author:nscuro
Committer:nscuro

Implement user-managed vuln policies * Allows users to manage vulnerability policies via REST API (and consequently REST API). Previously, vuln policies could only be used with bundles, which required an external file server. * Paves the way for support of multiple bundles. Introduces a default bundle to bridge the gap with the previous behaviour. * Adds the concept of priorities to enable deterministic evaluation order. * Simplifies vuln policy management by switching from multiple conditions to only a single condition per policy. Having multiple conditions is largely useless given CEL is more expressive for combining multiple conditions. * Removes S3 support for bundle retrieval. We have no actual requirement for this yet. * Migrates all endpoints related to vuln policies to API v2. * Refactors the sync task to a dex workflow. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:2b3c183
Author:nscuro
Committer:nscuro

Support component properties in CEL policies Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:8e080ba
Author:nscuro
Committer:nscuro

Add support for scheduled summary notifications Ports https://github.com/DependencyTrack/dependency-track/pull/4783 Co-authored-by: Max Schiller <msr@mm-software.com> Co-authored-by: Marlon Gäthje <mge@mm-software.com> Co-authored-by: Richard Bickert <rbt@mm-software.com> Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:b860b2b
Author:nscuro
Committer:nscuro

Migrate portfolio metrics update to dex workflow Replaces the custom concurrency mechanism in PortfolioMetricsUpdateTask.java with a dex workflow. This allows project metrics updates to be worked on by multiple nodes in the cluster, instead of just one. Modifies /refresh REST endpoints for component and project metrics such that they invoke the corresponding stored procedures directly, instead of spawning an asynchronous task. Also fixes incorrect required permissions for those endpoints. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:9feb527
Author:nscuro
Committer:nscuro

Port Trivy vulnerability analyzer Ports the Trivy analyzer from Dependency-Track v4. Note that it was not previously ported to hyades and thus wasn't part of the initial vuln-analyzer service decommission work. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:887dd58
Author:nscuro

Migrate vuln data source mirroring to dex This makes mirroring crash- and restart-proof, provides transparent retry support, and removes a lot of boilerplate from the legacy implementation. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:358f3dd
Author:nscuro
Committer:nscuro

Implement package metadata resolution and remove Kafka requirement * Implements durable workflow to resolve package metadata. * Migrates legacy RepositoryMetaComponent and IntegrityMetaComponent models to PackageMetadata and PackageArtifactMetadata, in accordance with ADR-015. * Replaces dedicated integrity analysis task with ad-hoc checks. This is enabled by PackageArtifactMetadata being joinable with Component. * Removes all Kafka-related infrastructure. Only remaining use of Kafka is for notification publishing, which is entirely optional. This concludes our quest to remove the Kafka requirement for good. The whole platform can now sustain itself with only Postgres. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:23eb4cb
Author:nscuro
Committer:nscuro

Migrate BOM processing to dex workflow Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:dd28d81
Author:nscuro

Update Trivy protos Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:db48979
Author:nscuro
Committer:nscuro

Introduce project analysis dex workflow The workflow is intended to replace the legacy workflow state tracking mechanism, which is used primarily for BOM uploads. It encapsulates: * Vulnerability analysis * Policy evaluation * Metrics update This makes the whole "analysis pipeline" a single unit-of-work, and enables reuse. The new workflow is not yet triggered anywhere, so there's no change in behaviour yet. That will be done in a future change. VulnAnalysisTrigger has been renamed to simply AnalysisTrigger to better reflect this change. It's not technically a breaking change because we didn't cut a release since it got introduced. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:bc999a8
Author:Niklas
Committer:GitHub

Migrate vuln analysis to dex workflow (#1752) * Migrate vuln analysis to dex workflow Also ports the following from v4: * https://github.com/DependencyTrack/dependency-track/pull/5280 * https://github.com/DependencyTrack/dependency-track/pull/5418 * https://github.com/DependencyTrack/dependency-track/pull/5420 Signed-off-by: nscuro <nscuro@protonmail.com> * Refactor vulnerability policy evaluation for batch processing Signed-off-by: nscuro <nscuro@protonmail.com> * Emit PROJECT_AUDIT_CHANGE notification during finding reconciliation * Refactors query for PROJECT_AUDIT_CHANGE notification subject to use batching. * Extends analysis reconciler to track whether the analysis state or the suppression changed. Signed-off-by: nscuro <nscuro@protonmail.com> * Handle un-application of stale vuln policy analyses Closes a gap with the previous implementation where analyses that were previously applied by a vulnerability policy were un-applied if no policy matches the corresponding finding anymore. Signed-off-by: nscuro <nscuro@protonmail.com> * Reduce contention during batch vuln synchronization INSERT ... ON CONFLICT still acquires row locks even when the respective records are not being modified. Vulnerabilities being unchanged, or unable to be updated by the analyzer that reported them, is a very common scenario. This change adds a small optimization for avoiding vulns being scheduled for upserting in those cases. Note that contention was not strictly an issue during testing, but it *could* become a problem as concurrency is cranked up. Signed-off-by: nscuro <nscuro@protonmail.com> * Simplify query for existing finding attributions The joins with `COMPONENT` and `COMPONENTS_VULNERABILITIES` were unnecessary since `FINDINGATTRIBUTION` already holds all required information. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix matching criteria query of internal analyzer * Fixes erroneous duble index increment that caused fewer queries being built than expected. * Reduces the partition size from 100 to a more reasonable 25, since the matching criteria queries were getting quite large. Signed-off-by: nscuro <nscuro@protonmail.com> * Add tests for OSS Index vuln analyzer Signed-off-by: nscuro <nscuro@protonmail.com> * Handle completion of legacy workflow steps Adds dex event listeners that complete VULN_ANALYSIS steps of legacy workflows when a new VulnAnalysisWorkflow run completes. This ensures that the legacy workflow logic keeps working until it is replaced entirely. Also adds an event listener that takes care of emitting delayed BOM_PROCESSED notifications, which was previously handled by ProcessedVulnerabilityScanResultProcessor. As a result, WorkflowMaintenanceTask no longer needs to check for timed out vulnerability analyses. The entire vuln analysis lifecycle is managed by dex now. Signed-off-by: nscuro <nscuro@protonmail.com> * Re-introduce PROJECT_VULN_ANALYSIS_COMPLETE notification The notification was previously emitted by ProcessedVulnerabilityScanResultProcessor, which no longer exists. Signed-off-by: nscuro <nscuro@protonmail.com> * Add JavaDoc for VulnAnalyzer extension point Signed-off-by: nscuro <nscuro@protonmail.com> * Port Snyk vuln analyzer Signed-off-by: nscuro <nscuro@protonmail.com> * Fix finding attribution inconsistencies Ensures that we properly deal with potentially multiple attributions per finding, which we introduced in ADR-013 (https://dependencytrack.github.io/hyades/snapshot/architecture/decisions/013-finding-status/). Signed-off-by: nscuro <nscuro@protonmail.com> * Populate finding attribution reference URL Enables vuln analyzers to communicate an optional reference URL for the findings they produce. This URL will be rendered as clickable link in the UI. Note that this was an existing functionality that was temporarily removed earlier as part of the vuln analysis refactoring. Signed-off-by: nscuro <nscuro@protonmail.com> * Re-introduce emission of NEW_VULNERABLE_DEPENDENCY notification Uses an optional context proto message for the vuln-analysis workflow, which carries the IDs of newly added components. This is required for us to be able to identify for which components we should emit NEW_VULNERABLE_DEPENDENCY notification during vuln analysis result reconciliation. The context is stored in file storage and passed around as file metadata. It was not a reasonable alternative to pass component IDs directly as workflow argument, because large BOM uploads can have 10s of thousands of new components. Signed-off-by: nscuro <nscuro@protonmail.com> * Improve vulnerability synchronization logic * Processes results of vuln analyzers in deterministic order. * Introduces VulnerabilityUpdatePolicy in an attempt to centralize the logic as to whether a vulnerability can be updated if it already exists. Still not optimal but a better solution is a bigger undertaking. * Removes redundant ConvertedVulnerability class. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix CVSSv4 fields not being considered during vuln sync Signed-off-by: nscuro <nscuro@protonmail.com> * Fix no ANALYZER_ERROR notification being emitted when vuln analyzers failed Signed-off-by: nscuro <nscuro@protonmail.com> * Introduce vuln analysis trigger notification field We previously used a field called "vulnerabilityAnalysisLevel" to communicate *what* triggered a vulnerability analysis. This was temporarily removed during the vuln analysis refactoring, but is now re-introduced. The old string field is still populated, but deprecated for removal. Instead, a new "analysisTrigger" field is introduced, which is defined as enum rather than free text string. "level" has always been ambiguous, and the string type meant that consumers never really knew what possible values they could expect. Signed-off-by: nscuro <nscuro@protonmail.com> * Re-introduce alias sync for vulns reported by analyzers Signed-off-by: nscuro <nscuro@protonmail.com> * Adjust excessive retry policy of analyzer invocations The previous policy could lead to retry windows of up to 40min. We already handle analyzer failures gracefully, so there's no point in retrying for so long. Signed-off-by: nscuro <nscuro@protonmail.com> * Remove outdated TODO Signed-off-by: nscuro <nscuro@protonmail.com> * Fix incorrect table aliases in ordering columns Signed-off-by: nscuro <nscuro@protonmail.com> * Emit VULNERABILITY_RETRACTED notification when findings become inactive ... and emit NEW_VULNERABILITY notifications when findings are re-activated. This accounts for users who need to be notified when a finding is no longer applicable. Decided against introducing new notification groups like FINDING_STATUS_CHANGE, because it didn't align well with the notification groups we already have, and that users likely have built workflows around already. Whether a finding is active or inactive is really only an implementation detail and shouldn't be surfaced to users directly. Signed-off-by: nscuro <nscuro@protonmail.com> * Make vuln analyzers interruptible * Propagates InterruptedException to the caller. * Checks for interruption at strategic places (i.e. in loops before processing the next batch of items). This ensures that interruptions are detectable by the dex engine, and activity tasks can be cleanly abandoned. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix redundant analysis comments on policy un-application or removal Fixes comments such as: "Justification: NOT_SET → NOT_SET". Signed-off-by: nscuro <nscuro@protonmail.com> * Support new vuln analysis workflow in legacy workflow status endpoint Signed-off-by: nscuro <nscuro@protonmail.com> * Run vuln analysis reconciliation on separate task queue Reconciliation is quite I/O intensive and excessive concurrency can actually hurt here. Running it on a separate queue allows for more granular concurrency control. Signed-off-by: nscuro <nscuro@protonmail.com> * Fail vuln analysis workflow when all analyzers failed Signed-off-by: nscuro <nscuro@protonmail.com> * Remove debug logging for vulnanalysis package Signed-off-by: nscuro <nscuro@protonmail.com> * Reduce dex buffer flush intervals for tests Signed-off-by: nscuro <nscuro@protonmail.com> * Simplify alias deduplication in metrics calculation We now have alias group IDs that we can de-dupe on. No need to track individual source-vulnId pairs anymore. Signed-off-by: nscuro <nscuro@protonmail.com> * Ensure vuln analyzer result reconciliation is interruptible Adds interruption checks before I/O intensive work to enable timely shutdown. The entire activity is idempotent so it's safe to abandon it at any of these points. Signed-off-by: nscuro <nscuro@protonmail.com> * Simplify and streamline component metrics calculation * Replace vulnerability loop with batched queries. * Collapse multiple separate queries into one. * Only update LAST_RISKSCORE of components when it actually changed, avoiding unnecessary I/O overhead. * Reformat the SQL to match the rest of the project's style. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix wrong exception thrown for invalid analyzer configs Signed-off-by: nscuro <nscuro@protonmail.com> * Populate project UUID MDC key in vuln analysis workflow Signed-off-by: nscuro <nscuro@protonmail.com> * Remove noisy logging from vuln analysis reconciliation Signed-off-by: nscuro <nscuro@protonmail.com> * Remove redundant method overrides Signed-off-by: nscuro <nscuro@protonmail.com> * Add missing vuln analyzer config docs Signed-off-by: nscuro <nscuro@protonmail.com> * Bump parent version of vuln-analysis modules Signed-off-by: nscuro <nscuro@protonmail.com> * Remove unused code Signed-off-by: nscuro <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:1462160
Author:Sahiba Mittal
Committer:GitHub

Add CVSSv4 support (#1687) * WIP upgrading cvss calculator version * Add CVSSv4 support to vulnerability model Adds CVSSv4 fields to the Vulnerability and Analysis models, database schema, and API. Updates logic for severity calculation to consider CVSSv4, adjusts related utility methods and tests, and ensures migration and cloning procedures handle the new fields. * Remove Impact and Exploitability SubScore for CVSS V4 * Update policy.proto * Add CVSSv4 to Finding model * Refactor vulnerability processing for cvssV4 * Fix notification mapping * Fix test and remove comment * Rename cvssV4BaseScore to cvssV4Score * Update procedure_update-component-metrics.sql * Update procedure_update-component-metrics.sql * Update VulnerabilityScanResultProcessorTest.java * Remove cvssV2 from Github model mapping

Commit:0b11324
Author:nscuro
Committer:nscuro

Convert CSAF tasks to workflows Enables provider discovery and document import to be addressable by workflow instance ID, while also effectively prevent multiple instances for the same aggregator / provider to run concurrently. https://github.com/DependencyTrack/hyades-apiserver/blob/main/dex/docs/PATTERNS.md#singletons Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:3bba529
Author:nscuro
Committer:nscuro

Complete notification publishing migration * Enables notification router and removes feature flag. * Implements dex workflow for publishing. * Removes direct publishing to Kafka. * Adds partial rule filtering at notification emission time. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:601200c
Author:nscuro
Committer:nscuro

Isolate plugin API * Removes proto dependency from plugin-api. * Move vuln data source API to separate module, similar to file-storage-api and notification-api. This is necessary to retain clear responsibilities and avoid circular module dependencies. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:3126b90
Author:nscuro
Committer:nscuro

Merge -api and -proto modules The separation is not really justified given they depend so tightly on another. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:3550286
Author:nscuro
Committer:nscuro

Use British spelling for CANCELLED workflow run status Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:d499281
Author:nscuro
Committer:nscuro

Separate file storage API & proto modules * The core proto module contains internal proto definitions that shouldn't be required by the plugin API. Separating the file storage protos is a step towards removing that dependency. * The file storage API shouldn't be part of the core plugin API. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:2089920
Author:nscuro
Committer:nscuro

Move notification API and protos to separate modules This is a preparation for https://github.com/DependencyTrack/hyades/issues/1860 and was extracted from https://github.com/DependencyTrack/hyades-apiserver/pull/1489. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:1210dd5
Author:Niklas
Committer:GitHub

Add durable execution engine implementation (#1138)

Commit:1717fe0
Author:Christian Banse
Committer:GitHub

Implement CSAF support (#1462) Co-authored-by: Lawrence Dean <lawrence.dean@aisec.fraunhofer.de> Co-authored-by: Niklas <nscuro@protonmail.com>

Commit:0dbe529
Author:nscuro
Committer:nscuro

Implement transactional notification emission and relay Introduces a mechanism to emit and relay notifications using the transactional outbox pattern. Notifications are still sent to Kafka for now. This will change soon when we re-introduce notification routing back into the API server and decommission the separate notification-publisher service. This implementation differs from the original ADR-003 in that it does not use PostgreSQL's logical replication. While that would have made the solution better performing, it would have required separate connection management, as well as elevated privileges (i.e., the `REPLICATION` role attribute). Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:3ac8eed
Author:nscuro
Committer:nscuro

Migrate EPSS mirroring from hyades mirror-service * Modifies `EpssMirrorTask` to no longer emit Kafka events, but instead perform the mirroring itself. * Moves from open-vulnerability-clients' `EpssDataFeed` to a streaming and batching mechanism that is more memory-efficient. * Leverages `UNNEST` for efficient bulk upserts. This doesn't leverage the `VulnDataSource` extension point, because it doesn't emit complete vulnerability records. Relevant references: * https://www.tigerdata.com/blog/boosting-postgres-insert-performance Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:b42ea44
Author:Sahiba Mittal
Committer:GitHub

Issue-1837 : Log more details when timing out and failing workflow steps (#1386)

Commit:d7bcd2b
Author:nscuro

Fix file storage package name Just a cosmetic change for better consistency in naming. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:a70e716
Author:nscuro
Committer:nscuro

Move Protobuf files into separate Maven module Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:30819d7
Author:nscuro
Committer:nscuro

Convert to multi-module Maven project Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:ed7a392
Author:nscuro
Committer:nscuro

Implement file storage plugin Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:af64eef
Author:nscuro
Committer:nscuro

Migrate Trivy integration to use Protobuf instead of JSON Closes #4065 Signed-off-by: nscuro <nscuro@protonmail.com>

The documentation is generated from this commit.

Commit:3ec305f
Author:Sahiba Mittal

refactor BomValidationFailedSubject proto

Commit:aa81527
Author:Sahiba Mittal

Add Notification For BOM_VALIDATION_FAILED Co-Authored-By: Aravind Parappil <aravindparappil@gmail.com>

Commit:8b49ca8
Author:Sahiba Mittal

remove proto cdx 1.4

Commit:fb75e6b
Author:Sahiba Mittal

update cdx version to 1.6

Commit:a32b45f
Author:Sahiba Mittal

refactor user subject

Commit:db0fc12
Author:Sahiba Mittal

user notifications added Co-Authored-By: Marlon Pina Tojal <1815240+fnxpt@users.noreply.github.com>

Commit:c48de6c
Author:vithikashukla

add vector string to other notifications involving vulnerability Signed-off-by: vithikashukla <vithika.shukla@citi.com>

Commit:2cc7a46
Author:vithikashukla

add cvss vector to vulnerability Signed-off-by: vithikashukla <vithika.shukla@citi.com>

Commit:f776608
Author:Sahiba Mittal

Revert "Merge branch 'main' into epss-mirroring" This reverts commit 1215204644089410513c15dad52dce3c603705b5, reversing changes made to d65f9bf6b842538d6c2c6227473107d5f8b399a5.

Commit:1215204
Author:Sahiba Mittal

Merge branch 'main' into epss-mirroring

This commit does not contain any .proto files.

Commit:b3e82f1
Author:Sahiba Mittal

Merge branch 'main' into epss-mirroring

Commit:b21f573
Author:Sahiba Mittal

ingest bom generated from cdx

Commit:1a8f6c9
Author:Sahiba Mittal

WIP

Commit:beb34ed
Author:nscuro
Committer:nscuro

Ingest `metadata.tools` from BOMs and make it available in CEL policies The internal model is aligned with CycloneDX v1.5, in that it differentiates between tools that are components, and tools that are services: https://cyclonedx.org/docs/1.5/json/#tab-pane_metadata_tools_oneOf_i0 When ingesting BOMs following v1.4 or older of the CycloneDX specification, `metadata.tools` array items will be converted to `metadata.tools.components`. For the time being, tools are persisted as JSON column in the `PROJECT_METADATA` table. As such, tools will not be analyzed for vulnerabilities or other kinds of risk. Tool components and services are treated as subsets of the internal `Component` and `ServiceComponent` models. This subset property is enforced via Jackson's `@JsonView`s, such that only specific fields are considered when serializing and deserializing to and from JSON. Tools are made available in CEL policy expressions under `project.metadata.tools.components`. Tool components use the existing `v1.Component` type, which means that functions like `matches_version` can be used on them. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:a0a43c7
Author:vithikashukla

replace json string with proto Signed-off-by: vithikashukla <vithika.shukla@citi.com>

Commit:783d6a3
Author:meha
Committer:GitHub

Rename package `org.hyades` to `org.dependencytrack` (#454) * renamed org.hyades to org.dependencytrack Signed-off-by: mehab <meha.bhargava@citi.com> * reverting application.properties Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>

Commit:fc932c7
Author:meha
Committer:GitHub

Add support for version distance policies in CEL (#401) * version distance policy added Signed-off-by: mehab <meha.bhargava@citi.com> * pr fix Signed-off-by: mehab <meha.bhargava@citi.com> * fixed unit tests Signed-off-by: mehab <meha.bhargava@citi.com> * fixed formatting Signed-off-by: mehab <meha.bhargava@citi.com> * PR review changes Signed-off-by: mehab <meha.bhargava@citi.com> * PR review changes complete Signed-off-by: mehab <meha.bhargava@citi.com> * fixed broken test Signed-off-by: mehab <meha.bhargava@citi.com> * pr review changes Signed-off-by: mehab <meha.bhargava@citi.com> * pr review changes Signed-off-by: mehab <meha.bhargava@citi.com> * removed unused import Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>

Commit:d150510
Author:meha
Committer:GitHub

Add component age policy condition (#358) * intermediate commit Signed-off-by: mehab <meha.bhargava@citi.com> * custom function added Signed-off-by: mehab <meha.bhargava@citi.com> * component age cell policy working Signed-off-by: mehab <meha.bhargava@citi.com> * removed unused property Signed-off-by: mehab <meha.bhargava@citi.com> * fixed unit tests. Updated existing componentAgePolicyEvaluator to use integrity meta info. Added tests for cel expression for age Signed-off-by: mehab <meha.bhargava@citi.com> * addressed PR review comments Signed-off-by: mehab <meha.bhargava@citi.com> * cleanup Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>

Commit:aad3042
Author:VithikaS
Committer:GitHub

Integrity check (#355) * initial commit Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Added integrity check Signed-off-by: vithikashukla <vithika.shukla@citi.com> * revert unwanted changes Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added more assertions Signed-off-by: vithikashukla <vithika.shukla@citi.com> * check if component exists before getting metadata Signed-off-by: vithikashukla <vithika.shukla@citi.com> --------- Signed-off-by: vithikashukla <vithika.shukla@citi.com> Co-authored-by: vithikashukla <vithika.shukla@citi.com>

Commit:a32f94c
Author:meha
Committer:GitHub

added integrity analysis event on apiserver (#339) * added integrity analysis event on apiserver Signed-off-by: mehab <meha.bhargava@citi.com> * fixed unit tests Signed-off-by: mehab <meha.bhargava@citi.com> * fixed unit test for repometaanalysistask Signed-off-by: mehab <meha.bhargava@citi.com> * fixed tests for bomupload Signed-off-by: mehab <meha.bhargava@citi.com> * fixed tests for bomupload Signed-off-by: mehab <meha.bhargava@citi.com> * PR review fixes Signed-off-by: mehab <meha.bhargava@citi.com> * end to end test successful Signed-off-by: mehab <meha.bhargava@citi.com> * fixed broken test Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>

Commit:07521dd
Author:meha
Committer:GitHub

Incoming events with hash information for apiserver (#343) * added logic for processing incoming hash information as part of repo meta analysis Signed-off-by: mehab <meha.bhargava@citi.com> * sha512 added Signed-off-by: mehab <meha.bhargava@citi.com> * added sha512 to the list of hashes Signed-off-by: mehab <meha.bhargava@citi.com> * removed for loop not required for integrity analysis results Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>

Commit:5400bc5
Author:Niklas
Committer:GitHub

Add support for CEL policy conditions (#316) * Initial commit of CEL policy work Signed-off-by: nscuro <nscuro@protonmail.com> * Add a few custom CEL functions Signed-off-by: nscuro <nscuro@protonmail.com> * Make policies work with legacy way of reporting violations Signed-off-by: nscuro <nscuro@protonmail.com> * Implement `is_dependency_of` CEL function Signed-off-by: nscuro <nscuro@protonmail.com> * Support vuln aliases in CEL policies Signed-off-by: nscuro <nscuro@protonmail.com> * Few minor adjustments Signed-off-by: nscuro <nscuro@protonmail.com> * Return CEL errors in API response Signed-off-by: nscuro <nscuro@protonmail.com> * Fix some vulnerability fields not being fetched for policies Signed-off-by: nscuro <nscuro@protonmail.com> * Bump `versatile` to `0.3.0` Signed-off-by: nscuro <nscuro@protonmail.com> * Use AST visitor to determine which fields are accessed for any given type Signed-off-by: nscuro <nscuro@protonmail.com> * Cleanup Signed-off-by: nscuro <nscuro@protonmail.com> * Cleanup Signed-off-by: nscuro <nscuro@protonmail.com> * WIP: Loading of required fields; Project policy evaluation Signed-off-by: nscuro <nscuro@protonmail.com> * Improve violation reconciliation for projects Signed-off-by: nscuro <nscuro@protonmail.com> * Add test with bloated BOM to debug performance bottlenecks Signed-off-by: nscuro <nscuro@protonmail.com> * Disable DataNucleus L1 cache for policy reconciliation Signed-off-by: nscuro <nscuro@protonmail.com> * Add field mapping tests Signed-off-by: nscuro <nscuro@protonmail.com> * Handle implicit policy script requirements for custom functions Signed-off-by: nscuro <nscuro@protonmail.com> * Minor readability and code documentation improvements Signed-off-by: nscuro <nscuro@protonmail.com> * Fetch data for policy violation notifications in a single query DataNucleus on its own loads too much data, and does so using too many queries. Signed-off-by: nscuro <nscuro@protonmail.com> * Perform violation reconciliation using direct JDBC access Signed-off-by: nscuro <nscuro@protonmail.com> * Include strings library in CEL policy environment Signed-off-by: nscuro <nscuro@protonmail.com> * Cleanup; Support project properties, tags, and vulnerability aliases Signed-off-by: nscuro <nscuro@protonmail.com> * Add test to verify that all fields can be loaded Signed-off-by: nscuro <nscuro@protonmail.com> * Add remaining fields to `testWithAllFields` Signed-off-by: nscuro <nscuro@protonmail.com> * Add test for vuln severity evaluation Signed-off-by: nscuro <nscuro@protonmail.com> * Remove un-implemented `depends_on` function; Add proper logging for custom functions Signed-off-by: nscuro <nscuro@protonmail.com> * Handle invalid scripts and script runtime failures Signed-off-by: nscuro <nscuro@protonmail.com> * Add `escapeQuotes` for CEL script builders Using `escapeJson` doesn't work quite right when special characters / regular expressions are provided. All we need is prevention of "breaking out" of strings, so escaping double quotes alone is sufficient. Signed-off-by: nscuro <nscuro@protonmail.com> * Add tests for some legacy conditions Signed-off-by: nscuro <nscuro@protonmail.com> * More tests for `CelPolicyEngine` Signed-off-by: nscuro <nscuro@protonmail.com> * Add more tests; Implement script cache bypass for REST API interactions Signed-off-by: nscuro <nscuro@protonmail.com> * Add tests for hash policy (#326) * added tests for hash policy Signed-off-by: mehab <meha.bhargava@citi.com> * updated tests Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com> * Add version cel policy script builder (#324) * Add version cel policy script builder Signed-off-by: vithikashukla <vithika.shukla@citi.com> * add version support for coordinates cel policy Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Added unit test for version policy script builder Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added coordninates condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added coordinates condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> --------- Signed-off-by: vithikashukla <vithika.shukla@citi.com> Co-authored-by: vithikashukla <vithika.shukla@citi.com> * Fix new UNIQUE constraint breaking existing behavior Signed-off-by: nscuro <nscuro@protonmail.com> * Add feature flag for CEL policy engine Signed-off-by: nscuro <nscuro@protonmail.com> * Add `UpgradeItem` to update type of `"POLICYCONDITION"."VALUE"` to `TEXT` Signed-off-by: nscuro <nscuro@protonmail.com> * Handle policy evaluation for individual components Signed-off-by: nscuro <nscuro@protonmail.com> * added unit tests for cwe cel policy Signed-off-by: mehab <meha.bhargava@citi.com> * Add license condition test (#332) * Add version cel policy script builder Signed-off-by: vithikashukla <vithika.shukla@citi.com> * add version support for coordinates cel policy Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Added unit test for version policy script builder Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added coordninates condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added coordinates condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added more conditions to test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Added license condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Update src/main/java/org/dependencytrack/policy/cel/CelPolicyEngine.java Co-authored-by: Niklas <nscuro@protonmail.com> Signed-off-by: VithikaS <122881935+VithikaS@users.noreply.github.com> * Added license group condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * updated comment Signed-off-by: vithikashukla <vithika.shukla@citi.com> --------- Signed-off-by: vithikashukla <vithika.shukla@citi.com> Signed-off-by: VithikaS <122881935+VithikaS@users.noreply.github.com> Co-authored-by: vithikashukla <vithika.shukla@citi.com> Co-authored-by: Niklas <nscuro@protonmail.com> * Fix projection mapping for `Double` / `BigDecimal` fields Signed-off-by: nscuro <nscuro@protonmail.com> * support wildcard Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Add `buf` config and workflow Signed-off-by: nscuro <nscuro@protonmail.com> * Change Proto package from `hyades` to `dependencytrack` As this feature will be backported, we need to make sure policies will be compatible once folks start upgrading to Hyades. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix failing tests due to Proto package change Signed-off-by: nscuro <nscuro@protonmail.com> * Un-ignore `cyclonedx.proto` from breaking changes check Signed-off-by: Niklas <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mehab <meha.bhargava@citi.com> Signed-off-by: vithikashukla <vithika.shukla@citi.com> Signed-off-by: VithikaS <122881935+VithikaS@users.noreply.github.com> Signed-off-by: Niklas <nscuro@protonmail.com> Co-authored-by: meha <meha.bhargava2@gmail.com> Co-authored-by: VithikaS <122881935+VithikaS@users.noreply.github.com> Co-authored-by: vithikashukla <vithika.shukla@citi.com> Co-authored-by: mehab <meha.bhargava@citi.com>

Commit:9009411
Author:Sahiba Mittal

token added in workflow notification subjects

Commit:f0f5a14
Author:nscuro

Fix grammatical number of `vulnerabilities` in `ProjectVulnAnalysisCompleteSubject` Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:89f10c6
Author:nscuro

Fix more JSON field names deviating from vanilla DT's https://github.com/DependencyTrack/dependency-track/blob/6ede8fcd433bc5f57bf5eff03b964172fb02a4e0/src/main/java/org/dependencytrack/util/NotificationUtil.java#L289-L334 Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:d7b2046
Author:nscuro

Fix breaking change in `NEW_VULNERABILITY` notification JSON format The breaking change was introduced for https://github.com/DependencyTrack/hyades/issues/467, and is causing issues for consumers of Webhook notifications that expect the `affectedProjects` field to be an array of projects. Whereas now it is an object holding references. To fix the JSON representation, an array field named `affectedProjects` is added again. It will be populated with the same value that the `project` field holds. Because only the field *name* is changed in the Protobuf schema, this is not a breaking change for the notification publisher. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:c9d90d4
Author:nscuro

Remove unused `org.hyades.vuln.v1` proto As of https://github.com/DependencyTrack/hyades/issues/352, we use CycloneDX BOVs to communicate vulnerability information. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:1122ad5
Author:Sahiba Mittal
Committer:GitHub

Implement workflow state for vulnerability analysis step (#252) * vuln analysis workflow WIP * Update BomUploadProcessingTaskTest.java * refactor WIP * test fixed * more test added * Update VulnerabilityScanResultProcessor.java * add failure reason for vuln-analysis * Update WorkflowStateQueryManager.java * Update BomUploadProcessingTaskTest.java * refactor state flow * trigger metrics update event for NA vuln-analysis * empty commit * Update BomUploadProcessingTaskTest.java * refactor * notification proto enum update * buf fix * Update notification.proto * Update NotificationModelConverterTest.java

Commit:7105503
Author:Sahiba Mittal
Committer:GitHub

Issue-352 : CDX for vuln analysis result (#236)

Commit:0717746
Author:nscuro
Committer:nscuro

Remove Lucene Method signatures accepting a `boolean commitIndex` flag have not been modified to avoid a larger refactoring. Invocations of index updates via `Event.dispatch(new IndexEvent(...))` are just commented out so that the information of *when* those updates are supposed to happen is not lost when we re-implement indexing again. Closes https://github.com/DependencyTrack/hyades/issues/661 Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:422cb14
Author:meha
Committer:GitHub

renamed variable (#209) Signed-off-by: mehab <meha.bhargava@citi.com>

Commit:695bfd6
Author:meha
Committer:GitHub

Feature/vuln analysis complete notify (#192)

Commit:7ff4f09
Author:Sahiba Mittal

Squashed commit of the following: commit 1e1a2190241c973b77c6f087e6a2e082bbc9999f Merge: bc3ca720 650b1004 Author: Niklas <nscuro@protonmail.com> Date: Mon May 22 20:58:02 2023 +0200 Merge pull request #180 from DependencyTrack/dependabot/maven/org.apache.maven.plugins-maven-checkstyle-plugin-3.3.0 Bump maven-checkstyle-plugin from 3.2.2 to 3.3.0 commit bc3ca720ae0e9042b114a272609be1ba80260969 Merge: 4c978abd 2617f781 Author: Niklas <nscuro@protonmail.com> Date: Mon May 22 20:57:48 2023 +0200 Merge pull request #181 from DependencyTrack/dependabot/maven/net.javacrumbs.json-unit-json-unit-assertj-2.38.0 Bump json-unit-assertj from 2.37.0 to 2.38.0 commit 4c978abd35a300266ec9f4736bb5d3c19d5655a6 Merge: e90be305 ef88d663 Author: Niklas <nscuro@protonmail.com> Date: Mon May 22 18:34:39 2023 +0200 Merge pull request #179 from DependencyTrack/issue-554-merge-notification-topics commit ef88d663d68dae52a58f0416a2daf3cff1baed22 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Mon May 22 16:29:18 2023 +0100 Update NotificationUtil.java commit 2617f781c2a8e913ac5b85472647f140787a7c8b Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon May 22 15:10:14 2023 +0000 Bump json-unit-assertj from 2.37.0 to 2.38.0 Bumps [json-unit-assertj](https://github.com/lukas-krecan/JsonUnit) from 2.37.0 to 2.38.0. - [Commits](https://github.com/lukas-krecan/JsonUnit/compare/json-unit-parent-2.37.0...json-unit-parent-2.38.0) --- updated-dependencies: - dependency-name: net.javacrumbs.json-unit:json-unit-assertj dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit 650b1004daf0b10d7d6e4ed680a043878eb40d39 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon May 22 15:08:57 2023 +0000 Bump maven-checkstyle-plugin from 3.2.2 to 3.3.0 Bumps [maven-checkstyle-plugin](https://github.com/apache/maven-checkstyle-plugin) from 3.2.2 to 3.3.0. - [Commits](https://github.com/apache/maven-checkstyle-plugin/compare/maven-checkstyle-plugin-3.2.2...maven-checkstyle-plugin-3.3.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-checkstyle-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit c1cd2d3b45490f837a8b3dfa38693d675e4bfdac Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Mon May 22 14:47:11 2023 +0100 Update KafkaEventDispatcher.java commit d2fee4753511df5375d0ae01bd84f98e5d14a7ff Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Mon May 22 14:15:26 2023 +0100 merge notification topics and added project uuid as event key commit e90be305b48899b1f784ce74711056f8275cfa74 Merge: 29490eed ade9cda5 Author: Niklas <nscuro@protonmail.com> Date: Mon May 22 13:20:38 2023 +0200 Merge pull request #178 from DependencyTrack/skip-vuln-scan-result-repartition Skip unnecessary repartition of vuln scan results commit ade9cda5ffb072af71f44d941212723997f6a89f Author: nscuro <nscuro@protonmail.com> Date: Sun May 21 19:25:48 2023 +0200 Skip unnecessary repartition of vuln scan results The intention behind the repartition was to avoid race conditions when results for the same component would be processed in parallel. However, this case should be rather rare, and we already perform retries should a transaction fail due to a unique constraint violation. It had the ugly side effect of doubling the partition count necessary to process vuln scan results, without adding much benefit. Additionally, the re-keying of results to scan tokens also causes a repartition. This repartition included the scanner results, despite them not being needed by any of the following processing steps. To save some overhead, we now strip the scanner results before performing the repartition. Signed-off-by: nscuro <nscuro@protonmail.com> commit 29490eed3098d02da34ff641db09349cb39725c3 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri May 19 16:04:02 2023 +0100 Bump lib.protobuf-java.version from 3.23.0 to 3.23.1 (#177) commit 506caebe0e580d8c1d111d5dd771ac7d23a53f4c Merge: b9826155 e4b6efc1 Author: Niklas <nscuro@protonmail.com> Date: Fri May 19 12:41:14 2023 +0200 Merge pull request #173 from DependencyTrack/dependabot/maven/net.mguenther.kafka-kafka-junit-3.4.0 Bump kafka-junit from 3.3.0 to 3.4.0 commit b9826155e95d1c4fdfe932e6e044c2a95229b570 Merge: f087c8cb cd84a6d7 Author: Niklas <nscuro@protonmail.com> Date: Fri May 19 12:40:48 2023 +0200 Merge pull request #176 from DependencyTrack/port-changes-from-4.8.2 Add externalReferences to PATCH project commit f087c8cb6f6c1fe2751057ccfdced0554b507bb1 Merge: fefef15f e9d76a29 Author: Niklas <nscuro@protonmail.com> Date: Fri May 19 12:40:24 2023 +0200 Merge pull request #175 from DependencyTrack/fix-SIGTERM-container-handling Port changes from upstream API server 4.8.1 and 4.8.2 commit e9d76a2919f517267459b07971098be483619beb Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 17:31:59 2023 +0100 Fix broken pagination in DefectDojo integration Co-Authored-By: Niklas <scuro@protonmail.com> commit 59628eb3999ef6ec8244ba26ce711e76e42960c6 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 15:53:42 2023 +0100 Fix policy violation search Co-Authored-By: Jakub Rak <7059008+jakubrak@users.noreply.github.com> commit cd84a6d78e057b5e64a4892789c8047a090250af Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 15:35:14 2023 +0100 Add externalReferences to PATCH project Co-Authored-By: Florian Heubeck <40993644+heubeck@users.noreply.github.com> commit be87060729fbd5260d2c143ddcc2f20b6458475c Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 13:19:51 2023 +0100 Fix NPE in DefectDojoClient when scan_type of a test is null Co-Authored-By: Niklas <scuro@protonmail.com> commit d2b13f4d06151750a2d2220b31929080e71b6aa4 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 11:45:27 2023 +0100 Upgrade alpine parent Co-Authored-By: Niklas <scuro@protonmail.com> commit f1757ae0929baf21b8f7335b460e3099895143ef Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 11:21:42 2023 +0100 Add missing config docs for alpine.oidc.client.id Co-Authored-By: Niklas <scuro@protonmail.com> commit 0a24b66d1beb6799373e2368a072d99ad9f40c44 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 11:12:55 2023 +0100 Fix missing project filter for /api/v1/violation/project Co-Authored-By: Niklas <scuro@protonmail.com> commit 36a30dfd71d1bf5fd8604928f6edc0bcac71d3d0 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 10:36:12 2023 +0100 fix SIGTERM signal Co-Authored-By: Niklas <scuro@protonmail.com> commit fefef15f84f971cd85e634adcd1acf8026ce008f Merge: 107327cb a2da39d6 Author: Niklas <nscuro@protonmail.com> Date: Wed May 17 21:06:22 2023 +0200 Merge pull request #174 from DependencyTrack/issue-559-use-object-for-bom use object for bom commit a2da39d6732f7d84247ffb6d49fc57bef578928f Author: vithikashukla <vithika.shukla14@gmail.com> Date: Wed May 17 16:12:19 2023 +0100 use object for bom Signed-off-by: vithikashukla <vithika.shukla14@gmail.com> commit e4b6efc1fb913545a2ff58304c89e7f399e03153 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed May 17 15:03:33 2023 +0000 Bump kafka-junit from 3.3.0 to 3.4.0 Bumps [kafka-junit](https://github.com/mguenther/kafka-junit) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/mguenther/kafka-junit/releases) - [Commits](https://github.com/mguenther/kafka-junit/compare/3.3.0...3.4.0) --- updated-dependencies: - dependency-name: net.mguenther.kafka:kafka-junit dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit 107327cbbb824d3d1a8306f53ac7ae0457673e2e Author: Niklas <nscuro@protonmail.com> Date: Mon May 15 18:06:42 2023 +0200 Fix `ArrayIndexOutOfBoundsException` in `MirrorVulnerabilityProcessor` (#170) Also, catch all exceptions in the processor to prevent it from causing Kafka Streams to be shut down. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:a2da39d
Author:vithikashukla

use object for bom Signed-off-by: vithikashukla <vithika.shukla14@gmail.com>

Commit:f2f3248
Author:Sahiba Mittal
Committer:GitHub

Map recommendation for analyzers and update temurin base image version (#122)

Commit:80d0c95
Author:Niklas
Committer:GitHub

Merge pull request #83 from DependencyTrack/single-vuln-analysis-result-event Process vulnerability analysis results from a single event per component

Commit:05fd759
Author:Niklas
Committer:GitHub

Merge pull request #81 from DependencyTrack/hyades-issue-467 Use back references instead of including all affected projects in notification subject

Commit:9be466b
Author:nscuro

Backport https://github.com/DependencyTrack/dependency-track/pull/2600 Co-authored-by: RBickert <rbt@mm-software.com> Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:63da1bd
Author:nscuro
Committer:nscuro

Remove `COMPLETE` from `ScanStatus` enum Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:d9bcf59
Author:nscuro
Committer:nscuro

Process vuln scan results from a single event Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:f0cb828
Author:nscuro

Use common `BackReference` message Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:0a92da1
Author:nscuro

Send URIs instead of complete list of affected projects in `NEW_VULNERABILITY` notifications Addresses https://github.com/DependencyTrack/hyades/issues/467 Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:ffcc42c
Author:Sahiba Mittal

added cycloneDx protobuf

Commit:90307de
Author:nscuro

Relax vuln analysis level field type Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:bd6514c
Author:nscuro
Committer:nscuro

Refactor notifications to use Protobuf schemas Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:2ff67ad
Author:nscuro

Port changes to Protobuf schemas from https://github.com/DependencyTrack/hyades/pull/414 Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:b302188
Author:Niklas
Committer:GitHub

Refactor repository meta analysis to use Protobuf schemas (#62) * Refactor repo meta analysis to use Protobuf schemas Signed-off-by: nscuro <nscuro@protonmail.com> * Fix tests Signed-off-by: nscuro <nscuro@protonmail.com> * Address Lift comment Signed-off-by: nscuro <nscuro@protonmail.com> * Fix RepositoryMetaAnalyzerTaskTest Signed-off-by: nscuro <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:3854ca9
Author:vithikashukla

Reverted metrics calculation Signed-off-by: vithikashukla <vithika.shukla14@gmail.com>

Commit:d492768
Author:Niklas
Committer:GitHub

Migrate Kafka metrics events to Protobuf schemas (#47) * Partial work to migrate Kafka metrics events to Protobuf schemas Signed-off-by: nscuro <nscuro@protonmail.com> * Correctly (de-)serialize `null` values using Protobuf Signed-off-by: nscuro <nscuro@protonmail.com> * Fix metrics unit tests; Minor refactoring Signed-off-by: nscuro <nscuro@protonmail.com> * Fix ProjectMetricsProcessorTest Signed-off-by: nscuro <nscuro@protonmail.com> * Fix PortfolioMetricsProcessorTest Signed-off-by: nscuro <nscuro@protonmail.com> * JavaDoc clarification Signed-off-by: nscuro <nscuro@protonmail.com> * Update metrics proto schema Signed-off-by: nscuro <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:4e2828a
Author:nscuro
Committer:nscuro

Fix timing issue in computation of vuln scan completion In the previous implementation, it was possible that the number of received scan results was equal to the number of sent scan commands, BEFORE all scan commands for a given scan key had been processed. Scans were thus marked as COMPLETE, despite that not being the case. We now track the completion in a database table. A row in the table is created before emitting events to Kafka, and it's initialized with the expected number of scan results. As updates to the tracking table are done in serial fashion, thanks to Kafka's ordering guarantees, it's safe to use optimistic locking. It also simplifies the Kafka Streams topology. Signed-off-by: nscuro <nscuro@protonmail.com>

Commit:efc2827
Author:Niklas
Committer:GitHub

Use Protobuf for processing vuln analysis results (#32) * Use Protobuf for processing vuln analysis results Signed-off-by: nscuro <nscuro@protonmail.com> * Define serdes on a per-topic basis As some topics use Protobuf now, while others continue to use `String` / `UUID` / JSON, the Kafka producer has to support multiple serialization formats. Signed-off-by: nscuro <nscuro@protonmail.com> * Remove unused DTOs Signed-off-by: nscuro <nscuro@protonmail.com> * Add Hyades ModelConverter test Signed-off-by: nscuro <nscuro@protonmail.com> * Include expected & received result counts in scan status message Signed-off-by: nscuro <nscuro@protonmail.com> * Allow custom `ObjectMapper` to be used for `JacksonSerde` Signed-off-by: nscuro <nscuro@protonmail.com> * Make switch statements exhaustive Signed-off-by: nscuro <nscuro@protonmail.com> * Fix portfolio vulnerability analysis test Signed-off-by: nscuro <nscuro@protonmail.com> * Port changes from #38 to new `KafkaTopics` class Signed-off-by: nscuro <nscuro@protonmail.com> * `correlationId` -> `scanToken` Signed-off-by: nscuro <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com>