These 91 commits are when the Protocol Buffers files have changed:
| Commit: | 281086b | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Include KEV flag in notifications Adds an `is_kev` flag to vulnerability messages in notifications. Besides the information being useful to receivers, it also allows users to leverage notification filter expressions to, for example, only receive notifications for KEV vulns. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 2ab8e63 | |
|---|---|---|
| Author: | nscuro | |
Make KEV usable in component and vulnerability policies Exposes a new `is_kev` boolean field on the `Vulnerability` policy proto message. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 7ec8d1f | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Implement initial KEV support Adds support for Known Exploited Vulnerabilities (KEV), as outlined in ADR-030: * Introduces a new `KevDataSource` extension point, with two builtin extensions for CISA KEV and ENISA KEV. * Exposes a new `isKev` boolean field in findings and vulnerabilities API endpoints. Intentionally does NOT (yet): * Make KEV status usable in policies * Expose KEV counters in time series metrics * Extend SVG badges with KEV counter * Exposition of API endpoint for manual triggering of KEV mirroring * Support VulnCheck KEV Those are deferred to follow-up PRs to keep each change bearable in size. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 651a68e | |
|---|---|---|
| Author: | nscuro | |
Make latest version publish timestamp available to CEL policy engine Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 5fc453d | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Support component hash mismatch policy conditions Adds a new `has_package_artifact_hash_mismatch` CEL policy function that evaluates to `true` if and only if at least one component hash does not match what is reported by the upstream repository. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | fd561db | |
|---|---|---|
| Author: | nscuro | |
Bump CycloneDX proto to v1.7.1 Per https://github.com/CycloneDX/specification/releases/tag/1.7.1 Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 0d6411d | |
|---|---|---|
| Author: | Sahiba Mittal | |
Remove PROJECT_VULN_ANALYSIS_COMPLETE notifications Remove support for the PROJECT_VULN_ANALYSIS_COMPLETE notification and related plumbing. This is a focused cleanup to eliminate the project vulnerability-analysis-complete notification path and associated tests/resources.
| Commit: | e29bcc0 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Leverage conditional revalidation for package metadata resolution Significantly reduces load on upstream repositories, while also simplifying resolver code because caching and GZIP-decoding concerns are now centralized. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | ac5660d | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Migrate VEX import to dex Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | d89508f | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Bump CycloneDX Protobuf schema to v1.7 The schema is wire compatible with v1.6, so doing this in-place is fine. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 222f6db | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Remove partial CSAF implementation The CSAF implementation that was contributed is in a partial state, where only a data model and API endpoints exist. No frontend and nothing that makes use of the data. If we include this in the v5 GA release, we're bound to it WRT backward compatibility and stability guarantees. This is risky because we don't even know whether the targeted use case can be achieved with it. We're lacking the resources to complete implementation ourselves. The pragmatic approach is to remove the partial implementation. The code is not lost, it was part of multiple (pre-)releases and could be recovered if necessary. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 8ab53c3 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Implement user-managed vuln policies * Allows users to manage vulnerability policies via REST API (and consequently REST API). Previously, vuln policies could only be used with bundles, which required an external file server. * Paves the way for support of multiple bundles. Introduces a default bundle to bridge the gap with the previous behaviour. * Adds the concept of priorities to enable deterministic evaluation order. * Simplifies vuln policy management by switching from multiple conditions to only a single condition per policy. Having multiple conditions is largely useless given CEL is more expressive for combining multiple conditions. * Removes S3 support for bundle retrieval. We have no actual requirement for this yet. * Migrates all endpoints related to vuln policies to API v2. * Refactors the sync task to a dex workflow. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 2b3c183 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Support component properties in CEL policies Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 8e080ba | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Add support for scheduled summary notifications Ports https://github.com/DependencyTrack/dependency-track/pull/4783 Co-authored-by: Max Schiller <msr@mm-software.com> Co-authored-by: Marlon Gäthje <mge@mm-software.com> Co-authored-by: Richard Bickert <rbt@mm-software.com> Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | b860b2b | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Migrate portfolio metrics update to dex workflow Replaces the custom concurrency mechanism in PortfolioMetricsUpdateTask.java with a dex workflow. This allows project metrics updates to be worked on by multiple nodes in the cluster, instead of just one. Modifies /refresh REST endpoints for component and project metrics such that they invoke the corresponding stored procedures directly, instead of spawning an asynchronous task. Also fixes incorrect required permissions for those endpoints. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 9feb527 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Port Trivy vulnerability analyzer Ports the Trivy analyzer from Dependency-Track v4. Note that it was not previously ported to hyades and thus wasn't part of the initial vuln-analyzer service decommission work. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 887dd58 | |
|---|---|---|
| Author: | nscuro | |
Migrate vuln data source mirroring to dex This makes mirroring crash- and restart-proof, provides transparent retry support, and removes a lot of boilerplate from the legacy implementation. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 358f3dd | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Implement package metadata resolution and remove Kafka requirement * Implements durable workflow to resolve package metadata. * Migrates legacy RepositoryMetaComponent and IntegrityMetaComponent models to PackageMetadata and PackageArtifactMetadata, in accordance with ADR-015. * Replaces dedicated integrity analysis task with ad-hoc checks. This is enabled by PackageArtifactMetadata being joinable with Component. * Removes all Kafka-related infrastructure. Only remaining use of Kafka is for notification publishing, which is entirely optional. This concludes our quest to remove the Kafka requirement for good. The whole platform can now sustain itself with only Postgres. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 23eb4cb | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Migrate BOM processing to dex workflow Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | dd28d81 | |
|---|---|---|
| Author: | nscuro | |
Update Trivy protos Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | db48979 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Introduce project analysis dex workflow The workflow is intended to replace the legacy workflow state tracking mechanism, which is used primarily for BOM uploads. It encapsulates: * Vulnerability analysis * Policy evaluation * Metrics update This makes the whole "analysis pipeline" a single unit-of-work, and enables reuse. The new workflow is not yet triggered anywhere, so there's no change in behaviour yet. That will be done in a future change. VulnAnalysisTrigger has been renamed to simply AnalysisTrigger to better reflect this change. It's not technically a breaking change because we didn't cut a release since it got introduced. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | bc999a8 | |
|---|---|---|
| Author: | Niklas | |
| Committer: | GitHub | |
Migrate vuln analysis to dex workflow (#1752) * Migrate vuln analysis to dex workflow Also ports the following from v4: * https://github.com/DependencyTrack/dependency-track/pull/5280 * https://github.com/DependencyTrack/dependency-track/pull/5418 * https://github.com/DependencyTrack/dependency-track/pull/5420 Signed-off-by: nscuro <nscuro@protonmail.com> * Refactor vulnerability policy evaluation for batch processing Signed-off-by: nscuro <nscuro@protonmail.com> * Emit PROJECT_AUDIT_CHANGE notification during finding reconciliation * Refactors query for PROJECT_AUDIT_CHANGE notification subject to use batching. * Extends analysis reconciler to track whether the analysis state or the suppression changed. Signed-off-by: nscuro <nscuro@protonmail.com> * Handle un-application of stale vuln policy analyses Closes a gap with the previous implementation where analyses that were previously applied by a vulnerability policy were un-applied if no policy matches the corresponding finding anymore. Signed-off-by: nscuro <nscuro@protonmail.com> * Reduce contention during batch vuln synchronization INSERT ... ON CONFLICT still acquires row locks even when the respective records are not being modified. Vulnerabilities being unchanged, or unable to be updated by the analyzer that reported them, is a very common scenario. This change adds a small optimization for avoiding vulns being scheduled for upserting in those cases. Note that contention was not strictly an issue during testing, but it *could* become a problem as concurrency is cranked up. Signed-off-by: nscuro <nscuro@protonmail.com> * Simplify query for existing finding attributions The joins with `COMPONENT` and `COMPONENTS_VULNERABILITIES` were unnecessary since `FINDINGATTRIBUTION` already holds all required information. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix matching criteria query of internal analyzer * Fixes erroneous duble index increment that caused fewer queries being built than expected. * Reduces the partition size from 100 to a more reasonable 25, since the matching criteria queries were getting quite large. Signed-off-by: nscuro <nscuro@protonmail.com> * Add tests for OSS Index vuln analyzer Signed-off-by: nscuro <nscuro@protonmail.com> * Handle completion of legacy workflow steps Adds dex event listeners that complete VULN_ANALYSIS steps of legacy workflows when a new VulnAnalysisWorkflow run completes. This ensures that the legacy workflow logic keeps working until it is replaced entirely. Also adds an event listener that takes care of emitting delayed BOM_PROCESSED notifications, which was previously handled by ProcessedVulnerabilityScanResultProcessor. As a result, WorkflowMaintenanceTask no longer needs to check for timed out vulnerability analyses. The entire vuln analysis lifecycle is managed by dex now. Signed-off-by: nscuro <nscuro@protonmail.com> * Re-introduce PROJECT_VULN_ANALYSIS_COMPLETE notification The notification was previously emitted by ProcessedVulnerabilityScanResultProcessor, which no longer exists. Signed-off-by: nscuro <nscuro@protonmail.com> * Add JavaDoc for VulnAnalyzer extension point Signed-off-by: nscuro <nscuro@protonmail.com> * Port Snyk vuln analyzer Signed-off-by: nscuro <nscuro@protonmail.com> * Fix finding attribution inconsistencies Ensures that we properly deal with potentially multiple attributions per finding, which we introduced in ADR-013 (https://dependencytrack.github.io/hyades/snapshot/architecture/decisions/013-finding-status/). Signed-off-by: nscuro <nscuro@protonmail.com> * Populate finding attribution reference URL Enables vuln analyzers to communicate an optional reference URL for the findings they produce. This URL will be rendered as clickable link in the UI. Note that this was an existing functionality that was temporarily removed earlier as part of the vuln analysis refactoring. Signed-off-by: nscuro <nscuro@protonmail.com> * Re-introduce emission of NEW_VULNERABLE_DEPENDENCY notification Uses an optional context proto message for the vuln-analysis workflow, which carries the IDs of newly added components. This is required for us to be able to identify for which components we should emit NEW_VULNERABLE_DEPENDENCY notification during vuln analysis result reconciliation. The context is stored in file storage and passed around as file metadata. It was not a reasonable alternative to pass component IDs directly as workflow argument, because large BOM uploads can have 10s of thousands of new components. Signed-off-by: nscuro <nscuro@protonmail.com> * Improve vulnerability synchronization logic * Processes results of vuln analyzers in deterministic order. * Introduces VulnerabilityUpdatePolicy in an attempt to centralize the logic as to whether a vulnerability can be updated if it already exists. Still not optimal but a better solution is a bigger undertaking. * Removes redundant ConvertedVulnerability class. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix CVSSv4 fields not being considered during vuln sync Signed-off-by: nscuro <nscuro@protonmail.com> * Fix no ANALYZER_ERROR notification being emitted when vuln analyzers failed Signed-off-by: nscuro <nscuro@protonmail.com> * Introduce vuln analysis trigger notification field We previously used a field called "vulnerabilityAnalysisLevel" to communicate *what* triggered a vulnerability analysis. This was temporarily removed during the vuln analysis refactoring, but is now re-introduced. The old string field is still populated, but deprecated for removal. Instead, a new "analysisTrigger" field is introduced, which is defined as enum rather than free text string. "level" has always been ambiguous, and the string type meant that consumers never really knew what possible values they could expect. Signed-off-by: nscuro <nscuro@protonmail.com> * Re-introduce alias sync for vulns reported by analyzers Signed-off-by: nscuro <nscuro@protonmail.com> * Adjust excessive retry policy of analyzer invocations The previous policy could lead to retry windows of up to 40min. We already handle analyzer failures gracefully, so there's no point in retrying for so long. Signed-off-by: nscuro <nscuro@protonmail.com> * Remove outdated TODO Signed-off-by: nscuro <nscuro@protonmail.com> * Fix incorrect table aliases in ordering columns Signed-off-by: nscuro <nscuro@protonmail.com> * Emit VULNERABILITY_RETRACTED notification when findings become inactive ... and emit NEW_VULNERABILITY notifications when findings are re-activated. This accounts for users who need to be notified when a finding is no longer applicable. Decided against introducing new notification groups like FINDING_STATUS_CHANGE, because it didn't align well with the notification groups we already have, and that users likely have built workflows around already. Whether a finding is active or inactive is really only an implementation detail and shouldn't be surfaced to users directly. Signed-off-by: nscuro <nscuro@protonmail.com> * Make vuln analyzers interruptible * Propagates InterruptedException to the caller. * Checks for interruption at strategic places (i.e. in loops before processing the next batch of items). This ensures that interruptions are detectable by the dex engine, and activity tasks can be cleanly abandoned. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix redundant analysis comments on policy un-application or removal Fixes comments such as: "Justification: NOT_SET → NOT_SET". Signed-off-by: nscuro <nscuro@protonmail.com> * Support new vuln analysis workflow in legacy workflow status endpoint Signed-off-by: nscuro <nscuro@protonmail.com> * Run vuln analysis reconciliation on separate task queue Reconciliation is quite I/O intensive and excessive concurrency can actually hurt here. Running it on a separate queue allows for more granular concurrency control. Signed-off-by: nscuro <nscuro@protonmail.com> * Fail vuln analysis workflow when all analyzers failed Signed-off-by: nscuro <nscuro@protonmail.com> * Remove debug logging for vulnanalysis package Signed-off-by: nscuro <nscuro@protonmail.com> * Reduce dex buffer flush intervals for tests Signed-off-by: nscuro <nscuro@protonmail.com> * Simplify alias deduplication in metrics calculation We now have alias group IDs that we can de-dupe on. No need to track individual source-vulnId pairs anymore. Signed-off-by: nscuro <nscuro@protonmail.com> * Ensure vuln analyzer result reconciliation is interruptible Adds interruption checks before I/O intensive work to enable timely shutdown. The entire activity is idempotent so it's safe to abandon it at any of these points. Signed-off-by: nscuro <nscuro@protonmail.com> * Simplify and streamline component metrics calculation * Replace vulnerability loop with batched queries. * Collapse multiple separate queries into one. * Only update LAST_RISKSCORE of components when it actually changed, avoiding unnecessary I/O overhead. * Reformat the SQL to match the rest of the project's style. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix wrong exception thrown for invalid analyzer configs Signed-off-by: nscuro <nscuro@protonmail.com> * Populate project UUID MDC key in vuln analysis workflow Signed-off-by: nscuro <nscuro@protonmail.com> * Remove noisy logging from vuln analysis reconciliation Signed-off-by: nscuro <nscuro@protonmail.com> * Remove redundant method overrides Signed-off-by: nscuro <nscuro@protonmail.com> * Add missing vuln analyzer config docs Signed-off-by: nscuro <nscuro@protonmail.com> * Bump parent version of vuln-analysis modules Signed-off-by: nscuro <nscuro@protonmail.com> * Remove unused code Signed-off-by: nscuro <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 1462160 | |
|---|---|---|
| Author: | Sahiba Mittal | |
| Committer: | GitHub | |
Add CVSSv4 support (#1687) * WIP upgrading cvss calculator version * Add CVSSv4 support to vulnerability model Adds CVSSv4 fields to the Vulnerability and Analysis models, database schema, and API. Updates logic for severity calculation to consider CVSSv4, adjusts related utility methods and tests, and ensures migration and cloning procedures handle the new fields. * Remove Impact and Exploitability SubScore for CVSS V4 * Update policy.proto * Add CVSSv4 to Finding model * Refactor vulnerability processing for cvssV4 * Fix notification mapping * Fix test and remove comment * Rename cvssV4BaseScore to cvssV4Score * Update procedure_update-component-metrics.sql * Update procedure_update-component-metrics.sql * Update VulnerabilityScanResultProcessorTest.java * Remove cvssV2 from Github model mapping
| Commit: | 0b11324 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Convert CSAF tasks to workflows Enables provider discovery and document import to be addressable by workflow instance ID, while also effectively prevent multiple instances for the same aggregator / provider to run concurrently. https://github.com/DependencyTrack/hyades-apiserver/blob/main/dex/docs/PATTERNS.md#singletons Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 3bba529 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Complete notification publishing migration * Enables notification router and removes feature flag. * Implements dex workflow for publishing. * Removes direct publishing to Kafka. * Adds partial rule filtering at notification emission time. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 601200c | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Isolate plugin API * Removes proto dependency from plugin-api. * Move vuln data source API to separate module, similar to file-storage-api and notification-api. This is necessary to retain clear responsibilities and avoid circular module dependencies. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 3126b90 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Merge -api and -proto modules The separation is not really justified given they depend so tightly on another. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 3550286 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Use British spelling for CANCELLED workflow run status Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | d499281 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Separate file storage API & proto modules * The core proto module contains internal proto definitions that shouldn't be required by the plugin API. Separating the file storage protos is a step towards removing that dependency. * The file storage API shouldn't be part of the core plugin API. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 2089920 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Move notification API and protos to separate modules This is a preparation for https://github.com/DependencyTrack/hyades/issues/1860 and was extracted from https://github.com/DependencyTrack/hyades-apiserver/pull/1489. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 1210dd5 | |
|---|---|---|
| Author: | Niklas | |
| Committer: | GitHub | |
Add durable execution engine implementation (#1138)
| Commit: | 1717fe0 | |
|---|---|---|
| Author: | Christian Banse | |
| Committer: | GitHub | |
Implement CSAF support (#1462) Co-authored-by: Lawrence Dean <lawrence.dean@aisec.fraunhofer.de> Co-authored-by: Niklas <nscuro@protonmail.com>
| Commit: | 0dbe529 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Implement transactional notification emission and relay Introduces a mechanism to emit and relay notifications using the transactional outbox pattern. Notifications are still sent to Kafka for now. This will change soon when we re-introduce notification routing back into the API server and decommission the separate notification-publisher service. This implementation differs from the original ADR-003 in that it does not use PostgreSQL's logical replication. While that would have made the solution better performing, it would have required separate connection management, as well as elevated privileges (i.e., the `REPLICATION` role attribute). Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 3ac8eed | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Migrate EPSS mirroring from hyades mirror-service * Modifies `EpssMirrorTask` to no longer emit Kafka events, but instead perform the mirroring itself. * Moves from open-vulnerability-clients' `EpssDataFeed` to a streaming and batching mechanism that is more memory-efficient. * Leverages `UNNEST` for efficient bulk upserts. This doesn't leverage the `VulnDataSource` extension point, because it doesn't emit complete vulnerability records. Relevant references: * https://www.tigerdata.com/blog/boosting-postgres-insert-performance Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | b42ea44 | |
|---|---|---|
| Author: | Sahiba Mittal | |
| Committer: | GitHub | |
Issue-1837 : Log more details when timing out and failing workflow steps (#1386)
| Commit: | d7bcd2b | |
|---|---|---|
| Author: | nscuro | |
Fix file storage package name Just a cosmetic change for better consistency in naming. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | a70e716 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Move Protobuf files into separate Maven module Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 30819d7 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Convert to multi-module Maven project Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | ed7a392 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Implement file storage plugin Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | af64eef | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Migrate Trivy integration to use Protobuf instead of JSON Closes #4065 Signed-off-by: nscuro <nscuro@protonmail.com>
The documentation is generated from this commit.
| Commit: | 3ec305f | |
|---|---|---|
| Author: | Sahiba Mittal | |
refactor BomValidationFailedSubject proto
| Commit: | aa81527 | |
|---|---|---|
| Author: | Sahiba Mittal | |
Add Notification For BOM_VALIDATION_FAILED Co-Authored-By: Aravind Parappil <aravindparappil@gmail.com>
| Commit: | 8b49ca8 | |
|---|---|---|
| Author: | Sahiba Mittal | |
remove proto cdx 1.4
| Commit: | fb75e6b | |
|---|---|---|
| Author: | Sahiba Mittal | |
update cdx version to 1.6
| Commit: | a32b45f | |
|---|---|---|
| Author: | Sahiba Mittal | |
refactor user subject
| Commit: | db0fc12 | |
|---|---|---|
| Author: | Sahiba Mittal | |
user notifications added Co-Authored-By: Marlon Pina Tojal <1815240+fnxpt@users.noreply.github.com>
| Commit: | c48de6c | |
|---|---|---|
| Author: | vithikashukla | |
add vector string to other notifications involving vulnerability Signed-off-by: vithikashukla <vithika.shukla@citi.com>
| Commit: | 2cc7a46 | |
|---|---|---|
| Author: | vithikashukla | |
add cvss vector to vulnerability Signed-off-by: vithikashukla <vithika.shukla@citi.com>
| Commit: | f776608 | |
|---|---|---|
| Author: | Sahiba Mittal | |
Revert "Merge branch 'main' into epss-mirroring" This reverts commit 1215204644089410513c15dad52dce3c603705b5, reversing changes made to d65f9bf6b842538d6c2c6227473107d5f8b399a5.
| Commit: | 1215204 | |
|---|---|---|
| Author: | Sahiba Mittal | |
Merge branch 'main' into epss-mirroring
This commit does not contain any .proto files.
| Commit: | b3e82f1 | |
|---|---|---|
| Author: | Sahiba Mittal | |
Merge branch 'main' into epss-mirroring
| Commit: | b21f573 | |
|---|---|---|
| Author: | Sahiba Mittal | |
ingest bom generated from cdx
| Commit: | 1a8f6c9 | |
|---|---|---|
| Author: | Sahiba Mittal | |
WIP
| Commit: | beb34ed | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Ingest `metadata.tools` from BOMs and make it available in CEL policies The internal model is aligned with CycloneDX v1.5, in that it differentiates between tools that are components, and tools that are services: https://cyclonedx.org/docs/1.5/json/#tab-pane_metadata_tools_oneOf_i0 When ingesting BOMs following v1.4 or older of the CycloneDX specification, `metadata.tools` array items will be converted to `metadata.tools.components`. For the time being, tools are persisted as JSON column in the `PROJECT_METADATA` table. As such, tools will not be analyzed for vulnerabilities or other kinds of risk. Tool components and services are treated as subsets of the internal `Component` and `ServiceComponent` models. This subset property is enforced via Jackson's `@JsonView`s, such that only specific fields are considered when serializing and deserializing to and from JSON. Tools are made available in CEL policy expressions under `project.metadata.tools.components`. Tool components use the existing `v1.Component` type, which means that functions like `matches_version` can be used on them. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | a0a43c7 | |
|---|---|---|
| Author: | vithikashukla | |
replace json string with proto Signed-off-by: vithikashukla <vithika.shukla@citi.com>
| Commit: | 783d6a3 | |
|---|---|---|
| Author: | meha | |
| Committer: | GitHub | |
Rename package `org.hyades` to `org.dependencytrack` (#454) * renamed org.hyades to org.dependencytrack Signed-off-by: mehab <meha.bhargava@citi.com> * reverting application.properties Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>
| Commit: | fc932c7 | |
|---|---|---|
| Author: | meha | |
| Committer: | GitHub | |
Add support for version distance policies in CEL (#401) * version distance policy added Signed-off-by: mehab <meha.bhargava@citi.com> * pr fix Signed-off-by: mehab <meha.bhargava@citi.com> * fixed unit tests Signed-off-by: mehab <meha.bhargava@citi.com> * fixed formatting Signed-off-by: mehab <meha.bhargava@citi.com> * PR review changes Signed-off-by: mehab <meha.bhargava@citi.com> * PR review changes complete Signed-off-by: mehab <meha.bhargava@citi.com> * fixed broken test Signed-off-by: mehab <meha.bhargava@citi.com> * pr review changes Signed-off-by: mehab <meha.bhargava@citi.com> * pr review changes Signed-off-by: mehab <meha.bhargava@citi.com> * removed unused import Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>
| Commit: | d150510 | |
|---|---|---|
| Author: | meha | |
| Committer: | GitHub | |
Add component age policy condition (#358) * intermediate commit Signed-off-by: mehab <meha.bhargava@citi.com> * custom function added Signed-off-by: mehab <meha.bhargava@citi.com> * component age cell policy working Signed-off-by: mehab <meha.bhargava@citi.com> * removed unused property Signed-off-by: mehab <meha.bhargava@citi.com> * fixed unit tests. Updated existing componentAgePolicyEvaluator to use integrity meta info. Added tests for cel expression for age Signed-off-by: mehab <meha.bhargava@citi.com> * addressed PR review comments Signed-off-by: mehab <meha.bhargava@citi.com> * cleanup Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>
| Commit: | aad3042 | |
|---|---|---|
| Author: | VithikaS | |
| Committer: | GitHub | |
Integrity check (#355) * initial commit Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Added integrity check Signed-off-by: vithikashukla <vithika.shukla@citi.com> * revert unwanted changes Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added more assertions Signed-off-by: vithikashukla <vithika.shukla@citi.com> * check if component exists before getting metadata Signed-off-by: vithikashukla <vithika.shukla@citi.com> --------- Signed-off-by: vithikashukla <vithika.shukla@citi.com> Co-authored-by: vithikashukla <vithika.shukla@citi.com>
| Commit: | a32f94c | |
|---|---|---|
| Author: | meha | |
| Committer: | GitHub | |
added integrity analysis event on apiserver (#339) * added integrity analysis event on apiserver Signed-off-by: mehab <meha.bhargava@citi.com> * fixed unit tests Signed-off-by: mehab <meha.bhargava@citi.com> * fixed unit test for repometaanalysistask Signed-off-by: mehab <meha.bhargava@citi.com> * fixed tests for bomupload Signed-off-by: mehab <meha.bhargava@citi.com> * fixed tests for bomupload Signed-off-by: mehab <meha.bhargava@citi.com> * PR review fixes Signed-off-by: mehab <meha.bhargava@citi.com> * end to end test successful Signed-off-by: mehab <meha.bhargava@citi.com> * fixed broken test Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>
| Commit: | 07521dd | |
|---|---|---|
| Author: | meha | |
| Committer: | GitHub | |
Incoming events with hash information for apiserver (#343) * added logic for processing incoming hash information as part of repo meta analysis Signed-off-by: mehab <meha.bhargava@citi.com> * sha512 added Signed-off-by: mehab <meha.bhargava@citi.com> * added sha512 to the list of hashes Signed-off-by: mehab <meha.bhargava@citi.com> * removed for loop not required for integrity analysis results Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com>
| Commit: | 5400bc5 | |
|---|---|---|
| Author: | Niklas | |
| Committer: | GitHub | |
Add support for CEL policy conditions (#316) * Initial commit of CEL policy work Signed-off-by: nscuro <nscuro@protonmail.com> * Add a few custom CEL functions Signed-off-by: nscuro <nscuro@protonmail.com> * Make policies work with legacy way of reporting violations Signed-off-by: nscuro <nscuro@protonmail.com> * Implement `is_dependency_of` CEL function Signed-off-by: nscuro <nscuro@protonmail.com> * Support vuln aliases in CEL policies Signed-off-by: nscuro <nscuro@protonmail.com> * Few minor adjustments Signed-off-by: nscuro <nscuro@protonmail.com> * Return CEL errors in API response Signed-off-by: nscuro <nscuro@protonmail.com> * Fix some vulnerability fields not being fetched for policies Signed-off-by: nscuro <nscuro@protonmail.com> * Bump `versatile` to `0.3.0` Signed-off-by: nscuro <nscuro@protonmail.com> * Use AST visitor to determine which fields are accessed for any given type Signed-off-by: nscuro <nscuro@protonmail.com> * Cleanup Signed-off-by: nscuro <nscuro@protonmail.com> * Cleanup Signed-off-by: nscuro <nscuro@protonmail.com> * WIP: Loading of required fields; Project policy evaluation Signed-off-by: nscuro <nscuro@protonmail.com> * Improve violation reconciliation for projects Signed-off-by: nscuro <nscuro@protonmail.com> * Add test with bloated BOM to debug performance bottlenecks Signed-off-by: nscuro <nscuro@protonmail.com> * Disable DataNucleus L1 cache for policy reconciliation Signed-off-by: nscuro <nscuro@protonmail.com> * Add field mapping tests Signed-off-by: nscuro <nscuro@protonmail.com> * Handle implicit policy script requirements for custom functions Signed-off-by: nscuro <nscuro@protonmail.com> * Minor readability and code documentation improvements Signed-off-by: nscuro <nscuro@protonmail.com> * Fetch data for policy violation notifications in a single query DataNucleus on its own loads too much data, and does so using too many queries. Signed-off-by: nscuro <nscuro@protonmail.com> * Perform violation reconciliation using direct JDBC access Signed-off-by: nscuro <nscuro@protonmail.com> * Include strings library in CEL policy environment Signed-off-by: nscuro <nscuro@protonmail.com> * Cleanup; Support project properties, tags, and vulnerability aliases Signed-off-by: nscuro <nscuro@protonmail.com> * Add test to verify that all fields can be loaded Signed-off-by: nscuro <nscuro@protonmail.com> * Add remaining fields to `testWithAllFields` Signed-off-by: nscuro <nscuro@protonmail.com> * Add test for vuln severity evaluation Signed-off-by: nscuro <nscuro@protonmail.com> * Remove un-implemented `depends_on` function; Add proper logging for custom functions Signed-off-by: nscuro <nscuro@protonmail.com> * Handle invalid scripts and script runtime failures Signed-off-by: nscuro <nscuro@protonmail.com> * Add `escapeQuotes` for CEL script builders Using `escapeJson` doesn't work quite right when special characters / regular expressions are provided. All we need is prevention of "breaking out" of strings, so escaping double quotes alone is sufficient. Signed-off-by: nscuro <nscuro@protonmail.com> * Add tests for some legacy conditions Signed-off-by: nscuro <nscuro@protonmail.com> * More tests for `CelPolicyEngine` Signed-off-by: nscuro <nscuro@protonmail.com> * Add more tests; Implement script cache bypass for REST API interactions Signed-off-by: nscuro <nscuro@protonmail.com> * Add tests for hash policy (#326) * added tests for hash policy Signed-off-by: mehab <meha.bhargava@citi.com> * updated tests Signed-off-by: mehab <meha.bhargava@citi.com> --------- Signed-off-by: mehab <meha.bhargava@citi.com> * Add version cel policy script builder (#324) * Add version cel policy script builder Signed-off-by: vithikashukla <vithika.shukla@citi.com> * add version support for coordinates cel policy Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Added unit test for version policy script builder Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added coordninates condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added coordinates condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> --------- Signed-off-by: vithikashukla <vithika.shukla@citi.com> Co-authored-by: vithikashukla <vithika.shukla@citi.com> * Fix new UNIQUE constraint breaking existing behavior Signed-off-by: nscuro <nscuro@protonmail.com> * Add feature flag for CEL policy engine Signed-off-by: nscuro <nscuro@protonmail.com> * Add `UpgradeItem` to update type of `"POLICYCONDITION"."VALUE"` to `TEXT` Signed-off-by: nscuro <nscuro@protonmail.com> * Handle policy evaluation for individual components Signed-off-by: nscuro <nscuro@protonmail.com> * added unit tests for cwe cel policy Signed-off-by: mehab <meha.bhargava@citi.com> * Add license condition test (#332) * Add version cel policy script builder Signed-off-by: vithikashukla <vithika.shukla@citi.com> * add version support for coordinates cel policy Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Added unit test for version policy script builder Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added coordninates condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added coordinates condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * added more conditions to test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Added license condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Update src/main/java/org/dependencytrack/policy/cel/CelPolicyEngine.java Co-authored-by: Niklas <nscuro@protonmail.com> Signed-off-by: VithikaS <122881935+VithikaS@users.noreply.github.com> * Added license group condition test Signed-off-by: vithikashukla <vithika.shukla@citi.com> * updated comment Signed-off-by: vithikashukla <vithika.shukla@citi.com> --------- Signed-off-by: vithikashukla <vithika.shukla@citi.com> Signed-off-by: VithikaS <122881935+VithikaS@users.noreply.github.com> Co-authored-by: vithikashukla <vithika.shukla@citi.com> Co-authored-by: Niklas <nscuro@protonmail.com> * Fix projection mapping for `Double` / `BigDecimal` fields Signed-off-by: nscuro <nscuro@protonmail.com> * support wildcard Signed-off-by: vithikashukla <vithika.shukla@citi.com> * Add `buf` config and workflow Signed-off-by: nscuro <nscuro@protonmail.com> * Change Proto package from `hyades` to `dependencytrack` As this feature will be backported, we need to make sure policies will be compatible once folks start upgrading to Hyades. Signed-off-by: nscuro <nscuro@protonmail.com> * Fix failing tests due to Proto package change Signed-off-by: nscuro <nscuro@protonmail.com> * Un-ignore `cyclonedx.proto` from breaking changes check Signed-off-by: Niklas <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: mehab <meha.bhargava@citi.com> Signed-off-by: vithikashukla <vithika.shukla@citi.com> Signed-off-by: VithikaS <122881935+VithikaS@users.noreply.github.com> Signed-off-by: Niklas <nscuro@protonmail.com> Co-authored-by: meha <meha.bhargava2@gmail.com> Co-authored-by: VithikaS <122881935+VithikaS@users.noreply.github.com> Co-authored-by: vithikashukla <vithika.shukla@citi.com> Co-authored-by: mehab <meha.bhargava@citi.com>
| Commit: | 9009411 | |
|---|---|---|
| Author: | Sahiba Mittal | |
token added in workflow notification subjects
| Commit: | f0f5a14 | |
|---|---|---|
| Author: | nscuro | |
Fix grammatical number of `vulnerabilities` in `ProjectVulnAnalysisCompleteSubject` Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 89f10c6 | |
|---|---|---|
| Author: | nscuro | |
Fix more JSON field names deviating from vanilla DT's https://github.com/DependencyTrack/dependency-track/blob/6ede8fcd433bc5f57bf5eff03b964172fb02a4e0/src/main/java/org/dependencytrack/util/NotificationUtil.java#L289-L334 Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | d7b2046 | |
|---|---|---|
| Author: | nscuro | |
Fix breaking change in `NEW_VULNERABILITY` notification JSON format The breaking change was introduced for https://github.com/DependencyTrack/hyades/issues/467, and is causing issues for consumers of Webhook notifications that expect the `affectedProjects` field to be an array of projects. Whereas now it is an object holding references. To fix the JSON representation, an array field named `affectedProjects` is added again. It will be populated with the same value that the `project` field holds. Because only the field *name* is changed in the Protobuf schema, this is not a breaking change for the notification publisher. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | c9d90d4 | |
|---|---|---|
| Author: | nscuro | |
Remove unused `org.hyades.vuln.v1` proto As of https://github.com/DependencyTrack/hyades/issues/352, we use CycloneDX BOVs to communicate vulnerability information. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 1122ad5 | |
|---|---|---|
| Author: | Sahiba Mittal | |
| Committer: | GitHub | |
Implement workflow state for vulnerability analysis step (#252) * vuln analysis workflow WIP * Update BomUploadProcessingTaskTest.java * refactor WIP * test fixed * more test added * Update VulnerabilityScanResultProcessor.java * add failure reason for vuln-analysis * Update WorkflowStateQueryManager.java * Update BomUploadProcessingTaskTest.java * refactor state flow * trigger metrics update event for NA vuln-analysis * empty commit * Update BomUploadProcessingTaskTest.java * refactor * notification proto enum update * buf fix * Update notification.proto * Update NotificationModelConverterTest.java
| Commit: | 7105503 | |
|---|---|---|
| Author: | Sahiba Mittal | |
| Committer: | GitHub | |
Issue-352 : CDX for vuln analysis result (#236)
| Commit: | 0717746 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Remove Lucene Method signatures accepting a `boolean commitIndex` flag have not been modified to avoid a larger refactoring. Invocations of index updates via `Event.dispatch(new IndexEvent(...))` are just commented out so that the information of *when* those updates are supposed to happen is not lost when we re-implement indexing again. Closes https://github.com/DependencyTrack/hyades/issues/661 Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 422cb14 | |
|---|---|---|
| Author: | meha | |
| Committer: | GitHub | |
renamed variable (#209) Signed-off-by: mehab <meha.bhargava@citi.com>
| Commit: | 695bfd6 | |
|---|---|---|
| Author: | meha | |
| Committer: | GitHub | |
Feature/vuln analysis complete notify (#192)
| Commit: | 7ff4f09 | |
|---|---|---|
| Author: | Sahiba Mittal | |
Squashed commit of the following: commit 1e1a2190241c973b77c6f087e6a2e082bbc9999f Merge: bc3ca720 650b1004 Author: Niklas <nscuro@protonmail.com> Date: Mon May 22 20:58:02 2023 +0200 Merge pull request #180 from DependencyTrack/dependabot/maven/org.apache.maven.plugins-maven-checkstyle-plugin-3.3.0 Bump maven-checkstyle-plugin from 3.2.2 to 3.3.0 commit bc3ca720ae0e9042b114a272609be1ba80260969 Merge: 4c978abd 2617f781 Author: Niklas <nscuro@protonmail.com> Date: Mon May 22 20:57:48 2023 +0200 Merge pull request #181 from DependencyTrack/dependabot/maven/net.javacrumbs.json-unit-json-unit-assertj-2.38.0 Bump json-unit-assertj from 2.37.0 to 2.38.0 commit 4c978abd35a300266ec9f4736bb5d3c19d5655a6 Merge: e90be305 ef88d663 Author: Niklas <nscuro@protonmail.com> Date: Mon May 22 18:34:39 2023 +0200 Merge pull request #179 from DependencyTrack/issue-554-merge-notification-topics commit ef88d663d68dae52a58f0416a2daf3cff1baed22 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Mon May 22 16:29:18 2023 +0100 Update NotificationUtil.java commit 2617f781c2a8e913ac5b85472647f140787a7c8b Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon May 22 15:10:14 2023 +0000 Bump json-unit-assertj from 2.37.0 to 2.38.0 Bumps [json-unit-assertj](https://github.com/lukas-krecan/JsonUnit) from 2.37.0 to 2.38.0. - [Commits](https://github.com/lukas-krecan/JsonUnit/compare/json-unit-parent-2.37.0...json-unit-parent-2.38.0) --- updated-dependencies: - dependency-name: net.javacrumbs.json-unit:json-unit-assertj dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit 650b1004daf0b10d7d6e4ed680a043878eb40d39 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon May 22 15:08:57 2023 +0000 Bump maven-checkstyle-plugin from 3.2.2 to 3.3.0 Bumps [maven-checkstyle-plugin](https://github.com/apache/maven-checkstyle-plugin) from 3.2.2 to 3.3.0. - [Commits](https://github.com/apache/maven-checkstyle-plugin/compare/maven-checkstyle-plugin-3.2.2...maven-checkstyle-plugin-3.3.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-checkstyle-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit c1cd2d3b45490f837a8b3dfa38693d675e4bfdac Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Mon May 22 14:47:11 2023 +0100 Update KafkaEventDispatcher.java commit d2fee4753511df5375d0ae01bd84f98e5d14a7ff Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Mon May 22 14:15:26 2023 +0100 merge notification topics and added project uuid as event key commit e90be305b48899b1f784ce74711056f8275cfa74 Merge: 29490eed ade9cda5 Author: Niklas <nscuro@protonmail.com> Date: Mon May 22 13:20:38 2023 +0200 Merge pull request #178 from DependencyTrack/skip-vuln-scan-result-repartition Skip unnecessary repartition of vuln scan results commit ade9cda5ffb072af71f44d941212723997f6a89f Author: nscuro <nscuro@protonmail.com> Date: Sun May 21 19:25:48 2023 +0200 Skip unnecessary repartition of vuln scan results The intention behind the repartition was to avoid race conditions when results for the same component would be processed in parallel. However, this case should be rather rare, and we already perform retries should a transaction fail due to a unique constraint violation. It had the ugly side effect of doubling the partition count necessary to process vuln scan results, without adding much benefit. Additionally, the re-keying of results to scan tokens also causes a repartition. This repartition included the scanner results, despite them not being needed by any of the following processing steps. To save some overhead, we now strip the scanner results before performing the repartition. Signed-off-by: nscuro <nscuro@protonmail.com> commit 29490eed3098d02da34ff641db09349cb39725c3 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri May 19 16:04:02 2023 +0100 Bump lib.protobuf-java.version from 3.23.0 to 3.23.1 (#177) commit 506caebe0e580d8c1d111d5dd771ac7d23a53f4c Merge: b9826155 e4b6efc1 Author: Niklas <nscuro@protonmail.com> Date: Fri May 19 12:41:14 2023 +0200 Merge pull request #173 from DependencyTrack/dependabot/maven/net.mguenther.kafka-kafka-junit-3.4.0 Bump kafka-junit from 3.3.0 to 3.4.0 commit b9826155e95d1c4fdfe932e6e044c2a95229b570 Merge: f087c8cb cd84a6d7 Author: Niklas <nscuro@protonmail.com> Date: Fri May 19 12:40:48 2023 +0200 Merge pull request #176 from DependencyTrack/port-changes-from-4.8.2 Add externalReferences to PATCH project commit f087c8cb6f6c1fe2751057ccfdced0554b507bb1 Merge: fefef15f e9d76a29 Author: Niklas <nscuro@protonmail.com> Date: Fri May 19 12:40:24 2023 +0200 Merge pull request #175 from DependencyTrack/fix-SIGTERM-container-handling Port changes from upstream API server 4.8.1 and 4.8.2 commit e9d76a2919f517267459b07971098be483619beb Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 17:31:59 2023 +0100 Fix broken pagination in DefectDojo integration Co-Authored-By: Niklas <scuro@protonmail.com> commit 59628eb3999ef6ec8244ba26ce711e76e42960c6 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 15:53:42 2023 +0100 Fix policy violation search Co-Authored-By: Jakub Rak <7059008+jakubrak@users.noreply.github.com> commit cd84a6d78e057b5e64a4892789c8047a090250af Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 15:35:14 2023 +0100 Add externalReferences to PATCH project Co-Authored-By: Florian Heubeck <40993644+heubeck@users.noreply.github.com> commit be87060729fbd5260d2c143ddcc2f20b6458475c Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 13:19:51 2023 +0100 Fix NPE in DefectDojoClient when scan_type of a test is null Co-Authored-By: Niklas <scuro@protonmail.com> commit d2b13f4d06151750a2d2220b31929080e71b6aa4 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 11:45:27 2023 +0100 Upgrade alpine parent Co-Authored-By: Niklas <scuro@protonmail.com> commit f1757ae0929baf21b8f7335b460e3099895143ef Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 11:21:42 2023 +0100 Add missing config docs for alpine.oidc.client.id Co-Authored-By: Niklas <scuro@protonmail.com> commit 0a24b66d1beb6799373e2368a072d99ad9f40c44 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 11:12:55 2023 +0100 Fix missing project filter for /api/v1/violation/project Co-Authored-By: Niklas <scuro@protonmail.com> commit 36a30dfd71d1bf5fd8604928f6edc0bcac71d3d0 Author: Sahiba Mittal <sahibamittal98@gmail.com> Date: Thu May 18 10:36:12 2023 +0100 fix SIGTERM signal Co-Authored-By: Niklas <scuro@protonmail.com> commit fefef15f84f971cd85e634adcd1acf8026ce008f Merge: 107327cb a2da39d6 Author: Niklas <nscuro@protonmail.com> Date: Wed May 17 21:06:22 2023 +0200 Merge pull request #174 from DependencyTrack/issue-559-use-object-for-bom use object for bom commit a2da39d6732f7d84247ffb6d49fc57bef578928f Author: vithikashukla <vithika.shukla14@gmail.com> Date: Wed May 17 16:12:19 2023 +0100 use object for bom Signed-off-by: vithikashukla <vithika.shukla14@gmail.com> commit e4b6efc1fb913545a2ff58304c89e7f399e03153 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed May 17 15:03:33 2023 +0000 Bump kafka-junit from 3.3.0 to 3.4.0 Bumps [kafka-junit](https://github.com/mguenther/kafka-junit) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/mguenther/kafka-junit/releases) - [Commits](https://github.com/mguenther/kafka-junit/compare/3.3.0...3.4.0) --- updated-dependencies: - dependency-name: net.mguenther.kafka:kafka-junit dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> commit 107327cbbb824d3d1a8306f53ac7ae0457673e2e Author: Niklas <nscuro@protonmail.com> Date: Mon May 15 18:06:42 2023 +0200 Fix `ArrayIndexOutOfBoundsException` in `MirrorVulnerabilityProcessor` (#170) Also, catch all exceptions in the processor to prevent it from causing Kafka Streams to be shut down. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | a2da39d | |
|---|---|---|
| Author: | vithikashukla | |
use object for bom Signed-off-by: vithikashukla <vithika.shukla14@gmail.com>
| Commit: | f2f3248 | |
|---|---|---|
| Author: | Sahiba Mittal | |
| Committer: | GitHub | |
Map recommendation for analyzers and update temurin base image version (#122)
| Commit: | 80d0c95 | |
|---|---|---|
| Author: | Niklas | |
| Committer: | GitHub | |
Merge pull request #83 from DependencyTrack/single-vuln-analysis-result-event Process vulnerability analysis results from a single event per component
| Commit: | 05fd759 | |
|---|---|---|
| Author: | Niklas | |
| Committer: | GitHub | |
Merge pull request #81 from DependencyTrack/hyades-issue-467 Use back references instead of including all affected projects in notification subject
| Commit: | 9be466b | |
|---|---|---|
| Author: | nscuro | |
Backport https://github.com/DependencyTrack/dependency-track/pull/2600 Co-authored-by: RBickert <rbt@mm-software.com> Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 63da1bd | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Remove `COMPLETE` from `ScanStatus` enum Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | d9bcf59 | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Process vuln scan results from a single event Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | f0cb828 | |
|---|---|---|
| Author: | nscuro | |
Use common `BackReference` message Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 0a92da1 | |
|---|---|---|
| Author: | nscuro | |
Send URIs instead of complete list of affected projects in `NEW_VULNERABILITY` notifications Addresses https://github.com/DependencyTrack/hyades/issues/467 Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | ffcc42c | |
|---|---|---|
| Author: | Sahiba Mittal | |
added cycloneDx protobuf
| Commit: | 90307de | |
|---|---|---|
| Author: | nscuro | |
Relax vuln analysis level field type Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | bd6514c | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Refactor notifications to use Protobuf schemas Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 2ff67ad | |
|---|---|---|
| Author: | nscuro | |
Port changes to Protobuf schemas from https://github.com/DependencyTrack/hyades/pull/414 Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | b302188 | |
|---|---|---|
| Author: | Niklas | |
| Committer: | GitHub | |
Refactor repository meta analysis to use Protobuf schemas (#62) * Refactor repo meta analysis to use Protobuf schemas Signed-off-by: nscuro <nscuro@protonmail.com> * Fix tests Signed-off-by: nscuro <nscuro@protonmail.com> * Address Lift comment Signed-off-by: nscuro <nscuro@protonmail.com> * Fix RepositoryMetaAnalyzerTaskTest Signed-off-by: nscuro <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 3854ca9 | |
|---|---|---|
| Author: | vithikashukla | |
Reverted metrics calculation Signed-off-by: vithikashukla <vithika.shukla14@gmail.com>
| Commit: | d492768 | |
|---|---|---|
| Author: | Niklas | |
| Committer: | GitHub | |
Migrate Kafka metrics events to Protobuf schemas (#47) * Partial work to migrate Kafka metrics events to Protobuf schemas Signed-off-by: nscuro <nscuro@protonmail.com> * Correctly (de-)serialize `null` values using Protobuf Signed-off-by: nscuro <nscuro@protonmail.com> * Fix metrics unit tests; Minor refactoring Signed-off-by: nscuro <nscuro@protonmail.com> * Fix ProjectMetricsProcessorTest Signed-off-by: nscuro <nscuro@protonmail.com> * Fix PortfolioMetricsProcessorTest Signed-off-by: nscuro <nscuro@protonmail.com> * JavaDoc clarification Signed-off-by: nscuro <nscuro@protonmail.com> * Update metrics proto schema Signed-off-by: nscuro <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | 4e2828a | |
|---|---|---|
| Author: | nscuro | |
| Committer: | nscuro | |
Fix timing issue in computation of vuln scan completion In the previous implementation, it was possible that the number of received scan results was equal to the number of sent scan commands, BEFORE all scan commands for a given scan key had been processed. Scans were thus marked as COMPLETE, despite that not being the case. We now track the completion in a database table. A row in the table is created before emitting events to Kafka, and it's initialized with the expected number of scan results. As updates to the tracking table are done in serial fashion, thanks to Kafka's ordering guarantees, it's safe to use optimistic locking. It also simplifies the Kafka Streams topology. Signed-off-by: nscuro <nscuro@protonmail.com>
| Commit: | efc2827 | |
|---|---|---|
| Author: | Niklas | |
| Committer: | GitHub | |
Use Protobuf for processing vuln analysis results (#32) * Use Protobuf for processing vuln analysis results Signed-off-by: nscuro <nscuro@protonmail.com> * Define serdes on a per-topic basis As some topics use Protobuf now, while others continue to use `String` / `UUID` / JSON, the Kafka producer has to support multiple serialization formats. Signed-off-by: nscuro <nscuro@protonmail.com> * Remove unused DTOs Signed-off-by: nscuro <nscuro@protonmail.com> * Add Hyades ModelConverter test Signed-off-by: nscuro <nscuro@protonmail.com> * Include expected & received result counts in scan status message Signed-off-by: nscuro <nscuro@protonmail.com> * Allow custom `ObjectMapper` to be used for `JacksonSerde` Signed-off-by: nscuro <nscuro@protonmail.com> * Make switch statements exhaustive Signed-off-by: nscuro <nscuro@protonmail.com> * Fix portfolio vulnerability analysis test Signed-off-by: nscuro <nscuro@protonmail.com> * Port changes from #38 to new `KafkaTopics` class Signed-off-by: nscuro <nscuro@protonmail.com> * `correlationId` -> `scanToken` Signed-off-by: nscuro <nscuro@protonmail.com> --------- Signed-off-by: nscuro <nscuro@protonmail.com>