
Issue-2557 : add vulnerability id in policy condition #2570

Merged

Conversation

sahibamittal
Contributor

@sahibamittal sahibamittal commented Mar 7, 2023

Description

The policy feature should support the vulnerability ID in a policy so that organisations can create policies related to a particular vulnerability ID.

Addressed Issue

#2557

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

Signed-off-by: sahibamittal <sahiba.mittal@citi.com>
@nscuro nscuro assigned nscuro and unassigned nscuro Mar 7, 2023
Contributor

@mehab mehab left a comment


lgtm

@valentijnscholten
Contributor

What about aliases? Vulnerabilities can have different IDs (aliases), and depending on the available data (CPE/PURL), components can match against different aliases; for example, via CPE a component might match NVD/CVE, and via PURL it might match GHSA.
Should the policy also match on any aliases?

@sahibamittal
Contributor Author

What about aliases? Vulnerabilities can have different IDs (aliases), and depending on the available data (CPE/PURL), components can match against different aliases; for example, via CPE a component might match NVD/CVE, and via PURL it might match GHSA.
Should the policy also match on any aliases?

Currently, the vulnerability alias data is not completely reliable with respect to the sources, so yes, it's definitely to be considered once we have achieved that. I can add it as future scope. Thanks, Valentijn, for the suggestion.
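A model of the condition this PR adds, and of the alias gap raised in the review, as an added example: this is not Dependency-Track's own code. The Vulnerability and Condition classes, the `violations` function, the `use_aliases` switch and every vulnerability ID below are constructed stand-ins; the IS/IS_NOT condition operators and the ANY/ALL policy operators are assumed to be the ones the policy engine applies to this subject. Alias expansion is off by default, matching the reply above that alias data is not yet relied on, and the switch shows what the reviewer's suggestion would change.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    """One finding on a component. Stand-in for the project's model; IDs are constructed."""
    vuln_id: str                      # identifier as reported by the source
    source: str                       # e.g. "NVD" (matched via CPE) or "GITHUB" (via PURL)
    aliases: frozenset = frozenset()  # other identifiers the source says denote the same flaw


@dataclass(frozen=True)
class Condition:
    """A policy condition; only the VULNERABILITY_ID subject is modelled here."""
    subject: str
    operator: str  # "IS" or "IS_NOT" (assumed operators for this subject)
    value: str


def known_ids(vuln, use_aliases):
    """IDs a finding can be matched under; aliases are included only on request."""
    ids = {vuln.vuln_id.upper()}
    if use_aliases:
        ids |= {a.upper() for a in vuln.aliases}
    return ids


def matches(cond, vuln, use_aliases=False):
    """Evaluate one condition against one finding, comparing IDs case-insensitively."""
    if cond.subject != "VULNERABILITY_ID":
        raise ValueError(f"unsupported subject {cond.subject!r}")
    hit = cond.value.upper() in known_ids(vuln, use_aliases)
    if cond.operator == "IS":
        return hit
    if cond.operator == "IS_NOT":
        return not hit
    raise ValueError(f"operator {cond.operator!r} not valid for VULNERABILITY_ID")


def violations(conditions, policy_operator, findings, use_aliases=False):
    """Return the IDs of findings that violate the policy, sorted for stable output.

    policy_operator "ANY": a finding violates if any condition matches it;
    "ALL": every condition must match it.
    """
    combine = any if policy_operator == "ANY" else all
    return sorted(v.vuln_id for v in findings
                  if combine(matches(c, v, use_aliases) for c in conditions))


# Constructed sample: the same flaw reported twice (once per data source, which
# happens when a component carries both a CPE and a PURL) plus an unrelated one.
FINDINGS = [
    Vulnerability("CVE-2023-12345", "NVD"),
    Vulnerability("GHSA-aaaa-bbbb-cccc", "GITHUB", frozenset({"CVE-2023-12345"})),
    Vulnerability("CVE-2023-99999", "NVD"),
]
BLOCK_CVE = [Condition("VULNERABILITY_ID", "IS", "CVE-2023-12345")]


def compare_alias_handling():
    """Same policy evaluated without and with alias expansion."""
    strict = violations(BLOCK_CVE, "ANY", FINDINGS)
    with_aliases = violations(BLOCK_CVE, "ANY", FINDINGS, use_aliases=True)
    return strict, with_aliases


if __name__ == "__main__":
    strict, with_aliases = compare_alias_handling()
    print("without aliases:", strict)       # the GHSA record of the same flaw is missed
    print("with aliases:   ", with_aliases)
```

Without alias expansion, a policy written against the CVE ID flags only the NVD finding; the GHSA record that the PURL-based analyzer produced for the same flaw passes, which is exactly the gap the review raised. Note also that IS_NOT combined with ANY flags every finding that is not the named ID, so it is the wrong shape for an allow-list and only makes sense inside an ALL policy alongside other conditions.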

@nscuro nscuro merged commit 3d208f6 into DependencyTrack:master Mar 8, 2023
@sahibamittal sahibamittal deleted the Issue-2557-vuln-id-in-policy-condition branch March 8, 2023 13:47
sahibamittal added a commit to sahibamittal/dependency-track that referenced this pull request Mar 8, 2023
commit 3d208f6
Author: Sahiba Mittal <sahiba.mittal@citi.com>
Date:   Wed Mar 8 13:12:26 2023 +0000

    Add support for vulnerability ID policy condition (DependencyTrack#2570)

    * add vulnerability id in policy condition

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

    * fix test

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

    * update violation type

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

    ---------

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

    Closes DependencyTrack#2557

sahibamittal added a commit to sahibamittal/dependency-track that referenced this pull request Mar 24, 2023
commit 09d3492
Merge: 8a4b59a 946ff0f
Author: Niklas <nscuro@protonmail.com>
Date:   Thu Mar 23 10:56:28 2023 +0100

    Merge pull request DependencyTrack#2617 from nscuro/issue-2494

    Prevent dependency graph deletion during CycloneDX export
sahibamittal added a commit to sahibamittal/dependency-track that referenced this pull request Apr 6, 2023
commit d29ab68
Merge: 43be7bb e867283
Author: Niklas <nscuro@protonmail.com>
Date:   Tue Apr 4 18:28:30 2023 +0200

    Merge pull request DependencyTrack#2633 from nscuro/health-check

    Add health endpoint

commit 43be7bb
Merge: 8c825bd ea693f9
Author: Niklas <nscuro@protonmail.com>
Date:   Tue Apr 4 18:28:08 2023 +0200

    Merge pull request DependencyTrack#2635 from DependencyTrack/dependabot/github_actions/actions/setup-java-3.11.0

    Bump actions/setup-java from 3.10.0 to 3.11.0

commit ea693f9
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Apr 3 08:58:34 2023 +0000

    Bump actions/setup-java from 3.10.0 to 3.11.0

    Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3.10.0 to 3.11.0.
    - [Release notes](https://github.com/actions/setup-java/releases)
    - [Commits](actions/setup-java@v3.10.0...v3.11.0)

    ---
    updated-dependencies:
    - dependency-name: actions/setup-java
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 8c825bd
Merge: 83c8e89 d78826b
Author: Niklas <nscuro@protonmail.com>
Date:   Sat Apr 1 23:19:33 2023 +0200

    Merge pull request DependencyTrack#2631 from ch8matt/master

    fix project URL in mail & cisco webex

commit e867283
Author: nscuro <nscuro@protonmail.com>
Date:   Sat Apr 1 16:21:19 2023 +0200

    Add health check documentation

    Signed-off-by: nscuro <nscuro@protonmail.com>

commit 9c9cb4c
Author: nscuro <nscuro@protonmail.com>
Date:   Fri Mar 31 21:18:33 2023 +0200

    Add health endpoint

    Also reduce default health check interval in Dockerfile from 5m to 30s

    Signed-off-by: nscuro <nscuro@protonmail.com>

commit d78826b
Author: ch8matt <g.matthieu49@gmail.com>
Date:   Tue Mar 28 18:10:53 2023 +0200

    fix project URL in mail & cisco webex

    Signed-off-by: ch8matt <g.matthieu49@gmail.com>

commit 83c8e89
Merge: 6c752b9 cc888ba
Author: Niklas <nscuro@protonmail.com>
Date:   Mon Mar 27 19:56:19 2023 +0200

    Merge pull request DependencyTrack#2618 from DependencyTrack/dependabot/maven/org.apache.commons-commons-compress-1.23.0

    Bump commons-compress from 1.22 to 1.23.0

commit 6c752b9
Merge: 485abde 3136353
Author: Niklas <nscuro@protonmail.com>
Date:   Mon Mar 27 19:54:44 2023 +0200

    Merge pull request DependencyTrack#2620 from DependencyTrack/dependabot/maven/net.javacrumbs.json-unit-json-unit-assertj-2.37.0

    Bump json-unit-assertj from 2.36.1 to 2.37.0

commit 485abde
Merge: 6dc7244 298497b
Author: Niklas <nscuro@protonmail.com>
Date:   Mon Mar 27 19:54:28 2023 +0200

    Merge pull request DependencyTrack#2624 from DependencyTrack/dependabot/github_actions/actions/checkout-3.5.0

    Bump actions/checkout from 3.4.0 to 3.5.0

commit 6dc7244
Merge: 61c6538 c092419
Author: Niklas <nscuro@protonmail.com>
Date:   Mon Mar 27 19:54:11 2023 +0200

    Merge pull request DependencyTrack#2625 from DependencyTrack/dependabot/docker/src/main/docker/debian-bullseye-20230320-slim

    Bump debian from bullseye-20230227-slim to bullseye-20230320-slim in /src/main/docker

commit 61c6538
Merge: 09d3492 09ee0b0
Author: Niklas <nscuro@protonmail.com>
Date:   Mon Mar 27 19:53:57 2023 +0200

    Merge pull request DependencyTrack#2626 from Citi/map-published-date-snyk-parsing

    Map Snyk publication time

commit 09ee0b0
Author: sahibamittal <sahiba.mittal@citi.com>
Date:   Mon Mar 27 13:21:57 2023 +0100

    map Snyk publication time

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

commit c092419
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 27 08:59:06 2023 +0000

    Bump debian in /src/main/docker

    Bumps debian from bullseye-20230227-slim to bullseye-20230320-slim.

    ---
    updated-dependencies:
    - dependency-name: debian
      dependency-type: direct:production
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 298497b
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 27 08:58:32 2023 +0000

    Bump actions/checkout from 3.4.0 to 3.5.0

    Bumps [actions/checkout](https://github.com/actions/checkout) from 3.4.0 to 3.5.0.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3.4.0...v3.5.0)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 3136353
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri Mar 24 08:57:10 2023 +0000

    Bump json-unit-assertj from 2.36.1 to 2.37.0

    Bumps [json-unit-assertj](https://github.com/lukas-krecan/JsonUnit) from 2.36.1 to 2.37.0.
    - [Release notes](https://github.com/lukas-krecan/JsonUnit/releases)
    - [Commits](lukas-krecan/JsonUnit@json-unit-parent-2.36.1...json-unit-parent-2.37.0)

    ---
    updated-dependencies:
    - dependency-name: net.javacrumbs.json-unit:json-unit-assertj
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 09d3492
Merge: 8a4b59a 946ff0f
Author: Niklas <nscuro@protonmail.com>
Date:   Thu Mar 23 10:56:28 2023 +0100

    Merge pull request DependencyTrack#2617 from nscuro/issue-2494

    Prevent dependency graph deletion during CycloneDX export

commit cc888ba
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Thu Mar 23 08:58:52 2023 +0000

    Bump commons-compress from 1.22 to 1.23.0

    Bumps commons-compress from 1.22 to 1.23.0.

    ---
    updated-dependencies:
    - dependency-name: org.apache.commons:commons-compress
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 8a4b59a
Merge: 7a6de03 0e82216
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Mar 22 20:15:42 2023 +0100

    Merge pull request DependencyTrack#2610 from Mvld3r/issue-2313-move-jira-configuration

    Fix: Move jira configuration

commit 7a6de03
Merge: 2295e35 ef4f026
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Mar 22 20:13:20 2023 +0100

    Merge pull request DependencyTrack#2608 from DependencyTrack/dependabot/github_actions/actions/checkout-3.4.0

    Bump actions/checkout from 3.3.0 to 3.4.0

commit 2295e35
Merge: 0f14594 9118e2d
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Mar 22 20:13:08 2023 +0100

    Merge pull request DependencyTrack#2607 from DependencyTrack/dependabot/maven/org.slf4j-log4j-over-slf4j-2.0.7

    Bump log4j-over-slf4j from 2.0.6 to 2.0.7

commit 0f14594
Merge: 7a789d5 615141c
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Mar 22 20:12:46 2023 +0100

    Merge pull request DependencyTrack#2606 from DependencyTrack/dependabot/maven/org.apache.maven-maven-artifact-3.9.1

    Bump maven-artifact from 3.9.0 to 3.9.1

commit 7a789d5
Author: rbt-mm <113189967+rbt-mm@users.noreply.github.com>
Date:   Wed Mar 22 20:11:36 2023 +0100

    Add `BOM_PROCESSING_FAILED` notification (DependencyTrack#2600)

    * Add BOM_PROCESSING_FAILED notification

    A new notification is sent if the notification rule includes the
    notification group BOM_PROCESSING_FAILED and if an error happens during
    the upload of a BOM.

    Signed-off-by: RBickert <rbt@mm-software.com>

    * Add project url and exception to new notification

    Signed-off-by: RBickert <rbt@mm-software.com>

    * Add BOM format and specVersion

    Detach `bomProcessingFailedProject`

    Rename `exception` to `cause`

    Signed-off-by: RBickert <rbt@mm-software.com>

    ---------

    Signed-off-by: RBickert <rbt@mm-software.com>

commit 7fd47cd
Merge: 5c7200c 2226f41
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Mar 22 20:07:58 2023 +0100

    Merge pull request DependencyTrack#2561 from nscuro/db-inspect-dev-docs

    Add developer docs for database inspection

commit 2226f41
Author: nscuro <nscuro@protonmail.com>
Date:   Wed Mar 22 19:38:47 2023 +0100

    Update docs with h2 console instructions

    Signed-off-by: nscuro <nscuro@protonmail.com>

commit 946ff0f
Author: nscuro <nscuro@protonmail.com>
Date:   Wed Mar 22 18:57:11 2023 +0100

    Prevent dependency graph deletion during CycloneDX export

    Fixes DependencyTrack#2494
    Fixes DependencyTrack#2546

    Signed-off-by: nscuro <nscuro@protonmail.com>

commit 0e82216
Author: Enora Germond <enora.germond@deveryware.com>
Date:   Thu Mar 16 14:06:30 2023 +0100

    Fix: Move jira configuration

    Signed-off-by: Enora Germond <enora.germond@deveryware.com>

commit ef4f026
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 20 09:00:38 2023 +0000

    Bump actions/checkout from 3.3.0 to 3.4.0

    Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.4.0.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3.3.0...v3.4.0)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 9118e2d
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 20 08:57:39 2023 +0000

    Bump log4j-over-slf4j from 2.0.6 to 2.0.7

    Bumps [log4j-over-slf4j](https://github.com/qos-ch/slf4j) from 2.0.6 to 2.0.7.
    - [Release notes](https://github.com/qos-ch/slf4j/releases)
    - [Commits](https://github.com/qos-ch/slf4j/commits)

    ---
    updated-dependencies:
    - dependency-name: org.slf4j:log4j-over-slf4j
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 615141c
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 20 08:57:27 2023 +0000

    Bump maven-artifact from 3.9.0 to 3.9.1

    Bumps [maven-artifact](https://github.com/apache/maven) from 3.9.0 to 3.9.1.
    - [Release notes](https://github.com/apache/maven/releases)
    - [Commits](apache/maven@maven-3.9.0...maven-3.9.1)

    ---
    updated-dependencies:
    - dependency-name: org.apache.maven:maven-artifact
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 5c7200c
Merge: f7ad3b1 fabed3e
Author: Niklas <nscuro@protonmail.com>
Date:   Sun Mar 19 22:03:17 2023 +0100

    Merge pull request DependencyTrack#2592 from syalioune/feature/enabling-h2-web-console-usage

    Feature: Allow H2 web console usage for dev purposes

commit fabed3e
Author: syalioune <sy_alioune@yahoo.fr>
Date:   Sun Mar 19 16:16:16 2023 +0100

    Feature: Allow H2 web console usage for dev purposes

    Taking into account review comments : conditional activation based on a maven profile

    Signed-off-by: syalioune <sy_alioune@yahoo.fr>

commit f7ad3b1
Merge: 56e41f0 54e30e0
Author: Niklas <nscuro@protonmail.com>
Date:   Thu Mar 16 21:35:49 2023 +0100

    Merge pull request DependencyTrack#2593 from walterdeboer/feature/639

    Support for CPAN repository

commit 56e41f0
Merge: e94cf55 467c81d
Author: Niklas <nscuro@protonmail.com>
Date:   Thu Mar 16 21:34:31 2023 +0100

    Merge pull request DependencyTrack#2597 from DependencyTrack/dependabot/github_actions/docker/setup-buildx-action-2.5.0

    Bump docker/setup-buildx-action from 2.4.1 to 2.5.0

commit e94cf55
Merge: 3f5bbcd 0971956
Author: Niklas <nscuro@protonmail.com>
Date:   Thu Mar 16 21:34:08 2023 +0100

    Merge pull request DependencyTrack#2598 from DependencyTrack/dependabot/github_actions/aquasecurity/trivy-action-0.9.2

    Bump aquasecurity/trivy-action from 0.9.1 to 0.9.2

commit 3f5bbcd
Merge: 3a5989a 61c9369
Author: Niklas <nscuro@protonmail.com>
Date:   Thu Mar 16 21:33:53 2023 +0100

    Merge pull request DependencyTrack#2603 from Mvld3r/issue-2488-component-author-length

    Fix: Allow component author to be larger than 255 characters

commit 61c9369
Author: Enora Germond <enora.germond@deveryware.com>
Date:   Tue Mar 14 18:24:30 2023 +0100

    Fix: Allow component author to be larger than 255 characters

    Signed-off-by: Enora Germond <enora.germond@deveryware.com>

commit 54e30e0
Author: Walter de Boer <walterdeboer@dbso.nl>
Date:   Mon Mar 13 08:33:29 2023 +0100

    Removed invalid cpan support from SnykAnalysisTask

    Signed-off-by: Walter de Boer <walterdeboer@dbso.nl>

commit 0971956
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 13 08:59:02 2023 +0000

    Bump aquasecurity/trivy-action from 0.9.1 to 0.9.2

    Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.9.1 to 0.9.2.
    - [Release notes](https://github.com/aquasecurity/trivy-action/releases)
    - [Commits](aquasecurity/trivy-action@0.9.1...0.9.2)

    ---
    updated-dependencies:
    - dependency-name: aquasecurity/trivy-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 467c81d
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 13 08:58:57 2023 +0000

    Bump docker/setup-buildx-action from 2.4.1 to 2.5.0

    Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.4.1 to 2.5.0.
    - [Release notes](https://github.com/docker/setup-buildx-action/releases)
    - [Commits](docker/setup-buildx-action@v2.4.1...v2.5.0)

    ---
    updated-dependencies:
    - dependency-name: docker/setup-buildx-action
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit d324a67
Author: Walter de Boer <walterdeboer@dbso.nl>
Date:   Sun Mar 12 00:34:31 2023 +0100

    Support for CPAN repository

    Signed-off-by: Walter de Boer <walterdeboer@dbso.nl>

commit 3a5989a
Merge: e47c1d2 3a71894
Author: Niklas <nscuro@protonmail.com>
Date:   Sat Mar 11 21:11:58 2023 +0100

    Merge pull request DependencyTrack#2563 from syalioune/feature/2456-handle-analyzer-errors-gracefully

    Feature: Handle repository meta analyzers errors gracefully

commit e47c1d2
Merge: 48adb8b ca74c26
Author: Niklas <nscuro@protonmail.com>
Date:   Sat Mar 11 21:07:47 2023 +0100

    Merge pull request DependencyTrack#2584 from nscuro/issue-2583

    Fix invalid query filter assembly

commit 48adb8b
Merge: c486415 d3cc980
Author: Niklas <nscuro@protonmail.com>
Date:   Sat Mar 11 21:07:24 2023 +0100

    Merge pull request DependencyTrack#2585 from Citi/Issue-2571-map-snyk-remedies

    Issue-2571 : map Snyk remedies to recommendation

    Closes DependencyTrack#2571

commit c486415
Merge: 97121d4 16cf3d6
Author: Niklas <nscuro@protonmail.com>
Date:   Sat Mar 11 21:06:49 2023 +0100

    Merge pull request DependencyTrack#2586 from Citi/feature/fixPolicyEngineIssue

    Minor bugfix for PolicyEngine

commit 97121d4
Merge: 9a5645a 37fb7c3
Author: Niklas <nscuro@protonmail.com>
Date:   Sat Mar 11 21:06:00 2023 +0100

    Merge pull request DependencyTrack#2594 from walterdeboer/issues/2587

    Match null values

commit 37fb7c3
Author: Walter de Boer <walterdeboer@dbso.nl>
Date:   Sat Mar 11 16:24:41 2023 +0100

    Match null tags

    Signed-off-by: Walter de Boer <walterdeboer@dbso.nl>

commit 91fa7e5
Author: Walter de Boer <walterdeboer@dbso.nl>
Date:   Sat Mar 11 16:10:08 2023 +0100

    Match null values

    Signed-off-by: Walter de Boer <walterdeboer@dbso.nl>

commit d36df15
Author: syalioune <sy_alioune@yahoo.fr>
Date:   Fri Mar 10 22:05:42 2023 +0100

    Feature: Allow H2 web console usage for dev purposes

    Toggle H2 web servlet exposure and alpine web filters related configuration for dev environment

    Signed-off-by: syalioune <sy_alioune@yahoo.fr>

commit 16cf3d6
Author: mehab <meha.bhargava@citi.com>
Date:   Thu Mar 9 15:06:41 2023 +0000

    addressing review comments

    Signed-off-by: mehab <meha.bhargava@citi.com>

commit d3cc980
Author: sahibamittal <sahiba.mittal@citi.com>
Date:   Thu Mar 9 12:11:01 2023 +0000

    map Snyk remedies to recommendation

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

commit 1adb397
Author: mehab <meha.bhargava@citi.com>
Date:   Thu Mar 9 11:28:54 2023 +0000

    added bugfix for isPolicyAssignedToProjectTag to scan through all project tags

    Signed-off-by: mehab <meha.bhargava@citi.com>

commit ca74c26
Author: nscuro <nscuro@protonmail.com>
Date:   Thu Mar 9 11:46:41 2023 +0100

    Fix invalid query filter assembly

    Fixes DependencyTrack#2583

    Signed-off-by: nscuro <nscuro@protonmail.com>

commit 9a5645a
Merge: 3d208f6 066ec81
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Mar 8 17:27:13 2023 +0000

    Merge pull request DependencyTrack#2564 from DependencyTrack/dependabot/docker/src/main/docker/debian-bullseye-20230227-slim

    Bump debian from bullseye-20230208-slim to bullseye-20230227-slim in /src/main/docker

commit 3d208f6
Author: Sahiba Mittal <sahiba.mittal@citi.com>
Date:   Wed Mar 8 13:12:26 2023 +0000

    Add support for vulnerability ID policy condition (DependencyTrack#2570)

    * add vulnerability id in policy condition

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

    * fix test

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

    * update violation type

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

    ---------

    Signed-off-by: sahibamittal <sahiba.mittal@citi.com>

    Closes DependencyTrack#2557

commit 416f824
Merge: f35b129 e49d539
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Mar 8 13:10:46 2023 +0000

    Merge pull request DependencyTrack#2576 from syalioune/fix/issue-2420-empty-mail-content

    Fix: Null subject on project audit change notification mails

    Closes DependencyTrack#2420

commit 3a71894
Author: syalioune <sy_alioune@yahoo.fr>
Date:   Wed Mar 8 10:28:07 2023 +0100

    Feature: Handle repository meta analyzers errors gracefully

    Taking review comments into account: logic inversion. Retryable exceptions should be explicitly declared.

    Signed-off-by: syalioune <sy_alioune@yahoo.fr>

commit e49d539
Author: syalioune <sy_alioune@yahoo.fr>
Date:   Wed Mar 8 09:51:07 2023 +0100

    Fix: Null subject on project audit change notification mails

    See DependencyTrack#2420 for details

    Signed-off-by: syalioune <sy_alioune@yahoo.fr>

commit f35b129
Merge: 64e0f99 8e72253
Author: Niklas <nscuro@protonmail.com>
Date:   Tue Mar 7 15:54:39 2023 +0000

    Merge pull request DependencyTrack#2532 from lme-nca/bugfix/issue_2424_add_do_not_reactivate_flag

    add DefectDojo "do not reactivate" flag, fixes issue 2424

    Closes DependencyTrack#2424

commit 066ec81
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 6 09:00:00 2023 +0000

    Bump debian in /src/main/docker

    Bumps debian from bullseye-20230208-slim to bullseye-20230227-slim.

    ---
    updated-dependencies:
    - dependency-name: debian
      dependency-type: direct:production
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit baf9b37
Author: syalioune <sy_alioune@yahoo.fr>
Date:   Sun Mar 5 12:53:08 2023 +0100

    Feature: Handle repository meta analyzers errors gracefully

    See DependencyTrack#2456. Allowing CacheStampedeBlocker to not retry on specific exceptions and applying that on repometa analyzer.

    Signed-off-by: syalioune <sy_alioune@yahoo.fr>

commit 52b2f01
Author: nscuro <nscuro@protonmail.com>
Date:   Sat Mar 4 20:57:17 2023 +0100

    Add developer docs for database inspection

    Signed-off-by: nscuro <nscuro@protonmail.com>

commit 8e72253
Author: Lars Meijers <Lars.Meijers@netcetera.com>
Date:   Fri Mar 3 16:39:59 2023 +0100

    do not reactivate flag documentation

    Signed-off-by: Lars Meijers <Lars.Meijers@netcetera.com>

commit c480335
Author: Lars Meijers <Lars.Meijers@netcetera.com>
Date:   Mon Feb 27 11:46:56 2023 +0100

    add do not reactivate flag

    Signed-off-by: Lars Meijers <Lars.Meijers@netcetera.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 8, 2023