Issue-2557 : add vulnerability id in policy condition #2570
Conversation
Signed-off-by: sahibamittal <sahiba.mittal@citi.com>
lgtm
Signed-off-by: sahibamittal <sahiba.mittal@citi.com>
What about aliases? Vulnerabilities can have different ids (aliases) and, depending on the available data (cpe/purl), components can match against different aliases; for example, via cpe it might match NVD/CVE and via purl it might match GHSA.
Currently, the vulnerability alias data is not completely reliable with respect to the sources, so yes, it's definitely to be considered once we have achieved it. I can add it for future scope. Thanks Valentijn for the suggestion.
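To make the alias point in the exchange above concrete, here is an added example (not Dependency-Track's code) of evaluating a "vulnerability ID" policy condition with and without alias awareness; the component, vulnerability ids and alias data are constructed sample values, and the `IS` / `IS_NOT` operator names are an assumption.

```python
"""Alias-aware evaluation of a 'vulnerability ID' policy condition.

Added illustration, not Dependency-Track code. All ids below are
constructed placeholders, not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    source: str                          # e.g. "NVD" or "GITHUB"
    vuln_id: str                         # id as issued by that source
    aliases: frozenset = frozenset()     # same flaw under other sources' ids


@dataclass(frozen=True)
class Component:
    name: str
    findings: tuple                      # vulnerabilities matched to it


def _known_ids(vuln: Vulnerability, use_aliases: bool) -> set:
    """Ids under which this finding can be recognised.

    Alias data may be incomplete or wrong (the thread notes it is not yet
    reliable), so alias matching is opt-in rather than the default.
    """
    ids = {vuln.vuln_id.strip().upper()}
    if use_aliases:
        ids.update(a.strip().upper() for a in vuln.aliases)
    return ids


def condition_matches(component: Component, operator: str, value: str,
                      use_aliases: bool = False) -> bool:
    """Evaluate a 'vulnerability ID <operator> <value>' condition.

    IS     -> True when any finding on the component carries the id.
    IS_NOT -> True when no finding on the component carries the id.
    Ids are compared case-insensitively after trimming whitespace.
    """
    target = value.strip().upper()
    hit = any(target in _known_ids(v, use_aliases) for v in component.findings)
    if operator == "IS":
        return hit
    if operator == "IS_NOT":
        return not hit
    raise ValueError(f"unsupported operator: {operator}")


# Constructed sample data: the same flaw is recorded twice, once by NVD
# (found when the component has a cpe) and once by GitHub (found via purl).
# Each record lists the other's id as an alias.
GHSA_VIA_PURL = Vulnerability("GITHUB", "GHSA-0000-0000-0001",
                              frozenset({"CVE-2000-0001"}))
NVD_VIA_CPE = Vulnerability("NVD", "CVE-2000-0001",
                            frozenset({"GHSA-0000-0000-0001"}))

# Same library, different identifier data available to the analyzers.
PURL_ONLY_COMPONENT = Component("example-lib", (GHSA_VIA_PURL,))
CPE_ONLY_COMPONENT = Component("example-lib", (NVD_VIA_CPE,))


def demo(policy_value: str = "CVE-2000-0001") -> dict:
    """Show how a CVE-keyed condition behaves for each component."""
    return {
        "cpe_only_strict": condition_matches(CPE_ONLY_COMPONENT, "IS", policy_value),
        "purl_only_strict": condition_matches(PURL_ONLY_COMPONENT, "IS", policy_value),
        "purl_only_aliases": condition_matches(PURL_ONLY_COMPONENT, "IS",
                                               policy_value, use_aliases=True),
    }


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: {'violation' if matched else 'no violation'}")
```

The purl-only component carries the same flaw but is missed by the strict match, which is exactly the gap the reviewer raised.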
commit 3d208f6
Author: Sahiba Mittal <sahiba.mittal@citi.com>
Date: Wed Mar 8 13:12:26 2023 +0000

Add support for vulnerability ID policy condition (DependencyTrack#2570)

* add vulnerability id in policy condition
Signed-off-by: sahibamittal <sahiba.mittal@citi.com>
* fix test
Signed-off-by: sahibamittal <sahiba.mittal@citi.com>
* update violation type
Signed-off-by: sahibamittal <sahiba.mittal@citi.com>
---------
Signed-off-by: sahibamittal <sahiba.mittal@citi.com>
Closes DependencyTrack#2557

commit 416f824
Merge: f35b129 e49d539
Author: Niklas <nscuro@protonmail.com>
Date: Wed Mar 8 13:10:46 2023 +0000

Merge pull request DependencyTrack#2576 from syalioune/fix/issue-2420-empty-mail-content
Fix: Null subject on project audit change notification mails
Closes DependencyTrack#2420

commit e49d539
Author: syalioune <sy_alioune@yahoo.fr>
Date: Wed Mar 8 09:51:07 2023 +0100

Fix: Null subject on project audit change notification mails
See DependencyTrack#2420 for details
Signed-off-by: syalioune <sy_alioune@yahoo.fr>

commit f35b129
Merge: 64e0f99 8e72253
Author: Niklas <nscuro@protonmail.com>
Date: Tue Mar 7 15:54:39 2023 +0000

Merge pull request DependencyTrack#2532 from lme-nca/bugfix/issue_2424_add_do_not_reactivate_flag
add DefectDojo "do not reactivate" flag, fixes issue 2424
Closes DependencyTrack#2424

commit 8e72253
Author: Lars Meijers <Lars.Meijers@netcetera.com>
Date: Fri Mar 3 16:39:59 2023 +0100

do not reactivate flag documentation
Signed-off-by: Lars Meijers <Lars.Meijers@netcetera.com>

commit c480335
Author: Lars Meijers <Lars.Meijers@netcetera.com>
Date: Mon Feb 27 11:46:56 2023 +0100

add do not reactivate flag
Signed-off-by: Lars Meijers <Lars.Meijers@netcetera.com>
Signed-off-by: syalioune <sy_alioune@yahoo.fr> commit 52b2f01 Author: nscuro <nscuro@protonmail.com> Date: Sat Mar 4 20:57:17 2023 +0100 Add developer docs for database inspection Signed-off-by: nscuro <nscuro@protonmail.com> commit 8e72253 Author: Lars Meijers <Lars.Meijers@netcetera.com> Date: Fri Mar 3 16:39:59 2023 +0100 do not reactivate flag documentation Signed-off-by: Lars Meijers <Lars.Meijers@netcetera.com> commit c480335 Author: Lars Meijers <Lars.Meijers@netcetera.com> Date: Mon Feb 27 11:46:56 2023 +0100 add do not reactivate flag Signed-off-by: Lars Meijers <Lars.Meijers@netcetera.com>
Description
The policy feature should support the vulnerability ID in a policy so that organisations can create policies related to a particular vulnerability ID.
Addressed Issue
#2557
Checklist