sw360-19.1.0
This minor release includes numerous features, corrections, and improvements across the SW360 project since the 19.0.0 release.
Highlight of the changes includes:
- Various vulnerabilities and security fixes.
- Multiple new REST API endpoints.
- Improvements on SBOM and CDX import.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> Afsah Syeda <afsah.syeda@siemens-healthineers.com>
> Akshit Joshi <akshit.joshi@siemens-healthineers.com>
> Arun Azhakesan <arun.azhakesan@siemens-healthineers.com>
> dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
> duonglq-tsdv <duong1.lequy@toshiba.co.jp>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> Helio Chissini de Castro <heliocastro@gmail.com>
> hoangnt2 <hoang2.nguyenthai@toshiba.co.jp>
> Keerthi B L <keerthi.bl@siemens.com>
> nikesh kumar <kumar.nikesh@siemens.com>
> Rudra Chopra <prabhuchopra@gmail.com>
> Sameed <sameed.ahmad@siemens-healthineers.com>
> Smruti Prakash Sahoo <smruti.sahoo@siemens.com>
> StepSecurity Bot <bot@stepsecurity.io>
> tuannn2 <tuan2.nguyennhu@toshiba.co.jp>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
2133694fafeat(rest) : Export Project Create Clearing Request36df4a611feat(spdx): Add API for feature SPDX Document tab719165516feat(rest): endpoint to get license info header text.c64470ff8feat(rest): Add documentation for new clearing size parameter.e02307383feat(rest) : Rest end point for project ECC Export Spreadsheet9cd8646c1feat(Component): Add new endpoint that allows user to subscribe and unsubscribe to a componenta3edc6ceefeat(Release): Add new endpoint for release subscription8d6315f31feat(FossologyTrigger): stop repetitive entries of attachment.3a48426c9feat(ImportCDX):Handle redirection of VCS URLs in SBOMbe8d94046feat(rest): Create new api's in schedule tab.f41b8927dfeat(importCDX): Add functionality to configure release creation when importing SBOM to an existing projectddec17e5dfeat(rest): Add size parameter to clearing request.be032e39cfeat(importCDX): enhance CDX importer to sanitize VCS URLs for non-GitHub domains646c4e1bbfeat(Project): Create new endpoint that allow to duplicate project with network68c1fb737feat(Release): Add new endpoint to check cyclic links between releases9b32525a3feat(Project): Add new endpoint that allow to compare project network with default network108ba6700feat(Project): Add new endpoint to fetch linked releases of linked projects067f9135bfeat(Release): Add new endpoint that allow to get linked releases of release466a8c6d7feat(Project): Create new endpoint that allow to get linked releases in dependency network of a project75e3bc899feat(rest): Add endpoint to handle updation of clearing requests.7bcedef6afeat(rest): endpoint to remove orphaned obligations from project.fa17c2fedfeat(rest): delete a vendor by id.453eff793feat: Add default user/pwd to couchdb connectione81031333feat: Add default admin user if database is emptyf98db4ff4feat(rest): Add pagination to get clearing requests endpoint and fix 403 forbidden error33012fdc2feat(REST):fetch releases that are in NEW_CLEARING state and have a SRC/SRS attachment using parameter isNewClearingWithSourceAvailable2621657cdfeat: Add logging to identify releases with corrupted attachments during license generation73d0576c7feat(rest): endpoint to get list of obligations depending upon obligation level.24b71c5e6feat: Update README.md with openssf scorecard badge
Corrections
802013389fix(openapi)!: add health endpoint to openapib39c71b5bfix(Cloudant): Fix Cloudant document creation error by setting id and rev to null instead of empty string during Java object conversionda677a677Revert "fix(importCDX): Resolved unnecessary update of component fields"8f9859955fix(docs): fix OpenAPI docs8164a1f48fix(rest): Fixed the reference to wrong db for oauthclients4918ecd85fix(test): Remove unused invalid entries7c4b647e9fix(test): Remove unused invalid entriesac410370cfix: Enable back client libraryc41cdedfcfix: Ignore SECURITY.md on license checkffd83c62ffix(Project): Add missing properties in network response849284e3bfix(Project): Unset unnecessory data before store network into database87bdf001efix(test): enable unauthorized request test519496118fix(Project): Fix vulnerability: Information exposure through an error message48eb7437efix(User): Fix XSS vulnerability due to a user-provided value89e67b7e9fix(Rest): component attachment deletion while updating externalIdsc35e05fbdfix: Create sw360oauthclients database9cfb2c16dfix(rest): Enhance the acceptRequest method to see the proposed changes in project/component/release pages.342145702fix: Restore target for Dockerfilee18227af9fix: Remove spotless dead codeec6d2bc18fix: Adjust pinned dependencies on Dockerfile73e682053fix: Update POI code to modern versiona2734ca50fix(StepSecurity): Apply security best practices
Infrastructure
8a0793ed5chore(deps): bump org.apache.maven.plugins:maven-gpg-plugin06426f8bbchore(deps): bump keycloak.version from 26.0.6 to 26.0.7385a8bc74chore(deps): bump tomcat from7ebc6c3to935ff51d24a5c32achore(deps): bump github/codeql-action from 3.27.6 to 3.27.9e38177ad1chore(deps-dev): bump com.tngtech.jgiven:jgiven-junit7277d0815chore(deps): bump org.apache.maven.plugins:maven-javadoc-plugine424549f5chore(deps): update wiremock to 3.10.0e35110da8chore(deps): use updated wiremockc5cbf16f4chore(deps): bump org.apache.httpcomponents.client5:httpclient5d59b81243chore(deps): bump actions/cache from 4.1.2 to 4.2.0e15aa510cchore(deps): bump maven from9ae8f00to85d505f97c483c04chore(deps): bump net.minidev:json-smart from 2.4.10 to 2.5.1862a08e73chore(deps): bump maven fromf401172to9ae8f00e0bec4851chore(deps): bump commons-io:commons-io from 2.17.0 to 2.18.0668953ad0chore(deps): bump org.mockito:mockito-core from 2.28.2 to 5.14.2684e0703cchore(deps): bump maven from5a44dfftof401172b80aaa302chore(deps): bump tomcat from2ade2b0to7ebc6c339bb1e985chore(deps): bump ubuntu from35b7fc7to80dd3c3f24cbc910chore(deps): bump github/codeql-action from 3.27.5 to 3.27.60db57d021chore(deps): bump ubuntu from278628fto35b7fc7db32f3bb8chore: Remove cache from java-setup action03dda4438chore(deps): bump org.codehaus.mojo:versions-maven-plugin2a4c3c3a6chore(deps): bump org.apache.maven.plugins:maven-assembly-plugin92f05513fchore(deps): bump org.apache.maven.plugins:maven-resources-plugin1c3aefe32chore(deps): bump jackson.version from 2.18.1 to 2.18.26d5b60f67chore(deps): bump org.springframework.security:spring-security-oauth2-authorization-server360f63268chore(deps): bump docker/build-push-action from 6.9.0 to 6.10.075b9565a2chore(deps): bump org.apache.maven.plugins:maven-dependency-plugin8589b49b9chore(deps-dev): bump com.github.tomakehurst:wiremock-jre8b4362b73dchore(deps): bump org.apache.commons:commons-lang3 from 3.12.0 to 3.17.0c0f95baabchore(deps): Fix Maven warning for deprecation values067a3025echore(deps): bump org.apache.commons:commons-csv from 1.10.0 to 1.12.041da93540chore(deps): Move versions to supperpom2dfa4afdbchore(deps): bump org.keycloak:keycloak-core from 26.0.5 to 26.0.690c1a4724chore(deps): bump log4j2.version from 2.24.1 to 2.24.2a2beaa41echore(deps-dev): bump net.bytebuddy:byte-buddy from 1.10.18 to 1.15.10cca5c12a9chore(deps-dev): bump org.ow2.asm:asm-commons from 7.1 to 9.7.1ec4e041f6chore(deps): bump springframework.version from 6.1.14 to 6.2.0bb9225664chore(deps): bump org.apache.maven.plugins:maven-enforcer-pluginc4b75cf53chore(deps): bump com.google.guava:guava from 32.0.0-jre to 33.3.1-jrec3c75c7dfchore(deps): bump spring-security.version from 6.3.3 to 6.4.1bca5bc337chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5df9bf4801chore(deps): bump actions/dependency-review-action from 4.4.0 to 4.5.0eaf13a8d6chore(deps): bump docker/metadata-action from 5.5.1 to 5.6.19bf808d70chore(deps): bump org.apache.maven.plugins:maven-failsafe-plugina11f1830fchore(deps): Update apache.commons-compress3658d3970chore(deps): bump org.apache.commons:commons-text from 1.10.0 to 1.12.06cd1da38bchore(deps): bump com.tngtech.jgiven:jgiven-maven-plugin36398cfbbUpdate security.md filece6aa331cCreate SECURITY.mda2a88dc79chore(deps): bump step-security/harden-runner from 2.10.1 to 2.10.212bd1bf81chore(deps): bump org.projectlombok:lombok from 1.18.34 to 1.18.364d336c6adchore(deps): bump jackson.version from 2.17.1 to 2.18.1cce753580chore(deps-dev): bump nl.jqno.equalsverifier:equalsverifier6098b6723chore(deps): bump com.github.package-url:packageurl-java40ec24f69chore(deps): bump tomcat froma09d4c1to2ade2b0965ac8dc2chore(deps): bump ubuntu from99c3519to278628f49c3e574fchore(deps): bump maven from440a97ato5a44dffa91c6249cchore(deps): bump httpcore5.version from 5.2.5 to 5.3.1f2b202b7achore(docs): update the KeyCloak doc for 26.0.58f9492422chore(deps): bump keycloak.version from 25.0.6 to 26.0.56239843efchore(deps): Adjust Maven dependency declarations9fa14d2e3chore: Remove pre-commit checkstyle in favour of maven solution3f7153601chore: Remove mave source plugin duplcation3608ef514chore(deps): bump jakarta.servlet:jakarta.servlet-api1f7225b07chore(deps): bump github/codeql-action from 3.27.3 to 3.27.4952a11afdchore(deps): bump com.ibm.cloud:cloudant from 0.9.1 to 0.9.3dbf82f199chore(deps): bump com.jcraft:jsch from 0.1.54 to 0.1.55c972c7fc3chore(deps): bump github/codeql-action from 3.27.1 to 3.27.36985820ecchore: Update oudated migration Dockered71926a6chore(deps): bump org.codehaus.mojo:build-helper-maven-plugin1d148bf15chore(deps): bump org.apache.maven.plugins:maven-scm-pluginc72a1e2bbchore(deps): bump tomcat from7e26fc3toa09d4c178bd70065chore(deps): bump org.dom4j:dom4j from 2.1.3 to 2.1.4dcfdc9e41chore(deps): bump org.apache.maven.plugins:maven-jar-plugincc2f51ab2chore(deps): bump com.google.guava:failureaccess from 1.0.1 to 1.0.2a5ce63316chore(deps): bump github/codeql-action from 3.27.0 to 3.27.101b30091cchore(rest): reformat ModerationRequestService56ab42369chore(deps): bump com.google.code.gson:gson from 2.10.1 to 2.11.0f2b110dd0chore(deps): bump org.apache.maven.plugins:maven-source-plugin29fdca6fbchore(deps): bump org.apache.maven.plugins:maven-surefire-plugin4d34c09d2chore(deps): bump commons-io:commons-io from 2.16.1 to 2.17.0a4be46a19chore: update OpenAPI docs for ProjectController7478bd81achore: fix OpenAPI docs for VendorControllere892e5ed4chore: fix OpenAPI docs for DatabaseSanitationControllerb330354f4chore: fix OpenAPI docs for EccController671f39337chore: fix OpenAPI docs for UserControllerf88c820b9chore: fix openapi docs for LicenseControllerd5068fdeechore: fix swagger docs of ScheduleAdminController4a88eba4cchore(deps): bump tomcat frome19f9cato7e26fc3e84e66b03chore(deps): bump org.springframework.security:spring-security-oauth2-authorization-server038e12a64chore(deps): bump org.jetbrains:annotations from 26.0.0 to 26.0.1d026717e0chore(deps): bump log4j2.version from 2.19.0 to 2.24.10bbf1392fchore(deps): bump org.sonatype.plugins:nexus-staging-maven-pluginc41a3d0ddchore: Remove unused dead codec120a4cefchore(deps): bump org.glassfish.jaxb:jaxb-runtime from 2.3.9 to 4.0.534ab188c0chore(deps): bump version.keycloak from 25.0.4 to 26.0.54bd5a97fdchore(deps): bump poi.version from 4.1.2 to 5.3.0bb84e6eb0chore(deps): bump docker/build-push-action from 5.4.0 to 6.9.05901e9bacchore(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0b3de287b9chore: Update pre-commit with latest versionsd4c57b195chore: Extend gitignore047bff839chore(deps): bump org.json:json from 20231013 to 2024030306a65cdc1chore: Remove duplicate entries for vscode workspace75971bd42chore(scorecard): Update permissions on workflows416c9a4e7chore: Remove dead code from actions0be1b1889chore: No need validate for any of .github files1f3193529chore: Remove unmaintained and disabled workflowf95b3b5dachore(scorecard): Remove broad permissions allowance.0f7167b7dchore(deps): Update json0ea6cfb3echore(scorecard): Create initial codeql.yml setup