Merge branch 'master' into dependency-track-1732

Signed-off-by: mge-mm <[email protected]>
DependencyTrack · Nov 29, 2023 · 9db1ab5 · 9db1ab5
2 parents 38582f3 + 065e483
commit 9db1ab5
Show file tree

Hide file tree

Showing 167 changed files with 10,731 additions and 3,177 deletions.
diff --git a/.github/ISSUE_TEMPLATE/defect-report.yml b/.github/ISSUE_TEMPLATE/defect-report.yml
@@ -61,10 +61,10 @@ body:
       What version of Dependency-Track are you using?
     options:
     - 4.7.x
-    - 4.8.0
-    - 4.8.1
-    - 4.8.2
-    - 4.9.0-SNAPSHOT
+    - 4.8.x
+    - 4.9.0
+    - 4.9.1
+    - 4.10.0-SNAPSHOT
   validations:
     required: true
 - type: dropdown

diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
@@ -17,15 +17,17 @@ on:
       registry-0-psw:
         required: true
 
+permissions: { }
+
 jobs:
   build-java:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Set up JDK
-        uses: actions/[email protected]
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # tag=v3.13.0
         with:
           distribution: 'temurin'
           java-version: '17'
@@ -49,7 +51,7 @@ jobs:
           mvn cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
 
       - name: Upload Artifacts
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # tag=v3.1.3
         with:
           name: assembled-wars
           path: |-
@@ -58,6 +60,8 @@ jobs:
 
   build-container:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required to upload trivy's SARIF output
     needs:
       - build-java
 
@@ -70,25 +74,25 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Download Artifacts
-        uses: actions/[email protected]
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # tag=v3.0.2
         with:
           name: assembled-wars
           path: target
 
       - name: Set up QEMU
-        uses: docker/[email protected]
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/[email protected]
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # tag=v3.0.0
         id: buildx
         with:
           install: true
 
       - name: Login to Docker.io
-        uses: docker/[email protected]
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # tag=v3.0.0
         if: ${{ inputs.publish-container }}
         with:
           registry: docker.io
@@ -105,7 +109,7 @@ jobs:
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
       - name: Build multi-arch Container Image
-        uses: docker/build-push-action@v5.0.0
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # tag=v5.1.0
         with:
           tags: ${{ steps.tags.outputs.tags }}
           build-args: |-
@@ -119,7 +123,7 @@ jobs:
 
       - name: Run Trivy Vulnerability Scanner
         if: ${{ inputs.publish-container }}
-        uses: aquasecurity/trivy-action@0.12.0
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # tag=0.14.0
         with:
           image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
           format: 'sarif'
@@ -129,6 +133,6 @@ jobs:
 
       - name: Upload Trivy Scan Results to GitHub Security Tab
         if: ${{ inputs.publish-container }}
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # tag=v2.22.8
         with:
           sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -16,12 +16,16 @@ on:
       - 'docs/**'
   workflow_dispatch:
 
+permissions: { }
+
 jobs:
   call-build:
     uses: ./.github/workflows/_meta-build.yaml
     with:
       app-version: "snapshot"
       publish-container: ${{ github.ref == 'refs/heads/master' }}
+    permissions:
+      security-events: write # Required to upload trivy's SARIF output
     secrets:
       registry-0-usr: ${{ secrets.HUB_USERNAME }}
       registry-0-psw: ${{ secrets.HUB_ACCESSS_TOKEN }}
diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
@@ -8,6 +8,8 @@ on:
       - released
   workflow_dispatch:
 
+permissions: { }
+
 jobs:
   read-version:
     runs-on: ubuntu-latest
@@ -21,7 +23,7 @@ jobs:
             exit 1
           fi
       - name: Checkout Repository
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Parse Version from POM
         id: parse
@@ -36,6 +38,8 @@ jobs:
     with:
       app-version: ${{ needs.read-version.outputs.version }}
       publish-container: true
+    permissions:
+      security-events: write # Required to upload trivy's SARIF output
     secrets:
       registry-0-usr: ${{ secrets.HUB_USERNAME }}
       registry-0-psw: ${{ secrets.HUB_ACCESSS_TOKEN }}
@@ -47,10 +51,10 @@ jobs:
       - call-build
     steps:
       - name: Checkout Repository
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Download Artifacts
-        uses: actions/[email protected]
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # tag=v3.0.2
         with:
           name: assembled-wars
           path: target

diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
@@ -9,6 +9,8 @@ on:
         description: 'Use this to overwrite the version number to release, otherwise uses the current SNAPSHOT version (expected format x.y.z)'
         type: string
 
+permissions: { }
+
 jobs:
   prepare-release:
     runs-on: ubuntu-latest
@@ -18,7 +20,7 @@ jobs:
       release-branch: ${{ steps.variables.outputs.release-branch }}
     steps:
       - name: Checkout Repository
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Setup Environment
         id: variables
@@ -45,10 +47,10 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Set up JDK
-        uses: actions/[email protected]
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # tag=v3.13.0
         with:
           distribution: 'temurin'
           java-version: '17'
@@ -112,7 +114,7 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
         with:
           ref: ${{ needs.prepare-release.outputs.release-branch }}
 

diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
@@ -24,15 +24,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: { }
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Set up JDK
-        uses: actions/[email protected]
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # tag=v3.13.0
         with:
           distribution: 'temurin'
           java-version: '17'

diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -2,15 +2,14 @@ name: Dependency Review
 on:
   pull_request:
 
-permissions:
-  contents: read
+permissions: { }
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/[email protected].0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # tag=v3.1.3
diff --git a/.github/workflows/lock.yaml b/.github/workflows/lock.yaml
@@ -4,17 +4,18 @@ on:
   schedule:
     - cron: '0 10 * * *'
 
-permissions:
-  issues: write
-  pull-requests: write
+permissions: { }
 
 jobs:
   action:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write # Required to lock issues
+      pull-requests: write # Required to lock PRs
     # don't run on forks
     if: ${{ contains(github.repository, 'DependencyTrack/') }}
     steps:
-      - uses: dessant/lock-threads@v4
+      - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # tag=v4.0.1
         with:
           github-token: ${{ github.token }}
           issue-inactive-days: '30'

diff --git a/dev/docker-compose.mssql.yml b/dev/docker-compose.mssql.yml
@@ -59,7 +59,7 @@ services:
     - -P
     - DTrack1234#
     - -Q
-    - CREATE DATABASE dtrack
+    - CREATE DATABASE dtrack; ALTER DATABASE dtrack SET READ_COMMITTED_SNAPSHOT ON;
     restart: on-failure
 
 volumes: