Merge remote-tracking branch 'upstream/master'

DependencyTrack · Mar 5, 2024 · 72b6131 · 72b6131
2 parents 7a64a9d + 502a768
commit 72b6131
Show file tree

Hide file tree

Showing 763 changed files with 459,449 additions and 3,048 deletions.
diff --git a/.github/release.yml b/.github/release.yml
@@ -0,0 +1,14 @@
+changelog:
+  categories:
+  - title: Enhancements 🚀
+    labels:
+    - enhancement
+  - title: Bug Fixes 🐛
+    labels:
+    - defect
+  - title: Dependency Updates 🤖
+    labels:
+    - dependencies
+  - title: Other Changes
+    labels:
+    - "*"
diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
@@ -77,7 +77,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Download Artifacts
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # tag=v4.1.2
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # tag=v4.1.4
         with:
           name: assembled-wars
           path: target
@@ -86,7 +86,7 @@ jobs:
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # tag=v3.0.0
+        uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # tag=v3.1.0
         id: buildx
         with:
           install: true
@@ -123,7 +123,7 @@ jobs:
 
       - name: Run Trivy Vulnerability Scanner
         if: ${{ inputs.publish-container }}
-        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # tag=0.17.0
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # tag=0.18.0
         with:
           image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
           format: 'sarif'
@@ -133,6 +133,6 @@ jobs:
 
       - name: Upload Trivy Scan Results to GitHub Security Tab
         if: ${{ inputs.publish-container }}
-        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # tag=v3.24.0
+        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # tag=v3.24.6
         with:
           sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
@@ -54,7 +54,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Download Artifacts
-        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # tag=v4.1.2
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # tag=v4.1.4
         with:
           name: assembled-wars
           path: target
@@ -79,6 +79,9 @@ jobs:
           $(cat target/checksums.txt)
           \`\`\`
           EOF
+          
+          gh release view ${{ needs.read-version.outputs.version }} \
+            --json body --jq .body >> .github/default-release-notes.md
 
           gh release edit ${{ needs.read-version.outputs.version }} \
             --notes-file ".github/default-release-notes.md"

diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
@@ -104,7 +104,7 @@ jobs:
           gh release create "${{ needs.prepare-release.outputs.version }}" \
             --target "${{ needs.prepare-release.outputs.release-branch }}" \
             --title "${{ needs.prepare-release.outputs.version }}" \
-            --notes-file ".github/default-release-notes.md"
+            --generate-notes
 
   post-release:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/ci-test-pr-coverage.yml b/.github/workflows/ci-test-pr-coverage.yml
@@ -0,0 +1,32 @@
+name: Report PR Test Coverage
+
+on:
+  workflow_run:
+    workflows:
+    - Tests CI
+    types:
+    - completed
+
+permissions: { }
+
+jobs:
+  publish:
+    name: Report Coverage
+    runs-on: ubuntu-latest
+    if: |-
+      github.event.workflow_run.event == 'pull_request'
+        && github.event.workflow_run.conclusion == 'success'
+    steps:
+    - name: Download PR test coverage report
+      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # tag=v4.1.4
+      with:
+        name: pr-test-coverage-report
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        run-id: ${{ github.event.workflow_run.id }}
+    - name: Report Coverage to Codacy
+      run: |-
+        bash <(curl -Ls https://coverage.codacy.com/get.sh) report \
+          --project-token ${{ secrets.CODACY_PROJECT_TOKEN }} \
+          --commit-uuid ${{ github.event.workflow_run.head_sha }} \
+          --coverage-reports ./target/jacoco-ut/jacoco.xml \
+          --language Java
diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
@@ -45,10 +45,29 @@ jobs:
           mvn clean
           mvn test -P enhance
 
+      # Publishing coverage to Codacy is only possible for builds of push events.
+      # PRs from forks do not get access to repository secrets.
+      # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
       - name: Publish test coverage
-        if: ${{ github.ref == 'refs/heads/master' && contains(github.repository, 'DependencyTrack/') }}
+        if: ${{ github.event_name != 'pull_request' && github.repository_owner == 'DependencyTrack' }}
         uses: codacy/[email protected]
         with:
           project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
           language: Java
           coverage-reports: target/jacoco-ut/jacoco.xml
+
+      - name: Save PR details
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |-
+          echo ${{ github.sha }} > pr-commit.txt
+          echo ${{ github.event.number }} > pr-number.txt
+
+      - name: Upload PR test coverage report
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # tag=v4.3.1
+        with:
+          name: pr-test-coverage-report
+          path: |-
+            pr-commit.txt
+            pr-number.txt
+            target/jacoco-ut/jacoco.xml
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -12,4 +12,4 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # tag=v4.0.0
+        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # tag=v4.1.3
diff --git a/README.md b/README.md
@@ -57,6 +57,7 @@ CI/CD environments.
   * [GitHub Advisories]
   * [Sonatype OSS Index]
   * [Snyk]
+  * [Trivy]
   * [OSV]
   * [VulnDB] from [Risk Based Security]
   * More coming soon.
@@ -216,6 +217,7 @@ the [notices] file for more information.
   [GitHub Advisories]: https://www.github.com/advisories
   [Sonatype OSS Index]: https://ossindex.sonatype.org
   [Snyk]: https://snyk.io
+  [Trivy]: https://www.aquasec.com/products/trivy/
   [OSV]: https://osv.dev
   [VulnDB]: https://vulndb.cyberriskanalytics.com
   [Risk Based Security]: https://www.riskbasedsecurity.com