Support for summarized and scheduled notifications

.github/ISSUE_TEMPLATE/adopt-dependency-track.yaml

@@ -0,0 +1,65 @@
+name: Adopt Dependency Track
+description: Let the community know you have adopted Dependency Track.
+title: organization_name has adopted Dependency Track
+labels: "adopt-dependency-track"
+assignees: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for supporting the Dependency track project. Adding your organization to the list of adopters raises awareness for the project and is more help than you think!
+
+        Check the current list of adopters:
+        https://github.com/DependencyTrack/dependency-track/blob/master/ADOPTERS.md
+  - type: input
+    id: org-name
+    attributes:
+      label: Organization Name
+      description: Name of the organization.
+      placeholder: ex. OWASP, Inc.
+    validations:
+      required: false
+  - type: input
+    id: org-url
+    attributes:
+      label: Organization Website
+      description: Provide a link to the organization website.
+      placeholder: ex. https://dependencytrack.org/
+    validations:
+      required: false
+  - type: input
+    id: org-logo
+    attributes:
+      label: Organization Logo (optional)
+      description: Provide a link to the organization logo.
+      placeholder: ex. https://avatars.githubusercontent.com/u/40258585?s=200&v=4
+    validations:
+      required: false
+  - type: textarea
+    id: dependency-track-use-case
+    attributes:
+      label: How is your organization using Dependency Track?
+      description: 2 or 3 sentences about how your organization has incorporated Dependency Track.
+      placeholder: We secure all the things!
+    validations:
+      required: false
+  - type: input
+    id: source-code
+    attributes:
+      label: Source Code Link (optional)
+      description: Is your use case open source? Provide a link.
+      placeholder: ex. https://github.com/DependencyTrack/dependency-track
+    validations:
+      required: false
+  - type: textarea
+    id: content-links
+    attributes:
+      label: Want to link blogs or videos? Share them here.
+      description: Please copy and paste links to content that shows how you're using Dependency Track.
+  - type: checkboxes
+    id: existing-entry
+    attributes:
+      label: Update entry
+      options:
+        - label: Check this box if you want to update an existing entry.
+          required: false

.github/ISSUE_TEMPLATE/defect-report.yml

@@ -63,9 +63,12 @@ body:
     - 4.7.x
     - 4.8.x
     - 4.9.x
-    - 4.10.0
-    - 4.10.1
-    - 4.11.0-SNAPSHOT
+    - 4.10.x
+    - 4.11.0
+    - 4.11.1
+    - 4.11.2
+    - 4.11.3
+    - 4.12.0-SNAPSHOT
   validations:
     required: true
 - type: dropdown

.github/workflows/_meta-build.yaml

@@ -11,6 +11,10 @@ on:
         required: false
         default: false
         description: "publish and scan the container image once its built"
+      ref-name:
+        type: string
+        required: true
+        description: "Short ref name of the branch or tag that triggered the workflow run"
     secrets:
       registry-0-usr:
         required: true
@@ -24,13 +28,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v4.1.6
 
       - name: Set up JDK
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # tag=v4.2.1
         with:
           distribution: 'temurin'
-          java-version: '17'
+          java-version: '21'
           cache: 'maven'
 
       - name: Setup CycloneDX CLI
@@ -43,15 +47,15 @@ jobs:
 
       - name: Build with Maven
         run: |-
-          mvn clean
-          mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
-          mvn clean -P clean-exclude-wars
-          mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -P bundle-ui -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
-          mvn clean -P clean-exclude-wars
-          mvn cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
+          mvn -B --no-transfer-progress clean
+          mvn -B --no-transfer-progress package -Dmaven.test.skip=true -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
+          mvn -B --no-transfer-progress clean -P clean-exclude-wars
+          mvn -B --no-transfer-progress package -Dmaven.test.skip=true -P enhance -P embedded-jetty -P bundle-ui -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
+          mvn -B --no-transfer-progress clean -P clean-exclude-wars
+          mvn -B --no-transfer-progress cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # tag=v4.3.2
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # tag=v4.3.3
         with:
           name: assembled-wars
           path: |-
@@ -74,10 +78,10 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v4.1.6
 
       - name: Download Artifacts
-        uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d # tag=v4.1.5
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # tag=v4.1.7
         with:
           name: assembled-wars
           path: target
@@ -92,7 +96,7 @@ jobs:
           install: true
 
       - name: Login to Docker.io
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # tag=v3.1.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # tag=v3.2.0
         if: ${{ inputs.publish-container }}
         with:
           registry: docker.io
@@ -102,9 +106,17 @@ jobs:
       - name: Set Container Tags
         id: tags
         run: |-
-          TAGS="docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}"
-          if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
-            TAGS="${TAGS},docker.io/dependencytrack/${{ matrix.distribution }}:latest"
+          IMAGE_NAME="docker.io/dependencytrack/${{ matrix.distribution }}"
+          REF_NAME="${{ inputs.ref-name }}"
+          TAGS=""
+
+          if [[ $REF_NAME == feature-* ]]; then
+            TAGS="${IMAGE_NAME}:${REF_NAME,,}"
+          else
+            TAGS="${IMAGE_NAME}:${{ inputs.app-version }}"
+            if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
+              TAGS="${TAGS},${IMAGE_NAME}:latest"
+            fi
           fi
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
@@ -123,7 +135,7 @@ jobs:
 
       - name: Run Trivy Vulnerability Scanner
         if: ${{ inputs.publish-container }}
-        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # tag=0.19.0
+        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # tag=0.22.0
         with:
           image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
           format: 'sarif'
@@ -133,6 +145,6 @@ jobs:
 
       - name: Upload Trivy Scan Results to GitHub Security Tab
         if: ${{ inputs.publish-container }}
-        uses: github/codeql-action/upload-sarif@c7f9125735019aa87cfc361530512d50ea439c71 # tag=v3.25.1
+        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # tag=v3.25.8
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/ci-build.yaml

@@ -4,13 +4,15 @@ on:
   push:
     branches:
       - 'master'          # Default branch
+      - 'feature-**'      # Feature branches
       - '[0-9]+.[0-9]+.x' # Release branches
     paths-ignore:
       - '**/*.md'
       - 'docs/**'
   pull_request:
     branches:
       - 'master'          # Default branch
+      - 'feature-**'      # Feature branches
     paths-ignore:
       - '**/*.md'
       - 'docs/**'
@@ -23,7 +25,8 @@ jobs:
     uses: ./.github/workflows/_meta-build.yaml
     with:
       app-version: "snapshot"
-      publish-container: ${{ github.ref == 'refs/heads/master' }}
+      publish-container: ${{ github.ref_name == 'master' || startsWith(github.ref_name, 'feature-') }}
+      ref-name: ${{ github.ref_name }}
     permissions:
       security-events: write # Required to upload trivy's SARIF output
     secrets:

.github/workflows/ci-publish.yaml

@@ -23,7 +23,7 @@ jobs:
             exit 1
           fi
       - name: Checkout Repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v4.1.6
 
       - name: Parse Version from POM
         id: parse
@@ -38,6 +38,7 @@ jobs:
     with:
       app-version: ${{ needs.read-version.outputs.version }}
       publish-container: true
+      ref-name: ${{ github.ref_name }}
     permissions:
       security-events: write # Required to upload trivy's SARIF output
     secrets:
@@ -51,10 +52,10 @@ jobs:
       - call-build
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v4.1.6
 
       - name: Download Artifacts
-        uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d # tag=v4.1.5
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # tag=v4.1.7
         with:
           name: assembled-wars
           path: target

.github/workflows/ci-release.yaml

@@ -20,7 +20,7 @@ jobs:
       release-branch: ${{ steps.variables.outputs.release-branch }}
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v4.1.6
 
       - name: Setup Environment
         id: variables
@@ -51,17 +51,17 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v4.1.6
 
       - name: Set up JDK
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # tag=v4.2.1
         with:
           distribution: 'temurin'
-          java-version: '17'
+          java-version: '21'
           cache: 'maven'
 
       - name: Set Version
-        run: mvn versions:set -DnewVersion=${VERSION}
+        run: mvn -B --no-transfer-progress versions:set -DnewVersion=${VERSION}
 
       - name: Commit Version
         env:
@@ -118,12 +118,12 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v4.1.6
         with:
           ref: ${{ needs.prepare-release.outputs.release-branch }}
 
       - name: Set SNAPSHOT Version after Release
-        run: mvn versions:set -DnewVersion=${NEXT_VERSION}
+        run: mvn -B --no-transfer-progress versions:set -DnewVersion=${NEXT_VERSION}
 
       - name: Commit SNAPSHOT Version
         env:

.github/workflows/ci-test-pr-coverage.yml

@@ -18,7 +18,7 @@ jobs:
         && github.event.workflow_run.conclusion == 'success'
     steps:
     - name: Download PR test coverage report
-      uses: actions/download-artifact@8caf195ad4b1dee92908e23f56eeb0696f1dd42d # tag=v4.1.5
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # tag=v4.1.7
       with:
         name: pr-test-coverage-report
         github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci-test.yaml

@@ -4,13 +4,15 @@ on:
   push:
     branches:
       - 'master'          # Default branch
+      - 'feature-**'      # Feature branches
       - '[0-9]+.[0-9]+.x' # Release branches
     paths-ignore:
       - '**/*.md'
       - 'docs/**'
   pull_request:
     branches:
       - 'master'          # Default branch
+      - 'feature-**'      # Feature branches
       - '[0-9]+.[0-9]+.x' # Release branches
     paths-ignore:
       - '**/*.md'
@@ -31,19 +33,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v4.1.6
 
       - name: Set up JDK
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # tag=v4.2.1
         with:
           distribution: 'temurin'
-          java-version: '17'
+          java-version: '21'
           cache: 'maven'
 
       - name: Execute unit tests
         run: |-
-          mvn clean
-          mvn test -P enhance
+          mvn -B --no-transfer-progress clean
+          mvn -B --no-transfer-progress test -P enhance
 
       # Publishing coverage to Codacy is only possible for builds of push events.
       # PRs from forks do not get access to repository secrets.
@@ -64,7 +66,7 @@ jobs:
 
       - name: Upload PR test coverage report
         if: ${{ github.event_name == 'pull_request' }}
-        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # tag=v4.3.2
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # tag=v4.3.3
         with:
           name: pr-test-coverage-report
           path: |-

.github/workflows/dependency-review.yaml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # tag=v4.1.3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # tag=v4.1.6
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # tag=v4.2.5
+        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # tag=v4.3.3

ADOPTERS.md

@@ -0,0 +1,21 @@
+# Adopters
+
+<!-- Hello! If you are using OWASP Dependency Trtack and contributing to this file, thank you! -->
+<!-- Please keep lines shorter than 80 characters (or so.) Links can go long. -->
+
+This is a list of organizations that have spoken publicly about their adoption or
+production users that have added themselves (in alphabetical order):
+
+* [Coming Soon]
+
+
+
+This is a list of adopters in early stages of production or
+pre-production (in alphabetical order):
+
+* [Apex Fintech Solutions](https://apexfintechsolutions.com/) has integrated OWASP Dependency-Track into their CI/CD pipeline as part of the DevSecOps program. This integration allows for the upload of SBOMs (Software Bill of Materials) to the platform for comprehensive component analysis and a detailed understanding of the software inventory used in software applications. By analyzing the components in our monorepo, we enhance our vulnerability management program and gain valuable insights into transitive dependencies, which traditional SCA (Software Composition Analysis) tools often overlook.
+
+
+If you have adopted OWASP Depenency Track and would like to be included in this list,
+feel free to submit a PR updating this file or
+[open an issue](https://github.com/).