Add missing fields to example JSON #5902
Open
AndreVirtimo wants to merge 487 commits into DependencyTrack:master from
Conversation
…-j-8 Bumps com.google.cloud.sql:mysql-socket-factory-connector-j-8 from 1.24.1 to 1.25.3. --- updated-dependencies: - dependency-name: com.google.cloud.sql:mysql-socket-factory-connector-j-8 dependency-version: 1.25.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…hort Signed-off-by: Steffen Ohrendorf <steffen.ohrendorf@gmx.de>
Bumps [org.codehaus.mojo:exec-maven-plugin](https://github.com/mojohaus/exec-maven-plugin) from 3.5.1 to 3.6.0. - [Release notes](https://github.com/mojohaus/exec-maven-plugin/releases) - [Commits](mojohaus/exec-maven-plugin@3.5.1...3.6.0) --- updated-dependencies: - dependency-name: org.codehaus.mojo:exec-maven-plugin dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps debian from `0c80836` to `d6743b7`. --- updated-dependencies: - dependency-name: debian dependency-version: stable-slim dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.5 to 5.5.1. - [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.5.1/RELEASE_NOTES.txt) - [Commits](apache/httpcomponents-client@rel/v5.5...rel/v5.5.1) --- updated-dependencies: - dependency-name: org.apache.httpcomponents.client5:httpclient5 dependency-version: 5.5.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.icegreen:greenmail-junit5](https://github.com/greenmail-mail-test/greenmail) from 2.1.5 to 2.1.6. - [Release notes](https://github.com/greenmail-mail-test/greenmail/releases) - [Commits](greenmail-mail-test/greenmail@release-2.1.5...release-2.1.6) --- updated-dependencies: - dependency-name: com.icegreen:greenmail-junit5 dependency-version: 2.1.6 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.metaeffekt.core:ae-security from 0.144.1 to 0.145.0. --- updated-dependencies: - dependency-name: org.metaeffekt.core:ae-security dependency-version: 0.145.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [io.github.ascopes:protobuf-maven-plugin](https://github.com/ascopes/protobuf-maven-plugin) from 3.9.1 to 3.10.0. - [Release notes](https://github.com/ascopes/protobuf-maven-plugin/releases) - [Commits](ascopes/protobuf-maven-plugin@v3.9.1...v3.10.0) --- updated-dependencies: - dependency-name: io.github.ascopes:protobuf-maven-plugin dependency-version: 3.10.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* Fixes Artifactory compatibility including outdated component detection
* Drops the PackageBaseAddress / flat-container approach to version number retrieval. The old approach was simpler and faster but Artifactory didn't support it and it doesn't exclude unlisted versions
* Can specify a "fully qualified" repository URL including "index.json" to support Artifactory and Nexus URLs (DependencyTrack#5040)
* Suppresses pre-release versions (DependencyTrack#1711) unless no stable release versions exist in accordance with DependencyTrack#5075 behaviour
* Suppresses unlisted versions to avoid recommending versions which may have been resolved due to critical bugs
* Caches the RegistrationsBaseUrl for up to 15 minutes to remove the lookup overhead when performing bulk version checking
* Replaces SUPPORTED_DATE_FORMATS with thread-safe DateTimeFormatter
* Expanded test coverage, removed old flat-container based tests
* Removed printStackTrace call from AbstractMetaAnalyzer - throwable is passed to logger.error call

Signed-off-by: colinfyfe <colinfyfe@protonmail.com>
Bumps org.metaeffekt.core:ae-security from 0.145.0 to 0.145.2. --- updated-dependencies: - dependency-name: org.metaeffekt.core:ae-security dependency-version: 0.145.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [io.github.ascopes:protobuf-maven-plugin](https://github.com/ascopes/protobuf-maven-plugin) from 3.10.0 to 3.10.1. - [Release notes](https://github.com/ascopes/protobuf-maven-plugin/releases) - [Commits](ascopes/protobuf-maven-plugin@v3.10.0...v3.10.1) --- updated-dependencies: - dependency-name: io.github.ascopes:protobuf-maven-plugin dependency-version: 3.10.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.5 to 3.30.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@3599b3b...64d10c1) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.codehaus.mojo:exec-maven-plugin](https://github.com/mojohaus/exec-maven-plugin) from 3.6.0 to 3.6.1. - [Release notes](https://github.com/mojohaus/exec-maven-plugin/releases) - [Commits](mojohaus/exec-maven-plugin@3.6.0...3.6.1) --- updated-dependencies: - dependency-name: org.codehaus.mojo:exec-maven-plugin dependency-version: 3.6.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.5.0 to 3.6.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@184bdaa...5e57cd1) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Bumps [com.puppycrawl.tools:checkstyle](https://github.com/checkstyle/checkstyle) from 11.1.0 to 12.0.0. - [Release notes](https://github.com/checkstyle/checkstyle/releases) - [Commits](checkstyle/checkstyle@checkstyle-11.1.0...checkstyle-12.0.0) --- updated-dependencies: - dependency-name: com.puppycrawl.tools:checkstyle dependency-version: 12.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps alpine from `4bcff63` to `4b7ce07`. --- updated-dependencies: - dependency-name: alpine dependency-version: '3.22' dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.1.1 to 12.1.2. --- updated-dependencies: - dependency-name: org.eclipse.jetty.ee10:jetty-ee10-maven-plugin dependency-version: 12.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.icegreen:greenmail-junit5](https://github.com/greenmail-mail-test/greenmail) from 2.1.6 to 2.1.7. - [Release notes](https://github.com/greenmail-mail-test/greenmail/releases) - [Commits](greenmail-mail-test/greenmail@release-2.1.6...release-2.1.7) --- updated-dependencies: - dependency-name: com.icegreen:greenmail-junit5 dependency-version: 2.1.7 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.6 to 4.30.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@64d10c1...f443b60) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.30.8 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.8.0 to 4.8.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@56339e5...40c09b7) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-version: 4.8.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [net.javacrumbs.json-unit:json-unit-assertj](https://github.com/lukas-krecan/JsonUnit) from 4.1.1 to 5.0.0. - [Changelog](https://github.com/lukas-krecan/JsonUnit/blob/master/RELEASES.md) - [Commits](lukas-krecan/JsonUnit@json-unit-parent-4.1.1...json-unit-parent-5.0.0) --- updated-dependencies: - dependency-name: net.javacrumbs.json-unit:json-unit-assertj dependency-version: 5.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.puppycrawl.tools:checkstyle](https://github.com/checkstyle/checkstyle) from 11.1.0 to 12.0.1. - [Release notes](https://github.com/checkstyle/checkstyle/releases) - [Commits](checkstyle/checkstyle@checkstyle-11.1.0...checkstyle-12.0.1) --- updated-dependencies: - dependency-name: com.puppycrawl.tools:checkstyle dependency-version: 12.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Arjav <arjavdongaonkar@gmail.com>
Signed-off-by: Arjav <arjavdongaonkar@gmail.com>
Signed-off-by: Arjav <arjavdongaonkar@gmail.com>
Bumps [org.testcontainers:testcontainers](https://github.com/testcontainers/testcontainers-java) from 1.21.3 to 2.0.0. - [Release notes](https://github.com/testcontainers/testcontainers-java/releases) - [Changelog](https://github.com/testcontainers/testcontainers-java/blob/main/CHANGELOG.md) - [Commits](testcontainers/testcontainers-java@1.21.3...2.0.0) --- updated-dependencies: - dependency-name: org.testcontainers:testcontainers dependency-version: 2.0.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* Where possible, enriches an affected package's PURL with `distro` qualifier inferred from the package's `ecosystem`. e.g. `ecosystem=Debian:7` becomes `distro=debian-11`, `ecosystem=Ubuntu:20.04:LTS` becomes `distro=ubuntu-20.04` etc.
* During vulnerability analysis, if both component and matching criteria have a PURL `distro` qualifier, ensures they match. Matching can handle codename <-> version comparisons, e.g. for Ubuntu `focal` would match `20.04` and vice versa.
* Generally improves performance of OSV mirroring by using fewer transactions and disabling ORM features that caused expensive unnecessary queries.

Currently Alpine, Debian, and Ubuntu distribution matching is implemented. These seem to work for SBOMs generated with Trivy and Syft.

The codename <-> version mapping is currently hardcoded for Debian and Ubuntu. There is a fallback mechanism that will handle exact matches, such that when Debian publishes a hypothetical "foo" release, we can still match components with vulnerabilities if both `distro` qualifiers are exactly "foo". Debian and Ubuntu provide CSV which we could regularly fetch at runtime, but this involves more work to coordinate.

Fixes DependencyTrack#1374
Fixes DependencyTrack#5776
Fixes DependencyTrack#4445
Fixes DependencyTrack#4725

Signed-off-by: nscuro <nscuro@protonmail.com>
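The distro-qualifier matching described in the commit above, as an added example rather than the project's own Java implementation: a Python sketch that derives a `distro` qualifier from an OSV-style `ecosystem` string, extracts qualifiers from a PURL, and compares two qualifiers with codename-to-version normalization plus the exact-match fallback the commit mentions. The codename tables cover only a handful of Debian and Ubuntu releases, the `Debian:N` to `debian-N` rule is my assumption (the commit's own Debian example differs), and every PURL used is constructed.

```python
"""Compare PURL `distro` qualifiers with codename <-> version normalization.
Added example, not Dependency-Track code. Codename tables are deliberately partial,
the 'Debian:N' -> 'debian-N' rule is an assumption, and all PURLs are constructed."""
from urllib.parse import unquote

# Partial codename tables: enough to show the mapping, not a complete list.
CODENAMES = {
    "ubuntu": {"bionic": "18.04", "focal": "20.04", "jammy": "22.04", "noble": "24.04"},
    "debian": {"buster": "10", "bullseye": "11", "bookworm": "12", "trixie": "13"},
}


def ecosystem_to_distro(ecosystem):
    """'Ubuntu:20.04:LTS' -> 'ubuntu-20.04'; 'Debian:12' -> 'debian-12'; None if unknown."""
    name, sep, rest = ecosystem.partition(":")
    if not sep:
        return None
    name = name.lower()
    if name in CODENAMES:
        # take the first numeric segment, so suffixes such as ':LTS' are dropped
        release = next((seg for seg in rest.split(":") if seg[:1].isdigit()), None)
        return f"{name}-{release}" if release else None
    return None


def purl_qualifiers(purl):
    """Extract the qualifier map ('?k=v&k2=v2', before any '#subpath') from a PURL."""
    _, sep, tail = purl.partition("?")
    if not sep:
        return {}
    out = {}
    for pair in tail.split("#", 1)[0].split("&"):
        key, has_eq, value = pair.partition("=")
        if key and has_eq:
            out[key.lower()] = unquote(value)   # qualifier keys are case-insensitive
    return out


def normalize_distro(distro):
    """'ubuntu-focal' -> ('ubuntu', '20.04'); unknown releases pass through for exact matching."""
    name, sep, release = distro.lower().partition("-")
    if not sep:
        return (name, "")
    return (name, CODENAMES.get(name, {}).get(release, release))


def distro_compatible(component_purl, criteria_purl):
    """False only when both PURLs declare a distro and, after normalization, they differ."""
    component = purl_qualifiers(component_purl).get("distro")
    criteria = purl_qualifiers(criteria_purl).get("distro")
    if component is None or criteria is None:
        return True   # distro is only enforced when both sides carry the qualifier
    return normalize_distro(component) == normalize_distro(criteria)
```

Returning `True` when either side lacks the qualifier mirrors the commit's wording (the check only applies when both sides have one); a stricter deployment could instead treat a missing qualifier on the component as "unknown distro" and refuse to match distro-scoped advisories at all.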
Signed-off-by: nscuro <nscuro@protonmail.com>
* Removes preliminary update timestamp check. This prevents backfilling of existing vulnerabilities with new data (e.g. EPSS scores, CVSSv4).
* Uses a diff-based approach when updating existing vulnerability records to avoid unnecessary DB writes triggered by the ORM.
* Do not set vulnerableSoftware when updating or creating new vulnerability records. VS have their own lifecycle that requires attribution management. Passing them as-is to the ORM could cause undesired behaviour.

Signed-off-by: nscuro <nscuro@protonmail.com>
Co-authored-by: Tobias Gies <tobias@tobiasgies.de> Signed-off-by: nscuro <nscuro@protonmail.com>
…yTrack#5829)

* Add EPSS score support for GitHub Advisory (GHSA) vulnerabilities

  Resolves DependencyTrack#4330

  - Map `percentage` (exploitation probability) and `percentile` (relative rank) from the GitHub EPSS API response to the `epssScore` and `epssPercentile` fields on GHSA Vulnerability records.
  - Extend `VulnerabilityQueryManager.hasChanges()` to also trigger an update when an advisory has EPSS data but the stored record does not, enabling backfill without relying on a changed `updatedAt` timestamp.
  - Add upgrade item `v4140Updater` that resets the GHSA mirror timestamp on first boot, causing the next mirror run to re-fetch all advisories and populate EPSS fields on existing records.
  - Add `ModelConverterTest` (unit) and extend `GitHubAdvisoryMirrorTaskTest` (integration) with EPSS test cases using real values from the GitHub API.

  Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com>

* Address PR review comments: rename changelog, use ParameterizedTest

  - Rename docs/_posts/2026-02-19-v4.14.0.md to 2026-xx-xx-v4.14.0.md
  - Convert testConvertSeverityMapping to @ParameterizedTest with display name

  Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com>

* add note to release notes

  Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com>

---------

Signed-off-by: Valentijn Scholten <valentijnscholten@gmail.com>
Bumps org.metaeffekt.core:ae-security from 0.152.0 to 0.153.0. --- updated-dependencies: - dependency-name: org.metaeffekt.core:ae-security dependency-version: 0.153.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.0.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@8d2750c...4d04d5d) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.34.1 to 0.35.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@e368e32...57a97c7) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.8.3 to 4.9.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@05fe457...2031cfc) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-version: 4.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@c94ce9f...b45d80f) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.32.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@89a39a4...0d579ff) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [io.github.ascopes:protobuf-maven-plugin](https://github.com/ascopes/protobuf-maven-plugin) from 5.0.1 to 5.0.2. - [Release notes](https://github.com/ascopes/protobuf-maven-plugin/releases) - [Commits](ascopes/protobuf-maven-plugin@v5.0.1...v5.0.2) --- updated-dependencies: - dependency-name: io.github.ascopes:protobuf-maven-plugin dependency-version: 5.0.2 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.metaeffekt.core:ae-security from 0.153.0 to 0.153.1. --- updated-dependencies: - dependency-name: org.metaeffekt.core:ae-security dependency-version: 0.153.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.apache.maven:maven-artifact from 3.9.12 to 3.9.13. --- updated-dependencies: - dependency-name: org.apache.maven:maven-artifact dependency-version: 3.9.13 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Expand the Finding and GroupedFinding objects to include all CVSS vectors (v2, v3, and v4) as well as the OWASP RR vector. Additionally, external references and vulnerability publication dates are included. These fields are now available via the API and in the Finding Packaging Format (FPF) export.

Currently, findings only include numerical scores, which prevents downstream systems like DefectDojo from performing deep vector-based risk assessments. Including advisory links and publication dates further improves vulnerability context and SLA tracking in external management platforms. The addition of all available vectors enhances this capability significantly.

SQL queries, internal mappings (Finding, GroupedFinding), and the persistence layer (FindingsSearchQueryManager) were adjusted to support these new fields. The test suite was updated to ensure compatibility with the modified data structure and shifted result set indices after resolving merge conflicts from the integration of CVSSv4 support.

Signed-off-by: Andre Schlegel-Tylla <andre.schlegel-tylla@virtimo.de>
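The commit above is about exposing the vector strings (and publication dates) on findings so that a downstream consumer can do more than compare numeric scores. What that buys you, as an added example that is not code from Dependency-Track or from this PR: a small Python consumer of an FPF-style export that re-derives the CVSS v3.1 base score from each exported vector, flags findings whose exported number disagrees with their own vector (a stale or mis-mapped score is invisible when only the number is exported), and normalizes the two date shapes mentioned in this PR's description. Python rather than Java because the point is the consumer side, not the server. The document is constructed; the field names `cvssV3Vector`, `cvssV3BaseScore` and `published`, and the assumption that `published` is serialized as epoch milliseconds while `meta.timestamp` is ISO 8601, are assumptions about the export layout, not facts taken from the page.

```python
"""Cross-check CVSS v3.1 vectors in a Finding Packaging Format (FPF) style export.
Added example, not Dependency-Track code: the export is constructed, and the field names
cvssV3Vector, cvssV3BaseScore and published (epoch milliseconds) are assumed, not verified."""
import json
import math
from datetime import datetime, timezone

# Constructed FPF-like document: meta.timestamp is ISO 8601, published is epoch milliseconds.
SAMPLE_FPF = json.dumps({
    "meta": {"application": "Dependency-Track", "timestamp": "2024-03-06T08:00:00Z"},
    "project": {"name": "demo-app", "version": "1.0.0"},
    "findings": [
        # vector and exported numeric score agree
        {"component": {"name": "libfoo", "version": "1.2.3"},
         "vulnerability": {"vulnId": "SAMPLE-1", "source": "INTERNAL", "published": 1709633700000,
                           "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                           "cvssV3BaseScore": 9.8}},
        # stale numeric score: the vector works out to 9.9 but 9.1 was exported
        {"component": {"name": "libbar", "version": "0.9.0"},
         "vulnerability": {"vulnId": "SAMPLE-2", "source": "INTERNAL", "published": 1709633700000,
                           "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                           "cvssV3BaseScore": 9.1}},
        # pre-change shape: score only, no vector, so nothing can be re-derived
        {"component": {"name": "libbaz", "version": "2.0.0"},
         "vulnerability": {"vulnId": "SAMPLE-3", "source": "INTERNAL", "published": 1709633700000,
                           "cvssV3BaseScore": 4.2}},
    ],
})

# CVSS v3.1 base metric weights (FIRST specification, section 7.4); PR depends on scope.
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}, "AC": {"L": 0.77, "H": 0.44},
      "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
      "PR": {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.50}}}
_REQUIRED = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_cvss_v3_vector(vector):
    """Split 'CVSS:3.x/AV:N/...' into a metric dict, rejecting malformed or incomplete input."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = [k for k in _REQUIRED if k not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return metrics


def _roundup(x):
    """CVSS v3.1 Roundup: smallest multiple of 0.1 >= x, done in integer math as the spec does."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss_v3_base_score(vector):
    """Base score per the v3.1 equations (applied to v3.0 vectors too; they differ only in rounding)."""
    m = parse_cvss_v3_vector(vector)
    scope = m["S"]
    if scope not in _W["PR"]:
        raise ValueError(f"bad scope {scope!r} in {vector!r}")
    try:
        cia = _W["CIA"]
        iss = 1 - (1 - cia[m["C"]]) * (1 - cia[m["I"]]) * (1 - cia[m["A"]])
        exploitability = (8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]]
                          * _W["PR"][scope][m["PR"]] * _W["UI"][m["UI"]])
    except KeyError as exc:
        raise ValueError(f"bad metric value {exc} in {vector!r}") from None
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if scope == "C" else 6.42 * iss
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if scope == "C" else total, 10))


def to_utc_datetime(value):
    """Normalize either epoch milliseconds or an ISO 8601 string to an aware UTC datetime."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))   # 'Z' only parses natively on 3.11+
    return (dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)).astimezone(timezone.utc)


def check_findings(fpf_json):
    """One record per finding: the score re-derived from the vector vs. the exported number."""
    report = []
    for finding in json.loads(fpf_json)["findings"]:
        vuln = finding["vulnerability"]
        entry = {"vulnId": vuln["vulnId"], "exported": vuln.get("cvssV3BaseScore"),
                 "computed": None, "consistent": None, "error": None, "published": None}
        if vuln.get("published") is not None:
            entry["published"] = to_utc_datetime(vuln["published"]).isoformat()
        if vuln.get("cvssV3Vector"):
            try:
                entry["computed"] = cvss_v3_base_score(vuln["cvssV3Vector"])
                entry["consistent"] = (entry["exported"] is not None
                                       and abs(entry["computed"] - entry["exported"]) < 0.05)
            except ValueError as exc:
                entry["error"] = str(exc)
        report.append(entry)
    return report
```

Running `check_findings(SAMPLE_FPF)` marks SAMPLE-1 consistent, SAMPLE-2 inconsistent (9.9 from the vector against the exported 9.1), and leaves SAMPLE-3 with `computed` unset because the old score-only shape gives a consumer nothing to verify against; that last case is exactly the limitation the commit message describes. The v4 and OWASP RR vectors the commit also exports would need their own calculators; only the v3 formula is implemented here.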
Signed-off-by: Simon A. Eugster <simon.eu@gmail.com>
…ck#5886) This is a continuation of the existing watermark reset logic. Since the feed-based NVD mirroring does not keep watermarks in the database, we need to delete its timestamp files instead. Signed-off-by: nscuro <nscuro@protonmail.com>
DependencyTrack#5844 introduced new fields to findings Signed-off-by: nscuro <nscuro@protonmail.com>
Introduces 33 new licenses. Signed-off-by: nscuro <nscuro@protonmail.com>
Introduces 18 new CWEs. Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: Andre Schlegel-Tylla <andre.schlegel-tylla@virtimo.de>
✅ Snyk checks have passed. No issues have been found so far.
Description
The JSON example in docs/_docs/integrations/file-formats.md is not complete.
Addressed Issue
Additional Details
I have noted that the date format for `published` is different from that of `timestamp`. Is this a problem?
Checklist