Implement user-managed vuln policies

* Allows users to manage vulnerability policies via REST API (and consequently REST API). Previously, vuln policies could only be used with bundles, which required an external file server.
* Paves the way for support of multiple bundles. Introduces a default bundle to bridge the gap with the previous behaviour.
* Adds the concept of priorities to enable deterministic evaluation order.
* Simplifies vuln policy management by switching from multiple conditions to only a single condition per policy. Having multiple conditions is largely useless given CEL is more expressive for combining multiple conditions.
* Removes S3 support for bundle retrieval. We have no actual requirement for this yet.
* Migrates all endpoints related to vuln policies to API v2.
* Refactors the sync task to a dex workflow.

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

api/src/main/openapi/components/schemas/invalid-vuln-policy-condition-problem-details.yaml

@@ -0,0 +1,26 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+allOf:
+- $ref: "./problem-details.yaml"
+properties:
+  errors:
+    type: array
+    items:
+      $ref: "./vuln-policy-condition-error.yaml"
+required:
+- errors

api/src/main/openapi/components/schemas/vuln-policies/create-vuln-policy-request.yaml

@@ -0,0 +1,55 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+properties:
+  name:
+    type: string
+    minLength: 1
+    maxLength: 255
+  description:
+    type: string
+    maxLength: 512
+  author:
+    type: string
+    maxLength: 255
+  condition:
+    type: string
+    maxLength: 4096
+    minLength: 1
+  analysis:
+    $ref: "./vuln-policy-analysis.yaml"
+  ratings:
+    type: array
+    items:
+      $ref: "./vuln-policy-rating.yaml"
+    maxItems: 3
+  operation_mode:
+    $ref: "./vuln-policy-operation-mode.yaml"
+  priority:
+    type: integer
+    format: int32
+    minimum: 0
+    maximum: 100
+    default: 0
+  valid_from:
+    $ref: "../../schemas/timestamp.yaml"
+  valid_until:
+    $ref: "../../schemas/timestamp.yaml"
+required:
+- name
+- condition
+- analysis

api/src/main/openapi/components/schemas/vuln-policies/get-vuln-policy-response.yaml

@@ -0,0 +1,63 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+properties:
+  uuid:
+    type: string
+    format: uuid
+  name:
+    type: string
+  description:
+    type: string
+  author:
+    type: string
+  condition:
+    type: string
+  analysis:
+    $ref: "./vuln-policy-analysis.yaml"
+  ratings:
+    type: array
+    items:
+      $ref: "./vuln-policy-rating.yaml"
+    maxItems: 3
+  operation_mode:
+    $ref: "./vuln-policy-operation-mode.yaml"
+  priority:
+    type: integer
+    format: int32
+    minimum: 0
+    maximum: 100
+  source:
+    $ref: "./vuln-policy-source.yaml"
+  valid_from:
+    $ref: "../../schemas/timestamp.yaml"
+  valid_until:
+    $ref: "../../schemas/timestamp.yaml"
+  created:
+    $ref: "../../schemas/timestamp.yaml"
+    readOnly: true
+  updated:
+    $ref: "../../schemas/timestamp.yaml"
+    readOnly: true
+required:
+- uuid
+- name
+- condition
+- analysis
+- operation_mode
+- priority
+- source

api/src/main/openapi/components/schemas/vuln-policies/list-vuln-policies-response-item.yaml

@@ -0,0 +1,40 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+properties:
+  uuid:
+    type: string
+    format: uuid
+  name:
+    type: string
+  description:
+    type: string
+  author:
+    type: string
+  priority:
+    type: integer
+    format: int32
+  operation_mode:
+    $ref: "./vuln-policy-operation-mode.yaml"
+  source:
+    $ref: "./vuln-policy-source.yaml"
+required:
+- uuid
+- name
+- priority
+- operation_mode
+- source

api/src/main/openapi/components/schemas/vuln-policies/list-vuln-policies-response.yaml

@@ -0,0 +1,27 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+allOf:
+- $ref: "../paginated-response.yaml"
+properties:
+  items:
+    type: array
+    items:
+      $ref: "./list-vuln-policies-response-item.yaml"
+required:
+- total
+- items

api/src/main/openapi/components/schemas/vuln-policies/list-vuln-policy-bundles-response-item.yaml

@@ -0,0 +1,34 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+properties:
+  uuid:
+    type: string
+    format: uuid
+  url:
+    type: string
+  hash:
+    type: string
+  last_successful_sync:
+    $ref: "../../schemas/timestamp.yaml"
+  created:
+    $ref: "../../schemas/timestamp.yaml"
+  updated:
+    $ref: "../../schemas/timestamp.yaml"
+required:
+- uuid
+- url

api/src/main/openapi/components/schemas/vuln-policies/list-vuln-policy-bundles-response.yaml

@@ -0,0 +1,27 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+allOf:
+- $ref: "../paginated-response.yaml"
+properties:
+  items:
+    type: array
+    items:
+      $ref: "./list-vuln-policy-bundles-response-item.yaml"
+required:
+- items
+- total

api/src/main/openapi/components/schemas/vuln-policies/update-vuln-policy-request.yaml

@@ -0,0 +1,55 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+properties:
+  name:
+    type: string
+    minLength: 1
+    maxLength: 255
+  description:
+    type: string
+    maxLength: 512
+  author:
+    type: string
+    maxLength: 255
+  condition:
+    type: string
+    maxLength: 4096
+    minLength: 1
+  analysis:
+    $ref: "./vuln-policy-analysis.yaml"
+  ratings:
+    type: array
+    items:
+      $ref: "./vuln-policy-rating.yaml"
+    maxItems: 3
+  operation_mode:
+    $ref: "./vuln-policy-operation-mode.yaml"
+  priority:
+    type: integer
+    format: int32
+    minimum: 0
+    maximum: 100
+    default: 0
+  valid_from:
+    $ref: "../../schemas/timestamp.yaml"
+  valid_until:
+    $ref: "../../schemas/timestamp.yaml"
+required:
+- name
+- condition
+- analysis

api/src/main/openapi/components/schemas/vuln-policies/vuln-policy-analysis.yaml

@@ -0,0 +1,53 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+type: object
+properties:
+  state:
+    type: string
+    enum:
+    - EXPLOITABLE
+    - IN_TRIAGE
+    - FALSE_POSITIVE
+    - NOT_AFFECTED
+    - RESOLVED
+  justification:
+    type: string
+    enum:
+    - CODE_NOT_PRESENT
+    - CODE_NOT_REACHABLE
+    - REQUIRES_CONFIGURATION
+    - REQUIRES_DEPENDENCY
+    - REQUIRES_ENVIRONMENT
+    - PROTECTED_BY_COMPILER
+    - PROTECTED_AT_RUNTIME
+    - PROTECTED_AT_PERIMETER
+    - PROTECTED_BY_MITIGATING_CONTROL
+  vendor_response:
+    type: string
+    enum:
+    - CAN_NOT_FIX
+    - WILL_NOT_FIX
+    - UPDATE
+    - ROLLBACK
+    - WORKAROUND_AVAILABLE
+  details:
+    type: string
+  suppress:
+    type: boolean
+    default: false
+required:
+- state