chore(deps-dev): Bump org.openapitools:openapi-generator-maven-plugin from 7.17.0 to 7.21.0 (#1927)

* chore(deps-dev): Bump org.openapitools:openapi-generator-maven-plugin

Bumps org.openapitools:openapi-generator-maven-plugin from 7.17.0 to 7.21.0.

---
updated-dependencies:
- dependency-name: org.openapitools:openapi-generator-maven-plugin
  dependency-version: 7.21.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Handle breaking change in openapi-generator

The generator reverted a previous breaking change where `@Path` annotations were only generated at the method level. It now generates them at the interface level again, which causes conflicts when endpoints sharing the same path use different tags.

Signed-off-by: nscuro <nscuro@protonmail.com>

* Increase assertion timeouts in notification relay test

Contention in CI test runs can cause things to be slower at times.

Signed-off-by: nscuro <nscuro@protonmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: nscuro <nscuro@protonmail.com>

Author: dependabot[bot]

api/pom.xml

@@ -69,7 +69,7 @@
             <plugin>
                 <groupId>org.openapitools</groupId>
                 <artifactId>openapi-generator-maven-plugin</artifactId>
-                <version>7.17.0</version>
+                <version>7.21.0</version>
                 <executions>
                     <execution>
                         <id>generate-api-v2</id>

api/src/main/openapi/openapi.yaml

@@ -133,8 +133,8 @@ paths:
     $ref: "./paths/metrics_vulnerabilities.yaml"
   /projects/{uuid}/advisories:
     $ref: "./paths/projects__uuid__advisories.yaml"
-  /projects/{projectUuid}/advisories/{advisoryId}/findings:
-    $ref: "./paths/projects__projectUuid__advisories__advisoryId__findings.yaml"
+  /projects/{uuid}/advisories/{advisoryId}/findings:
+    $ref: "./paths/projects__uuid__advisories__advisoryId__findings.yaml"
   /projects/{uuid}/clone:
     $ref: "./paths/projects__uuid__clone.yaml"
   /projects/{uuid}/components:

api/src/main/openapi/paths/projects__uuid__advisories.yaml

@@ -22,7 +22,7 @@ get:
     
     Requires the `VIEW_VULNERABILITY` permission.
   tags:
-  - Advisories
+  - Projects
   parameters:
   - name: uuid
     in: path

…d__advisories__advisoryId__findings.yaml …d__advisories__advisoryId__findings.yamlapi/src/main/openapi/paths/projects__projectUuid__advisories__advisoryId__findings.yaml renamed to api/src/main/openapi/paths/projects__uuid__advisories__advisoryId__findings.yaml api/src/main/openapi/paths/projects__projectUuid__advisories__advisoryId__findings.yaml renamed to api/src/main/openapi/paths/projects__uuid__advisories__advisoryId__findings.yaml

@@ -19,9 +19,9 @@ get:
   summary: List findings by project and advisory
   description: Requires permission <strong>VIEW_VULNERABILITY</strong>
   tags:
-  - Advisories
+  - Projects
   parameters:
-  - name: projectUuid
+  - name: uuid
     in: path
     description: The UUID of the project
     required: true

apiserver/src/main/java/org/dependencytrack/resources/v2/AdvisoriesResource.java

@@ -21,15 +21,12 @@
 import alpine.server.auth.PermissionRequired;
 import io.csaf.retrieval.RetrievedDocument;
 import jakarta.ws.rs.NotFoundException;
-import jakarta.ws.rs.Path;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.Provider;
 import org.dependencytrack.api.v2.AdvisoriesApi;
 import org.dependencytrack.api.v2.model.GetAdvisoryResponse;
 import org.dependencytrack.api.v2.model.ListAdvisoriesResponse;
 import org.dependencytrack.api.v2.model.ListAdvisoriesResponseItem;
-import org.dependencytrack.api.v2.model.ListProjectAdvisoriesResponse;
-import org.dependencytrack.api.v2.model.ListProjectAdvisoriesResponseItem;
-import org.dependencytrack.api.v2.model.ListProjectAdvisoryFindingsResponseItem;
 import org.dependencytrack.auth.Permissions;
 import org.dependencytrack.common.pagination.Page;
 import org.dependencytrack.csaf.CsafModelConverter;
@@ -39,9 +36,6 @@
 import org.dependencytrack.persistence.jdbi.AdvisoryDao;
 import org.dependencytrack.persistence.jdbi.AdvisoryDao.AdvisoryDetailRow;
 import org.dependencytrack.persistence.jdbi.AdvisoryDao.ListAdvisoriesRow;
-import org.dependencytrack.persistence.jdbi.AdvisoryDao.ListProjectAdvisoriesRow;
-import org.dependencytrack.persistence.jdbi.ProjectDao;
-import org.dependencytrack.persistence.jdbi.query.ListAdvisoriesForProjectQuery;
 import org.dependencytrack.persistence.jdbi.query.ListAdvisoriesQuery;
 import org.dependencytrack.resources.AbstractApiResource;
 import org.owasp.security.logging.SecurityMarkers;
@@ -54,7 +48,6 @@
 import java.io.UncheckedIOException;
 import java.time.Instant;
 import java.util.HashSet;
-import java.util.List;
 import java.util.UUID;
 
 import static org.dependencytrack.persistence.jdbi.JdbiFactory.inJdbiTransaction;
@@ -67,7 +60,7 @@
  * @author Christian Banse
  * @since 5.7.0
  */
-@Path("/")
+@Provider
 public class AdvisoriesResource extends AbstractApiResource implements AdvisoriesApi {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(AdvisoriesResource.class);
@@ -252,78 +245,4 @@ public Response getAdvisoryById(UUID id) {
         return Response.ok(response).build();
     }
 
-    @Override
-    @PermissionRequired(Permissions.Constants.VIEW_VULNERABILITY)
-    public Response listAdvisoriesForProject(UUID projectUuid, String pageToken, Integer limit) {
-        final Page<ListProjectAdvisoriesRow> projectAdvisories =
-                inJdbiTransaction(getAlpineRequest(), handle -> {
-                    requireProjectAccess(handle, projectUuid);
-
-                    final long projectId = handle.attach(ProjectDao.class).getProjectId(projectUuid);
-
-                    return handle.attach(AdvisoryDao.class).listForProject(
-                            new ListAdvisoriesForProjectQuery(projectId)
-                                    .withPageToken(pageToken)
-                                    .withLimit(limit));
-                });
-
-        final var responseItems = projectAdvisories.items().stream()
-                .<ListProjectAdvisoriesResponseItem>map(
-                        advisory -> ListProjectAdvisoriesResponseItem.builder()
-                                .id(advisory.id())
-                                .publisher(advisory.publisher())
-                                .name(advisory.name())
-                                .version(advisory.version())
-                                .url(advisory.url())
-                                .title(advisory.title())
-                                .format(advisory.format())
-                                .seenAt(advisory.seenAt() != null
-                                        ? advisory.seenAt().toEpochMilli()
-                                        : null)
-                                .lastFetched(advisory.lastFetched() != null
-                                        ? advisory.lastFetched().toEpochMilli()
-                                        : null)
-                                .findingsCount(advisory.findingsCount())
-                                .build())
-                .toList();
-
-        final var response = ListProjectAdvisoriesResponse.builder()
-                .items(responseItems)
-                .nextPageToken(projectAdvisories.nextPageToken())
-                .total(convertTotalCount(projectAdvisories.totalCount()))
-                .build();
-
-        return Response.ok(response).build();
-    }
-
-    // TODO: What is the purpose of this endpoint? Do we really need it?
-    //  Can we include this in a more general /findings endpoint and add a filter option
-    //  for advisories, e.g. `/findings?project_uuid=foo&advisory_id=bar`?
-    @Override
-    @PermissionRequired(Permissions.Constants.VIEW_VULNERABILITY)
-    public Response getFindingsByProjectAdvisory(UUID projectUuid, UUID advisoryId) {
-        return inJdbiTransaction(getAlpineRequest(), handle -> {
-            requireProjectAccess(handle, projectUuid);
-
-            final long projectId = handle.attach(ProjectDao.class).getProjectId(projectUuid);
-
-            List<AdvisoryDao.ProjectAdvisoryFindingRow> advisoryRows = handle.attach(AdvisoryDao.class)
-                    .getFindingsByProjectAdvisory(projectId, advisoryId);
-            final long totalCount = advisoryRows.size();
-
-            final List<ListProjectAdvisoryFindingsResponseItem> responseItems = advisoryRows.stream()
-                    .<ListProjectAdvisoryFindingsResponseItem>map(
-                            row -> ListProjectAdvisoryFindingsResponseItem.builder()
-                                    .name(row.name())
-                                    .confidence((int) row.confidence())
-                                    .desc(row.desc())
-                                    .group(row.group())
-                                    .version(row.version())
-                                    .componentUuid(UUID.fromString(row.componentUuid()))
-                                    .build())
-                    .toList();
-
-            return Response.ok(responseItems).header(TOTAL_COUNT_HEADER, totalCount).build();
-        });
-    }
 }

apiserver/src/main/java/org/dependencytrack/resources/v2/ComponentsResource.java

@@ -22,10 +22,10 @@
 import jakarta.ws.rs.ClientErrorException;
 import jakarta.ws.rs.NotAuthorizedException;
 import jakarta.ws.rs.NotFoundException;
-import jakarta.ws.rs.Path;
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.UriInfo;
+import jakarta.ws.rs.ext.Provider;
 import org.apache.commons.lang3.StringUtils;
 import org.dependencytrack.api.v2.ComponentsApi;
 import org.dependencytrack.api.v2.model.CreateComponentRequest;
@@ -48,7 +48,7 @@
 import static org.dependencytrack.resources.v2.mapping.ModelMapper.mapOrganizationalContacts;
 import static org.dependencytrack.util.PersistenceUtil.isUniqueConstraintViolation;
 
-@Path("/")
+@Provider
 public class ComponentsResource extends AbstractApiResource implements ComponentsApi {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(ComponentsResource.class);

apiserver/src/main/java/org/dependencytrack/resources/v2/CsafResource.java

@@ -22,8 +22,8 @@
 import jakarta.inject.Inject;
 import jakarta.ws.rs.BadRequestException;
 import jakarta.ws.rs.NotFoundException;
-import jakarta.ws.rs.Path;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.Provider;
 import org.dependencytrack.api.v2.CsafApi;
 import org.dependencytrack.api.v2.model.CreateCsafAggregatorRequest;
 import org.dependencytrack.api.v2.model.CreateCsafProviderRequest;
@@ -59,7 +59,7 @@
  *
  * @since 5.7.0
  */
-@Path("/")
+@Provider
 public class CsafResource extends AbstractApiResource implements CsafApi {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(CsafResource.class);

apiserver/src/main/java/org/dependencytrack/resources/v2/ExtensionsResource.java

@@ -26,8 +26,8 @@
 import jakarta.json.Json;
 import jakarta.ws.rs.BadRequestException;
 import jakarta.ws.rs.NotFoundException;
-import jakarta.ws.rs.Path;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.Provider;
 import org.dependencytrack.api.v2.ExtensionsApi;
 import org.dependencytrack.api.v2.model.GetExtensionConfigResponse;
 import org.dependencytrack.api.v2.model.ListExtensionPointsResponse;
@@ -69,7 +69,7 @@
 /**
  * @since 5.7.0
  */
-@Path("/")
+@Provider
 public class ExtensionsResource extends AbstractApiResource implements ExtensionsApi {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(ExtensionsResource.class);

apiserver/src/main/java/org/dependencytrack/resources/v2/MetricsResource.java

@@ -19,8 +19,8 @@
 package org.dependencytrack.resources.v2;
 
 import alpine.server.auth.PermissionRequired;
-import jakarta.ws.rs.Path;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.Provider;
 import org.dependencytrack.api.v2.MetricsApi;
 import org.dependencytrack.api.v2.model.ListVulnerabilityMetricsResponse;
 import org.dependencytrack.api.v2.model.ListVulnerabilityMetricsResponseItem;
@@ -34,7 +34,7 @@
 import static org.dependencytrack.persistence.jdbi.JdbiFactory.inJdbiTransaction;
 import static org.dependencytrack.persistence.jdbi.JdbiFactory.withJdbiHandle;
 
-@Path("/")
+@Provider
 public class MetricsResource extends AbstractApiResource implements MetricsApi {
 
     @Override

apiserver/src/main/java/org/dependencytrack/resources/v2/ProjectsResource.java

@@ -20,34 +20,41 @@
 
 import alpine.server.auth.PermissionRequired;
 import jakarta.ws.rs.NotFoundException;
-import jakarta.ws.rs.Path;
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.UriInfo;
+import jakarta.ws.rs.ext.Provider;
 import org.dependencytrack.api.v2.ProjectsApi;
 import org.dependencytrack.api.v2.model.CloneProjectInclude;
 import org.dependencytrack.api.v2.model.CloneProjectRequest;
 import org.dependencytrack.api.v2.model.CloneProjectResponse;
 import org.dependencytrack.api.v2.model.ListComponentsResponse;
 import org.dependencytrack.api.v2.model.ListComponentsResponseItem;
+import org.dependencytrack.api.v2.model.ListProjectAdvisoriesResponse;
+import org.dependencytrack.api.v2.model.ListProjectAdvisoriesResponseItem;
+import org.dependencytrack.api.v2.model.ListProjectAdvisoryFindingsResponseItem;
 import org.dependencytrack.auth.Permissions;
 import org.dependencytrack.common.pagination.Page;
 import org.dependencytrack.model.Component;
+import org.dependencytrack.persistence.jdbi.AdvisoryDao;
+import org.dependencytrack.persistence.jdbi.AdvisoryDao.ListProjectAdvisoriesRow;
 import org.dependencytrack.persistence.jdbi.ComponentDao;
 import org.dependencytrack.persistence.jdbi.ProjectDao;
 import org.dependencytrack.persistence.jdbi.command.CloneProjectCommand;
+import org.dependencytrack.persistence.jdbi.query.ListAdvisoriesForProjectQuery;
 import org.dependencytrack.resources.AbstractApiResource;
 import org.owasp.security.logging.SecurityMarkers;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.List;
 import java.util.UUID;
 
 import static org.dependencytrack.persistence.jdbi.JdbiFactory.inJdbiTransaction;
 import static org.dependencytrack.resources.v2.mapping.ModelMapper.mapHashes;
 import static org.dependencytrack.resources.v2.mapping.ModelMapper.mapLicense;
 
-@Path("/")
+@Provider
 public class ProjectsResource extends AbstractApiResource implements ProjectsApi {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(ProjectsResource.class);
@@ -136,4 +143,76 @@ public Response cloneProject(final UUID projectUuid, final CloneProjectRequest r
                 .build();
     }
 
+    @Override
+    @PermissionRequired(Permissions.Constants.VIEW_VULNERABILITY)
+    public Response listAdvisoriesForProject(UUID uuid, String pageToken, Integer limit) {
+        final Page<ListProjectAdvisoriesRow> projectAdvisories =
+                inJdbiTransaction(getAlpineRequest(), handle -> {
+                    requireProjectAccess(handle, uuid);
+
+                    final long projectId = handle.attach(ProjectDao.class).getProjectId(uuid);
+
+                    return handle.attach(AdvisoryDao.class).listForProject(
+                            new ListAdvisoriesForProjectQuery(projectId)
+                                    .withPageToken(pageToken)
+                                    .withLimit(limit));
+                });
+
+        final var responseItems = projectAdvisories.items().stream()
+                .<ListProjectAdvisoriesResponseItem>map(
+                        advisory -> ListProjectAdvisoriesResponseItem.builder()
+                                .id(advisory.id())
+                                .publisher(advisory.publisher())
+                                .name(advisory.name())
+                                .version(advisory.version())
+                                .url(advisory.url())
+                                .title(advisory.title())
+                                .format(advisory.format())
+                                .seenAt(advisory.seenAt() != null
+                                        ? advisory.seenAt().toEpochMilli()
+                                        : null)
+                                .lastFetched(advisory.lastFetched() != null
+                                        ? advisory.lastFetched().toEpochMilli()
+                                        : null)
+                                .findingsCount(advisory.findingsCount())
+                                .build())
+                .toList();
+
+        final var response = ListProjectAdvisoriesResponse.builder()
+                .items(responseItems)
+                .nextPageToken(projectAdvisories.nextPageToken())
+                .total(convertTotalCount(projectAdvisories.totalCount()))
+                .build();
+
+        return Response.ok(response).build();
+    }
+
+    @Override
+    @PermissionRequired(Permissions.Constants.VIEW_VULNERABILITY)
+    public Response getFindingsByProjectAdvisory(UUID uuid, UUID advisoryId) {
+        return inJdbiTransaction(getAlpineRequest(), handle -> {
+            requireProjectAccess(handle, uuid);
+
+            final long projectId = handle.attach(ProjectDao.class).getProjectId(uuid);
+
+            List<AdvisoryDao.ProjectAdvisoryFindingRow> advisoryRows = handle.attach(AdvisoryDao.class)
+                    .getFindingsByProjectAdvisory(projectId, advisoryId);
+            final long totalCount = advisoryRows.size();
+
+            final List<ListProjectAdvisoryFindingsResponseItem> responseItems = advisoryRows.stream()
+                    .<ListProjectAdvisoryFindingsResponseItem>map(
+                            row -> ListProjectAdvisoryFindingsResponseItem.builder()
+                                    .name(row.name())
+                                    .confidence((int) row.confidence())
+                                    .desc(row.desc())
+                                    .group(row.group())
+                                    .version(row.version())
+                                    .componentUuid(UUID.fromString(row.componentUuid()))
+                                    .build())
+                    .toList();
+
+            return Response.ok(responseItems).header(TOTAL_COUNT_HEADER, totalCount).build();
+        });
+    }
+
 }