Releases: eclipse-sw360/sw360
Release list
sw360-20.1.0-rc-2
sw360-20.1.0-rc-2
This is the second release candidate for SW360 in the line of the next minor release version 20.1.0 of SW360. The candidate includes numerous features, corrections, and improvements over the previous release 20.1.0-rc-1
This release serves as a preview of the upcoming minor version 20.1.0 for testing and should not be used in production environments.
Highlight of the changes includes:
- Authentication & Authorization: Added multi-issuer JWT support with a per-issuer
jwk-set-urioverride, accepted JWTs from trusted issuers, wiredJWT_KEYSTORE, returned the plaintextclient_secretonce on creation, and associated each OAuth client with its owning user (breaking change, seefix(auth)!: associate user with client). - REST API Enhancements: Added an
attachmentAuthorfilter onGET /projects, manual scheduler-trigger APIs with scheduler refactoring, authenticated report download links, and search flags for empty BU and empty tags on projects. - Obligations & Reports: Allowed updating obligations of all levels at once, and RFC 5987-encoded the
Content-Dispositionfilename in report downloads. - SVM Integration: Optimized SW360 & SVM delta synchronization and simplified the SVM delta sync configuration.
- Build & CI: Added Spotless as a Maven plugin, required Maven 3.9, added a GitHub Actions step summary, and many dependencies bumped via Dependabot.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> ADITYA-CODE-SOURCE <adityavishe67@gmail.com>
> amritkv <er.akverma8@gmail.com>
> Bibhuti Bhusan Dash <bibhuti230185@gmail.com>
> Dearsh Oberoi <oberoidearsh@gmail.com>
> dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
> developharsh <harsh237hk@gmail.com>
> Farooq Fateh Aftab <farooq-fateh.aftab@siemens.com>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> rudra-superrr <prabhuchopra@gmail.com>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
df2a49e5cfeat: add batch summary endpoint for release lookupsc23ea8d66feat(authorization): support multi-issuersf06255f34feat(rest): add attachmentAuthor filter parameter to GET /projects endpointef7fa8a47feat(rest): per-issuer jwk-set-uri override6865f9a4ffeat(Scheduler): Added api to manually trigger the schedulers and refactor the apis8e09f74f3feat(SVM): Optimize the sync between SW360 and SVM9ad41c460feat(report): authenticating the report download link.884002335feat(search): flag to search empty tags in projectsa685a9ffcfeat(search): flag to search empty bu in projects
Corrections
a23a010d4fix(components): prevent duplicate components by name only, case insensitive4f8967a08fix(rest): fetch sub-project attachment usages for LicenseInfo report2f70346b4fix(project): show transitive sub-project releases in licenseClearing and attachmentUsage endpointsfe216246bfix(report): RFC 5987 encode Content-Disposition filename and reduce debug log verbosityec7903049fix(obligations): add functionality to update obligations of all levels3bb28a0aafix(pom): require maven 3.9 needed10102bec5fix(lucene): remove leading wildcard configuration since Nouveau does not support it.bc2eab4fffix(docker): wire JWT_KEYSTORE and keyea6fa51a4fix(auth): persist JWT signing key from keystore2ab7ffadffix(rest): preserve user roles, enforcing scopefaa394244fix(rest): accept JWTs from trusted issuersd258e0a66fix(auth): accept JWT token from frontend80e5f495dfix(auth)!: associate user with client8b60c44abfix(auth): return plaintext client_secret once533876e03fix(cloudant): set URL before anything elsed65cd86fafix(obligations): add obligations of status deferred to parent project to all obligations endpoint30354026efix(DBConnector): prevent NPE in getDistinctSortedStringKeys
Infrastructure
ba641d2f4chore(vulnerability): guards against NPEe220f7ecfperf(DB): use singleton for design and indexesc95528d34chore(spotless): add spotless as a plugin77aead739chore(deps): bump org.junit.platform:junit-platform-launcher25537a451chore(deps): bump junit.version from 6.0.3 to 6.1.0ed4e8926fchore(deps): bump step-security/harden-runner from 2.19.3 to 2.19.4106c4030dchore(deps): bump keycloak.version from 26.6.1 to 26.6.253235a988chore(deps): bump docker/build-push-action from 7.1.0 to 7.2.0751146e6achore(deps): bump github/codeql-action from 4.35.4 to 4.35.5a1c956fbbchore(deps): bump keycloak/keycloak from 26.6.1 to 26.6.2b93cc55f6chore(deps-dev): bump org.apache.maven.plugins:maven-enforcer-plugin19e5329b3perf(obligation): optimize the steams86333ea78chore(deps): bump com.google.code.gson:gson from 2.13.2 to 2.14.0a71baccf3chore(deps-dev): bump io.github.git-commit-id:git-commit-id-maven-pluginfbe707f18chore(deps): bump commons-cli:commons-cli from 1.10.0 to 1.11.0cce7dafa3chore(deps): bump org.mockito:mockito-core from 5.21.0 to 5.23.042b794e32chore(deps): bump org.json:json from 20250517 to 20251224d56c59d00chore(deps-dev): bump nl.jqno.equalsverifier:equalsverifiere9991b30cchore(deps): bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.3250e4e71a9chore(deps): bump jakarta.xml.bind:jakarta.xml.bind-apiad653f2f5chore(deps): bump org.spdx:java-spdx-library from 2.0.2 to 2.0.34cb50dd26chore(deps): bump org.projectlombok:lombok from 1.18.38 to 1.18.464964d11dcchore(deps): bump org.apache.maven.plugins:maven-resources-pluginba18507ecchore(deps): bump org.jboss.logging:jboss-loggingd80f0fd8dchore(deps): bump jaxen:jaxen from 2.0.0 to 2.0.3a6a95b111chore(deps): bump commons-io:commons-io from 2.20.0 to 2.22.0835dda3e4chore(deps): bump org.apache.maven.plugins:maven-failsafe-plugin05ca948c8chore(deps): bump org.jetbrains:annotations from 26.0.2-1 to 26.1.05933a825achore(deps): bump joda-time:joda-time from 2.14.0 to 2.14.2b5eb5734bchore(deps-dev): bump org.apache.maven.plugins:maven-assembly-plugin81f032588chore(deps-dev): bump org.codehaus.mojo:versions-maven-plugina6e9f835bchore(deps): bump org.owasp.encoder:encoder from 1.3.1 to 1.4.05bd330001chore(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14aba0ea009chore(deps-dev): bump org.apache.maven.plugins:maven-war-plugine12613460chore(deps): bump log4j2.version from 2.25.4 to 2.26.08c2bd8c5achore(deps): bump org.ow2.asm.version from 9.9.1 to 9.105ba4da017chore(deps-dev): bump net.bytebuddy:byte-buddy from 1.17.8 to 1.18.872a4910eechore(deps): bump org.wiremock:wiremock-standalone from 3.13.1 to 3.13.2c00bb0674chore(deps): bump org.glassfish.jaxb:jaxb-runtime from 4.0.6 to 4.0.8e77e2920bchore(deps): bump step-security/harden-runner from 2.19.1 to 2.19.3400e2b7d7chore(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0e9bfa51c2chore(deps): bump org.springframework.security:spring-security-oauth2-authorization-serverdcdda3c64chore(deps): bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre59e398084chore(deps): bump slf4j.version from 2.0.17 to 2.0.18c490401cdchore(deps): bump org.apache.maven.plugins:maven-surefire-plugin1d94b6814chore(deps): bump commons-codec:commons-codec from 1.20.0 to 1.22.070db3d143chore(rest): remove unused spring propertiesbe2726522chore(auth): align JWT keystore helper scriptse2914b5ecchore(docker): sync docker with actual configec56521b0refactor(svm): simplify SVM delta sync config1a4c392b4chore(ci): Added github step summary
sw360-20.1.0-rc-1
sw360-20.1.0-rc-1
This is the first release candidate for SW360 in the line of the next minor release version 20.1.0 of SW360. The candidate includes numerous features, corrections, and improvements over the previous release 20.0.0
This release serves as a preview of the upcoming minor version 20.1.0 for testing and should not be used in production environments.
Highlight of the changes includes:
- REST API Enhancements: Added
PATCH /ecc/{releaseId}with ECC status filtering, file-based caching for the releases endpoint, and a project detail tab pill-count endpoint with updated response structure. - Export Improvements: Extended project report export options with CSV, JSON, and XML formats in addition to spreadsheet output.
- Security Hardening: Added
@PreAuthorizeguards to license and attachment admin endpoints, strengthened authentication/authorization paths, sanitized attachment filenames to prevent path traversal, and hardened CORS/CSP behavior including Swagger CSP fixes. This release also allows disabling of basic auth and unifies Bearer token authentication across the board. - Performance Optimizations: Removed an N+1 package query by release IDs, improved LicenseInfo cache lookup from O(n) to O(1), and switched license-type usage counting to an indexed CouchDB view.
- Keycloak Provider Packaging: Consolidated provider packaging via shading, reduced provider artifacts to 3 jars, lowered classpath conflicts, and improved Keycloak startup time.
- Framework Upgrades: Upgraded runtime and security baselines to Spring Boot 4.x and Spring Security 7.x, and migrated tests from JUnit 4 to JUnit 5.
- Bug Fixes: Resolved thread-safety issues in
ProjectDatabaseHandlerand department import scheduling, fixed resource leaks across streams and Thrift clients, and improved HTTP error mapping for 404/403/409 paths. - Container & CI: Added Sigstore/Cosign image signing in CD and published JaCoCo coverage reports as CI artifacts.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> aaryan359 <aaryanmeena96@gmail.com>
> Abhay349 <pandeyabhay967@gmail.com>
> Aditya Vishe <adityavishe67@gmail.com>
> afsahsyeda <afsah.syeda@siemens-healthineers.com>
> Agastya Kataria <katariaa@tcd.ie>
> Alex <alextanzhao22@gmail.com>
> Aman-Cool <aman017102007@gmail.com>
> amritkv <er.akverma8@gmail.com>
> Bhawani Shanker Sharma <bhawanishanker2005@gmail.com>
> Bibhuti Bhusan Dash <bibhuti230185@gmail.com>
> Dearsh Oberoi <oberoidearsh@gmail.com>
> dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
> developharsh <harsh237hk@gmail.com>
> Elbialy0 <mahmoudelbialy109@gmail.com>
> Farooq Fateh Aftab <farooq-fateh.aftab@siemens.com>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> himanshu07gupta <himanshu29gupta0703@gmail.com>
> Kareem74x <kareemmostafa74x@gmail.com>
> Kaushlendra Pratap <kaushlendra-pratap.singh@siemens.com>
> Keerthi B L <keerthi.bl@siemens.com>
> Mahmoud Abdulmawlaa <m.elbaadishy@gmail.com>
> manhuu14 <umanhuu@gmail.com>
> Nikesh Kumar <kumar.nikesh@siemens.com>
> Priya Sharma <priyasharma1001a@gmail.com>
> rudra-superrr <prabhuchopra@gmail.com>
> Sandip Mandal <sandipsmmandal02@gmail.com>
> Shivamrut <gshivamrut@gmail.com>
> Suhyeon Park <ssantta999@gmail.com>
> Sushant Kumar <sushant.kumar@siemens-healthineers.com>
> Uddeshya <srivastavauddeshya98@gmail.com>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
a1468ca38feat(security): unify Bearer auth8e2ff4f02feat(security): make basic auth configurablec938d39a2feat(UI): Add expand/collapse functionality for projects with sub-projects9fb25453dfeat(rest): unify authentication authoritiesc3f4c6762feat(ci): upload JaCoCo reports to artifactsc8a7811c9feat(rest): add PATCH /ecc/{releaseId} and eccStatus filter to GET /ecc552804a36feat(release): catch and log exception silently3a02df85dfeat(Component): Added pagination and sorting for release overview in componentsfe17994e3feat(projects): get sorted groupsfba763c5afeat(project-pill): simplify codec8803e5b9feat(project): enhance project detail tab counts with new response structure and testsc3f4576dafeat(project): add endpoint and tests for project detail tab pill countsc473c1db9feat(cd): sign container images00a0e04f1feat(cache): update default cache directory06a7fb602feat(rest): add file-based API response cache for releases endpointc6edadfe7feat(export): add CSV, JSON, XML export formats for project reportsb92b07274feat(keycloak): update old README.md014c57440feat(kc-tf): add helper script to migrate tokens3cfdb9590feat(thrift): add build dependencies
Corrections
2236df6c1fix(csrf): enable and document CSRF7f7eb90c7Fix(Rest): Added code to fix exactmatch search if name is case-insensitive3d7b9121efix(users): revert default behavior85bd7d11afix(rest): Added code to filter user based on givenname lastname emailid.5d3913d23fix(docs): fix docker application templatefc4e4045efix(rest): register JwtAuthenticationProvidereb694593afix(rest): allow /api root read for READ tokensbdfaa110ffix(rest): handle broken pipe gracefully7b99a4d15fix(backend): prevent thread blocking in scheduler22780de39fix(backend): upgrade SVM client, add custom JKS57786ed2bfix(user): catch Runtime error of unknown userbc8d31677fix(ExportSpreadsheet): Fixed export spreadsheet in project with search results4eaf7ac4dfix(changelog): fix timestamp format to show just the date0c953166efix(keycloak): gson dependency issue.5596befa2fix(surefire): fix args and mockito jar patha19247a36fix(test): remove System.out and System.err643094cacfix(changelog): add sorting by change timestamp in changelogded8aa233fix(rest): use BadRequestClientException instead of RuntimeException98d5dadddfix(rest): correct status code, improve error messages, add test2c1e30d09fix(rest): return 500 instead of 200 on license update failure8a127bb4dfix(rest): Preserve 404/403 and others when mapping controller exceptions7f1347d59fix(rest): extract PasswordEncoder config to fix circular dependency7029ef920fix(rest): filter license obligations by project release main...dfbd81a4afix(Rest) : Backend API for All Obligation Tab0ff1aa515fix(UserHandler): fix compiler symbol not found3568c988efix: Prevent externalId overwrite in getByEmailOrExternalId5c90f3a57fix(users): :Update differing externalId in getByEmailOrExternalId75e5aaf89fix(http-support): implement native file request body support3b812a63ffix(http-support): correct native request builder URI/body/header semantics3a4ce2737fix(security): add @PreAuthorize ADMIN check to AttachmentCleanUpControllerec5eba472fix(base): remove duplicate @PreAuthorize annotation from ScheduleAdminController6b223609ffix(rest): Add missing @PreAuthorize annotations on license endpoints813381a34fix(css): fix code scanning alert no. 96ebd497894fix(css): fix code scanning alert no. 95cf2f6a365fix(rest): prevent empty email backend queriesac6add4c9fix(rest): migrate custom serializers to Jackson 364e4a15d5fix(rest): update CSP configuration for swaggere44954bf2fix(LicenseInfo): use SPDX ID for obligation-to-license mapping41fa5997ffix(rest): harden headers and fix CORS origin787b5aa7ffix(rest): add detailed exception handling for patchClearingRequestf7ab7bf36fix(vul): hande not found exceptions for loading releases/candidates while fetching vulnerabilities1701644b9fix(backend): fix thread safety in ProjectDatabaseHandlerd466912ddfix(licenseinfo): accumulate all obligations per license in DOCX report687ca811cfix(db): csv-reader resource leak in UserDatabaseHandler4a84ee580fix(vmcomponents): resource leak in svmutils9f3ab07b8fix(rest): avoid NPE on JWKS API-token auth when user or OIDC client metadata is missing068c3c667fix(docker): use tag name and sha for dependabot806f15ee6fix(rest): restricting modification of fields.d2329d341fix(fossology): revert clearing state on upload/scan trigger failure048faa2d9fix(backend): add SLF4J provider to backend WARsf23134295fix: corrected the pagination counts for vendor search76a1bf898fix(thrift): add sudo in thrift docker build stage371ac33fcfix(rest): validate department log date as yyyy-MM-dd before Thrift call102c10692fix(release): check set for NPEa947e0228fix(rest): resolve Authorization header lookup via servlet getHeader2020b2d44fix(rest): sanitize filename in addAttachment to prevent path traversalf34128ed6fix(release-service): ensure proper lock handling in Fossology process1c79fa170fix(http-support): make NewHttpClientImpl.execute non-blocking1835e799cfix(licenseinfo): Fix project clearing report issuesb57ec9665fix(user): prevent permanent import lockout on unchecked exceptions...46699bfc8fix(projects): fix NPE and Thrift client leak in attachment usage inheritanceb33414e4afix(jwt): remove nbf claim which is optional in kc45c5c6265fix(project): reduce memory consumption by using optimized CouchDB view for project cacheeb1c46bddfix(schedule): follow deploy.name pattern4fb3f28e7fix(rest): fix NPEs and missing security annotation in ProjectControllerc2c08674dfix(keycloak): add missing sl4j deps6f2c37c5cfix(license): Improve exception handlinge3f484f31fix...
sw360-20.0.0
sw360-20.0.0
We are proud to announce the release of SW360 version 20.0.0. This major release brings significant architectural changes, security enhancements, and performance improvements over the 19.2.x series. The most notable update in this version is the removal of the Liferay UI; the SW360 backend is now fully decoupled, and users must set up the new Next.js-based frontend from the eclipse-sw360/sw360-frontend repository.
Highlight of the changes in this version includes:
- Frontend Decoupling: Complete removal of the legacy Liferay UI, introducing a standalone backend with expanded endpoints to support the new Next.js frontend.
- Security Improvements: Addressed multiple vulnerabilities including XXE and path traversal, added XSS protection headers, and reinforced endpoint security.
- API & Documentation: Introduced extensive OpenAPI documentation and implemented robust pagination under the hood.
- User & Identity Management: Enhanced Keycloak user synchronization with CouchDB, and added batch processing.
- Performance & Stability: Implemented database-side pagination, optimized memory usage, and improved indexing and search speeds.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> Aashish Jha <aashishjha1107@gmail.com>
> Abhay349 <pandeyabhay967@gmail.com>
> Achal Jhawar <35405812+achaljhawar@users.noreply.github.com>
> Aditya Vishe <adityavishe67@gmail.com>
> afsahsyeda <afsah.syeda@siemens-healthineers.com>
> airajena <airajena0@gmail.com>
> Akshit Joshi <akshit.joshi@siemens-healthineers.com>
> Alex <alextanzhao22@gmail.com>
> Ali <aligadallah14@gmail.com>
> Aman-Cool <aman017102007@gmail.com>
> amritkv <er.akverma8@gmail.com>
> Bibhuti Bhusan Dash <bibhuti230185@gmail.com>
> Dearsh Oberoi <oberoidearsh@gmail.com>
> drockparashar <pranshu007parashar@gmail.com>
> Elbialy0 <mahmoudelbialy109@gmail.com>
> Farooq Fateh Aftab <farooq-fateh.aftab@siemens.com>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> harshdeveloper21 <harsh237hk@gmail.com>
> harshitg927 <121371860+harshitg927@users.noreply.github.com>
> Helio Chissini de Castro <dev@heliocastro.info>
> himanshu07gupta <himanshu29gupta0703@gmail.com>
> Himanshu A Garode <himanshu2006garode@gmail.com>
> Hritik Raj <hritik23154049@akgec.ac.in>
> Kareem74x <kareemmostafa74x@gmail.com>
> Kaushlendra Pratap <kaushlendra-pratap.singh@siemens.com>
> Keerthi B L <keerthi.bl@siemens.com>
> Mahmoud Abdulmawlaa <m.elbaadishy@gmail.com>
> Matthew Pappas <matteopappas@gmail.com>
> Md Ali <mdali620563@gmail.com>
> Mohamed Hanafy <mohamed.hanfy.dev@outlook.com>
> naitikk31 <DARJINAITIK7@GMAIL.COM>
> Nikesh Kumar <kumar.nikesh@siemens.com>
> pranayh24 <pranayheda24@gmail.com>
> Prathmesh <dhoneprathmesh72@gmail.com>
> Priya Sharma <priyasharma1001a@gmail.com>
> Rajnish Kumar <22it3036@rgipt.ac.in>
> RITANKAR SAHA <ritankar.saha786@gmail.com>
> rohit <brohit11544@gmail.com>
> Rudra Chopra <prabhuchopra@gmail.com>
> saiteja-in <vurukondasaiteja13@gmail.com>
> Sameed Ahmad <sameed.ahmad@siemens-healthineers.com>
> Sandip Mandal <sandipsmmandal02@gmail.com>
> Sathwik Hejamady Bhat <sathwikhbhat@gmail.com>
> sathwik-y <sathwik.yellapragada@gmail.com>
> Shivamrut <gshivamrut@gmail.com>
> Suhas2109 <suhas.n@siemens-healthineers.com>
> suvrat1629 <suvrat1629@gmail.com>
> Taanvi Khevaria <149520227+taanvi2205@users.noreply.github.com>
> tanwar-div <tanwarkheritalwana@gmail.com>
> VanKhanhAnny <arianne.dangvankhanh@gmail.com>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
7d37bb9b8feat(version): update /version endpoint
Corrections
ba842fcaafix(UI): The Linked Packages is not appearing in the project details page, even though packages are linked to the project.29af0f8fbfix(Release): merge release issue fixed.
Infrastructure
924ca4397chore(lang): remove old README_LANG.md
sw360-20.0.0-rc-2
sw360-20.0.0-rc-2
This is the second release candidate for SW360 in the line of next major release version 20.0.0 of SW360. The candidate includes numerous features, corrections, and improvements over the previous release 20.0.0-rc-1
This release serves as a preview of the upcoming major version 20.0.0 for testing and should not be used in production environments.
Highlight of the changes includes:
- Security Enhancements: Addressed XXE vulnerabilities in parsers, fixed header injection issues, added XSS protection headers, and reinforced endpoint security.
- API & Documentation: Expanded OpenAPI documentation across multiple core controllers.
- Performance & Stability: Optimize memory usage with static client reuse.
- Infrastructure: Updated container infrastructure for v20 and improve CI checks.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> Abhay349 <pandeyabhay967@gmail.com>
> ADITYA-CODE-SOURCE <adityavishe67@gmail.com>
> afsahsyeda <afsah.syeda@siemens-healthineers.com>
> Alex <alextanzhao22@gmail.com>
> Ali <aligadallah14@gmail.com>
> Aman-Cool <aman017102007@gmail.com>
> Bibhuti Bhusan Dash <bibhuti230185@gmail.com>
> Dearsh Oberoi <oberoidearsh@gmail.com>
> dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
> Elbialy0 <mahmoudelbialy109@gmail.com>
> Farooq Fateh Aftab <farooq-fateh.aftab@siemens.com>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> harshdeveloper21 <harsh237hk@gmail.com>
> himanshu07gupta <himanshu29gupta0703@gmail.com>
> Kareem74x <kareemmostafa74x@gmail.com>
> Keerthi B L <keerthi.bl@siemens.com>
> Mahmoud Abdulmawlaa <m.elbaadishy@gmail.com>
> Matthew Pappas <matteopappas@gmail.com>
> Nikesh Kumar <kumar.nikesh@siemens.com>
> Prathmesh <dhoneprathmesh72@gmail.com>
> Priya Sharma <priyasharma1001a@gmail.com>
> rudra-superrr <prabhuchopra@gmail.com>
> saiteja-in <vurukondasaiteja13@gmail.com>
> Sandip Mandal <sandipsmmandal02@gmail.com>
> Shivamrut <gshivamrut@gmail.com>
> VanKhanhAnny <arianne.dangvankhanh@gmail.com>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
a3b728052feat(attachments): add test for attachment service064862f46feat(agents): add AGENTS.md ref existing doc857e32f78feat(vmprocess): add shutdown hook to close thread3ad882f4afeat(container): add steps for keycloak image5ff8538dffeat(container): update container for version 20fba2f20fffeat(Project): Handle case sensitive for export spreadsheet2982f9d65feat(checkstyle): add Checkstyle configuration187b7b068feat(http-support): implement file upload method in NewRequestBodyBuilderImpl18c916a29feat(AttachmentUsages): Save existing attachment usages of sub-project at parent project levele1180015efeat(Email): Enhancement of e-mail notifications for updation of project31d4b31f1feat(licenseInfo): Normalise license text and optimise performance
Corrections
3597da377fix(clearingteam): Add clearing team to project api responses8702d8c43fix(docker): correct runtime startup configuration8ac24b639fix(rest): close streams and temp files in attachment bundle download021dff813fix(rest): prevent NPE in vulnerability tracking sorting and clean error messagebd3a16194fix(report): respect withSubProject semantics for licenseInfo7e8dd3413fix: XXE vulnerability in SPDX parser09cecb788fix(license): include timestamp in backup filename9a7acdb57fix(nouveau): add ConflictException retry to putNouveauDesignDocumentada574770fix(datahandler): add ConflictException retry to putDesignDocument342df4f9cfix(attachmentUsages): fix null owner corruption and infinite recursion in sub-project inheritancef7786d1c2fix(attachment): urlencode filename to getd3ed1ce48fix(project): ClearingTeam is a string, not user1acec288dfix(Docker): add missing runtime dependencyecbac4f45fix(release): fix test of attach field in mergebdac2d5f7fix(rest): X-XSS-Protection Headerfa0e2d515fix(clearingrequest): replace per-call THttpClient with shared ThriftClients instance709dfaeacfix(rest) : Compilation error fix from different PRs2b2b0c75cfix(components): correct clearing state priority in autosetReleaseClearingState61933e7d2fix(rest): update clearing request after editing in request tab5c11a3834fix(security): Add @PreAuthorize annotation to AttachmentControllerbafbd42acfix(security): Add @PreAuthorize to ScheduleAdminControllerf874c08c2fix(project): add null checks for both project and actual in updateProject to prevent NPEb9a63e0fefix(vmcomponents): handle NPE and ClassCastException in getVulIdsPerComponentVmId (#3780)e05569f31fix(rest): Add null check for getReleaseIdToUsage() ...ffa9aad1ffix(rest): return 400 for missing required request parameters instead of 50096f1a5963fix(SvmConnector): handle missing keystore251a50819fix(backend): close FileInputStream in SvmConnector to prevent resource leak05b632d05fix(importCDX):do not alter unknown domain VCS and revert old changes0c3a7c29dfix(rest): Unauthorrrized access to backend configurations.1876d51e3fix(index): check if vcs exists61fe5227efix(view): check release.eccInformation not nulld8acc1273Fix/jwt claim validation (#3753)b33e1be65Fix CORS filter activation and allowed methods (#3735)c7534cf0efix(rest): Add logic to delete open clearing requests from request tab, when the project has deleted.34d133488fix(security): replace newInstance() with newDefaultInstance()738366d2dfix(security): fix XXE vulnerability in XML parsing79ce6f23bfix: prevent NoSuchElementException when ...1ed5584d4fix(licenseinfo): check Optional.isPresent() before get() in DocxGenerator3b0c53f2afix(CR): header injection vulnerability.de763bb7cfix: Prevent NullPointerException in Sw360ProjectService8416467effix(rest): users receive email notification to download project reports for project-only/with-linked-releases5b8bca91afix(RepositoryUrl): update default value VCS_HOST9720ece9efix(config): update VCS_HOSTS to use JSON array format for config consistencyd8e8e7502fix: Exception Swallowing in UserRepository
Infrastructure
912b15d27refactor(licenses): replace String concatenation with StringBuilderb990ed902docs(api): add Swagger @apiresponse status code documentation for additional controllers842d5ee76chore(docs/swagger): add @ApiResponses annotations for ...ba7d5a24dchore(docs/swagger): add OpenAPI annotations for ImportExportController, LicenseController and UserController3739ad2f4chore(core): remove redundant String.format76caf9ae4chore(docs/swagger): add OpenAPI annotations for ReleaseController414a2f62cchore(docs/swagger): add OpenAPI annotations for ProjectControlleraeae97f81chore(deps): bump org.springframework:spring-webmvc8979d0ec0chore(deps): bump actions/cache from 5.0.3 to 5.0.4b149d3a08chore(deps): bump github/codeql-action from 4.32.6 to 4.33.0ebe9dcc80chore(deps): bump keycloak/keycloak froma7b0cb7to8d44614e2ab8ca4dperf(cloudant): use static client with retries805205f3eperf(gson): reuse Gson objectseec790b27chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.06904e658bchore(deps): bump https://github.com/gitleaks/gitleaks93cb74714perf(licenseinfo): remove redundant stream collection in obligation mapping3584fc7f2chore(deps): bump https://github.com/pre-commit/pre-commit-hooks847926002chore(deps): bump https://github.com/compilerla/conventional-pre-commit58a065cacchore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0f904ba4f2chore(deps): bump https://github.com/pylint-dev/pylint5efa1d134chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.052c9d90b5chore(deps): bump https://github.com/gitleaks/gitleaks70ffa370bchore(deps): bump docker/metadata-action from 5.10.0 to 6.0.0a08389fc8chore(workflow): update workflow for containerse4ec0c915chore(config): remove unused config6a35ca228chore(lint): fix some style linter errors26a083764docs: update README for CouchDB password setupe13be358dchore(deps): bump docker/login-action from 3.7.0 to 4.0.09dd307df6chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.10a8c4bab5chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.08cd0f096bchore(deps): bump docker/build-push-action from 6.19.2 to 7.0.01fd521312chore(deps): bump github/codeql-action from 4.32.4 to 4.32.64df420199chore(deps): bump com.fasterxml.jackson.core:jackson-coreb35f52c48chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0043db8adbchore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.04955cc43echore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3205f8d670chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4d444ed5bfci: cancel stale PR workflow runs using concurrency
Full Changelog: sw360-20.0.0-rc-1...sw360-20.0.0-rc-2
sw360-20.0.0-rc-1
sw360-20.0.0-rc-1
This is a first release candidate for SW360 in the line of next major release version 20.0.0 of SW360. The candidate includes numerous features, corrections, and improvements over the previous release 20.0.0-beta
This release serves as a preview of the upcoming major version 20.0.0 for testing and should not be used in production environments.
Highlight of the changes includes:
- Various vulnerabilities and security fixes.
- More endpoints created for the support of new UI project.
- Improvements on KeyCloak sync and user management.
- Improved performance, better pagination, better security posture.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> Aashish Jha <aashishjha1107@gmail.com>
> Aditya Vishe <adityavishe67@gmail.com>
> afsahsyeda <afsah.syeda@siemens-healthineers.com>
> airajena <airajena0@gmail.com>
> Akshit Joshi <akshit.joshi@siemens-healthineers.com>
> Ali <aligadallah14@gmail.com>
> Aman_Cool <aman017102007@gmail.com>
> amritkv <er.akverma8@gmail.com>
> Bibhuti Bhusan Dash <bibhuti230185@gmail.com>
> drockparashar <pranshu007parashar@gmail.com>
> Farooq Fateh Aftab <farooq-fateh.aftab@siemens.com>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> Helio Chissini de Castro <dev@heliocastro.info>
> Hritik Raj <hritik23154049@akgec.ac.in>
> Keerthi B L <keerthi.bl@siemens.com>
> Md Ali <mdali620563@gmail.com>
> naitikk31 <DARJINAITIK7@GMAIL.COM>
> Nikesh kumar <kumar.nikesh@siemens.com>
> RITANKAR SAHA <ritankar.saha786@gmail.com>
> Rohit11544 <brohit11544@gmail.com>
> Rudra Chopra <prabhuchopra@gmail.com>
> saiteja-in <vurukondasaiteja13@gmail.com>
> Sameed <sameed.ahmad@siemens-healthineers.com>
> Sandip Mandal <sandipsmmandal02@gmail.com>
> Sathwik Hejamady Bhat <sathwikhbhat@gmail.com>
> Shivamrut <gshivamrut@gmail.com>
> Suhas2109 <suhas.n@siemens-healthineers.com>
> Taanvi Khevaria <149520227+taanvi2205@users.noreply.github.com>
> tanwar-div <tanwarkheritalwana@gmail.com>
Please note that also many other persons usually contribute to the project with
reviews, testing, documentations, conversations or presentations.
Features
917b70103feat(rest): add configurable API token length property638345288feat(ai): add initial AI safeguards for backend026265668feat(search): double quotes search functionality.2e7db457ffeat(rest): Optimize addLicenseToLinkedReleases() with parallel executionff859fe0bfeat(resourceserver): Add endpoint to fetch linked packages for a releasedb5ee473dfeat(kc): update KC UserGroup if exists in CouchDBf935901b8feat(attachmentUsage): Store Ignore Licenses for Generating License Info in Attachment Usage5916e035afeat(attachmentUsage): Store Ignore Licenses for Generating License Info in Attachment Usage321bcb493feat(attachmentUsage): Store Ignore Licenses for Generating License Info in Attachment Usage42e6dff0ffeat(version): Add /version endpoint to use by frontend and API only applicationsd18521ac8feat(swagger): Add s runtime switch for swagger authentication4d12ca7b7feat(Request): Show open MR to the creator3dd17445ffeat(REST): Add includeSubproject parameter to licenseInfof4a0adbf8feat(KeyCloak): Use UserRepositoryf8cefd7e8feat(rest) : Endpoint to fetch UsageInfo for release merge8094c5a9efeat(CR): Add pagination and filtering to clearing requests endpoint9b43ebfa7feat(backend): enhance error logging in ComponentDatabaseHandler.getComponentc74ee8d80feat(OSADL): use Spring flex for reactive import7dad3fdbafeat(obligations): get texts as separate nodesce1c38c47feat(Vulnerability): Added svm link for external idf13ea427ffeat(CycloneDX): Added null check for export SBOM54c453f83feat(rest): enhance licenses API with missing fields and quick filter029f741adfeat(projects): endpoint to read projectsd48cef8c4feat(vulnerabilities): search on title or CVE3bc125355feat(rest): add ISR attachment support to licenseFileList endpoint34df8a27dfeat(rest): add attachmentId query param to licenseFileList endpointaecaf2053feat(xss): migrate deserialize logic to Jacksond356a4663feat(search): add sorting index for lucene searchb4834c223feat(rest): api for importing users via a .csv file83dc08ba3feat(ImportCDX): remove VCS URL redirection logic9d4afa6abfeat(rest): Api endpoint to retrieve package usage count5eb295ef6feat(rest): Get license clearing counts based on clearing status47060fe70feat(docker): Add SW360_IMAGE var to enable custom images722d6d0c7feat(report) : show release name under acknowledgement in readmeoss file.53a00d797feat(project): add tags to embedded0ba195593feat(Obligation) : Fields_missing_in_GET_PATCH_call_to_obligation_at_project_pagef4f7c1ff9feat(Obligation) : Fields_missing_in_GET_PATCH_call_to_obligation_at_project_page9ac3c44fffeat(Rest): Added comment for package table in LinkedPakagescb4c2017efeat(importCDX): make CDX importer compatible for non-package comps264e8a004feat(ci): use couchdb as actions service9c0938aa4feat(project): Add clearingRequestId to getAllProjects endpoint responsec6a244828feat(fossology): v2 endpoints refactor36a51de30feat(release): paginate /releases endpointa631711b0feat(ClearingRequest): Count all non-OSS components in the CR comments
Corrections
d1c7b7adbfix(attachment): handle url-encoded filenamesaa0e3e2dcfix(component): file path traversal vulnerability.8f70ebd3cfix(rest): add ADMIN authorization to sensitive API endpointsf3acb380dfix(rest): Prevent NullPointerException in VulnerabilityController.getSortedListb408799cefix(rest): close streams in license upload/downloadf6510d7e3fix(CDXImporter): Do not remove valid URL string after .git9c35d0504fix(rest): correct OSADL license obligations error messageb5ef67b8bfix(security): Add missing @PreAuthorize annotation on OSADL import endpointcd2dc45f4fix(version): fix version comment5d45a48f5fix(rest): Correct Swagger UI API request URL pathbe75a83e2fix(Moderation): Prevent empty moderation requests when no release changes detected7079b715cfix(rest): prevent silent data loss in obligation update06c98bb2afix(Project): LicenseClearing count to follow camelCasinge9874d9cffix(rest) : FilenameChanges for ComponentReport Download from Mail-URLdc6d1cb16fix(rest): Map vcs field correctly in component update request06d7d6462fix(controller): fix catch statement21740eda4fix(rest): prevent null in HAL response for missing licensese1a5efa8ffix(attachment): Prioritize attachment filename from request body608a18578fix: make project mainlineState field required (#3543)f93bfeeb3fix(docs): fix broken link to Liferay setup20234d333fix: add batch endpoint for license clearing counts to remove 502 errors0fd5d09d5fix(KeyCloak): Organization Mapper missing in backend16a36f1cffix(Obligation): Fixed update obligation499def947fix(vendors): fix search and paginationc055617fafix(swagger): Use the real backend, not hardcoded localhostdb13b73a0fix(clearingRequest): add missing fieldsacca246d8fix(CR): Allow multiple state values in CR state param (#3570)b5484d18afix(rest): Add shortname field to license REST API response.a2e247a93fix(LicenseInfo): null check for license text.bbaf2d9b9fix(rest): Correct 'obliagtion' typo to 'obligation'a3e595109fix(backend) : Merged release updation failure in restricted projects.8edaedc10fix(obligation): fix the pagination /obligations47b184e77fix(test): fix test cases for OSADL importa1ae300a4fix(licenses): resolve OSADL import errore13121ee1fix(obligations): new function getWithTextNodes8eebe39d9fix(rest): allow external license references in release updates63cf6c684fix: Disable arm64 docker builds for nowfe64dad20fix(rest) : Project Obligation should have default status "Open"8c0dc42d0fix(licenses): create new search function17ec8de50fix(projects): handle empty project searches168b6dd4cfix(docs): fix doc for /network/{id}/ endpoints738123fcafix(rest): sync CSV import with old code3fff93d20fix(component): accept comment in requestBody482d3a056fix(component): allow mr comment with delete19337ae09fix(release): allow mr comment with delete5b52d84c3fix(project): add validation for empty keys in project fields888f3e71dfix(api): send both read and write properties8ce3bbcfefix(config): fix disable of API write tokend4c268d3bfix(attachments): prevent deletion of attachments shared by multiple releases30a17542efix(REST):null error in license info2b9385c71fix(docker): Use the correct Thrift binary923df8c45fix(Dockerfile): fix version of mavenc7396754ffix(docker): Remove apt cache38f7c551dfix(docker): use new ubuntu-nobel for thrift95eaf2f15fix(docker): fix version to mentioned tags6a43cf79bfix(utils): check CR date >=dae41fabefix(script): Adding missing documentation for 062_update_packagids_to_map-pyffbd54567fix(keycloak): use version property for mavenb42052ae2fix(Release): listing the source files names for the license in release.900da12e0fix(jackson): split versions for annotation05ae5908dfix(REST): 500 internal server error on deleting a pkg linked to a release82c192a76fix(script): Modified script to include limit for fetching the query result688ca8591fix(CDXImport): Trim VCS URLs before processing196fbbaebfix(vulnerabilit...
sw360-20.0.0-beta
sw360-20.0.0-beta
This is a beta release for the next major version 20.0.0 of SW360. The release includes numerous features, corrections, and improvements over the previous release 19.2.0.
This release serves as a preview of the upcoming major version 20.0.0 for testing and should not be used in production environments.
Highlight of the changes includes:
- Various vulnerabilities and security fixes.
- More endpoints created for the support of new UI project.
- Improvements on KeyCloak sync and user management.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> Achal Jhawar <35405812+achaljhawar@users.noreply.github.com>
> bibhuti230185 <bibhuti230185@gmail.com>
> Bibhuti Bhusan Dash <bibhuti230185@gmail.com>
> deo002 <oberoidearsh@gmail.com>
> dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
> Farooq Fateh Aftab <farooq-fateh.aftab@siemens.com>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> harshitg927 <121371860+harshitg927@users.noreply.github.com>
> Himanshu A Garode <himanshu2006garode@gmail.com>
> Kaushlendra Pratap <kaushlendra-pratap.singh@siemens.com>
> Keerthi B L <keerthi.bl@siemens.com>
> Mohamed Hanafy <mohamed.hanfy.dev@outlook.com>
> Nikesh kumar <kumar.nikesh@siemens.com>
> nikesh <kumar.nikesh@siemens.com>
> pranayh24 <pranayheda24@gmail.com>
> Rajnish Kumar <22it3036@rgipt.ac.in>
> Rudra Chopra <prabhuchopra@gmail.com>
> Sameed Ahmad <141239852+sameed20@users.noreply.github.com>
> sathwik-y <sathwik.yellapragada@gmail.com>
> suvrat1629 <suvrat1629@gmail.com>
Please note that also many other persons usually contribute to the project with
reviews, testing, documentations, conversations or presentations.
Features
080b277bbfeat(importCDX): enhance importer VCS sanitizationc87d2c6b2feat(vuln): pagination on vulnerabilities endpointd588c924dfeat(project): use DB side pagination46cc985bdfeat(component): use DB side pagination13a9c716afeat(datahandler): prepare for paginated queries0ba6dd02efeat(docs): add other response types in docse4103eb3efeat(keycloak): set externalId on sync85986c781feat(Keycloak): Enhance user synchronization with batch processing and retry logice01a4e9f6feat(core): introduce quick search functionality for vulnerabilities59f5c49fdfeat(config): add old UI configs44e6f563ffeat(config): move more configs to DB64158b1bdfeat(rest): new Security user role.7be4e0675feat(Release): Need createdBy field for list of releases under a componentb25398586feat(Release) : Automate_check_for_Source_Code_Download_URL_1650178743477feat(rest): endpoint to get fossology connection configuration data.310434d5efeat(obligation): add field comparatorsa75e59bbbfeat(rest) : QuickFilter for Obligation pagebcf5141a7feat(rest) : Completed code for advance-search for packages3b929a059feat(Rest): Advance search for packages3ca1d5b6efeat(rest): add SBOM file validation for SPDX and CycloneDX formatsbbb4c6c01feat(rest): endpoint to get src file list for the licences.24d9d7df8feat(keycloak): allow thrift loc to be configured1480c0c75feat(rest): add additional fields to clearing request endpoint.c4b541310feat(rest): getting license info from release attachment's content id.d1a51acfafeat(rest): download users endpoint in CSV formatb9be6bacefeat(test): add test for invalid /mergeComponent93928eeabfeat(component): validate merge selection2086cf14dfeat(Rest): adding filter search in license clearing get endpoint.d7a6e4d28feat(ECC): Add field containsCryptography in Release ECC-Backend35aa150ebfeat(rest): fossology attachment configs to API85e406126feat(rest): added AttachmentCleanUpControllerTesteae223d9afeat(rest): added search API integration testsf5493594ffeat(rest): added tests for ecc rest endpoints
Corrections
d07f0d922fix(rest): add documentation for license types usage in admin view.37c9a5951fix(resource): no config read at init1e63f38dcfix(test): disable ssl health endpoint not used999eccda1fix(xss): test for null value for stripc75442858fix(spring): upgrade to 3.5.3 from 3.3.382e16b696fix(rest): add license type usage check and restructure delete API response8fe11c797fix(rest): add vendor existence validation in getReleases endpoint18ac76e0cfix(rest): handle missing component ID with 404 response.176a70f56fix(release): throw appropriate exceptionsde970cafdfix(rest): add endpoint to merge two releases.34ff1494efix(controller): fix access for SECURITY_USER7722ae9b0fix(component): skip should accept URLs3831b8a06fix(Rest): Only admin users can delete license types in the admin license tab.a6dec7574fix(svm): SVMSyncHandler dont return loop547611a75fix(rest): fix permission check48893d23aFix(Rest): Add quick search for license type.f1ec624adfix(bug): Fixed pagination at projects table (#3069)6f6eb2021Add proper self-link with project ID in licenseClearing endpoint (#3135)7a2680b80fix(rest) : Missing request param for downloadlicenseinfo report5432c35cdfix(components): read id for ComponentDTOaa2ca47effix(component): ComponentDTO for /splitcomponenta249b7ef1fix(component): read list of attachments for mergeab5c62292fix(rest): improve error messages for invalid SBOM file imports4e26b0553fix(cloudant): upgrade to 0.10.3 to fix gson issuef55dd3b5ffix(components): allow field createdBy43c5d1de9fix(deps): add com.sun.mail:jakarta.mail:2.0.1348337a8ffix(spdx): fix deps for spdx-library v2c8a756b10fix(sw360UserGroup): add missing CLEARING_EXPERTcdc2b5dcdfix(Security) : KeyCloak integration #3087f0f6ac7d6fix(backend): fix FossologyConfig2bfa0ae41fix(fossology): fetch download timeout from ConfigContainer repository68236f17dfix(docs): update scripts/utilities/README.md Documentation (#3066)586bdc3bbfix(project): return updated releasesbdf7648f8fix(docs): fix OpenAPI docs /fossology/saveConfig
Infrastructure
cce5b2cf9chore(release): 20.0.0 beta release4461e9ee1chore(deps): bump org.dom4j:dom4j from 2.1.4 to 2.2.00f9a61592chore(deps): bump step-security/harden-runner from 2.12.1 to 2.12.2d52f78f2cchore(deps): bump github/codeql-action from 3.29.1 to 3.29.22f76f4fc9chore(deps): bump org.apache.maven.plugins:maven-gpg-plugin3ddcf3e74chore(deps-dev): bump nl.jqno.equalsverifier:equalsverifierd1a9ce73achore(deps): bump keycloak.version from 26.2.5 to 26.3.0852f097f8chore(deps): bump tomcat fromd2f9bdcto5ea8fbd49d03be83chore(deps): bump maven fromd9f3089to615bd388bd566560perf(vuln): use views instead of mango query7ca79f030chore(rest): paginate users endpoint on DB4ee6294b9docs(controller): responses for /licensetype/usagee72f8207achore(deps): bump maven from3a4ab32tod9f30891724114c4chore(deps): bump github/codeql-action from 3.29.0 to 3.29.194d5ee4fdchore(deps-dev): bump nl.jqno.equalsverifier:equalsverifierdd8fe8decchore(deps): bump org.springframework.security:spring-security-oauth2-authorization-serverb7fc0e8a5chore(deps): bump log4j2.version from 2.24.3 to 2.25.03d4f3d68bchore(deps-dev): bump net.bytebuddy:byte-buddy from 1.17.5 to 1.17.6384f0c4d7chore(deps): bump spring-security.version from 6.5.0 to 6.5.1df8addc43chore(deps): bump docker/setup-buildx-action from 3.10.0 to 3.11.1ea9e7ab95chore(deps): bump tomcat fromf55695ftod2f9bdc64ef2aacfchore(deps): bump org.wiremock:wiremock from 3.13.0 to 3.13.1dccbe71fdchore(deps-dev): bump nl.jqno.equalsverifier:equalsverifier930c7b33dchore(deps): bump springdoc-openapi-stater-common.versionee35897bachore(deps): bump jackson.version from 2.19.0 to 2.19.176464f7bachore(deps): bump github/codeql-action from 3.28.19 to 3.29.0388c0b024chore(deps): bump step-security/harden-runner from 2.12.0 to 2.12.1d4814d4ddchore(deps): bump org.springframework:spring-web from 6.2.7 to 6.2.872787f9c2chore(deps): bump org.codehaus.mojo:build-helper-maven-plugin849b1bbcachore(deps): bump com.ibm.cloud:cloudant from 0.10.3 to 0.10.40bd9c6bd3chore(deps): bump github/codeql-action from 3.28.18 to 3.28.1998be9010bchore(deps): bump maven from933900dto3a4ab325bb6a9c5cchore(deps): bump tomcat from8058582tof55695f09ababc26chore(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2d6f94b768chore(deps): bump docker/build-push-action from 6.17.0 to 6.18.039d02c7acchore(deps): bump keycloak.version from 26.2.4 to 26.2.52f537d19achore(deps): bump io.github.git-commit-id:git-commit-id-maven-plugin24f1e19f8chore(deps): bump org.mockito:mockito-core from 5.17.0 to 5.18.06c06523dbchore(deps): bump org.apache.httpcomponents.client5:httpclient5c2bfc63c2chore(deps): bump spring-security.version from 6.4.5 to 6.5.09b3c09f76chore(mail): update MR email to include docname5dd802ff4chore(mail): added more information to the mails57f5de1a2chore(deps): bump actions/dependency-review-action from 4.7.0 to 4.7.1cfcc346f6chore(deps): bump docker/build-push-action from 6.16.0 to 6.17.0c7bc2e410chore(deps): bump github/codeql-action from 3.28.17 to 3.28.184719c400achore(deps): bump tomcat from7edbb52to8058582e51667a87chore(deps-dev): bump nl.jqno.equalsverifier:equalsverifier61e34e9b6chore(deps): bump org.json:json from 20250107 to 2025051767e95b77achore(deps): bump springframework.version from 6.2.6 to 6.2.7c9252e8b1...
sw360-19.2.0
sw360-19.2.0
This minor release includes numerous features, corrections, and improvements across the SW360 project since the 19.1.0 release.
Highlight of the changes includes:
- Various vulnerabilities and security fixes.
- Unified/simplified REST API error response with Exceptions.
- New endpoint to get and update SW360 config (also making it possible to update on fly).
- Multitude of REST API endpoint improvements and additions.
linux/amd64andlinux/arm64multi-arch docker image support.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> Akshit Joshi <akshit.joshi@siemens-healthineers.com>
> Bibhuti Bhusan dash bibhuti230185 <bibhuti230185@gmail.com>
> dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
> duonglq-tsdv <duong1.lequy@toshiba.co.jp>
> Farooq Fateh Aftab <farooq-fateh.aftab@siemens.com>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> Helio Chissini de Castro <heliocastro@gmail.com>
> hoangnt2 <hoang2.nguyenthai@toshiba.co.jp>
> Keerthi B L <keerthi.bl@siemens.com>
> mishraditi <aditimishra91924@gmail.com>
> Mohamed Hanafy <mohamed.hanfy.dev@outlook.com>
> Nikesh kumar <kumar.nikesh@siemens.com>
> Rudra Chopra <prabhuchopra@gmail.com>
> Sameed <sameed.ahmad@siemens-healthineers.com>
> Shi Qiu <shi1.qiu@toshiba.co.jp>
> Shushant <148479955+Shushant-Priyadarshi@users.noreply.github.com>
> Smruti Prakash Sahoo <smruti.sahoo@siemens.com>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
2d51a3097feat(exception): replace deprecated exceptionf133b896dfeat(Configurations): Add new endpoints that allow to GET/UPDATE SW360 configurations5fa3afec1feat(version): generate OpenAPI doc version on flyd8f6b01d8feat(Department): Add new endpoints: - Get/Update department members - Get importing department's log file list and contentedec79367feat(addNewComponentType) : Added new component type COTS-Trusted Suppliere464254befeat(rest): Added tests for upload and download componentsd8393a319feat(rest): Added endpoints to fetch schedule service statusa1a01c89dfeat(rest) : Endpoint for export SBOM at project detail pagef15fd779afeat(script): read host, user and pass as args8d5a77ee7feat(rest): new rest endpoint for edit obligation65db380b9feat(project): add new values to project state field8c17597a4feat(exportCDX): update CycloneDX exporter dependency from v1.4 to v1.6a84a42b48feat(rest): Count of attachments used in different projects.f40e72c3cfeat(rest): create new endpoint for bulk delete function927da5a54feat(rest) : Search for vendors added.45a53b4e2feat: Add multiarch for docker image6373bed28feat(rest) : Comment added to reuse methods for Duplicateobligation functionalitye764a5823feat(rest): endpoint to merge vendor.4bab8d07afeat(User): Add 2 new endpoints: - Allow Admin user to update user - List all existing department2d0664f2ffeat(rest) : Advanced Search for project pagef15ccd798feat(rest): standardize POST response to include created entity IDc273f1925feat(rest): create new endpoint to delete ModerationRequests by id.be7606f32feat(rest): create new enpoint to upload component csv file.068385703feat(api): complete advance search for components
Corrections
1b92b5135fix(spdx): add null and empty field checks for SPDX documents2d1ace631fix(ci): set min version of CMake to 3.51cb9e8f4efix(test): fix test cases for correct exceptions4cba33716fix(controller): fix further changes after rebaseeb73f32c4fix(Obligations): includes ObligationLevel in get all obligations responsesb0d1be0d0fix(security): remove WebSecurityCustomizer991eb8f0afix(xss): ignore essential headers from XSS filter00d3cb129fix(project): set fields getLicenseObligationDataef153bce9fix(obligation): fix obligation patch5f6796ee6fix(rest) : Advancesearch(AdditionalData) for project page with value based search9daf29b74fix(Project): Resolve issue with embedded type in project release response when length is 0e415d05a4fix: Set docker main and development image9038d8dd2fix: Adjust copyrights and licenses properly72dbb8c72fix(projectService): fix user role check18193631bfix(rest): Add license information linking for project releases.5336aea47fix(script): fix addUnsafeDefaultClient.sh script00b552d58fix(SPDXDocument): Fix bug add SPDX document always return faild4c0f913cfix(Token): Fix bug authentication by user token not working5b3535a9bfix(project): add more null checks for attachments0e9052f23fix(project): null check at /summaryAdministration840fa9740fix: Adjust sw360 container build for external thrifte378da720fix(Admin): fix OAuth Client deserialization and database operationscb52c1ad6fix(Rest): Create new endpoint to activate the department manually.4adc4a268fix(rest) : Add licenseInfoHeaderText in summaryAdministration api responsecadc213e9fix(rest) : Moderation update overwrites previous fieldsd3aeefc6dfix(Attachment): Make get attachment endpoints of component/release/project consistent - Allow updating project/component/release with attachment data (in a consistent way)48f9159bbfix(Rest): new endpoint will help to get the package details by projectId.fbea70a91fix(rest): Added packageIds in project create and update APIs.886ad473cfix(Rest): Updated the REST endpoint to schedule the upload of release component attachments.975e30f49fix(importCDX): Add logging for null metadata in sbom.41ea54857fix(licenseinfo): Corrected the Open Source title in TEXT format to match DOCX format6ba3bf675fix(rest): Prevent stored XSS5365f10b8fix(component): add null check for release mergeb91d3ad10fix(rest): Added code to get obligation releaseView data in project.bbd7a4361fix(Rest): License overview is not updating in summary page.eeb3c86d4fix(rest): fix doc for ModerationRequestController663ac8377fix(rest): Validate comment message while create a moderation request.6dbec3601fix(rest): adding additional fields to attachmentUsage endpoint.325cf0ef5fix(deps): Deprecate old commmons-lang library75d3748ccfix(cloudant): fix structure of elemMatch queryaadf18948fix(report): refactor /reports endpoint20d02c954fix(doc): fix OpenAPI docs for report controller73726c45efix(moderation): fix moderation creation1cd3739bdfix(rest) : modified attachment info in response to the moderation request rest api1e1c5c1d0fix(rest): Added code for for updating multiple project attachments.c8b27567ffix(rest) : Closed Project functionalities not uniform with respect to UI and REST
Infrastructure
57827d8edchore(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.12 to 0.8.139bfa90129chore(deps): bump com.tngtech.jgiven:jgiven-maven-plugin30d5f61abchore(deps): bump org.apache.maven.plugins:maven-surefire-plugin40a22ede4chore(deps): bump poi.version from 5.4.0 to 5.4.1fad1b859achore(deps): bump step-security/harden-runner from 2.11.0 to 2.11.1f73f40dc4chore(deps): bump actions/dependency-review-action from 4.5.0 to 4.6.09f208baf0chore(rest): rework exceptionsb14bf4058chore(deps): bump github/codeql-action from 3.28.12 to 3.28.135387e3fcdchore(deps): bump maven from70591cbtof1e4a8587806a5aechore(deps-dev): bump nl.jqno.equalsverifier:equalsverifier5a3acda61chore(deps): bump springdoc-openapi-stater-common.versionb15710833chore(deps): bump org.apache.httpcomponents.client5:httpclient50cded8b31chore(deps): bump org.ow2.asm.version from 9.7.1 to 9.8d2de95f47chore(deps): bump httpcore5.version from 5.3.2 to 5.3.4b0e52e4f6chore(deps): bump org.mockito:mockito-core from 5.15.2 to 5.16.12a1ea1952chore(deps-dev): bump com.tngtech.jgiven:jgiven-junit350a8db21chore(deps): bump com.google.guava:failureaccess from 1.0.2 to 1.0.3b4b475444chore(deps): bump org.apache.maven.plugins:maven-compiler-plugin197ed98b4chore(deps): bump springframework.version from 6.2.4 to 6.2.58c87ab4edchore(deps): bump actions/cache from 4.2.2 to 4.2.3403020e2bchore(deps): bump actions/upload-artifact from 4.6.1 to 4.6.24809763e4chore(deps): bump github/codeql-action from 3.28.11 to 3.28.123ac6ea7dfchore(deps): bump org.springframework.security:spring-security-crypto64a8742a7doc(sbom): add allowable SBOM export types40c061cdfchore(controller): fix typo in endpoint namedfe68e180chore(deps): bump docker/login-action from 3.3.0 to 3.4.0712d613edchore(deps): bump org.springframework.security:spring-security-oauth2-authorization-server1b05c7addchore(deps): bump com.ibm.cloud:cloudant from 0.10.0 to 0.10.21ac13a85achore(deps): bump keycloak.version from 26.1.3 to 26.1.4dff3a99d9chore(deps): bump springframework.version from 6.2.3 to 6.2.4fc4910ec0chore(deps): bump org.cyclonedx:cyclonedx-core-java38e0f199achore: Add push docker tag capability4e424695brefactor(rest): enhance logging and error handling in FossologyRestClient79beaf846chore(deps): bump docker/build-push-action from 6.13.0 to 6.15.0ac0cf9887chore(deps): bump docker/metadata-action from 5.6.1 to 5.7.0341fad29bchore(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0c442800bdchore(deps): bump github/codeql-action from 3.28.10 to 3.28.111b2c6f8f8chore(deps): bump tomcat from0530899to1374a56344b6995fchore(deps): bump slf4j.version from 2.0.16 t...
sw360-19.1.0
sw360-19.1.0
This minor release includes numerous features, corrections, and improvements across the SW360 project since the 19.0.0 release.
Highlight of the changes includes:
- Various vulnerabilities and security fixes.
- Multiple new REST API endpoints.
- Improvements on SBOM and CDX import.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> Afsah Syeda <afsah.syeda@siemens-healthineers.com>
> Akshit Joshi <akshit.joshi@siemens-healthineers.com>
> Arun Azhakesan <arun.azhakesan@siemens-healthineers.com>
> dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
> duonglq-tsdv <duong1.lequy@toshiba.co.jp>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> Helio Chissini de Castro <heliocastro@gmail.com>
> hoangnt2 <hoang2.nguyenthai@toshiba.co.jp>
> Keerthi B L <keerthi.bl@siemens.com>
> nikesh kumar <kumar.nikesh@siemens.com>
> Rudra Chopra <prabhuchopra@gmail.com>
> Sameed <sameed.ahmad@siemens-healthineers.com>
> Smruti Prakash Sahoo <smruti.sahoo@siemens.com>
> StepSecurity Bot <bot@stepsecurity.io>
> tuannn2 <tuan2.nguyennhu@toshiba.co.jp>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
2133694fafeat(rest) : Export Project Create Clearing Request36df4a611feat(spdx): Add API for feature SPDX Document tab719165516feat(rest): endpoint to get license info header text.c64470ff8feat(rest): Add documentation for new clearing size parameter.e02307383feat(rest) : Rest end point for project ECC Export Spreadsheet9cd8646c1feat(Component): Add new endpoint that allows user to subscribe and unsubscribe to a componenta3edc6ceefeat(Release): Add new endpoint for release subscription8d6315f31feat(FossologyTrigger): stop repetitive entries of attachment.3a48426c9feat(ImportCDX):Handle redirection of VCS URLs in SBOMbe8d94046feat(rest): Create new api's in schedule tab.f41b8927dfeat(importCDX): Add functionality to configure release creation when importing SBOM to an existing projectddec17e5dfeat(rest): Add size parameter to clearing request.be032e39cfeat(importCDX): enhance CDX importer to sanitize VCS URLs for non-GitHub domains646c4e1bbfeat(Project): Create new endpoint that allow to duplicate project with network68c1fb737feat(Release): Add new endpoint to check cyclic links between releases9b32525a3feat(Project): Add new endpoint that allow to compare project network with default network108ba6700feat(Project): Add new endpoint to fetch linked releases of linked projects067f9135bfeat(Release): Add new endpoint that allow to get linked releases of release466a8c6d7feat(Project): Create new endpoint that allow to get linked releases in dependency network of a project75e3bc899feat(rest): Add endpoint to handle updation of clearing requests.7bcedef6afeat(rest): endpoint to remove orphaned obligations from project.fa17c2fedfeat(rest): delete a vendor by id.453eff793feat: Add default user/pwd to couchdb connectione81031333feat: Add default admin user if database is emptyf98db4ff4feat(rest): Add pagination to get clearing requests endpoint and fix 403 forbidden error33012fdc2feat(REST):fetch releases that are in NEW_CLEARING state and have a SRC/SRS attachment using parameter isNewClearingWithSourceAvailable2621657cdfeat: Add logging to identify releases with corrupted attachments during license generation73d0576c7feat(rest): endpoint to get list of obligations depending upon obligation level.24b71c5e6feat: Update README.md with openssf scorecard badge
Corrections
802013389fix(openapi)!: add health endpoint to openapib39c71b5bfix(Cloudant): Fix Cloudant document creation error by setting id and rev to null instead of empty string during Java object conversionda677a677Revert "fix(importCDX): Resolved unnecessary update of component fields"8f9859955fix(docs): fix OpenAPI docs8164a1f48fix(rest): Fixed the reference to wrong db for oauthclients4918ecd85fix(test): Remove unused invalid entries7c4b647e9fix(test): Remove unused invalid entriesac410370cfix: Enable back client libraryc41cdedfcfix: Ignore SECURITY.md on license checkffd83c62ffix(Project): Add missing properties in network response849284e3bfix(Project): Unset unnecessory data before store network into database87bdf001efix(test): enable unauthorized request test519496118fix(Project): Fix vulnerability: Information exposure through an error message48eb7437efix(User): Fix XSS vulnerability due to a user-provided value89e67b7e9fix(Rest): component attachment deletion while updating externalIdsc35e05fbdfix: Create sw360oauthclients database9cfb2c16dfix(rest): Enhance the acceptRequest method to see the proposed changes in project/component/release pages.342145702fix: Restore target for Dockerfilee18227af9fix: Remove spotless dead codeec6d2bc18fix: Adjust pinned dependencies on Dockerfile73e682053fix: Update POI code to modern versiona2734ca50fix(StepSecurity): Apply security best practices
Infrastructure
8a0793ed5chore(deps): bump org.apache.maven.plugins:maven-gpg-plugin06426f8bbchore(deps): bump keycloak.version from 26.0.6 to 26.0.7385a8bc74chore(deps): bump tomcat from7ebc6c3to935ff51d24a5c32achore(deps): bump github/codeql-action from 3.27.6 to 3.27.9e38177ad1chore(deps-dev): bump com.tngtech.jgiven:jgiven-junit7277d0815chore(deps): bump org.apache.maven.plugins:maven-javadoc-plugine424549f5chore(deps): update wiremock to 3.10.0e35110da8chore(deps): use updated wiremockc5cbf16f4chore(deps): bump org.apache.httpcomponents.client5:httpclient5d59b81243chore(deps): bump actions/cache from 4.1.2 to 4.2.0e15aa510cchore(deps): bump maven from9ae8f00to85d505f97c483c04chore(deps): bump net.minidev:json-smart from 2.4.10 to 2.5.1862a08e73chore(deps): bump maven fromf401172to9ae8f00e0bec4851chore(deps): bump commons-io:commons-io from 2.17.0 to 2.18.0668953ad0chore(deps): bump org.mockito:mockito-core from 2.28.2 to 5.14.2684e0703cchore(deps): bump maven from5a44dfftof401172b80aaa302chore(deps): bump tomcat from2ade2b0to7ebc6c339bb1e985chore(deps): bump ubuntu from35b7fc7to80dd3c3f24cbc910chore(deps): bump github/codeql-action from 3.27.5 to 3.27.60db57d021chore(deps): bump ubuntu from278628fto35b7fc7db32f3bb8chore: Remove cache from java-setup action03dda4438chore(deps): bump org.codehaus.mojo:versions-maven-plugin2a4c3c3a6chore(deps): bump org.apache.maven.plugins:maven-assembly-plugin92f05513fchore(deps): bump org.apache.maven.plugins:maven-resources-plugin1c3aefe32chore(deps): bump jackson.version from 2.18.1 to 2.18.26d5b60f67chore(deps): bump org.springframework.security:spring-security-oauth2-authorization-server360f63268chore(deps): bump docker/build-push-action from 6.9.0 to 6.10.075b9565a2chore(deps): bump org.apache.maven.plugins:maven-dependency-plugin8589b49b9chore(deps-dev): bump com.github.tomakehurst:wiremock-jre8b4362b73dchore(deps): bump org.apache.commons:commons-lang3 from 3.12.0 to 3.17.0c0f95baabchore(deps): Fix Maven warning for deprecation values067a3025echore(deps): bump org.apache.commons:commons-csv from 1.10.0 to 1.12.041da93540chore(deps): Move versions to supperpom2dfa4afdbchore(deps): bump org.keycloak:keycloak-core from 26.0.5 to 26.0.690c1a4724chore(deps): bump log4j2.version from 2.24.1 to 2.24.2a2beaa41echore(deps-dev): bump net.bytebuddy:byte-buddy from 1.10.18 to 1.15.10cca5c12a9chore(deps-dev): bump org.ow2.asm:asm-commons from 7.1 to 9.7.1ec4e041f6chore(deps): bump springframework.version from 6.1.14 to 6.2.0bb9225664chore(deps): bump org.apache.maven.plugins:maven-enforcer-pluginc4b75cf53chore(deps): bump com.google.guava:guava from 32.0.0-jre to 33.3.1-jrec3c75c7dfchore(deps): bump spring-security.version from 6.3.3 to 6.4.1bca5bc337chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5df9bf4801chore(deps): bump actions/dependency-review-action from 4.4.0 to 4.5.0eaf13a8d6chore(deps): bump docker/metadata-action from 5.5.1 to 5.6.19bf808d70chore(deps): bump org.apache.maven.plugins:maven-failsafe-plugina11f1830fchore(deps): Update apache.commons-compress3658d3970chore(deps): bump org.apache.commons:commons-text from 1.10.0 to 1.12.06cd1da38bchore(deps): bump com.tngtech.jgiven:jgiven-maven-plugin36398cfbbUpdate security.md filece6aa331cCreate SECURITY.mda2a88dc79chore(deps): bump step-security/harden-runner from 2.10.1 to 2.10.212bd1bf81chore(deps): bump org.projectlombok:lombok from 1.18.34 to 1.18.364d336c6adchore(deps): bump jackson.version from 2.17.1 to 2.18.1cce753580chore(deps-dev): bump nl.jqno.equalsverifier:equalsverifier6098b6723chore(deps): bump com.github.package-url:packageurl-java40ec24f69chore(deps): bump tomcat froma09d4c1to2ade2b0965ac8dc2chore(deps): bump ubuntu from99c3519to278628f49c3e574fchore(deps): bump maven from440a97ato5a44dffa91c6249cchore(deps): bump httpcore5.version from 5.2.5 to 5.3.1f2b202b7achore(docs): update the KeyCloak doc for 26.0.58f9492422chore(deps): bump keycloak.version from 25.0.6 to 26.0.56239843efchore(deps): Adjust Maven dependency declarations9fa14d2e3chore: Remove pre-commit checkstyl...
sw360-19.0.0
sw360-19.0.0
This tag covers many corrections, bug fixes and features after the 18.1 release. Version 19.0.0 is also the first release without the Front-end integrated, but as a separate sw360-frontend project.
Major changes in the release includes:
- Removal of Liferay and related libraries, OSGi framework
- Unification of various backend packages from src and svd
- Support for Java 21 and Apache Tomcat 11.0.0
- Replace couchdb-lucene with couchdb-nouveau
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> afsahsyeda <afsah.syeda@siemens-healthineers.com>
> Akshit Joshi <akshit.joshi@siemens-healthineers.com>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> Helio Chissini de Castro <helio.chissini.de.castro@cariad.technology>
> hoangnt2 <hoang2.nguyenthai@toshiba.co.jp>
> Keerthi B L <keerthi.bl@siemens.com>
> Nikesh Kumar <kumar.nikesh@siemens.com>
> Rudra Chopra <prabhuchopra@gmail.com>
> Sameed <sameed.ahmad@siemens-healthineers.com>
> Smruti Prakash Sahoo <smruti.sahoo@siemens.com>
> tuannn2 <tuan2.nguyennhu@toshiba.co.jp>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
c167bcca9feat(rest): Endpoint to add comment on a clearing requestcd97b6154feat(rest): Create new endpoint for schedule CVE and schedule attachment deletion.00d70bcc5feat(rest): get releases used by vendor31b720b9efeat(rest) : Rest end point for generate source code bundle062a89290feat(rest): saveUsages in project page9751a2e1afeat(Project): Add new endpoint for project's license clearing tree view (New GUI)546d35b73feat(Project): Import SPDX as dependency networka18b053f5feat(rest): Create new endpoint to download component template in csv format.144ea5b81feat(rest) : Move GenerateLicenseInfoFile rest end point to SW360reportcontroller61ec9ac39feat(REST): Exclude release version from license info295f1cbfffeat(rest): fetch group list in project add and edit page.e9ec8d8a7feat: Make Java 21 defaultcb99fc678feat(ImportSBOM):Change naming convention of imported components441fa7d85feat(Project): Create new endpoint to serve list view of dependency network (New GUI)7b4c534e3feat(cloudant): use IBM SDK09586fad6feat(ektorp): remove ektorp from search handlersaf0262112feat(lucene): nouveau integrationa019b468bfeat(keycloak-spis): Added the custom keycloak SPIs3c453670dfeat(couchdb): Enable use of latest CouchDB with nouveau8fdd93c86feat(rest): endpoint to update a vendor.bff430140feat: Add CODEOWNERS to the repository90ad3ea1cfeat(rest): Add additional fields in get clearingrequest endpoints.771b965b2feat(ComponentPortletandImportCDX): Validate VCS URL and sanitize GitHub Repo URLs during CDX import99d0c80edfeat(api): postpone moderation request actionaf15a09e3feat(rest): includeAllAttachments parameter in licenseInfo endpoint66cac90c6feat(CycloneDX): Make methods compatible with cyclonedx upgrade and update jackson version9a15832c0feat(rest): Endpoint to get comments of a Clearing Request.ffbf1b183feat(project): endpoint for vulnerabilitySummary page.0d6908ab2feat(project): Add necessary library dependencies required by rest codeacb1e54eafeat(vscode): Add base Eclipse java formatter config filea29d5b0c2feat: Generate provenance and SBOMs on Docker images8b6aa42cffeat(docs): Remove old asciidocs supportfd0546244feat: Update to Ubuntu 24.04 (Noble)8f971f765feat(rest): new endpoint for releases of linked projects.5bd4cae83feat(obligation): rest endpoint to update license obligations of the project.3c40f09f2feat(License): Add API Listing LicenseType and Add pageble for licenses, obligations204ce2f02feat: Add scorecard
Corrections
9452b2b89fix(cloudant): fix attachment creation5bdef6d51fix(pom): fixed the java version in kc module pom.xml48e0f6c8cfix(ImportCDX): VCS sanitization failing on characters like colondc18109b8fix(Project): Fix project handler test with dependency network feature5702dc595fix(clearingState): making fossology report download configurable.3f10b6856fix(build): add the missing excludeReleaseVersion69fcc6c9ffix(servlet): complete migration javax to jakarta3cad1c4aafix(UI): Add lang attribute to ReadmeOSS.html for generated license info.77b801825fix(keycloak-spi): Added the README.mde43c3422afix(nouveau): fix nouveau query result442ac94c7fix(test): fix test cases with cloudant SDK41e3d4605fix(nouveau): extend nouveau connector as cloudantcbcffd979fix(cloudant): fix query buildersced70a0e4fix(cloudant): fix views57f5b6908fix(REST): Patch Release is causing the clearing state to be updated to NEW even if a Clearing is existing5c4810a56fix(backend): fix dependency for backend coref0719b97afix(rest): Resolved null value returning for svm tracking status.fe05d9f29fix(rest): Update search API to return 200 status with empty results array when no match foundb0c11a1fbfix(GenerateLicenseInfo): Generate License Info failing for releases having the same CLXd6f630021fix(rest): Ensure visibility field is case-insensitive6a1408f50fix(doc): fix OpenAPI doc for Search endpoint83796a935fix(rest): add requestClosedOn field in get clearingRequest_by_id endpoint45a8137f3fix: Update docker documentation to reflect current status9dc2d6835fix(rest): Enable back authorization and resource server with up to dat springbootc493d83bffix(couchdb): Move setup data for single file and update compose to use as read onlyc15e36cd8fix(docker): Use Tomcat with Ubuntu 24.04 (Noble)d655adc64fix(rest): Add null check for linkedProject field if it is empty77bdbf7f6fix(rest): Add null check for linkedProject field to prevent Internal Server Error on GET request to fetch the linked projects of a project5943127c6fix(rest): Add code to update user details when creating a moderation request.9777923f8fix(docker): Reinstate docker builds0265205b0fix(docker): Update docker build to fit Ubuntu Noble and improved caching293e025cffix(rest): Added JWT token convert to fix the issue with authorities540f9baf1fix(rest): Added the Oidc user info customizer and token customizer1fb7bcf97fix(rest): Add null check for linkedProject field to prevent Internal Server Error on GET request to fetch the linked projects of a project3f6ae983bfix(importCDX):Improve error message when PURL is invalid3dfbb5538fix(rest): Fix internal server error with 500 status code for link project to projects endpointf0e149422fix(rest): Fixing pagination for endpoint '/packages'.0d88cacc7fix(rest) : Non uniform link format in attachmentUsage end pointfea2d4edafix(rest): Fixed the swagger issue01218278dfix(backend) : Product clearing report generated has strange numbering issue fixda95be6e7fix(rest): Added modifiedBy field in get package_by_id endpoint.82ad83e70Revert "fix(rest): Fixed the swagger issue"cc38d07dffix(rest): Fixed the swagger issue51fabdfc2fix(rest):Added code to resolve the server error while fetching a summaryAdministraion endpoint.b262c4c82fix(rest): Fixing the rest test cases308ce540bfix(rest): Added a missed field in package endpoint for allDetails.8f0560c04fix: Only publish test report on failuresf48e6d27bfix: Thrift cache locationb69720c91fix: Update thrift build to fix github caching89f47fe05fix(test): Proper build tests now without jump folders4dd4f8aa7fix: Remove wrong placed copyrights on commit templatef8dcd79f2fix(test): Disable rest test to avoid chicken and egg integration7ce112133fix(github): restore pull_request_template.md
Infrastructure
4e883a5a1chore(deps): bump org.springframework:spring-context7dd44a5fdchore: Add maven validation on buildd086e9a71chore(deps): bump org.keycloak:keycloak-core2d90a9a00chore(deps): bump org.keycloak:keycloak-corebfd296052chore(maven): deploy keycloak listenersc71b0d5c4chore(maven): segregate war and jar deploy dirsd9b3edf25chore: Add Tomcat 11 default for Docker872c74ef1chore(nouveau): catch exception for nouveau query824504564chore(docker): update compose with dockerhub image3fc2e0976chore(couchdb-lucene): remove third-party/couchdb-lucene111a0fe88chore(refactor): Refactored the models by adding Lomboke3dccf3eechore: Reduce couchdb log level on docker composee3f3dab7echore: Update the license header checkfor CODEOWNERSaf056ef15chore: Properly set components servlet as war file27fddd182refactor: Use the correct thrift image56b63f065refactor: Remove dead code comments7b3fe9233chore: CouchDB setup can't be read only442970d4cchore: Add color coding for sw360 project30b6114f8refactor(backend): Adjust component test call9a09353afrefactor(backend): Disable ComponentImportTestUtilsa0369e0a3refactor(backend): Allow test properties be configurableb7d9941ddrefactor(backend): Fix licenseinfo test2f24d0b3echore: Disable logging on disk for couchdb and configure authorization serverbc759edb4refactor(backend): Restore webapps installa9cff25eachore: Fix version dependenciesa81fe91dcrefactor(backend): Remove invalid recursive add-build-configuration processa973a70f4refactor(backend): Disable usage of Handlers by importer2019328a3refactor(backend): Adjust dependencies for...
sw360-18.1.0-M1
sw360-18.1.0-M1
This tag includes important corrections and fixes following the 18.0 pre-release. It is also the final tag with Liferay, as SW360 will use the SW360-frontend project (https://github.com/eclipse-sw360/sw360-frontend) starting from the next release.
Migrations
For existing installations, a data migration is required with PR 1963. Please go to the readme file in scripts/migrations to see more information:
https://github.com/eclipse/sw360/blob/master/scripts/migrations/README.md
Note: For running the migrations scripts, you will need python and the couchdb package. Please note that you will need to change manually in the python file: the DRYRUN variable and the couchdb URL (if that is not on localhost or requires password or both).
SW360 18.1 Native Install Deployment
https://eclipse.dev/sw360/docs/deployment/legacy/nativeinstall/native-install-sw360-version-18.1.0/
Credits
The following github users have contributed to the source code since the last release (in alphabetical order):
> Afsah Syeda <afsah.syeda@siemens-healthineers.com>
> Aftab, Farooq Fateh (ext) <farooq-fateh.aftab.ext@siemens-energy.com>
> Anupam Ghosh <anupam.ghosh@siemens.com>
> Akshit Joshi <akshit.joshi@siemens-healthineers.com>
> Eldrin <eldrin.sanctis@siemens.com>
> Gaurav Mishra <gmishx@gmail.com>
> Helio Chissini de Castro <heliocastro@gmail.com>
> Jens Viebig <jens.viebig@vitec.com>
> hoangnt2 <hoang2.nguyenthai@toshiba.co.jp>
> Keerthi B L <keerthi.bl@siemens.com>
> Nikesh kumar <kumar.nikesh@simens.com>
> rudra-superrr <rudra.chopra@siemens.com>
> sameed.ahmad <sameed.ahmad@siemens-healthineers.com>
> tuannn2 <tuan2.nguyennhu@toshiba.co.jp>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
4bfabe486feat(rest) : Remove mail-request parameter and read from config file96863d14cfeat(REST): Search package by purl and version684d90117feat(REST): Create clearing request for a project and move the preferred clearing date limit field out of Liferay"fe044d00feat(project): Added release field for licenseObligation get endpoint70837b27feat(rest): filter attachment usages in projectea94202bfeat(license): Update Whitelistaf155858feat(CR): Update clearing request state from AWAITING RESPONSE to PENDING INPUT2bd2b2fdfeat(vscode): Add workspace java settings8ceba8fbfeat(docker): Add test build using docker944a7164feat(rest): added pagination for vulnerability tracking status page.70391d07feat(rest): add license obligations to a project.4f65386ffeat(obligation): endpoint to list license obligation table data5fcb3533feat(rest) : endpoint to list license obligations from license database.240c73f3feat(CR): Create a new Clearing Request state Sanity Check to perform sanity check before accepting a project4bc56326Revert "feat(CR): Disable Clearing Request creation for the projects which have linked releases without SRC type attachment"71d3a470Feat(User): Create new endpoints to Create/Revoke/List rest api tokend4820efcfeat(Rest) : Download license clearing report end point.14fda713feat(api): new endpoint /mySubmissionscec7f4b7feat(docker): Improve output of check_image script.d7699485feat(docker): Revamp docker build setup2ddf76f0feat(user): Enable API user endpoint by default36a41ceffeat(Obligation): adding obligation type data in license obligation table.44219a39feat(rest) : Pagination for vulnerability tracking statusb925c0abRevert "feat(UI): enhanced date filter for open and closed clearing requests tab"a3038447feat(UI): enhanced date filter for open and closed clearing requests tab9f9a1ffa1feat(UI): Add an info button in the create CR pageb98d346a4feat(UI): Add clearing type column in closed clearing request tabb6aa50650feat(Project): - Extract license from all releases in dependency network when download license information of a project - Generate source code bundle from all releases in dependency network when download Generate source code bundle for a project49f5486fafeat(rest): endpoint to link sourceProject to list of projects.1ab14350bfeat(CR): Disable Clearing Request creation for the projects which have linked releases without SRC type attachmentbcd600c26feat(User): Add new endpoints to get/update requesting user profile3cb73c19ffeat(rest): Create new endpoint to unschedule all services.83a2b3a28feat(license): Listing obligations by license8a9c407e8feat(license): Fix Update License isChecked89a75f815feat(project): Update ghactions workflows deps849e10a0cfeat(obligation): Add api listing obligations by ObligationLevel3ec2cb129feat(rest) : Rest end point for releases by lucene search7ccba71d5feat(project): Setup Sonatype publishingc0fb731c4feat(license): Create API Export License141e24babfeat(Release):Upload Source Code Attachment to Releases through a Scheduled Servicec7c33c78ffeat(rest): adding pagination for listing vendors endpoint.c805ff90ffeat(rest) : Adding or Modifying fields to project summaryadminastration page6a89beabcfeat(Script): Delete MR's for a specific useradc862038feat(license): Create new api update license
Corrections
dfabecd2cfix(importCDX) : Fix package's linked release updation when an SBOM is imported3de514387fix(project): adding project owner field in project get endpoint.c31464972fix(api): throw 409 if last moderator219792b1fix(importCDX): Resolve incorrect package/release count in import summary6d9f3620fix(rest): Create a new endpoint for dataBaseSanitation.ae997be2fix(project): Update outdated Github actionscb02b200fix(sw360): changing mkdocs version0c9523fbfix(REST): Improve error message handling for CycloneDX sbom import using REST APIdf735e9bfix(Release): Updating the license overview in the summary pagee5ac9278fix(SRCUploadService): Source upload should work for release versions having alphanumeric charactersfa42d204fix(api): provide typeMasks name as Optional type6e36abbbfix(api): check project modifier before embedding3beff049fix(Project): Fix bug Expand Next Level and Collapse All button are hidden when click on sort icon5112980ffix(urlEncoding): url encoding.fe0a4408fix(Release): Add embedded other licenses in release responsed4a8be84fix(importCDX): Packages without VCS in SBOM having VCS in SW360 are not getting linked to project8af9bd5efix(importCDX): Add check for existing comps and package using case-insensitive comparison of vcs and purlee3ed068fix(Liferay): Fix bug cannot access oauth client page when import lar fileedc9320cfix(rest) : attachment usage type fix in response49be7428fix(importSBOM): Remove the invalid characters appearing in import summary message for invalid packages list5a726764fix(rest): create endpoint for search by userName using lucene search.ff068133fix(rest): Added releaseId in recentRelease and release mySubscription.87a14f7afix(Rest): Added status for mysubsciption in component.d28843c2fix(docker): Fix broken binaries context inclusion16475d70fix(rest) : create new endpoint for cleanup attachment.0950a2cafix(script): update modifiedBy/modifiedOn project fields.67696a9ffix(department): Division by zero caused by bad default value for interval9703661dfix(rest): Added primaryRole and secondaryDepartmentRoles fields for user endpoint.fba0d8e5fix(rest): Added modifiedBy field in project search by id.178813e5ffix(docker): Adjust local naming for docker imagesb55372562fix(thrift): Add proper version to build34765dd80fix(thrift): Follow link download stepef5cc0142fix(database): Restore reading environment database vars8aaf95734fix(UI) : Issue fix for vulnerability not displaying for projectc63023c4dfix(release): modify the externalId query parsing6a6cb33b5fix(docker): We have been using wrong Java version625ffcfa1fix(release): revert external id query parsing222879a9efix(rest): error handling when user dont have sufficient import permissiond619c5121fix(Table): Fix error of hiding attachment table content when clicking sortef83441dffix(moderator): show message when only moderator choose remove me option.590a2b3adfix(docker): Remove deletion that invalidate image2fe147f09fix(rest): create new enpoint to check server connection.47d14b158fix(script): Fix migration script not working with python30d535c386fix(config): Correct file number0f9d9b85afix(rest): create a new endpoint for fossology in admin tab.5b9f10921fix(script): Fix incorrect numbering for migration scripts0f9d31974fix(couchdb): Add config entry to disable couchdb cache451948a79fix(javadoc): Remove invalid link reference05c2445fafix(lib): Add meta information to enable publishb5f6cb469fix(importCDX): Update failed component creation error message6e1964a40fix(rest-fossology): applied changes for upload endpoint5a83fe2c9fix(RequestsPortlet): Unable to reopen CR, Open Components to display open releases, clearing progress to show percentage2fdd5f4c5fix(Rest): Allowing search for releases using externalIdsd9fce216fFix(package): Fix issues api for package - Cannot unlink orphan packages from the project - Cannot link a package to a release without any package - Handle message when package with same purl already exists02d84be81fix (rest) : rest api created for component search by lucene search
Infrastructure
e71c5e53fRevert "build(deps): bu...