Update Hyades to Latest #21
Merged
Add auth header support for webhook notifications
The default is 15s which may be too much given the timeouts some tests use. Signed-off-by: nscuro <nscuro@protonmail.com>
Reduce dex lease check interval for tests
Signed-off-by: nscuro <nscuro@protonmail.com>
Ports DependencyTrack/dependency-track#4858 Signed-off-by: nscuro <nscuro@protonmail.com>
… BOM upload Ports DependencyTrack/dependency-track#4905 Co-authored-by: Damian Sniezek <snieguu@gmail.com> Signed-off-by: nscuro <nscuro@protonmail.com>
Fix tag deletion failing when tag is used by project collection logic
Ports DependencyTrack/dependency-track#4935 Co-authored-by: kacper-uminski <kacperuminski@protonmail.com> Signed-off-by: nscuro <nscuro@protonmail.com>
Fix ProjectResourceTest using JVM time to insert metrics records
Align naming of isLatest parameter between PUT and POST endpoints for BOM upload
Make POLICY_VIOLATION emails more informative
Fixes findings identified by zizmor (https://github.com/zizmorcore/zizmor) Signed-off-by: nscuro <nscuro@protonmail.com>
Address zizmor GitHub Actions findings
Ports DependencyTrack/dependency-track#4942 Co-authored-by: Philippe Marschall <philippe.marschall@netcetera.com> Signed-off-by: nscuro <nscuro@protonmail.com>
Adds two functions to work with SPDX expressions: * `spdx_expr_allows` to check whether an expression can be satisfied using only licenses from the given set. * `spdx_expr_requires_any` to check whether at least one of a set of IDs is required in every possible satisfaction of an expression. Includes a CEL script visitor that validates SPDX expression literals at compile time. Signed-off-by: nscuro <nscuro@protonmail.com>
Implement SPDX expression support for CEL policies
Ports DependencyTrack/dependency-track#5033 Signed-off-by: nscuro <nscuro@protonmail.com>
Classify GPL with CPE as weak copyleft
Handle dangling SPDX expression operators
Refactors the SPDX license expression parser to be more readable, and to report parsing failures as exceptions. Separates the tokenization and AST assembly more cleanly, and switches from shunting yard to recursive descent parsing. Tokens and AST nodes are modelled as proper types using sealed interfaces. Signed-off-by: nscuro <nscuro@protonmail.com>
Refactor SPDX expression parser
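The two commits above describe the parser refactor and the semantics of `spdx_expr_allows` and `spdx_expr_requires_any`. The following is an added illustration, not code from the Hyades project: a small recursive-descent parser that rejects dangling operators, plus both predicates built on it. Assumptions: only `AND`, `OR` and parentheses are evaluated (`WITH` is tokenized but rejected), `AND` binds tighter than `OR`, and `spdx_expr_requires_any` is computed as "the expression is not satisfiable by licenses outside the given set".

```python
# Added example, not Hyades code: a recursive-descent SPDX expression parser
# plus the two CEL predicates described above. Precedence assumed: OR < AND.
import re
_KEYWORDS = {"AND", "OR", "WITH", "(", ")"}

def tokenize(expr):
    tokens = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"invalid characters in {expr!r}")
    return tokens

def parse_spdx(expr):
    # AST nodes are tuples: ("id", lic), ("and", l, r) or ("or", l, r)
    toks, pos = tokenize(expr), 0
    peek = lambda: toks[pos] if pos < len(toks) else None
    def binary(op, operand):
        nonlocal pos
        node = operand()
        while peek() == op:
            pos += 1
            node = (op.lower(), node, operand())
        return node
    def primary():
        nonlocal pos
        tok, pos = peek(), pos + 1
        if tok == "(":
            node = or_expr()
            if peek() != ")":
                raise ValueError("missing closing parenthesis")
            pos += 1
            return node
        if tok is None or tok in _KEYWORDS:   # dangling operator, e.g. "MIT OR"
            raise ValueError(f"missing operand near {tok!r}")
        return ("id", tok)
    def or_expr():
        return binary("OR", lambda: binary("AND", primary))
    node = or_expr()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return node

def _satisfiable(node, ok):
    if node[0] == "id":
        return ok(node[1])
    parts = [_satisfiable(child, ok) for child in node[1:]]
    return all(parts) if node[0] == "and" else any(parts)

def spdx_expr_allows(expr, allowed):
    """True if expr can be satisfied using only licenses from `allowed`."""
    return _satisfiable(parse_spdx(expr), lambda lic: lic in allowed)

def spdx_expr_requires_any(expr, ids):
    """True if every possible satisfaction of expr uses a license from `ids`."""
    return not _satisfiable(parse_spdx(expr), lambda lic: lic not in ids)
```

A policy that wants to forbid copyleft can combine both: `spdx_expr_allows` answers "is there a compliant choice at all", while `spdx_expr_requires_any` answers "is a copyleft license unavoidable".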
Signed-off-by: nscuro <nscuro@protonmail.com>
Bump SPDX license list to 3.28.0
BOM imports are among the most heavyweight tasks we have. In small to medium sized deployments that potentially didn't even tweak their PostgreSQL configs, high concurrency here might actually be detrimental. A max concurrency is more than sufficient here, and users who need more can still raise this. Signed-off-by: Niklas <nscuro@protonmail.com>
Reduce default artifact import max concurrency from 10 to 5
…y repeated over multiple bom-refs (#1943) * changes added Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com> * added change to address pipeline failure Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com> * addressed pr review comments Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com> --------- Signed-off-by: Meha Bhargava <meha.bhargava2@gmail.com>
… from 7.17.0 to 7.21.0 (#1927) * chore(deps-dev): Bump org.openapitools:openapi-generator-maven-plugin Bumps org.openapitools:openapi-generator-maven-plugin from 7.17.0 to 7.21.0. --- updated-dependencies: - dependency-name: org.openapitools:openapi-generator-maven-plugin dependency-version: 7.21.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Handle breaking change in openapi-generator The generator reverted a previous breaking change where `@Path` annotations were only generated at the method level. It now generates them at the interface level again, which causes conflicts when endpoints sharing the same path use different tags. Signed-off-by: nscuro <nscuro@protonmail.com> * Increase assertion timeouts in notification relay test Contention in CI test runs can cause things to be slower at times. Signed-off-by: nscuro <nscuro@protonmail.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: nscuro <nscuro@protonmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: nscuro <nscuro@protonmail.com>
…hub.openfeign-feign-bom-13.11 chore(deps): Bump io.github.openfeign:feign-bom from 13.8 to 13.11
* Removes the concept of roles, which (were intended to) allow project-scoped permissions.
* Removes `@ResourceAccessRequired` permission, which bypassed permission checks at the filter level.
* Removes the `USER_PROJECT_EFFECTIVE_PERMISSIONS` table and all corresponding triggers that maintained it.
* Introduces a new `PROJECT_ACCESS_USERS` table, which mimics the `PROJECT_ACCESS_TEAMS` table used by the ACL feature to determine whether a project is accessible. The table is maintained by triggers and enables efficient lookups at query time. In contrast to `USER_PROJECT_EFFECTIVE_PERMISSIONS`, it no longer tracks permissions, but only "can user X access project Y?".
* The new triggers are optimized to operate in batches, avoid unnecessary writes, and reduce the chance of deadlocks by ensuring row locks are acquired in deterministic order.
Refer to DependencyTrack/hyades#2116 for background. Note that, since roles were only introduced in v5, this is not a breaking change for users of v4. This feature was never part of a stable release. Signed-off-by: nscuro <nscuro@protonmail.com>
Bumps [com.google.crypto.tink:tink](https://github.com/tink-crypto/tink-java) from 1.20.0 to 1.21.0. - [Release notes](https://github.com/tink-crypto/tink-java/releases) - [Commits](tink-crypto/tink-java@v1.20.0...v1.21.0) --- updated-dependencies: - dependency-name: com.google.crypto.tink:tink dependency-version: 1.21.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…hub.openfeign-feign-bom-13.12 chore(deps): Bump io.github.openfeign:feign-bom from 13.11 to 13.12
…s-io-commons-io-2.22.0 chore(deps): Bump commons-io:commons-io from 2.21.0 to 2.22.0
CBOR is more compact than JSON which leads to smaller page tokens. And as a binary format it's not human-readable, which strengthens the opaqueness API contract. Note that it's still decodable though. Signed-off-by: nscuro <nscuro@protonmail.com>
Encode page tokens with CBOR
Co-Authored-By: Steffen Ohrendorf <steffen.ohrendorf@gmx.de>
* Consistently uses Markdown in operation descriptions instead of HTML.
* Consistently uses snake_case for path parameters, and enforces it using a new Spectral rule.
* Defines "total" as being required directly in the paginated-response schema, so schemas inheriting it don't have to.
* Relaxes case requirement for "bearer" in authorization headers. As per RFC 7235, the authorization scheme is to be treated case-insensitively.
Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
Bumps `lib.testcontainers.version` from 2.0.4 to 2.0.5. Updates `org.testcontainers:testcontainers-bom` from 2.0.4 to 2.0.5 - [Release notes](https://github.com/testcontainers/testcontainers-java/releases) - [Changelog](https://github.com/testcontainers/testcontainers-java/blob/main/CHANGELOG.md) - [Commits](testcontainers/testcontainers-java@2.0.4...2.0.5) Updates `org.testcontainers:testcontainers-postgresql` from 2.0.4 to 2.0.5 - [Release notes](https://github.com/testcontainers/testcontainers-java/releases) - [Changelog](https://github.com/testcontainers/testcontainers-java/blob/main/CHANGELOG.md) - [Commits](testcontainers/testcontainers-java@2.0.4...2.0.5) --- updated-dependencies: - dependency-name: org.testcontainers:testcontainers-bom dependency-version: 2.0.5 dependency-type: direct:production update-type: version-update:semver-patch - dependency-name: org.testcontainers:testcontainers-postgresql dependency-version: 2.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps com.google.cloud.sql:postgres-socket-factory from 1.28.2 to 1.28.3. --- updated-dependencies: - dependency-name: com.google.cloud.sql:postgres-socket-factory dependency-version: 1.28.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Improve OpenAPI consistency
Co-Authored-By: Damian Śnieżek <6084074+snieguu@users.noreply.github.com>
Co-Authored-By: Damian Śnieżek <6084074+snieguu@users.noreply.github.com>
…cy-query Port : Only return tags directly associated with a policy
…stcontainers.version-2.0.5 chore(deps): Bump lib.testcontainers.version from 2.0.4 to 2.0.5
…ogle.cloud.sql-postgres-socket-factory-1.28.3 chore(deps): Bump com.google.cloud.sql:postgres-socket-factory from 1.28.2 to 1.28.3
…dc-mapping Port : Make OIDC group mapping PUT idempotent
…ription-length Port : Validate description length for PUT /api/v1/project
Signed-off-by: nscuro <nscuro@protonmail.com>
Update repo documentation
Ports DependencyTrack/dependency-track#4968 Co-authored-by: Steffen Ohrendorf <steffen.ohrendorf@gmx.de> Signed-off-by: nscuro <nscuro@protonmail.com>
Some endpoints are only needed for integration with the frontend, but not really part of the public API. We don't want 3rd party clients depending on them, and the previous note in operation descriptions was too weak of a signal for that. Signed-off-by: nscuro <nscuro@protonmail.com>
Switch cvss handling to metaeffekt
Separate internal API endpoints more clearly
…-api Bumps [org.eclipse.microprofile.config:microprofile-config-api](https://github.com/eclipse/microprofile-config) from 3.1 to 3.1.1. - [Release notes](https://github.com/eclipse/microprofile-config/releases) - [Commits](microprofile/microprofile-config@3.1...3.1.1) --- updated-dependencies: - dependency-name: org.eclipse.microprofile.config:microprofile-config-api dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [org.jetbrains.kotlin:kotlin-bom](https://github.com/JetBrains/kotlin) from 2.3.20 to 2.3.21. - [Release notes](https://github.com/JetBrains/kotlin/releases) - [Changelog](https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md) - [Commits](JetBrains/kotlin@v2.3.20...v2.3.21) --- updated-dependencies: - dependency-name: org.jetbrains.kotlin:kotlin-bom dependency-version: 2.3.21 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…lipse.microprofile.config-microprofile-config-api-3.1.1 chore(deps): Bump org.eclipse.microprofile.config:microprofile-config-api from 3.1 to 3.1.1
…tbrains.kotlin-kotlin-bom-2.3.21 chore(deps): Bump org.jetbrains.kotlin:kotlin-bom from 2.3.20 to 2.3.21
mfrystacky
approved these changes
Apr 29, 2026
mfrystacky
left a comment
Amazing work, flawless code and execution.
Hyades to latest so development can begin