Update Hyades to Latest

.github/PULL_REQUEST_TEMPLATE.md

@@ -37,7 +37,10 @@
 - [ ] This PR implements an enhancement, and I have provided tests to verify that it works as intended
 - [ ] This PR introduces changes to the database model, and I have updated the [migration changelog] accordingly
 - [ ] This PR introduces new or alters existing behavior, and I have updated the [documentation] accordingly
+- [ ] This PR is a substantial change (per the [ADR criteria]), and I have added an [ADR] under `docs/adr/`
 
+[ADR]: ../docs/adr/
+[ADR criteria]: ../CONTRIBUTING.md#architecture-decision-records
 [contributing guidelines]: ../CONTRIBUTING.md#pull-requests
-[documentation]: https://dependencytrack.github.io/hyades/latest/development/documentation/
-[migration changelog]: https://dependencytrack.github.io/hyades/latest/development/database-migrations/
+[documentation]: https://github.com/DependencyTrack/docs
+[migration changelog]: ../DEVELOPING.md#database-migrations

.github/copilot-instructions.md

@@ -0,0 +1,79 @@
+# Copilot Code Review Instructions
+
+These instructions steer GitHub Copilot's automatic PR reviews. They complement `AGENTS.md` and `CONTRIBUTING.md`.
+
+## Project context
+
+Dependency-Track is an intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain.
+The repo is a multi-module Maven project. Relevant modules: `apiserver` (main application),
+`api` (REST API v2, OpenAPI v3, spec-first), `alpine` (legacy framework being dissolved), `cache`, `common`, `dex` (durable execution),
+`migration` (Liquibase), `notification`, `plugin`, `proto`.
+
+## Review priorities
+
+Review in this order. Do not surface low-priority nits if higher-priority issues are present in the same change.
+
+1. Security
+2. Persistence and migration correctness
+3. REST API conventions (v1 vs. v2)
+4. Architectural change gate (ADR required?)
+5. Code quality, performance, testing
+
+---
+
+## 1. Security (highest priority)
+
+This is a security product. Be unapologetic about flagging insecure patterns.
+
+- **SQL injection.** Flag any string concatenation or interpolation into SQL. Require JDBI bind parameters or `PreparedStatement` placeholders.
+  - Bad: `handle.createQuery("SELECT * FROM project WHERE name = '" + name + "'")`
+  - Good: `handle.createQuery("SELECT * FROM project WHERE name = :name").bind("name", name)`
+- **Injection sinks.** Flag unvalidated user input flowing into: `Runtime.exec` / `ProcessBuilder`, file paths (`Paths.get`, `new File`), HTTP clients (SSRF), XML/JSON parsers without hardening (XXE, polymorphic deserialization), template engines, LDAP filters, regex compiled from user input.
+- **AuthN/AuthZ.** Flag new REST endpoints that lack a permission check (`@PermissionRequired` or equivalent). Flag IDOR risk: lookups by UUID/ID that do not verify the caller has access to the target object.
+- **Secrets and crypto.** Flag hardcoded credentials, API keys, or tokens. Flag MD5/SHA-1 used for security purposes, ECB mode, static IVs, hardcoded salts, `Random`/`ThreadLocalRandom` used to generate tokens or IDs (require `SecureRandom`).
+- **Logging.** Flag log statements that include secrets, API keys, session tokens, raw request bodies, or PII. Flag `printStackTrace()` in production paths.
+- **Dependencies.** Flag introduction of unmaintained or low-reputation libraries.
+
+## 2. Persistence
+
+- **New persistence code must use JDBI + raw SQL.** Flag new code in non-legacy paths that uses JDO (`PersistenceManager`, `@PersistenceCapable`, DataNucleus extensions). Existing JDO code in `apiserver` may be modified, but new entities and queries should be JDBI.
+- **Schema changes need a Liquibase changelog.** If a PR adds/modifies a `@PersistenceCapable` field, JDBI mapping, or raw DDL without a corresponding changelog under `migration/src/main/resources/migration/`, flag it.
+- **Strong consistency by default.** Flag transaction boundaries that look incorrect (long-running transactions, cross-service calls inside a transaction, missing rollback on error).
+- **Throughput over latency.** Flag obvious N+1 patterns (loops issuing one query per element); suggest batching.
+
+## 3. REST API conventions
+
+- **New endpoints belong in API v2** (`api/src/main/openapi/`, spec-first). Flag PRs that add new JAX-RS resource classes or new endpoints under `apiserver/src/main/java/org/dependencytrack/resources/v1/` unless they extend existing v1 endpoints.
+- **Separate API from persistence in v2.** Flag v2 DTOs that import or extend classes from `org.dependencytrack.model` or other JDO persistence packages. v2 must use dedicated request/response types.
+- **v1 Swagger annotations.** When a v1 endpoint is touched, flag missing or stale `@Operation`, `@ApiResponse`, `@Parameter` annotations on the modified method.
+
+## 4. Architectural change gate
+
+Substantial changes require an Architecture Decision Record under `docs/adr/` (template at `docs/adr/000-template.md`). Flag PRs that introduce, remove, or significantly alter any of the following without a corresponding ADR file in the diff:
+
+- A module, plugin extension point, or cross-module API.
+- Database schema, persistence model, or data migration semantics (beyond routine column additions).
+- A REST API contract change that is paradigm-shifting or breaking (new authN/authZ model, new API version, cross-cutting conventions). Routine new endpoints following existing conventions do *not* require an ADR.
+- A runtime dependency, datastore, or external integration.
+- Concurrency, consistency, or scalability characteristics of an existing subsystem.
+
+When in doubt, ask the author whether an ADR was considered.
+
+## 5. Code quality, performance, testing
+
+- **No speculative future-proofing.** Flag added abstractions, interfaces, or config flags that have a single implementation/value and no near-term second use.
+- **No new dependencies for trivial logic.** Flag added Maven dependencies whose functionality is available in the JDK or in libraries already on the classpath.
+- **Comments.** Flag trivial comments that restate the code. Comments are only warranted for non-obvious *why*.
+- **Error handling.** Flag broad `catch (Exception | Throwable)` that swallows or logs and continues. Flag empty catch blocks. Flag `catch` blocks that lose the original exception.
+- **Concurrency.** Flag shared mutable state without synchronization.
+- **Tests.** Flag new public methods, endpoints, or branches added without corresponding test coverage in the same PR. Prefer integration tests that exercise real persistence over heavy mocking when the area already has integration tests.
+
+---
+
+## What NOT to comment on
+
+- Whitespace, indentation, or import ordering. These are enforced by `make lint-java`.
+- Breaking changes in `proto/` or OpenAPI specs. CI lint (`make lint-proto`, `make lint-openapi`) catches these.
+- PR title, description, or commit message wording.
+- Style preferences that conflict with existing code in the same file. Consistency with surrounding code wins.
+- Vague "consider improving readability" suggestions without a concrete alternative.

.github/dependabot.yml

@@ -4,21 +4,17 @@ updates:
     directory: /
     schedule:
       interval: daily
-    ignore:
-    # Jetty >= 11 is currently not supported by Alpine.
-    # https://github.com/stevespringett/Alpine/issues/402
-    - dependency-name: "org.eclipse.jetty:jetty-maven-plugin"
-      update-types:
-      - version-update:semver-major
+    cooldown:
+      default-days: 7
   - package-ecosystem: docker
-    directory: /src/main/docker
+    directory: /apiserver/src/main/docker
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: weekly
-  - package-ecosystem: bundler
-    directory: /docs
-    schedule:
-      interval: daily
+    cooldown:
+      default-days: 7

.github/workflows/_meta-build.yaml

@@ -45,15 +45,26 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up JDK
-        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # tag=v5.0.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
         with:
           distribution: 'temurin'
-          java-version: '21'
+          java-version: '25'
           cache: 'maven'
 
+      - name: Restore Maven build cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # tag=v5.0.5
+        with:
+          path: ~/.m2/build-cache
+          key: maven-build-cache-build-${{ hashFiles('.mvn/maven-build-cache-config.xml') }}-${{ github.run_id }}
+          restore-keys: |
+            maven-build-cache-build-${{ hashFiles('.mvn/maven-build-cache-config.xml') }}-
+            maven-build-cache-build-
+
       - name: Setup CycloneDX CLI
         run: |
           mkdir -p "$HOME/.local/bin"
@@ -64,52 +75,67 @@ jobs:
 
       - name: Build with Maven
         run: |-
-          mvn -B -Pquick -Dservices.bom.merge.skip=false package
+          mvn -B -Pquick,dist -Dservices.bom.merge.skip=false package
 
-      - name: Upload Artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2
+      - name: Upload Distribution Archive
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # tag=v7.0.1
         with:
-          name: assembled-wars
+          name: assembled-dist
+          path: |-
+            apiserver/target/dependency-track-apiserver-dist.tar.gz
+
+      - name: Upload BOM
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # tag=v7.0.1
+        with:
+          name: bom
           path: |-
-            apiserver/target/*.jar
             apiserver/target/bom.json
 
+      - name: Extract OpenAPI Specs
+        run: |-
+          mkdir -p openapi-spec/v1 openapi-spec/v2
+          unzip -p api/target/api-*.jar org/dependencytrack/api/v2/openapi.yaml > openapi-spec/v2/openapi.yaml
+          unzip -p apiserver/target/dependency-track-apiserver.jar org/dependencytrack/api/v1/openapi.yaml > openapi-spec/v1/openapi.yaml
+
       - name: Upload OpenAPI Spec
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # tag=v7.0.1
         with:
           name: openapi-spec
-          path: |-
-            api/target/classes/**/openapi.yaml
+          path: openapi-spec/
 
   build-container:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     permissions:
       packages: write # Required to push images to ghcr.io
-      security-events: write # Required to upload trivy's SARIF output
     needs:
       - build-java
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Download Artifacts
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # tag=v5.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # tag=v8.0.1
         with:
-          name: assembled-wars
+          name: assembled-dist
           path: apiserver/target
 
+      - name: Extract Distribution Archive
+        run: tar xzf apiserver/target/dependency-track-apiserver-dist.tar.gz -C apiserver/target
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # tag=v3.6.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # tag=v4.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # tag=v3.11.1
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # tag=v4.0.0
         id: buildx
         with:
           install: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # tag=v3.5.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # tag=v4.1.0
         if: ${{ inputs.publish-container }}
         with:
           registry: ghcr.io
@@ -118,23 +144,25 @@ jobs:
 
       - name: Set Container Tags
         id: tags
+        env:
+          REF_NAME: ${{ inputs.ref-name }}
+          APP_VERSION: ${{ inputs.app-version }}
         run: |-
           IMAGE_NAME="ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/hyades-apiserver"
-          REF_NAME="${{ inputs.ref-name }}"
           TAGS=""
-          
+
           if [[ $REF_NAME == feature-* ]]; then
             TAGS="${IMAGE_NAME}:${REF_NAME,,}"
           else
-            TAGS="${IMAGE_NAME}:${{ inputs.app-version }}"
-            if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
+            TAGS="${IMAGE_NAME}:${APP_VERSION}"
+            if [[ "${APP_VERSION}" != "snapshot" && "${APP_VERSION}" != *-* ]]; then
               TAGS="${TAGS},${IMAGE_NAME}:latest"
             fi
           fi
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
       - name: Build multi-arch Container Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # tag=v6.18.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # tag=v7.1.0
         with:
           tags: ${{ steps.tags.outputs.tags }}
           build-args: |-
@@ -143,20 +171,4 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: ${{ inputs.publish-container }}
           context: ./apiserver
-          file: ./apiserver/src/main/docker/Dockerfile
-
-      - name: Run Trivy Vulnerability Scanner
-        if: ${{ inputs.publish-container }}
-        uses: aquasecurity/trivy-action@f9424c10c36e288d5fa79bd3dfd1aeb2d6eae808 # tag=0.33.0
-        with:
-          image-ref: ghcr.io/dependencytrack/hyades-apiserver:${{ inputs.app-version }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          ignore-unfixed: true
-          vuln-type: 'os'
-
-      - name: Upload Trivy Scan Results to GitHub Security Tab
-        if: ${{ inputs.publish-container }}
-        uses: github/codeql-action/upload-sarif@2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d # tag=v3.29.5
-        with:
-          sarif_file: 'trivy-results.sarif'
+          file: ./apiserver/src/main/docker/Dockerfile

.github/workflows/buf.yml

@@ -31,17 +31,19 @@ jobs:
     timeout-minutes: 5
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+      with:
+        persist-credentials: false
     - name: Setup buf
       uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # tag=v1.50.0
       with:
         github_token: ${{ github.token }}
     - name: Lint Protobuf
       uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # tag=v1.1.1
       with:
-        input: proto/src/main/proto
+        input: .
     - name: Detect Breaking Changes
       uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba # tag=v1.1.4
       with:
-        input: proto/src/main/proto
-        against: "https://github.com/${{ github.repository }}.git#branch=${{ github.base_ref }},subdir=proto/src/main/proto"
+        input: .
+        against: "https://github.com/${{ github.repository }}.git#branch=${{ github.base_ref }}"

.github/workflows/ci-build.yaml

@@ -34,18 +34,21 @@ on:
       - 'docs/**'
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 permissions: { }
 
 jobs:
   call-build:
     uses: ./.github/workflows/_meta-build.yaml
     with:
       app-version: "snapshot"
-      publish-container: ${{ github.ref == 'refs/heads/main' }}
+      publish-container: ${{ github.ref_name == 'main' || startsWith(github.ref_name, 'feature-') }}
       ref-name: ${{ github.ref_name }}
     permissions:
       packages: write # Required to push images to ghcr.io
-      security-events: write # Required to upload trivy's SARIF output
     secrets:
       registry-0-usr: ${{ github.repository_owner }}
-      registry-0-psw: ${{ github.repository_owner == 'DependencyTrack' && secrets.BOT_IMAGE_PUSH_TOKEN || secrets.GITHUB_TOKEN }}
+      registry-0-psw: ${{ github.repository_owner == 'DependencyTrack' && secrets.BOT_IMAGE_PUSH_TOKEN || secrets.GITHUB_TOKEN }}