Port changes from v4.6.3 to v4.7.0-SNAPSHOT

docs/_docs/analysis-types/known-vulnerabilities.md

@@ -24,9 +24,6 @@ The internal analyzer relies on a dictionary of vulnerable software. This dictio
 NVD, GitHub Advisories, or VulnDB mirroring is performed. The internal analyzer is applicable to all components with valid 
 CPEs, including application, operating system, and hardware components, and all components with Package URLs.
 
-**NOTE**: Currently, vulnerable software describing affected package is treated as 'append-only' meaning there might be some entries no longer reported by the vulnerability source.
-Fix is under progress and can be tracked via issue [#1815](https://github.com/DependencyTrack/dependency-track/issues/1815).
-
 ### OSS Index Analyzer
 
 OSS Index is a service provided by Sonatype which identifies vulnerabilities in third-party components. The service 
@@ -52,14 +49,14 @@ VulnDB is a source of vulnerability intelligence that provides its own content.
 
 ### Snyk Analyzer
 
-It is a service provided by Snyk which identifies vulnerabilities in third-party components using REST API. Snyk returns only direct vulnerabilities for a specific package version identified by Package URL (purl). 
+It is a service provided by Snyk which identifies vulnerabilities in third-party components using REST API. Snyk returns only direct vulnerabilities for a specific package version identified by Package URL (purl).
 This analyzer is applicable to all components with valid Package URLs.
 
 Snyk REST API version is updated every 6 months and can be referred at
 [Snyk REST API for PURL](https://apidocs.snyk.io/?version=2022-10-06#get-/orgs/-org_id-/packages/-purl-/issues) for additional information.
 
-### Analysis Interval Throttle
+### Analysis Result Cache
 
 Dependency-Track contains an internal limiter which prevents repeated requests to remote services when performing
-vulnerability analysis. When a components Package URL or CPE is successfully used for a given analyzer, the action
-and the timestamp is recorded and compared to the interval throttle. The interval throttle defaults to 24 hours.
+vulnerability analysis. When a component's Package URL or CPE is successfully analyzed by a given analyzer, 
+the result is cached. By default, cache entries expire after 12 hours.

docs/_posts/2022-11-18-v4.6.3.md

@@ -0,0 +1,41 @@
+---
+title: v4.6.3
+type: patch
+---
+
+This release fixes a defect in the caching of vulnerability analysis results from external sources.  
+There are no changes for the frontend, the latest version of it remains 4.6.1.
+
+**Fixes:**
+
+* Resolved a defect that caused the [component analysis cache] validity period to be too short - [#2115]
+
+**Upgrade Notes:**
+
+* The value of the `scanner.analysis.cache.validity.period` configuration property will be reset to 12 hours
+during the automated upgrade. No manual actions are required.
+
+For a complete list of changes, refer to the respective GitHub milestones:
+
+* [API server milestone 4.6.3](https://github.com/DependencyTrack/dependency-track/milestone/30?closed=1)
+
+###### dependency-track-apiserver.jar
+
+| Algorithm | Checksum                                                         |
+|:----------|:-----------------------------------------------------------------|
+| SHA-1     | 68b806410c2e68fe8c586b93044f29a648f96466                         |
+| SHA-256   | d9b5337419addee26658da8e421f0286aaa92160b8f6f85caca83aa1a328611f |
+
+###### dependency-track-bundled.jar
+
+| Algorithm | Checksum                                                         |
+|:----------|:-----------------------------------------------------------------|
+| SHA-1     | ac2a60bc8fedad714fa55c2aaad44533fa2086d7                         |
+| SHA-256   | 1229681b5d1dc399ec662946969f7ef225bc7e6381861d8eb35e31d431b25714 |
+
+###### Software Bill of Materials (SBOM)
+
+* API Server: [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.6.3/bom.json)
+
+[#2115]: https://github.com/DependencyTrack/dependency-track/issues/2115
+[component analysis cache]: {{ site.baseurl }}{% link _docs/analysis-types/known-vulnerabilities.md %}#analysis-result-cache

src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java

@@ -46,7 +46,7 @@ public enum ConfigPropertyConstants {
     SCANNER_VULNDB_ENABLED("scanner", "vulndb.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable VulnDB"),
     SCANNER_VULNDB_OAUTH1_CONSUMER_KEY("scanner", "vulndb.api.oauth1.consumerKey", null, PropertyType.STRING, "The OAuth 1.0a consumer key"),
     SCANNER_VULNDB_OAUTH1_CONSUMER_SECRET("scanner", "vulndb.api.oath1.consumerSecret", null, PropertyType.ENCRYPTEDSTRING, "The OAuth 1.0a consumer secret"),
-    SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD("scanner", "analysis.cache.validity.period", "864000", PropertyType.NUMBER, "Validity period for individual component analysis cache"),
+    SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD("scanner", "analysis.cache.validity.period","43200000", PropertyType.NUMBER, "Validity period for individual component analysis cache"),
     SCANNER_SNYK_ENABLED("scanner", "snyk.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable Snyk Vulnerability Analysis"),
     SCANNER_SNYK_API_TOKEN("scanner", "snyk.api.token", null, PropertyType.ENCRYPTEDSTRING, "The API token used for Snyk API authentication"),
     SCANNER_SNYK_ORG_ID("scanner", "snyk.org.id", null, PropertyType.STRING, "The Organization ID used for Snyk API access"),

src/main/java/org/dependencytrack/upgrade/UpgradeItems.java

@@ -33,6 +33,7 @@ class UpgradeItems {
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v440.v440Updater.class);
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v450.v450Updater.class);
         UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v460.v460Updater.class);
+        UPGRADE_ITEMS.add(org.dependencytrack.upgrade.v463.v463Updater.class);
     }
 
     static List<Class<? extends UpgradeItem>> getUpgradeItems() {

src/main/java/org/dependencytrack/upgrade/v463/v463Updater.java

@@ -0,0 +1,52 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) Steve Springett. All Rights Reserved.
+ */
+package org.dependencytrack.upgrade.v463;
+
+import alpine.common.logging.Logger;
+import alpine.persistence.AlpineQueryManager;
+import alpine.server.upgrade.AbstractUpgradeItem;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+
+import static org.dependencytrack.model.ConfigPropertyConstants.SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD;
+
+public class v463Updater extends AbstractUpgradeItem {
+
+    private static final Logger LOGGER = Logger.getLogger(v463Updater.class);
+
+    @Override
+    public String getSchemaVersion() {
+        return "4.6.3";
+    }
+
+    @Override
+    public void executeUpgrade(final AlpineQueryManager qm, final Connection connection) throws Exception {
+        LOGGER.info("Resetting scanner cache validity period to 12h");
+        final PreparedStatement ps = connection.prepareStatement("""
+                UPDATE "CONFIGPROPERTY" SET "PROPERTYVALUE" = ?
+                WHERE "GROUPNAME" = ? AND "PROPERTYNAME" = ?
+                """);
+        ps.setString(1, SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD.getDefaultPropertyValue());
+        ps.setString(2, SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD.getGroupName());
+        ps.setString(3, SCANNER_ANALYSIS_CACHE_VALIDITY_PERIOD.getPropertyName());
+        ps.executeUpdate();
+    }
+
+}