Port changes from upstream DT release 4.11.x

[nscuro]

Current Behavior

v4.11 of vanilla Dependency-Track is about to be released. We need to port the relevant changes to Hyades.

For reference, changes from v4.10.x were ported here: #983

Proposed Behavior

API server:

• v4.11.0: https://github.com/DependencyTrack/dependency-track/milestone/26?closed=1
• v4.11.1: https://github.com/DependencyTrack/dependency-track/milestone/37?closed=1
• v4.11.2: https://github.com/DependencyTrack/dependency-track/milestone/39?closed=1
• v4.11.3: https://github.com/DependencyTrack/dependency-track/milestone/40?closed=1
• v4.11.4: https://github.com/DependencyTrack/dependency-track/milestone/41?closed=1

Frontend:

• v4.11.0: https://github.com/DependencyTrack/frontend/milestone/18?closed=1
• v4.11.1: https://github.com/DependencyTrack/frontend/milestone/22?closed=1
• v4.11.2: https://github.com/DependencyTrack/frontend/milestone/24?closed=1
• v4.11.3: https://github.com/DependencyTrack/frontend/milestone/25?closed=1
• v4.11.4: https://github.com/DependencyTrack/frontend/milestone/26?closed=1

Note

We decided to rebase our frontend changes on top of the frontend release v4.11.3, instead of porting individual PRs. v4.11.x came with lots of changes in code formatting, making the porting effort painful. Our frontend changes are very limited so far, making a rebase the easiest way forward.

Issue / PR	Type	Description	Backported	Backport PR
DependencyTrack/dependency-track#2472	Enhancement	Global Audit View: Vulnerabilities	✅	DependencyTrack/hyades-apiserver#723
DependencyTrack/dependency-track#3248	Bugfix	Project cloning logic for cloning policy violations and Violationanalysis	✅	DependencyTrack/hyades-apiserver#691
DependencyTrack/dependency-track#3259	Enhancement	Trivy integration	TODO via #1343	-
DependencyTrack/dependency-track#3260	Enhancement	Return processing token when cloning project	✅	DependencyTrack/hyades-apiserver#659
DependencyTrack/dependency-track#3261	Enhancement	ACL: Add projects to team should only show not yet added projects	✅	DependencyTrack/hyades-apiserver#689
DependencyTrack/dependency-track#3275	Enhancement	Webhook alert token and new user alerts	✅	#1338, DependencyTrack/hyades-apiserver#742
DependencyTrack/dependency-track#3284	Enhancement	Preprocess CWE dictionary	✅	DependencyTrack/hyades-apiserver#688
DependencyTrack/dependency-track#3285	Enhancement	Add "Show in Dependency-Graph" Button in "Affected Projects" List	✅	DependencyTrack/hyades-apiserver#671
DependencyTrack/dependency-track#3304	Bugfix	Fix dropping of CWE table failing due to FK constraint	❌ N/A, constraint was never created for Hyades	-
DependencyTrack/dependency-track#3305	Bugfix	Fix notifications not being sent for child projects where active is null	❌ Already fixed	-
DependencyTrack/dependency-track#3313	Bugfix	Improve Error handling and add default version type	❌ Already fixed	-
DependencyTrack/dependency-track#3322	Bugfix	Fix NVD API's last modified timestamp requiring restart to be applied	❌ N/A, Hyades stores the timestamp differently	-
DependencyTrack/dependency-track#3357	Enhancement	Refactor BOM upload processing for better efficiency, correctness, and consistency	✅	DependencyTrack/hyades-apiserver#705
DependencyTrack/dependency-track#3368	Enhancement	Update SPDX license list to v3.22	❌ N/A, was superseded by DependencyTrack/dependency-track#3508	-
DependencyTrack/dependency-track#3394	Bugfix	Ignore withdrawn Github advisories	✅	#1305
DependencyTrack/dependency-track#3408	Enhancement	Store computed severities in the database	✅	DependencyTrack/hyades-apiserver#706
DependencyTrack/dependency-track#3422	Enhancement	Configurable email subject prefix	✅	#1307
DependencyTrack/dependency-track#3425	Enhancement	enhance API to support frontend changes for active/inactive affected projects	✅	DependencyTrack/hyades-apiserver#701
DependencyTrack/dependency-track#3437	Bugfix	DependencyTrack/dependency-track#3437	❌ N/A, VulnDB is not yet supported in Hyades, see #286	-
DependencyTrack/dependency-track#3456	Bugfix	Fix URISyntaxException when NPM PURL contains special characters	✅	#1309
DependencyTrack/dependency-track#3488	Bugfix	Finding Attributed On date is not retained when cloning projects	✅	DependencyTrack/hyades-apiserver#700
DependencyTrack/dependency-track#3491	Enhancement	Bump CWE dictionary to v4.13	✅	#1322 DependencyTrack/hyades-apiserver#713
DependencyTrack/dependency-track#3492	Enhancement	Apply consistent formatting to SQL queries; Use text blocks instead of string concatenation	✅	DependencyTrack/hyades-apiserver#709
DependencyTrack/dependency-track#3493	Enhancement	Improve test coverage of Trivy integration	TODO via #1343	-
DependencyTrack/dependency-track#3494	Enhancement	Align retry configuration and behavior across analyzers	❌ N/A, retry configs never deviated that much in Hyades	-
DependencyTrack/dependency-track#3499	Enhancement	Add support for component properties	✅	DependencyTrack/hyades-apiserver#712
DependencyTrack/dependency-track#3502	Enhancement	Add auto-generated changelog to GitHub releases	❌ N/A, already done for Hyades repos	-
DependencyTrack/dependency-track#3508	Enhancement	Bump SPDX license list to v3.23	✅	DependencyTrack/hyades-apiserver#714
DependencyTrack/dependency-track#3511	Enhancement	adding cargo to IMetaAnalyzer	✅	#1242
DependencyTrack/dependency-track#3512	Bugfix	Fix type of purl fields in Swagger docs	✅	DependencyTrack/hyades-apiserver#716
DependencyTrack/dependency-track#3514	Enhancement	Report test coverage for all branches, not just master	❌ N/A, already done with recent Codacy migration	-
DependencyTrack/dependency-track#3517	Enhancement	Upload test coverage for PRs via separate workflow	❌ N/A, already done with recent Codacy migration	-
DependencyTrack/dependency-track#3515	Enhancement	Bump Alpine to 2.2.5	✅	DependencyTrack/hyades-apiserver#628
DependencyTrack/dependency-track#3522	Enhancement	Validate uploaded BOMs against CycloneDX schema	✅	DependencyTrack/hyades-apiserver#715
DependencyTrack/dependency-track#3535	Enhancement	Improve Lucene observability	❌ N/A, Lucene was removed in Hyades	-
DependencyTrack/dependency-track#3537	Enhancement	Add endpoint for updating API key comment	✅	DependencyTrack/hyades-apiserver#702
DependencyTrack/dependency-track#3549	Enhancement	Implement the hackage and nixpkgs meta analyzers	✅	#1332
DependencyTrack/dependency-track#3555	Enhancement	Perform License Resolution On Name Field During SBOM Import	✅	DependencyTrack/hyades-apiserver#717
DependencyTrack/dependency-track#3556	Bugfix	Update License Of Existing Components On BOM Upload	✅	DependencyTrack/hyades-apiserver#717
DependencyTrack/dependency-track#3557	Enhancement	OpenAPI spec fixes and improvements	✅	DependencyTrack/hyades-apiserver#722
DependencyTrack/dependency-track#3558	Bugfix	Provide meaningful error message for bom and vex exceeding Jackson's character limit	✅	DependencyTrack/hyades-apiserver#724
DependencyTrack/dependency-track#3559	Bugfix	Fix unhandled NotFoundExceptions causing a HTTP 500 response	❌ N/A, superseded by DependencyTrack/dependency-track#3659	-
DependencyTrack/dependency-track#3560	Bugfix	Extend length of PURL and PURLCOORDINATES columns from 255 to 786	❌ N/A, alrady done in Hyades	-
DependencyTrack/dependency-track#3561	Enhancement	Generate SARIF File Of Project Vulnerability Findings	✅	DependencyTrack/hyades-apiserver#746
DependencyTrack/dependency-track#3573	N/A	Transfer copyright from Steve Springett to OWASP Foundation	✅	-
DependencyTrack/dependency-track#3574	Enhancement	Disable automatic API key generation for teams	✅	DependencyTrack/hyades-apiserver#725
DependencyTrack/dependency-track#3590	Bugfix	Validate UUID request parameters	✅	DependencyTrack/hyades-apiserver#721
DependencyTrack/dependency-track#3588	Enhancement	New feature: VulnDB Aliases!	❌ N/A, VulnDB is not yet supported in Hyades, see #286	-
DependencyTrack/dependency-track#3595	Bugfix	Vuln db severity	❌ N/A, VulnDB is not yet supported in Hyades, see #286	-
DependencyTrack/dependency-track#3620	Enhancement	Leverage component properties for Trivy scans	TODO via #1343	-
DependencyTrack/dependency-track#3621	Enhancement	support for experimental configurations	✅	DependencyTrack/hyades-apiserver#715
DependencyTrack/dependency-track#3625	Enhancement	Include pagination parameters in OpenAPI spec	✅	DependencyTrack/hyades-apiserver#720
DependencyTrack/dependency-track#3630	Enhancement	Trivy tweaks	TODO via #1343	-
DependencyTrack/dependency-track#3631	Enhancement	Include sorting query parameters in OpenAPI spec	✅	DependencyTrack/hyades-apiserver#743
DependencyTrack/dependency-track#3648	Enhancement	Gracefully handle unique constraint violations	❌ N/A, areas where this could happen either no longer exist in Hyades, or already deal with constraint violations (i.e. via retry)	-
DependencyTrack/dependency-track#3650	Bugfix	Fix JDOFatalUserException for long reference URLs from OSS Index	✅	DependencyTrack/hyades-apiserver#747
DependencyTrack/dependency-track#3651	Enhancement	Log debug information upon possible secret key corruption	✅	DependencyTrack/hyades-apiserver#750
DependencyTrack/dependency-track#3652	Enhancement	Bump Temurin base image to 21.0.3_9	✅	DependencyTrack/hyades-apiserver#666
DependencyTrack/dependency-track#3657	Enhancement	Add support for worker pool drain timeout	❌ N/A, already implemented in Hyades	-
DependencyTrack/dependency-track#3659	Bugfix	Catch all unhandled ClientErrorExceptions	✅	DependencyTrack/hyades-apiserver#744
DependencyTrack/dependency-track#3661	Enhancement	Fall back to no authentication when OSS Index API token decryption fails	❌ N/A, the token is currently provided via environment variable, no decryption is involved.	-
DependencyTrack/dependency-track#3662	Enhancement	Truncate ComponentProperty value at 1024 characters	@sahibamittal	DependencyTrack/hyades-apiserver#748
DependencyTrack/dependency-track#3664	Bugfix	Fix unique constraint violation during NVD mirroring via feed files	❌ N/A, Hyades doesn't mirror the NVD via feed files	-
DependencyTrack/dependency-track#3666	Enhancement	Add the project name and project URL to bom processing notifications	✅	#1342 DependencyTrack/hyades-apiserver#745
DependencyTrack/dependency-track#3667	Bugfix	De-duplicate CPEs in NVD feed file parsing	❌ N/A, Hyades doesn't mirror the NVD via feed files	-
DependencyTrack/dependency-track#3672	Enhancement	Run builds and CI on feature-* branches	❌ N/A, already done	-
DependencyTrack/dependency-track#3676	Enhancement	Simplify BomUploadProcessingTaskTest	❌ N/A, simplified code never existed in Hyades	-
DependencyTrack/dependency-track#3677	Enhancement	Disable Maven transfer progress in CI	✅	DependencyTrack/hyades-apiserver#726
DependencyTrack/dependency-track#3678	Bugfix	Fix missing default repos for Hackage and Nixpkgs	✅	DependencyTrack/hyades-apiserver#729
DependencyTrack/dependency-track#3680	Enhancement	Reduce verbosity of ResourceTests	✅	#1190
DependencyTrack/dependency-track#3681	Enhancement	Bump bundled frontend to v4.11.0	❌ N/A, frontend is no longer bundled in Hyades	-
DependencyTrack/dependency-track#3698	Bugfix	Fix failing JSON BOM validation when specVersion is not one of the first fields	✅	DependencyTrack/hyades-apiserver#715
DependencyTrack/dependency-track#3701	Bugfix	Fix broken global vuln audit view for MSSQL	❌ N/A, MSSQL is no longer supported	-
DependencyTrack/dependency-track#3729	Bugfix	fix os handling when trivy sets pkgType on properties	TODO via #1343	-
DependencyTrack/dependency-track#3785	Bugfix	Handle breaking change in Trivy server API	TODO via #1343	-
DependencyTrack/dependency-track#3787	Bugfix	Fix project name not showing in Jira tickets	✅	DependencyTrack/hyades-apiserver#703
DependencyTrack/dependency-track#3788	Bugfix	Add date format to support offset in NuGet timestamps	✅	-
DependencyTrack/dependency-track#3786	Bugfix	Fix licenses not being resolved by name	✅	DependencyTrack/hyades-apiserver#705
DependencyTrack/dependency-track#3792	Bugfix	Fix Slack notifications failing when no base URL is configured	✅	DependencyTrack/hyades-apiserver#703
DependencyTrack/dependency-track#3794	Enhancement	Bump bundled frontend to 4.11.2	❌ N/A, frontend is no longer bundled in Hyades	-
DependencyTrack/dependency-track#3801	Bugfix	Fix JDODataStoreException for unresolved licenses during BOM upload processing	✅	DependencyTrack/hyades-apiserver#705
DependencyTrack/dependency-track#3863	Enhancement	Support ingestion of CycloneDX v1.6 BOMs	✅	DependencyTrack/hyades-apiserver#754
DependencyTrack/dependency-track#3864	Bugfix	Fix inverted "show inactive" filter in vulnerability audit view	✅	DependencyTrack/hyades-apiserver#723
DependencyTrack/dependency-track#3866	Bugfix	Fix BOM validation failing when URL contains encoded [ and ] characters	✅	DependencyTrack/hyades-apiserver#755
DependencyTrack/dependency-track#3867	Bugfix	Fix external references not being updated via POST /v1/component	✅	DependencyTrack/hyades-apiserver#697
DependencyTrack/dependency-track#3871	Bugfix	Prevent XXE injection during CycloneDX validation and parsing	✅	DependencyTrack/hyades-apiserver#756
DependencyTrack/frontend#917	Enhancement	Improve German translation	✅	DependencyTrack/hyades-frontend#72
DependencyTrack/frontend#918	Enhancement	Improve Chinese translation	✅	DependencyTrack/hyades-frontend#79

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this enhancement was already requested

[nscuro]

Labeled as good first issue since it's easy to pick individual changes. The expectation is not that all changes are ported in one go.

Essentially, pick a change from v4.11, and port only that change. I am happy to suggest tickets to port, and provide guidance on the implementation if folks are interested and not sure where to start.

[leec94]

hi i'm interested in working on this, feel free to assign me

[leec94]

#1051

this PR ported issues from 4.11 to 4.10.x, so they already exist in hyades

these are the 4.11 issues that are already ported

• Fix notifications not being sent for child projects where active is null dependency-track#3305
• feat: Improve Error handling and add default version type dependency-track#3313

[nscuro]

Thanks @leec94, I updated the table in the issue accordingly!

[nscuro]

Extracted Trivy support into separate issue since it'll be a larger task: #1343