sw360-20.1.0-rc-1
Pre-release
Pre-release
sw360-20.1.0-rc-1
This is the first release candidate for SW360 in the line of the next minor release version 20.1.0 of SW360. The candidate includes numerous features, corrections, and improvements over the previous release 20.0.0
This release serves as a preview of the upcoming minor version 20.1.0 for testing and should not be used in production environments.
Highlight of the changes includes:
- REST API Enhancements: Added
PATCH /ecc/{releaseId}with ECC status filtering, file-based caching for the releases endpoint, and a project detail tab pill-count endpoint with updated response structure. - Export Improvements: Extended project report export options with CSV, JSON, and XML formats in addition to spreadsheet output.
- Security Hardening: Added
@PreAuthorizeguards to license and attachment admin endpoints, strengthened authentication/authorization paths, sanitized attachment filenames to prevent path traversal, and hardened CORS/CSP behavior including Swagger CSP fixes. This release also allows disabling of basic auth and unifies Bearer token authentication across the board. - Performance Optimizations: Removed an N+1 package query by release IDs, improved LicenseInfo cache lookup from O(n) to O(1), and switched license-type usage counting to an indexed CouchDB view.
- Keycloak Provider Packaging: Consolidated provider packaging via shading, reduced provider artifacts to 3 jars, lowered classpath conflicts, and improved Keycloak startup time.
- Framework Upgrades: Upgraded runtime and security baselines to Spring Boot 4.x and Spring Security 7.x, and migrated tests from JUnit 4 to JUnit 5.
- Bug Fixes: Resolved thread-safety issues in
ProjectDatabaseHandlerand department import scheduling, fixed resource leaks across streams and Thrift clients, and improved HTTP error mapping for 404/403/409 paths. - Container & CI: Added Sigstore/Cosign image signing in CD and published JaCoCo coverage reports as CI artifacts.
Credits
The following GitHub users have contributed to the source code since the last release (in alphabetical order):
> aaryan359 <aaryanmeena96@gmail.com>
> Abhay349 <pandeyabhay967@gmail.com>
> Aditya Vishe <adityavishe67@gmail.com>
> afsahsyeda <afsah.syeda@siemens-healthineers.com>
> Agastya Kataria <katariaa@tcd.ie>
> Alex <alextanzhao22@gmail.com>
> Aman-Cool <aman017102007@gmail.com>
> amritkv <er.akverma8@gmail.com>
> Bhawani Shanker Sharma <bhawanishanker2005@gmail.com>
> Bibhuti Bhusan Dash <bibhuti230185@gmail.com>
> Dearsh Oberoi <oberoidearsh@gmail.com>
> dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
> developharsh <harsh237hk@gmail.com>
> Elbialy0 <mahmoudelbialy109@gmail.com>
> Farooq Fateh Aftab <farooq-fateh.aftab@siemens.com>
> Gaurav Mishra <mishra.gaurav@siemens.com>
> himanshu07gupta <himanshu29gupta0703@gmail.com>
> Kareem74x <kareemmostafa74x@gmail.com>
> Kaushlendra Pratap <kaushlendra-pratap.singh@siemens.com>
> Keerthi B L <keerthi.bl@siemens.com>
> Mahmoud Abdulmawlaa <m.elbaadishy@gmail.com>
> manhuu14 <umanhuu@gmail.com>
> Nikesh Kumar <kumar.nikesh@siemens.com>
> Priya Sharma <priyasharma1001a@gmail.com>
> rudra-superrr <prabhuchopra@gmail.com>
> Sandip Mandal <sandipsmmandal02@gmail.com>
> Shivamrut <gshivamrut@gmail.com>
> Suhyeon Park <ssantta999@gmail.com>
> Sushant Kumar <sushant.kumar@siemens-healthineers.com>
> Uddeshya <srivastavauddeshya98@gmail.com>
Please note that also many other persons usually contribute to the project with reviews, testing, documentations, conversations or presentations.
Features
a1468ca38feat(security): unify Bearer auth8e2ff4f02feat(security): make basic auth configurablec938d39a2feat(UI): Add expand/collapse functionality for projects with sub-projects9fb25453dfeat(rest): unify authentication authoritiesc3f4c6762feat(ci): upload JaCoCo reports to artifactsc8a7811c9feat(rest): add PATCH /ecc/{releaseId} and eccStatus filter to GET /ecc552804a36feat(release): catch and log exception silently3a02df85dfeat(Component): Added pagination and sorting for release overview in componentsfe17994e3feat(projects): get sorted groupsfba763c5afeat(project-pill): simplify codec8803e5b9feat(project): enhance project detail tab counts with new response structure and testsc3f4576dafeat(project): add endpoint and tests for project detail tab pill countsc473c1db9feat(cd): sign container images00a0e04f1feat(cache): update default cache directory06a7fb602feat(rest): add file-based API response cache for releases endpointc6edadfe7feat(export): add CSV, JSON, XML export formats for project reportsb92b07274feat(keycloak): update old README.md014c57440feat(kc-tf): add helper script to migrate tokens3cfdb9590feat(thrift): add build dependencies
Corrections
2236df6c1fix(csrf): enable and document CSRF7f7eb90c7Fix(Rest): Added code to fix exactmatch search if name is case-insensitive3d7b9121efix(users): revert default behavior85bd7d11afix(rest): Added code to filter user based on givenname lastname emailid.5d3913d23fix(docs): fix docker application templatefc4e4045efix(rest): register JwtAuthenticationProvidereb694593afix(rest): allow /api root read for READ tokensbdfaa110ffix(rest): handle broken pipe gracefully7b99a4d15fix(backend): prevent thread blocking in scheduler22780de39fix(backend): upgrade SVM client, add custom JKS57786ed2bfix(user): catch Runtime error of unknown userbc8d31677fix(ExportSpreadsheet): Fixed export spreadsheet in project with search results4eaf7ac4dfix(changelog): fix timestamp format to show just the date0c953166efix(keycloak): gson dependency issue.5596befa2fix(surefire): fix args and mockito jar patha19247a36fix(test): remove System.out and System.err643094cacfix(changelog): add sorting by change timestamp in changelogded8aa233fix(rest): use BadRequestClientException instead of RuntimeException98d5dadddfix(rest): correct status code, improve error messages, add test2c1e30d09fix(rest): return 500 instead of 200 on license update failure8a127bb4dfix(rest): Preserve 404/403 and others when mapping controller exceptions7f1347d59fix(rest): extract PasswordEncoder config to fix circular dependency7029ef920fix(rest): filter license obligations by project release main...dfbd81a4afix(Rest) : Backend API for All Obligation Tab0ff1aa515fix(UserHandler): fix compiler symbol not found3568c988efix: Prevent externalId overwrite in getByEmailOrExternalId5c90f3a57fix(users): :Update differing externalId in getByEmailOrExternalId75e5aaf89fix(http-support): implement native file request body support3b812a63ffix(http-support): correct native request builder URI/body/header semantics3a4ce2737fix(security): add @PreAuthorize ADMIN check to AttachmentCleanUpControllerec5eba472fix(base): remove duplicate @PreAuthorize annotation from ScheduleAdminController6b223609ffix(rest): Add missing @PreAuthorize annotations on license endpoints813381a34fix(css): fix code scanning alert no. 96ebd497894fix(css): fix code scanning alert no. 95cf2f6a365fix(rest): prevent empty email backend queriesac6add4c9fix(rest): migrate custom serializers to Jackson 364e4a15d5fix(rest): update CSP configuration for swaggere44954bf2fix(LicenseInfo): use SPDX ID for obligation-to-license mapping41fa5997ffix(rest): harden headers and fix CORS origin787b5aa7ffix(rest): add detailed exception handling for patchClearingRequestf7ab7bf36fix(vul): hande not found exceptions for loading releases/candidates while fetching vulnerabilities1701644b9fix(backend): fix thread safety in ProjectDatabaseHandlerd466912ddfix(licenseinfo): accumulate all obligations per license in DOCX report687ca811cfix(db): csv-reader resource leak in UserDatabaseHandler4a84ee580fix(vmcomponents): resource leak in svmutils9f3ab07b8fix(rest): avoid NPE on JWKS API-token auth when user or OIDC client metadata is missing068c3c667fix(docker): use tag name and sha for dependabot806f15ee6fix(rest): restricting modification of fields.d2329d341fix(fossology): revert clearing state on upload/scan trigger failure048faa2d9fix(backend): add SLF4J provider to backend WARsf23134295fix: corrected the pagination counts for vendor search76a1bf898fix(thrift): add sudo in thrift docker build stage371ac33fcfix(rest): validate department log date as yyyy-MM-dd before Thrift call102c10692fix(release): check set for NPEa947e0228fix(rest): resolve Authorization header lookup via servlet getHeader2020b2d44fix(rest): sanitize filename in addAttachment to prevent path traversalf34128ed6fix(release-service): ensure proper lock handling in Fossology process1c79fa170fix(http-support): make NewHttpClientImpl.execute non-blocking1835e799cfix(licenseinfo): Fix project clearing report issuesb57ec9665fix(user): prevent permanent import lockout on unchecked exceptions...46699bfc8fix(projects): fix NPE and Thrift client leak in attachment usage inheritanceb33414e4afix(jwt): remove nbf claim which is optional in kc45c5c6265fix(project): reduce memory consumption by using optimized CouchDB view for project cacheeb1c46bddfix(schedule): follow deploy.name pattern4fb3f28e7fix(rest): fix NPEs and missing security annotation in ProjectControllerc2c08674dfix(keycloak): add missing sl4j deps6f2c37c5cfix(license): Improve exception handlinge3f484f31fix(attachment): Restrict access to security user.f381c05cefix(sbom): exclude component main licenses from release license aggregation44e7eeae6fix(rest): prevent IndexOutOfBoundsException for out-of-range paginationf6b5154d4fix(logging): correct spelling of occured to occurred in log messages480635f01fix(component): close FileInputStream in uploadAttachmentd32f3e0d8fix(rest): handle DUPLICATE status in updateProjectForAttachmentd04bf0678fix(rest): return 409 Conflict on duplicate name/version for release,...f712b5b60fix(cyclonedx): count validation failures in compImportErrorCount4be5409fbfix: report errors instead of unconditional SUCCESS in CycloneDX SBOM importb65b700a4fix(sorting): use natural version ordering instead of lexicographic4c5e0acebfix(http-support): return null for missing native response headerse5208792efix(cyclonedx): use full createRelease overload to preserve metadata98c91155dfix(rest): avoid NPE in obligation Boolean filter931b19f12fix(component): fix unreachable forceDelete logic in deleteComponent810532bb1fix(REST): Remove extra brackets from embedded attachment response788bcb41cfix(clearingrequest): surface CR cleanup failure in response bodye56fb73b3fix(rest): delete clearing request only after project deletion succeedsdb12fd524fix(rest): Fixed typo in Sw360AuthorizationServerConfigurationdd5bfeb8ffix(report): fix the file traversal path vulnerability.0aba60c36fix(compile): fix annotation processing for lombok8c5d1190efix(test): align JUnit 5 and resolve WireMock3d554fd96fix(junit): upgrade to JUnit586e578885fix(Rest) : Acknowledgement missing from ReadmeOSS for license with same namef8e63854dfix(keycloak-tf): fix client_id for null
Infrastructure
5211c4bebchore(codeowners): add @rudra-superrr as CODEOWNERS6f163c6d2chore(deps): bump org.cyclonedx:cyclonedx-core-java615c8bf1cchore(deps): bump keycloak/keycloak from26ae264todea2640deac05e7dchore(deps): bump com.puppycrawl.tools:checkstyle from 10.21.4 to 13.4.2fcb56e4a3chore(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.29a3eaf3dechore(deps): bump step-security/harden-runner from 2.19.0 to 2.19.131d82a4d1chore(deps): bump github/codeql-action from 4.35.2 to 4.35.41135f0fa6chore(deps): bump org.apache.httpcomponents.client5:httpclient5acc1b9576chore(deps): bump poi.version from 5.5.0 to 5.5.192bcc6777chore(deps): bump org.apache.maven.plugins:maven-shade-plugin37492c950chore(deps): bump com.ibm.cloud:cloudant from 0.10.16 to 0.10.17584862469chore(deps): bump com.jayway.jsonpath:json-path from 2.10.0 to 3.0.088604afe5chore(deps): bump jackson.version from 2.21.1 to 2.21.3532965928chore(deps): bump webiny/action-conventional-commits from 1.3.1 to 1.4.2ccd3dbf24chore(deps): bump com.tngtech.archunit:archunit-junit5a21a4e52bchore(deps): bump spring-boot.version from 4.0.5 to 4.0.694f80ea33chore(rest): add visible-for-testing comment and note @value limitation in test357f16d4atest(rest): add service-level unit test and fix controller test for license update failure898bf57aachore(rest): avoid extra object by injecting shared PasswordEncoder in auth server4050c1e3achore(rest): removed the unused logger in ResourceServerConfigurationa6daf8b6ctest(licenseinfo): add edge-case test coverage for CLIParserdcf63aae5chore(resource): implement review comments51043fe4dchore(deps): bump springframework.version from 7.0.6 to 7.0.73c8a7daedchore(deps): bump httpcore5.version from 5.3.6 to 5.4.22746ebbd4chore(deps): bump org.springframework.security:spring-security-core8d93886c9chore(deps): bump step-security/harden-runner from 2.18.0 to 2.19.08f38fe218chore(deps): bump org.apache.maven.plugins:maven-compiler-plugin316d30b6achore(deps): bump org.apache.maven.plugins:maven-source-pluginf4c812213chore(deps): bump keycloak/keycloak from 26.6.0 to 26.6.1d2aee4458chore(deps): bump docker/build-push-action from 7.0.0 to 7.1.0b14bd6d56chore(deps): bump actions/cache from 5.0.4 to 5.0.517745d429chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2bac88c4ffchore(deps): bump keycloak.version from 26.5.6 to 26.6.12cb98abb6chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.109bf98f75chore(deps): bump step-security/harden-runner from 2.17.0 to 2.18.04f53c8670chore(deps): bump springdoc-openapi-stater-common.version0d7c9e141test(rest): enhance ArchUnit tests with dependency governance and resource management rules060b574efrefactor(jackson): reuse mixin registrations5b3ae5e91chore(deps): upgrade to Spring Boot 4.x and Spring Security 7.xd3050e8bbtest(rest): add ArchUnit tests for SW360 REST architecturecec129adechore(deps): bump keycloak/keycloak from45ae201tob0e5dbcd5a1f5b2bchore(deps): bump org.apache.logging.log4j:log4j-core4efe3a84fchore(deps): bump step-security/harden-runner from 2.16.1 to 2.17.086d138560chore(deps): bump org.apache.maven.plugins:maven-dependency-plugind2b279120refactor(resource): refactor resource-server5ad1329b8chore(fossology): simplify FossologyHandleracfb91a7btest(fossology): add unit tests for FossologyHandler to validate preconditions4584a5fbeperf(licenseinfo): fix O(n) cache lookup to use O(1) direct access9ed7f04c0perf(packages): eliminate N+1 query problem in getPackagesByReleaseIdsf9d5a2189test(licenses): add test coverage for LicenseHandler methods7705870b0chore(docs/swagger): add OpenAPI annotations for ComponentControllerceec3d08fchore(keycloak): common code to keycloak-common276506c8dchore(keycloak): shared shaded common librarye0595383bchore(keycloak): prevent dependency split6659cf96atest(sbom): add tests to prevent component license leakage956ee7e09perf(license): optimize getLicenseTypeUsageCount to use database view...6d20f2d7drefactor: replace printStackTrace with logger4793d5509refactor(backend) : extract persistence logic in LicenseDatabaseHandler5c018017drefactor(wsimport): improve duplicate releaseId logging in ThriftUploader8a31ff682chore(deps): bump spring-boot from 3.5.3 to 3.5.1252fd56e17test(warning): suppress repetitive log msgs536347327chore(osgi): remove unused osgi code and flagsf50b3c091chore(pom): housekeeping moving to parent2bf538f34chore(okhttp): update to 5.3.2a4af101fachore(deps): bump com.squareup.okhttp3:okhttp from 4.12.0 to 5.0.0f20c0a97achore(deps): bump https://github.com/gitleaks/gitleaks1ec5e2185chore(deps): bump org.codehaus.plexus:plexus-utils from 4.0.2 to 4.0.393b1f9484chore(deps): bump step-security/harden-runner from 2.16.0 to 2.16.14cb4678cechore(deps): bump github/codeql-action from 4.33.0 to 4.35.16e41dbaf4chore(deps): bump docker/login-action from 4.0.0 to 4.1.06f3a13d92chore(deps): update version comment5a84c16b4chore(deps): bump keycloak/keycloak from8d44614to45ae201955875e50chore(tf): make idp alias as variable0c1bacac0chore(deps): bump org.keycloak:keycloak-model-jpa from 26.5.2 to 26.5.6