├── docs ├── CNAME ├── _docs │ ├── _defaults.md │ ├── analysis-types │ │ ├── integrity-verification.md │ │ ├── license.md │ │ └── component-identity.md │ ├── integrations │ │ ├── ecosystem.md │ │ ├── rest-api.md │ │ ├── badges.md │ │ └── threadfix.md │ ├── datasources │ │ ├── github-advisories.md │ │ ├── internal-components.md │ │ └── ossindex.md │ ├── triage │ │ ├── auditing-basics.md │ │ └── analysis-states.md │ ├── getting-started │ │ ├── deploy-war.md │ │ ├── initial-startup.md │ │ └── data-directory.md │ └── usage │ │ ├── continuous-transparency.md │ │ ├── procurement.md │ │ ├── impact-analysis.md │ │ └── policy-compliance.md ├── favicon.ico ├── siteicon.png ├── touch-icon.png ├── apple-touch-icon.png ├── images │ ├── integrations.png │ ├── promo-glitch.png │ ├── screenshots │ │ ├── teams.png │ │ ├── license.png │ │ ├── dashboard.png │ │ ├── oidc-user.png │ │ ├── oidc-groups.png │ │ ├── repositories.png │ │ ├── dashboard-small.png │ │ ├── kenna-findings.png │ │ ├── oidc-login-page.png │ │ ├── vulnerabilities.png │ │ ├── vulnerability.png │ │ ├── defectdojo_config.png │ │ ├── fortify-ssc-step1.png │ │ ├── fortify-ssc-step2.png │ │ ├── fortify-ssc-step3.png │ │ ├── fortify-ssc-step4.png │ │ ├── fortify-ssc-step5.png │ │ ├── kenna-connectors.png │ │ ├── threadfix-results.png │ │ ├── vulnerability-add.png │ │ ├── defectdojo_api_key.png │ │ ├── fortify-ssc-analysis.png │ │ ├── notifications-create.png │ │ ├── oidc-keycloak-groups.png │ │ ├── scanners-configure.png │ │ ├── swagger-ui-console.png │ │ ├── vulnerable-component.png │ │ ├── audit-finding-project.png │ │ ├── defectdojo_create_cicd.png │ │ ├── fortify-ssc-artifacts.png │ │ ├── defectdojo_api_key_menu.png │ │ ├── defectdojo_create_product.png │ │ ├── kenna-add-kdi-connector.png │ │ ├── kenna-project-properties.png │ │ ├── notifications-configure.png │ │ ├── defectdojo_create_cicd_menu.png │ │ ├── kenna-dtrack-configuration.png │ │ ├── configure-internal-components.png │ │ ├── 
defectdojo_cicd_engagement_id.png │ │ ├── oidc-keycloak-client-settings.png │ │ ├── fortify-ssc-dtrack-configuration.png │ │ ├── threadfix-remoteprovider-create.png │ │ ├── vulnerability-affected-projects.png │ │ ├── threadfix-remoteprovider-mappings.png │ │ └── oidc-keycloak-create-protocol-mapper.png │ ├── menu.svg │ ├── badge-project-novulns.svg │ └── badge-project-nometrics.svg ├── 404.md ├── robots.txt ├── _posts │ ├── 2018-06-20-v3.1.1.md │ ├── 2018-03-30-v3.0.2.md │ ├── _defaults.md │ ├── 2018-05-02-v3.0.4.md │ ├── 2019-10-01-v3.6.1.md │ ├── 2019-04-16-v3.4.1.md │ ├── 2018-04-13-v3.0.3.md │ ├── 2019-07-17-v3.5.1.md │ ├── 2018-03-29-v3.0.1.md │ ├── 2020-01-07-v3.7.1.md │ ├── 2018-10-02-v3.2.2.md │ ├── 2021-09-20-v4.3.5.md │ ├── 2018-09-21-v3.2.1.md │ ├── 2021-08-03-v4.3.1.md │ ├── 2021-08-31-v4.3.4.md │ ├── 2021-08-07-v4.3.2.md │ ├── 2021-01-12-v4.0.1.md │ ├── 2018-03-27-v3.0.0.md │ ├── 2021-03-20-v4.2.1.md │ ├── 2021-09-20-v4.3.6.md │ ├── 2022-03-04-v4.4.2.md │ ├── 2022-02-18-v4.4.1.md │ ├── 2021-08-20-v4.3.3.md │ ├── 2018-11-13-v3.3.1.md │ ├── 2021-05-07-v4.2.2.md │ └── 2022-xx-xx-v4.5.0.md ├── Gemfile ├── _plugins │ └── replace-regex.rb ├── _sass │ ├── _tables.scss │ ├── _mixins.scss │ └── _code.scss ├── changelog.html └── css │ └── main.scss ├── src ├── test │ ├── resources │ │ ├── textfile.txt │ │ ├── integration │ │ │ ├── application-h2.properties │ │ │ ├── application-postgres.properties │ │ │ └── application-mysql.properties │ │ └── bom-1.xml │ └── java │ │ └── org │ │ └── dependencytrack │ │ ├── policy │ │ └── PolicyEngineTest.java │ │ ├── resources │ │ └── v1 │ │ │ └── LicenseGroupResourceTest.java │ │ ├── event │ │ ├── NistMirrorEventTest.java │ │ ├── VulnDbSyncEventTest.java │ │ ├── CloneProjectEventTest.java │ │ ├── RepositoryMetaEventTest.java │ │ ├── FortifySscUploadEventTest.java │ │ └── KennaSecurityUploadEventTest.java │ │ ├── notification │ │ ├── NotificationScopeTest.java │ │ └── publisher │ │ │ └── SendMailPublisherTest.java │ │ ├── 
assertion │ │ ├── AssertionsTest.java │ │ └── Assertions.java │ │ ├── common │ │ ├── HttpClientPoolTest.java │ │ └── UnirestFactoryTest.java │ │ ├── metrics │ │ └── MetricsTest.java │ │ ├── model │ │ ├── SeverityTest.java │ │ └── AnalysisStateTest.java │ │ ├── util │ │ └── HttpUtilTest.java │ │ ├── TaskTest.java │ │ ├── persistence │ │ └── CweImporterTest.java │ │ └── integrations │ │ └── IntegrationPointTest.java └── main │ ├── resources │ ├── application.version │ ├── templates │ │ ├── notification │ │ │ └── publisher │ │ │ │ ├── console.peb │ │ │ │ ├── webhook.peb │ │ │ │ └── cswebex.peb │ │ └── badge │ │ │ ├── project-novulns.peb │ │ │ └── project-nometrics.peb │ └── license-list-data │ │ └── json │ │ ├── exceptions │ │ ├── Libtool-exception.json │ │ ├── gnu-javamail-exception.json │ │ ├── Swift-exception.json │ │ ├── Bootloader-exception.json │ │ ├── LZMA-exception.json │ │ ├── Font-exception-2.0.json │ │ ├── PS-or-PDF-font-exception-20170817.json │ │ ├── eCos-exception-2.0.json │ │ ├── openvpn-openssl-exception.json │ │ ├── GPL-3.0-linking-exception.json │ │ ├── GCC-exception-2.0.json │ │ ├── i2p-gpl-java-exception.json │ │ ├── u-boot-exception-2.0.json │ │ ├── mif-exception.json │ │ ├── Linux-syscall-note.json │ │ ├── Bison-exception-2.2.json │ │ ├── OCCT-exception-1.0.json │ │ ├── GPL-3.0-linking-source-exception.json │ │ ├── Classpath-exception-2.0.json │ │ ├── LLVM-exception.json │ │ └── Qt-GPL-exception-1.0.json │ │ └── details │ │ ├── diffmark.json │ │ ├── dvipdfm.json │ │ ├── FSFUL.json │ │ ├── FSFAP.json │ │ ├── Zed.json │ │ ├── Dotseqn.json │ │ ├── FSFULLR.json │ │ ├── NLPL.json │ │ ├── Beerware.json │ │ └── blessing.json │ ├── webapp │ ├── WEB-INF │ │ └── fragments │ │ │ └── error.jsp │ └── index.html │ └── java │ └── org │ └── dependencytrack │ ├── persistence │ ├── IQueryManager.java │ ├── package-info.java │ └── defaults │ │ └── IDefaultObjectImporter.java │ ├── parser │ ├── package-info.java │ ├── nvd │ │ └── package-info.java │ ├── spdx │ │ ├── 
package-info.java │ │ └── json │ │ │ └── package-info.java │ └── cyclonedx │ │ └── package-info.java │ ├── resources │ ├── package-info.java │ └── v1 │ │ ├── vo │ │ ├── package-info.java │ │ └── MappedOidcGroupRequest.java │ │ └── package-info.java │ ├── exception │ ├── package-info.java │ ├── RequirementsException.java │ └── ParseException.java │ ├── search │ ├── package-info.java │ └── SearchResult.java │ ├── tasks │ ├── package-info.java │ └── scanners │ │ └── AnalyzerIdentity.java │ ├── auth │ └── package-info.java │ ├── model │ ├── package-info.java │ ├── Severity.java │ ├── ViolationAnalysisState.java │ ├── AnalysisState.java │ ├── AnalysisResponse.java │ ├── Classifier.java │ └── AnalysisJustification.java │ ├── notification │ ├── NotificationScope.java │ └── NotificationGroup.java │ ├── metrics │ └── package-info.java │ ├── event │ ├── VulnDbSyncEvent.java │ ├── package-info.java │ ├── EpssMirrorEvent.java │ ├── NistMirrorEvent.java │ ├── GitHubAdvisoryMirrorEvent.java │ ├── ClearComponentAnalysisCacheEvent.java │ ├── PortfolioVulnerabilityAnalysisEvent.java │ ├── DefectDojoUploadEventAbstract.java │ ├── FortifySscUploadEventAbstract.java │ ├── KennaSecurityUploadEventAbstract.java │ ├── RepositoryMetaEvent.java │ ├── AbstractVulnerabilityManagementUploadEvent.java │ ├── VulnDbAnalysisEvent.java │ ├── CloneProjectEvent.java │ ├── OssIndexAnalysisEvent.java │ └── InternalAnalysisEvent.java │ ├── integrations │ ├── PortfolioFindingUploader.java │ ├── FindingUploader.java │ ├── IntegrationPoint.java │ └── ProjectFindingUploader.java │ ├── common │ └── UnirestFactory.java │ └── upgrade │ └── v400 │ └── v400Updater.java ├── dev-docs.sh ├── .gitignore ├── upgrade ├── 3.0.0_to_3.0.1.sql ├── 3.7.1_and_previous_maven_central_fix.sql └── README.md ├── .github ├── default-release-notes.md ├── ISSUE_TEMPLATE │ ├── enhancement-request.md │ ├── ask-a-question.md │ └── defect-report.md ├── dependabot.yml └── workflows │ ├── dependency-review.yaml │ ├── ci-build.yaml │ ├── 
lock.yaml │ └── ci-test.yaml ├── clearlogs.sh ├── prerelease.sh └── SECURITY.md /docs/CNAME: -------------------------------------------------------------------------------- 1 | docs.dependencytrack.org -------------------------------------------------------------------------------- /src/test/resources/textfile.txt: -------------------------------------------------------------------------------- 1 | This is a sample text file -------------------------------------------------------------------------------- /docs/_docs/_defaults.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: 3 | category: 4 | chapter: 1 5 | order: 1 6 | --- 7 | -------------------------------------------------------------------------------- /docs/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/favicon.ico -------------------------------------------------------------------------------- /docs/siteicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/siteicon.png -------------------------------------------------------------------------------- /docs/touch-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/touch-icon.png -------------------------------------------------------------------------------- /dev-docs.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | cd docs 4 | bundle install 5 | bundle exec jekyll serve 6 | cd .. 
-------------------------------------------------------------------------------- /docs/apple-touch-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/apple-touch-icon.png -------------------------------------------------------------------------------- /docs/images/integrations.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/integrations.png -------------------------------------------------------------------------------- /docs/images/promo-glitch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/promo-glitch.png -------------------------------------------------------------------------------- /docs/404.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Not Found 3 | permalink: /404.html 4 | sitemap: false 5 | --- 6 | 7 | This page doesn't exist! 
8 | -------------------------------------------------------------------------------- /docs/images/screenshots/teams.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/teams.png -------------------------------------------------------------------------------- /docs/images/screenshots/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/license.png -------------------------------------------------------------------------------- /docs/images/screenshots/dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/dashboard.png -------------------------------------------------------------------------------- /docs/images/screenshots/oidc-user.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/oidc-user.png -------------------------------------------------------------------------------- /docs/images/screenshots/oidc-groups.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/oidc-groups.png -------------------------------------------------------------------------------- /docs/images/screenshots/repositories.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/repositories.png -------------------------------------------------------------------------------- /docs/robots.txt: 
-------------------------------------------------------------------------------- 1 | --- 2 | layout: null 3 | sitemap: false 4 | --- 5 | User-agent: * 6 | Sitemap: {{ site.url }}/sitemap.xml 7 | Disallow: /search/ -------------------------------------------------------------------------------- /docs/images/screenshots/dashboard-small.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/dashboard-small.png -------------------------------------------------------------------------------- /docs/images/screenshots/kenna-findings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/kenna-findings.png -------------------------------------------------------------------------------- /docs/images/screenshots/oidc-login-page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/oidc-login-page.png -------------------------------------------------------------------------------- /docs/images/screenshots/vulnerabilities.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/vulnerabilities.png -------------------------------------------------------------------------------- /docs/images/screenshots/vulnerability.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/vulnerability.png -------------------------------------------------------------------------------- /docs/images/screenshots/defectdojo_config.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/defectdojo_config.png -------------------------------------------------------------------------------- /docs/images/screenshots/fortify-ssc-step1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/fortify-ssc-step1.png -------------------------------------------------------------------------------- /docs/images/screenshots/fortify-ssc-step2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/fortify-ssc-step2.png -------------------------------------------------------------------------------- /docs/images/screenshots/fortify-ssc-step3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/fortify-ssc-step3.png -------------------------------------------------------------------------------- /docs/images/screenshots/fortify-ssc-step4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/fortify-ssc-step4.png -------------------------------------------------------------------------------- /docs/images/screenshots/fortify-ssc-step5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/fortify-ssc-step5.png -------------------------------------------------------------------------------- /docs/images/screenshots/kenna-connectors.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/kenna-connectors.png -------------------------------------------------------------------------------- /docs/images/screenshots/threadfix-results.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/threadfix-results.png -------------------------------------------------------------------------------- /docs/images/screenshots/vulnerability-add.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/vulnerability-add.png -------------------------------------------------------------------------------- /docs/images/screenshots/defectdojo_api_key.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/defectdojo_api_key.png -------------------------------------------------------------------------------- /docs/images/screenshots/fortify-ssc-analysis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/fortify-ssc-analysis.png -------------------------------------------------------------------------------- /docs/images/screenshots/notifications-create.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/notifications-create.png -------------------------------------------------------------------------------- /docs/images/screenshots/oidc-keycloak-groups.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/oidc-keycloak-groups.png -------------------------------------------------------------------------------- /docs/images/screenshots/scanners-configure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/scanners-configure.png -------------------------------------------------------------------------------- /docs/images/screenshots/swagger-ui-console.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/swagger-ui-console.png -------------------------------------------------------------------------------- /docs/images/screenshots/vulnerable-component.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/vulnerable-component.png -------------------------------------------------------------------------------- /docs/images/screenshots/audit-finding-project.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/audit-finding-project.png -------------------------------------------------------------------------------- /docs/images/screenshots/defectdojo_create_cicd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/defectdojo_create_cicd.png -------------------------------------------------------------------------------- /docs/images/screenshots/fortify-ssc-artifacts.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/fortify-ssc-artifacts.png -------------------------------------------------------------------------------- /docs/images/screenshots/defectdojo_api_key_menu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/defectdojo_api_key_menu.png -------------------------------------------------------------------------------- /docs/images/screenshots/defectdojo_create_product.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/defectdojo_create_product.png -------------------------------------------------------------------------------- /docs/images/screenshots/kenna-add-kdi-connector.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/kenna-add-kdi-connector.png -------------------------------------------------------------------------------- /docs/images/screenshots/kenna-project-properties.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/kenna-project-properties.png -------------------------------------------------------------------------------- /docs/images/screenshots/notifications-configure.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/notifications-configure.png -------------------------------------------------------------------------------- /.gitignore: 
-------------------------------------------------------------------------------- 1 | docs/_site/ 2 | docs/.sass-cache/ 3 | docs/.jekyll-metadata 4 | 5 | # vscode 6 | .settings/ 7 | target/ 8 | .classpath 9 | .project 10 | .idea/ 11 | -------------------------------------------------------------------------------- /docs/images/screenshots/defectdojo_create_cicd_menu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/defectdojo_create_cicd_menu.png -------------------------------------------------------------------------------- /docs/images/screenshots/kenna-dtrack-configuration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/kenna-dtrack-configuration.png -------------------------------------------------------------------------------- /docs/images/screenshots/configure-internal-components.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/configure-internal-components.png -------------------------------------------------------------------------------- /docs/images/screenshots/defectdojo_cicd_engagement_id.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/defectdojo_cicd_engagement_id.png -------------------------------------------------------------------------------- /docs/images/screenshots/oidc-keycloak-client-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/oidc-keycloak-client-settings.png 
-------------------------------------------------------------------------------- /docs/_posts/2018-06-20-v3.1.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.1.1 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | * Fixed issue where new permissions were not being added to database on upgrades -------------------------------------------------------------------------------- /docs/images/screenshots/fortify-ssc-dtrack-configuration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/fortify-ssc-dtrack-configuration.png -------------------------------------------------------------------------------- /docs/images/screenshots/threadfix-remoteprovider-create.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/threadfix-remoteprovider-create.png -------------------------------------------------------------------------------- /docs/images/screenshots/vulnerability-affected-projects.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/vulnerability-affected-projects.png -------------------------------------------------------------------------------- /docs/_docs/analysis-types/integrity-verification.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Integrity Verification 3 | category: Analysis Types 4 | chapter: 3 5 | order: 6 6 | --- 7 | 8 | Work in progress 9 | -------------------------------------------------------------------------------- /docs/images/screenshots/threadfix-remoteprovider-mappings.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/threadfix-remoteprovider-mappings.png -------------------------------------------------------------------------------- /docs/images/screenshots/oidc-keycloak-create-protocol-mapper.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/product/dependency-track/master/docs/images/screenshots/oidc-keycloak-create-protocol-mapper.png -------------------------------------------------------------------------------- /src/main/resources/application.version: -------------------------------------------------------------------------------- 1 | # Automatically populated by Maven build - do not modify 2 | name=${project.name} 3 | version=${project.version} 4 | timestamp=${timestamp} 5 | uuid=${project.build.uuid} 6 | -------------------------------------------------------------------------------- /docs/_posts/2018-03-30-v3.0.2.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.0.2 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | 8 | * Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring. 
9 | -------------------------------------------------------------------------------- /docs/_posts/_defaults.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: 3 | type: major 4 | --- 5 | 6 | This release introduces 7 | 8 | **Features:** 9 | 10 | * 11 | 12 | **Fixes:** 13 | 14 | * 15 | 16 | **Upgrade Notes:** 17 | 18 | * -------------------------------------------------------------------------------- /docs/images/menu.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /docs/_docs/integrations/ecosystem.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Ecosystem Overview 3 | category: Integrations 4 | chapter: 6 5 | order: 1 6 | --- 7 | 8 | ![](../../images/integrations.png) 9 |
Use of logos does not imply endorsement
-------------------------------------------------------------------------------- /docs/_posts/2018-05-02-v3.0.4.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.0.4 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | 8 | * Fixed defect resulting in incorrect results returned when filtering on components in the project view 9 | * Synced CycloneDX specification to latest v1.0.1 release -------------------------------------------------------------------------------- /docs/_docs/analysis-types/license.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: License Evaluation 3 | category: Analysis Types 4 | chapter: 3 5 | order: 3 6 | --- 7 | 8 | As part of the Dependency-Track policy engine, component licenses can be evaluated against one or more policies. 9 | 10 | -------------------------------------------------------------------------------- /upgrade/3.0.0_to_3.0.1.sql: -------------------------------------------------------------------------------- 1 | /* 2 | Removes the constraint on having a unique project name thus preventing 3 | multiple versions of the project from existing. 4 | https://github.com/DependencyTrack/dependency-track/issues/118 5 | */ 6 | ALTER TABLE PROJECT DROP CONSTRAINT PROJECT_NAME_IDX; -------------------------------------------------------------------------------- /.github/default-release-notes.md: -------------------------------------------------------------------------------- 1 | For official releases, refer to [Dependency Track Docs >> Changelogs](https://docs.dependencytrack.org/changelog/) for information about improvements and upgrade notes. 2 | If additional details are required, consult the closed issues for this release milestone. 
3 | -------------------------------------------------------------------------------- /docs/Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | gem 'jekyll', '3.7.4' 4 | 5 | group :jekyll_plugins do 6 | gem 'jekyll-feed', '0.9.3' 7 | gem 'jekyll-seo-tag', '2.4.0' 8 | gem 'jekyll-sitemap', '1.2.0' 9 | gem 'jekyll-redirect-from' 10 | gem 'jekyll-mermaid', '~> 1.0' 11 | end -------------------------------------------------------------------------------- /src/main/webapp/WEB-INF/fragments/error.jsp: -------------------------------------------------------------------------------- 1 | <%@page contentType="application/json; charset=UTF-8" pageEncoding="UTF-8" isErrorPage="true"%> 2 | <% 3 | // String errorMessage = exception.getMessage(); 4 | response.setStatus(500); 5 | %> 6 | { 7 | "message": "An error occurred. Please try again." 8 | } -------------------------------------------------------------------------------- /docs/_plugins/replace-regex.rb: -------------------------------------------------------------------------------- 1 | module Jekyll 2 | module RegexFilter 3 | def replace_regex(input, regex_string, replace_string) 4 | regex = Regexp.new regex_string 5 | input.gsub regex, replace_string 6 | end 7 | end 8 | end 9 | 10 | Liquid::Template.register_filter(Jekyll::RegexFilter) 11 | -------------------------------------------------------------------------------- /docs/_sass/_tables.scss: -------------------------------------------------------------------------------- 1 | table { 2 | width: 100%; 3 | margin-bottom: 1.75em; 4 | } 5 | 6 | tr { 7 | border-bottom: 1px solid #EEE; 8 | } 9 | 10 | tr { 11 | background: #ffffff; 12 | } 13 | 14 | td, th { 15 | padding: 8px; 16 | text-align: left; 17 | border: 1px solid #EEE; 18 | } 19 | 20 | th { 21 | padding-bottom: 4px; 22 | } 23 | -------------------------------------------------------------------------------- 
/.github/ISSUE_TEMPLATE/enhancement-request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Enhancement Request 3 | about: Request improvements or ideas for new features 4 | title: '' 5 | labels: enhancement 6 | assignees: '' 7 | --- 8 | The enhancement may already be reported! Please search for the enhancement before creating one. 9 | 10 | ### Current Behavior: 11 | 12 | 13 | ### Proposed Behavior: 14 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: maven 4 | directory: / 5 | schedule: 6 | interval: daily 7 | - package-ecosystem: docker 8 | directory: /src/main/docker 9 | schedule: 10 | interval: weekly 11 | - package-ecosystem: github-actions 12 | directory: / 13 | schedule: 14 | interval: weekly 15 | -------------------------------------------------------------------------------- /.github/workflows/dependency-review.yaml: -------------------------------------------------------------------------------- 1 | name: Dependency Review 2 | on: 3 | pull_request: 4 | 5 | permissions: 6 | contents: read 7 | 8 | jobs: 9 | dependency-review: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - name: Checkout Repository 13 | uses: actions/checkout@v3.0.2 14 | 15 | - name: Dependency Review 16 | uses: actions/dependency-review-action@v1 17 | -------------------------------------------------------------------------------- /clearlogs.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # This is a non-production script which simply zeros out various log files. 4 | # Executing this script prior to launching Dependency-Track in a development 5 | # environment is the intended use-case. 
6 | 7 | echo -n > ~/.dependency-track/dependency-track.log 8 | echo -n > ~/.dependency-track/dependency-track-audit.log 9 | echo -n > ~/.dependency-track/server.log 10 | -------------------------------------------------------------------------------- /src/main/resources/templates/notification/publisher/console.peb: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 2 | Notification 3 | -- timestamp: {{ timestamp }} 4 | -- level: {{ notification.level }} 5 | -- scope: {{ notification.scope }} 6 | -- group: {{ notification.group }} 7 | -- title: {{ notification.title }} 8 | -- content: {{ notification.content }} 9 | -------------------------------------------------------------------------------- /upgrade/3.7.1_and_previous_maven_central_fix.sql: -------------------------------------------------------------------------------- 1 | /* 2 | This statement changes the URL for Maven Central from using HTTP to HTTPS. 3 | As of January 2020, Maven Central no longer accepts HTTP requests and will 4 | respond with a 501. This prevents Java components from being analyzed for 5 | being out-of-date. 
6 | */ 7 | 8 | UPDATE "REPOSITORY" SET "URL" = 'https://repo1.maven.org/maven2/' WHERE "TYPE" = 'MAVEN' AND "IDENTIFIER" = 'central'; 9 | -------------------------------------------------------------------------------- /.github/workflows/ci-build.yaml: -------------------------------------------------------------------------------- 1 | name: Build CI 2 | 3 | on: 4 | push: 5 | branches: 6 | - 'master' # Default branch 7 | - '[0-9]+.[0-9]+.x' # Release branches 8 | workflow_dispatch: 9 | 10 | jobs: 11 | call-build: 12 | uses: ./.github/workflows/_meta-build.yaml 13 | with: 14 | app-version: "snapshot" 15 | secrets: 16 | registry-0-usr: ${{ secrets.HUB_USERNAME }} 17 | registry-0-psw: ${{ secrets.HUB_ACCESSS_TOKEN }} 18 | -------------------------------------------------------------------------------- /src/main/webapp/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Dependency-Track 6 | 7 | 8 |

Dependency-Track API Server

9 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /src/main/resources/templates/notification/publisher/webhook.peb: -------------------------------------------------------------------------------- 1 | { 2 | "notification": { 3 | "level": "{{ notification.level | escape(strategy="json") }}", 4 | "scope": "{{ notification.scope | escape(strategy="json") }}", 5 | "group": "{{ notification.group | escape(strategy="json") }}", 6 | "timestamp": "{{ notification.timestamp }}", 7 | "title": "{{ notification.title | escape(strategy="json") }}", 8 | "content": "{{ notification.content | escape(strategy="json") }}", 9 | "subject": {{ subjectJson | raw }} 10 | } 11 | } -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/Libtool-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "As a special exception to the GNU General Public License, if you distribute this file as part of a program or library that is built using GNU Libtool, you may include this file under the same distribution terms that you use for the rest of that program.\n", 4 | "name": "Libtool Exception", 5 | "seeAlso": [ 6 | "http://git.savannah.gnu.org/cgit/libtool.git/tree/m4/libtool.m4" 7 | ], 8 | "licenseExceptionId": "Libtool-exception" 9 | } -------------------------------------------------------------------------------- /docs/_posts/2019-10-01-v3.6.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.6.1 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | 8 | * Fixed issue that prevented upgrades to 3.6.0 when using Microsoft SQL Server 9 | 10 | ###### dependency-track-embedded.war 11 | 12 | | Algorithm | Checksum | 13 | | SHA-1 | f18f248d2601878b3d437e3c6539311dc4a31c47 | 14 | | SHA-256 | 
b24cc49e8483c4841d6bc3efa9c1f944836a9524028960ee463ae4db7dac7c02 | 15 | 16 | ###### dependency-track.war 17 | 18 | | Algorithm | Checksum | 19 | | SHA-1 | b758993e26f812494ca0191e7ad39037f2cd79ea | 20 | | SHA-256 | da128b3602ea4e0214558074abd3df30201e7d858b79a7abb5065d358db19b40 | 21 | -------------------------------------------------------------------------------- /docs/changelog.html: -------------------------------------------------------------------------------- 1 | --- 2 | title: Change Log 3 | --- 4 | 5 |

Subscribe with RSS to keep up with the latest changes.

6 | 7 |
8 | {% for change in site.posts %} 9 |
10 |

{{ change.title }}

11 |

{{ change.date | date: "%B %d, %Y" }} {{ change.type }}

12 | 13 | {{ change.content }} 14 | 15 | 16 |
17 | {% endfor %} 18 |
19 | -------------------------------------------------------------------------------- /docs/_posts/2019-04-16-v3.4.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.4.1 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | 8 | * Fixed defect that caused high CPU consumption (via thread exhaustion) in some cases when NPM Audit was enabled. 9 | 10 | 11 | ###### dependency-track-embedded.war 12 | 13 | | Algorithm | Checksum | 14 | | SHA-1 | f8da8e34a3cabcf72b721488f5294710ff632bf6 | 15 | | SHA-256 | 72391cc636c2159ffc0c516f2001688129a3b6424164c98ce9045c0fd5c3219b | 16 | 17 | ###### dependency-track.war 18 | 19 | | Algorithm | Checksum | 20 | | SHA-1 | 1cdb5b6c5698229b21acbc610df77ec819ad5180 | 21 | | SHA-256 | 619e9ae00feb9f9723bef68981d32932d2d5cdf808b192619bf072d525224f5e | 22 | -------------------------------------------------------------------------------- /docs/_posts/2018-04-13-v3.0.3.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.0.3 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | 8 | * Fixed defect resulting in incorrect vulnerability counts for projects 9 | * Fixed defect which prevented project metrics from returning results 10 | * Fixed issue related to the assignment of tags on project creation 11 | * Added the VIEW_PORTFOLIO permission to the 'automation' team on new installs 12 | * Updated several dependencies 13 | * Performance improvements in database connection pool 14 | * Fixed defect where database connections were not being reconnected if the connection was lost 15 | * Fixed multiple defects related to component reconciliation when processing BOM and scan uploads -------------------------------------------------------------------------------- /docs/_docs/datasources/github-advisories.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: GitHub Advisories 3 | category: Datasources 4 | 
chapter: 4 5 | order: 2 6 | redirect_from: 7 | - /datasources/nsp/ 8 | - /datasources/npm/ 9 | --- 10 | 11 | GitHub Advisories is a centralized source of vulnerability intelligence specific to GitHub projects. GitHub advisories may 12 | or may not be documented in the National Vulnerability Database. 13 | 14 | Dependency-Track integrates with GitHub Advisories using the public GraphQL API. In doing so, Dependency-Track is able 15 | to create a mirror of all GitHub advisory data. The mirror is kept up-to-date on a daily basis, or upon the restarting of the 16 | Dependency-Track instance. 17 | -------------------------------------------------------------------------------- /docs/_posts/2019-07-17-v3.5.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.5.1 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | 8 | * [GHSA-jp9v-w6vw-9m5v](https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-jp9v-w6vw-9m5v) Cross-Site Scripting (XSS): Persistent 9 | 10 | 11 | ###### dependency-track-embedded.war 12 | 13 | | Algorithm | Checksum | 14 | | SHA-1 | aafdfa3142dc478b95f1d6ffc268b2a1832ccb29 | 15 | | SHA-256 | 73bbe06a22f84ce7b099da3c552e267c980f0f8c58ca6cccdd3eaa210bfe9b6c | 16 | 17 | ###### dependency-track.war 18 | 19 | | Algorithm | Checksum | 20 | | SHA-1 | cf71dbf7ae697038d6a42485f14991f343ffdeff | 21 | | SHA-256 | 271705e72e94e9f9fb36159ea110a05ff465c4d1f2572a89570774e57c08a247 | 22 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/gnu-javamail-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "As a special exception, if you link this library with other files to produce an executable, this library does not by itself cause the resulting executable to be covered by the GNU General Public License. 
This exception does not however invalidate any other reasons why the executable file might be covered by the GNU General Public License.\"\n", 4 | "name": "GNU JavaMail exception", 5 | "licenseComments": "Typically used with GPL (any version)", 6 | "seeAlso": [ 7 | "http://www.gnu.org/software/classpathx/javamail/javamail.html" 8 | ], 9 | "licenseExceptionId": "gnu-javamail-exception" 10 | } -------------------------------------------------------------------------------- /docs/_sass/_mixins.scss: -------------------------------------------------------------------------------- 1 | @mixin flex-direction($values) { 2 | -webkit-flex-direction: $values; 3 | flex-direction: $values; 4 | } 5 | 6 | @mixin flex-flow($values) { 7 | -webkit-flex-flow: $values; 8 | flex-flow: $values; 9 | } 10 | 11 | @mixin align-items($values) { 12 | -webkit-align-items: $values; 13 | align-items: $values; 14 | } 15 | 16 | @mixin justify-content($values) { 17 | -webkit-justify-content: $values; 18 | justify-content: $values; 19 | } 20 | 21 | @mixin flex($values) { 22 | -webkit-flex: $values; 23 | flex: $values; 24 | } 25 | 26 | @mixin display-flex() { 27 | display: -webkit-flex; 28 | display: flex; 29 | } 30 | 31 | @mixin display-inline-flex() { 32 | display: -webkit-inline-flex; 33 | display: inline-flex; 34 | } 35 | -------------------------------------------------------------------------------- /prerelease.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # This script (for macOS) will release Dependency-Track 3 | 4 | export JAVA_HOME=`/usr/libexec/java_home -v 11` 5 | export PATH=JAVA_HOME/bin:$PATH 6 | 7 | mvn clean 8 | mvn package -Dmaven.test.skip=true -P clean-exclude-wars -P enhance -P embedded-jetty -Dlogback.configuration.file=src/main/docker/logback.xml 9 | mvn clean -P clean-exclude-wars 10 | mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -P bundle-ui 
-Dlogback.configuration.file=src/main/docker/logback.xml 11 | mvn clean -P clean-exclude-wars 12 | mvn package -Dmaven.test.skip=true -P enhance -P bundle-ui 13 | mvn clean -P clean-exclude-wars 14 | mvn net.nicoulaj.maven.plugins:checksum-maven-plugin:files 15 | mvn github-release:release 16 | -------------------------------------------------------------------------------- /docs/_posts/2018-03-29-v3.0.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.0.1 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | 8 | * Fixed data model issue which prevented multiple versions of the same project name from being persisted. 9 | * Fixed issue in admin console which did not properly display the number of team members. 10 | 11 | **Upgrade Notes:** 12 | 13 | If v3.0.0 was deployed, shutdown Dependency-Track, execute the following statement against the database, 14 | and deploy v3.0.1. 15 | 16 | ```sql 17 | /* 18 | Removes the constraint on having a unique project name thus preventing 19 | multiple versions of the project from existing. 
20 | https://github.com/DependencyTrack/dependency-track/issues/118 21 | */ 22 | ALTER TABLE PROJECT DROP CONSTRAINT PROJECT_NAME_IDX; 23 | ``` -------------------------------------------------------------------------------- /docs/_posts/2020-01-07-v3.7.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.7.1 3 | type: minor 4 | --- 5 | 6 | **Features:** 7 | 8 | * Added additional debug logging to metric update tasks 9 | 10 | **Fixes:** 11 | 12 | * Fixed portfolio metrics issue that allowed multiple operations to be executed simultaneously leading to performance degradation 13 | 14 | ###### dependency-track-embedded.war 15 | 16 | | Algorithm | Checksum | 17 | | SHA-1 | 5cd02dc5c6ca8aba3cea1ad5ad03d039ecdd757c | 18 | | SHA-256 | f80f527d96692a45f3bba86849551debf4b407bd880f104b890912975cc865ca | 19 | 20 | ###### dependency-track.war 21 | 22 | | Algorithm | Checksum | 23 | | SHA-1 | 766d5394ce7a5a0e08c96a55930adc3377897d99 | 24 | | SHA-256 | 4e6233013af574585d93dd99586455a810ea434c3bc5da95e53aad45751f5bc2 | 25 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/ask-a-question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Ask a question - Use Slack instead - Do not create issues for questions 3 | about: Have a question about Dependency-Track? 4 | title: '' 5 | labels: question 6 | assignees: '' 7 | --- 8 | All questions should be directed to the Dependency-Track Slack channel or to GitHub discussions 9 | Questions submitted through GitHub issues will be closed. 
10 | 11 | Slack channel 12 | - https://dependencytrack.org/slack 13 | 14 | Slack invite 15 | - https://dependencytrack.org/slack/invite 16 | 17 | GitHub discussions 18 | - https://github.com/DependencyTrack/dependency-track/discussions 19 | 20 | Groups.io (mailing list) 21 | - https://dependencytrack.org/discussion 22 | 23 | Providing as much detail as possible, what is your question? 24 | -------------------------------------------------------------------------------- /docs/_posts/2018-10-02-v3.2.2.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.2.2 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | 8 | * Critical defect which may lead to duplicate or erroneous requests to NPM Audit API 9 | 10 | **Changes:** 11 | 12 | * Added checksums.xml including SHA-1, SHA-256, SHA-512 checksums for traditional and embedded wars to GitHub releases. 13 | 14 | ###### dependency-track-embedded.war 15 | 16 | | Algorithm | Checksum | 17 | | SHA-1 | fead4ed834b4738b8c19c427ae57653f7af4a3b8 | 18 | | SHA-256 | ee53ceacb07b0b0b4dfa88e2bdc2e905668f0dd6d42ca1000b3204d0a2ee1842 | 19 | 20 | ###### dependency-track.war 21 | 22 | | Algorithm | Checksum | 23 | | SHA-1 | defbb7a40bb12c3beacdeb43fb5fd325d226da50 | 24 | | SHA-256 | c154f0f07c9875d602d3e1df93d93d617e83f350ef683bdb16eb193d03a86ea5 | 25 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/defect-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Defect Report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: 'in triage' 6 | assignees: '' 7 | --- 8 | The defect may already be reported! Please search for the defect before creating one. 
9 | 10 | 11 | ### Current Behavior: 12 | 13 | 14 | ### Steps to Reproduce: 15 | 16 | 17 | ### Expected Behavior: 18 | 19 | 20 | ### Environment: 21 | 22 | - Dependency-Track Version: 23 | - Distribution: [ Docker | Executable WAR | Traditional WAR ] 24 | - BOM Format & Version: 25 | - Database Server: [ H2 | MSSQL | MySQL | PostgreSQL ] 26 | - Browser: 27 | 28 | ### Additional Details: 29 | 30 | (e.g. detailed explanation, stacktraces, related issues, suggestions on how to fix, links for us to have context, e.g. stackoverflow, gitter, etc.) 31 | -------------------------------------------------------------------------------- /docs/_docs/triage/auditing-basics.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Auditing Basics 3 | category: Triage Results 4 | chapter: 5 5 | order: 1 6 | --- 7 | 8 | Dependency-Track incorporates an enterprise-class auditing workflow engine capable of keeping track of audit history, 9 | comments and analysis decisions for all findings. 10 | 11 | ### Auditing Projects 12 | 13 | Project auditing is the process of triaging findings on the components for each project. Audit decisions, comments, 14 | and audit history performed on a project only affect the findings for that project. 15 | 16 | The **VULNERABILITY_ANALYSIS** permission is required to perform project auditing. 17 | The audit trail will be visible to all users with the **VIEW_VULNERABILITY** permission. 18 | 19 | ![Project Auditing](/images/screenshots/audit-finding-project.png) 20 | 21 | -------------------------------------------------------------------------------- /docs/_posts/2021-09-20-v4.3.5.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v4.3.5 3 | type: patch 4 | --- 5 | 6 | No changes in this release. 
7 | 8 | 9 | ###### dependency-track-apiserver.war 10 | 11 | | Algorithm | Checksum | 12 | | SHA-1 | d13ea84585009e70da2745690f4580b8db2a6e75 | 13 | | SHA-256 | 5334a13a5cc0662986d1643463c22bd6a7f3875165ad89296e2f9704b51acec5 | 14 | 15 | ###### dependency-track-bundled.war 16 | 17 | | Algorithm | Checksum | 18 | | SHA-1 | 2aee316ac07c5941a7ba734c30bec4f517cc2df1 | 19 | | SHA-256 | 3053e47cee828f459bede221159d68a61294670c3aed0720901273c7f3091256 | 20 | 21 | ###### Software Bill of Materials (SBOM) ###### 22 | 23 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.5/bom.json) 24 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.5/bom.xml) 25 | -------------------------------------------------------------------------------- /docs/_sass/_code.scss: -------------------------------------------------------------------------------- 1 | pre, code, tt { 2 | font-family: Inconsolata, Consolas, Courier, "Courier New", "Liberation Mono", monospace; 3 | font-size: 0.85em; 4 | white-space: pre-wrap; 5 | border-radius: 2px; 6 | line-height: 1.4; 7 | font-weight: 400; 8 | background-color: #44475A; 9 | color: #FAFAFA; 10 | border: 1px solid #282A36; 11 | } 12 | 13 | pre { 14 | box-sizing: border-box; 15 | margin: 0 0 1.75em 0; 16 | width: 100%; 17 | padding: 10px; 18 | font-size: 0.9em; 19 | white-space: pre; 20 | overflow: auto; 21 | border-radius: 3px; 22 | 23 | code, tt { 24 | font-size: inherit; 25 | white-space: pre-wrap; 26 | background: transparent; 27 | border: none; 28 | padding: 0 29 | } 30 | } 31 | 32 | blockquote > code, 33 | li > code, 34 | p > code { 35 | padding: 4px 6px; 36 | white-space: nowrap; 37 | } 38 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Reporting Security Issues 2 | 3 | The Dependency-Track team and community take security bugs seriously. 
We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. 4 | 5 | To report a security issue, email [security@dependencytrack.org](mailto:security@dependencytrack.org) and [steve.springett@owasp.org](mailto:steve.springett@owasp.org) and include the word "SECURITY" in the subject line. 6 | 7 | The Dependency-Track team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. 8 | 9 | Report security bugs in third-party modules to the person or team maintaining the module. 10 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/Swift-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "### Runtime Library Exception to the Apache 2.0 License: ###\n\nAs an exception, if you use this Software to compile your source code and\nportions of this Software are embedded into the binary product as a result,\nyou may redistribute such product without providing attribution as would\notherwise be required by Sections 4(a), 4(b) and 4(d) of the License.\n", 4 | "name": "Swift Exception", 5 | "licenseComments": "This exception was created specifically to be used with Apache-2.0", 6 | "seeAlso": [ 7 | "https://swift.org/LICENSE.txt", 8 | "https://github.com/apple/swift-package-manager/blob/7ab2275f447a5eb37497ed63a9340f8a6d1e488b/LICENSE.txt#L205" 9 | ], 10 | "licenseExceptionId": "Swift-exception" 11 | } -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/Bootloader-exception.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "Bootloader Exception\n--------------------\n\nIn addition to the permissions in the GNU General Public License, the\nauthors give you unlimited permission to link or embed compiled bootloader\nand related files into combinations with other programs, and to distribute\nthose combinations without any restriction coming from the use of those\nfiles. (The General Public License restrictions do apply in other respects;\nfor example, they cover modification of the files, and distribution when\nnot linked into a combine executable.)\n", 4 | "name": "Bootloader Distribution Exception", 5 | "seeAlso": [ 6 | "https://github.com/pyinstaller/pyinstaller/blob/develop/COPYING.txt" 7 | ], 8 | "licenseExceptionId": "Bootloader-exception" 9 | } -------------------------------------------------------------------------------- /docs/_docs/integrations/rest-api.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: REST API 3 | category: Integrations 4 | chapter: 6 5 | order: 8 6 | --- 7 | 8 | Dependency-Track is built using a *thin server architecture* and an *API-first design*. APIs are at the heart 9 | of the platform. Every API is fully documented via Swagger 2.0. 10 | 11 | > http://{hostname}:{port}/api/swagger.json 12 | 13 | The Swagger UI Console (not included) can be used to visualize and explore the wide range of possibilities. Chrome and 14 | Firefox extensions can be used to quickly access the Swagger UI Console. 15 | 16 | ![Swagger UI Console](/images/screenshots/swagger-ui-console.png) 17 | 18 | Prior to using the REST APIs, an API Key must be generated. By default, creating a team will also create a corresponding 19 | API key. A team may have multiple keys. 
20 | 21 | ![Teams - API Key](/images/screenshots/teams.png) 22 | -------------------------------------------------------------------------------- /docs/_posts/2018-09-21-v3.2.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.2.1 3 | type: minor 4 | --- 5 | 6 | **Features:** 7 | 8 | * The NSP Advisory API has been removed and replaced with the NPM Public Advisory API 9 | 10 | **Fixes:** 11 | 12 | * Processing and permission corrections to new multi-part BOM upload API 13 | * UI corrections for vulnerabilities with unassigned severity 14 | * Fixes for displaying and processing of vulnerabilities without CVSS scores 15 | * Minor changes to severity colour scheme 16 | 17 | **Upgrade Notes:** 18 | 19 | All previous NSP vulnerabilities will automatically be migrated to NPM vulnerabilities. No additional 20 | action is required. Unlike NSP vulnerabilities, NPM does not provide CVSS scores or vectors. Therefore 21 | all NPM vulnerabilities will no longer display the CVSS vector, or the base, impact, or exploitability 22 | scores and corresponding chart data. 
-------------------------------------------------------------------------------- /src/main/resources/templates/badge/project-novulns.peb: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | dependencies 13 | dependencies 14 | no vulns 15 | no vulns 16 | 17 | 18 | -------------------------------------------------------------------------------- /docs/css/main.scss: -------------------------------------------------------------------------------- 1 | --- 2 | layout: null 3 | sitemap: false 4 | --- 5 | 6 | {% if site.baseurl and site.baseurl != "" %} 7 | $baseurl: "{{ site.baseurl }}"; 8 | {% else %} 9 | $baseurl: ""; 10 | {% endif %} 11 | $body-background-color: #2B2E31; 12 | 13 | $content-max-width: 800px; 14 | $content-color: #222; 15 | $content-background-color: #f0f0f0; 16 | 17 | $brand-colour: #1A232F; 18 | $brand-colour-light: mix($brand-colour, $content-background-color, 10%); 19 | 20 | $nav-header-background-color: $brand-colour; 21 | $nav-header-height: 60px; 22 | $nav-background-color: #1A232F; 23 | $nav-width: 300px; 24 | 25 | $space: 20px; 26 | 27 | $mobile-break: 700px; 28 | $full-width-break: $nav-width + ($space * 4) + $content-max-width; 29 | 30 | @import "mixins"; 31 | @import "normalize"; 32 | @import "pygments"; 33 | @import "typography"; 34 | @import "code"; 35 | @import "tables"; 36 | @import "layout"; 37 | -------------------------------------------------------------------------------- /src/main/resources/templates/badge/project-nometrics.peb: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | dependencies 13 | dependencies 14 | no metrics 15 | no metrics 16 | 17 | 18 | -------------------------------------------------------------------------------- /docs/images/badge-project-novulns.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 
| 7 | 8 | 9 | 10 | 11 | 12 | dependencies 13 | dependencies 14 | no vulns 15 | no vulns 16 | 17 | 18 | -------------------------------------------------------------------------------- /docs/images/badge-project-nometrics.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | dependencies 13 | dependencies 14 | no metrics 15 | no metrics 16 | 17 | 18 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/persistence/IQueryManager.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.persistence; 20 | 21 | interface IQueryManager { 22 | } 23 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/policy/PolicyEngineTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.policy; 20 | 21 | public class PolicyEngineTest { 22 | } 23 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/parser/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains various parsers. 
22 | */ 23 | package org.dependencytrack.parser; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/parser/nvd/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Base package for the NVD parser. 22 | */ 23 | package org.dependencytrack.parser.nvd; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/parser/spdx/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Base package for SPDX parsers. 22 | */ 23 | package org.dependencytrack.parser.spdx; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/resources/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains JAX-RS resources. 
22 | */ 23 | package org.dependencytrack.resources; -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/LZMA-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "I.6 Special exception for LZMA compression module\n\nIgor Pavlov and Amir Szekely, the authors of the LZMA compression module for NSIS, expressly permit you to statically or dynamically link your code (or bind by name) to the files from the LZMA compression module for NSIS without subjecting your linked code to the terms of the Common Public license version 1.0. Any modifications or additions to files from the LZMA compression module for NSIS, however, are subject to the terms of the Common Public License version 1.0.\n", 4 | "name": "LZMA exception", 5 | "licenseComments": "Used by the LZMA compression module for NSIS to apply an exception to CPL-1.0", 6 | "seeAlso": [ 7 | "http://nsis.sourceforge.net/Docs/AppendixI.html#I.6" 8 | ], 9 | "licenseExceptionId": "LZMA-exception" 10 | } -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/exception/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains various Exception classes. 22 | */ 23 | package org.dependencytrack.exception; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/search/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains search engine related classes. 22 | */ 23 | package org.dependencytrack.search; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/tasks/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains scheduled and event-driven tasks. 22 | */ 23 | package org.dependencytrack.tasks; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/auth/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package containing authentication and authorization classes. 
22 | */ 23 | package org.dependencytrack.auth; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/persistence/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains persistence classes and generators. 22 | */ 23 | package org.dependencytrack.persistence; -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/Font-exception-2.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "As a special exception, if you create a document which uses this font, and embed this font or unaltered portions of this font into the document, this font does not by itself cause the resulting document to be covered by the GNU General Public License. This exception does not however invalidate any other reasons why the document might be covered by the GNU General Public License. If you modify this font, you may extend this exception to your version of the font, but you are not obligated to do so. 
If you do not wish to do so, delete this exception statement from your version.\n", 4 | "name": "Font exception 2.0", 5 | "licenseComments": "Typically used with GPL-2.0", 6 | "seeAlso": [ 7 | "http://www.gnu.org/licenses/gpl-faq.html#FontException" 8 | ], 9 | "licenseExceptionId": "Font-exception-2.0" 10 | } -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/resources/v1/LicenseGroupResourceTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | package org.dependencytrack.resources.v1; 21 | 22 | public class LicenseGroupResourceTest { 23 | } 24 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/model/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains model classes. Most model classes will be persistable. 22 | */ 23 | package org.dependencytrack.model; -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/PS-or-PDF-font-exception-20170817.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "The font and related files in this directory are distributed under the\nGNU AFFERO GENERAL PUBLIC LICENSE Version 3 (see the file COPYING), with\nthe following exemption:\n\nAs a special exception, permission is granted to include these font\nprograms in a Postscript or PDF file that consists of a document that\ncontains text to be displayed or printed using this font, regardless\nof the conditions or license applying to the document itself.\n", 4 | "name": "PS/PDF font exception (2017-08-17)", 5 | "licenseComments": "Author-suggested standard header language recommends use with APGL-3.0", 6 | "seeAlso": [ 7 | "https://github.com/ArtifexSoftware/urw-base35-fonts/blob/65962e27febc3883a17e651cdb23e783668c996f/LICENSE" 8 | ], 9 | "licenseExceptionId": "PS-or-PDF-font-exception-20170817" 10 | } -------------------------------------------------------------------------------- /docs/_docs/datasources/internal-components.md: 
-------------------------------------------------------------------------------- 1 | --- 2 | title: Internal Components 3 | category: Datasources 4 | chapter: 4 5 | order: 7 6 | --- 7 | 8 | Organizations have the ability to specify a namespace and/or name which represents internally 9 | developed components. Components identified as internal will not be analyzed using external 10 | sources of vulnerability intelligence or external repositories. With this option configured, 11 | it is possible, for example, to skip the analysis of internal components via OSS Index, NPM Audit, 12 | Maven Central, and npm.js. Organizations that have a unique namespace and/or name which does 13 | not conflict with known third-party namespaces and/or names, may opt to define internal components 14 | if the disclosure of such information is not desirable. 15 | 16 | > By default, components are not identified as internal. 17 | 18 | ![configure internal components](/images/screenshots/configure-internal-components.png) 19 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/notification/NotificationScope.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. 
All Rights Reserved. 18 | */ 19 | package org.dependencytrack.notification; 20 | 21 | public enum NotificationScope { 22 | SYSTEM, 23 | PORTFOLIO 24 | } -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/metrics/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains helper method for creating or manipulating various metrics. 22 | */ 23 | package org.dependencytrack.metrics; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/resources/v1/vo/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains value objects used to parse or format JSON. 22 | */ 23 | package org.dependencytrack.resources.v1.vo; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/resources/v1/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains JAX-RS resources for v1 of the Dependency-Track API. 
22 | */ 23 | package org.dependencytrack.resources.v1; -------------------------------------------------------------------------------- /docs/_docs/getting-started/deploy-war.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Deploying the WAR 3 | category: Getting Started 4 | chapter: 1 5 | order: 3 6 | --- 7 | 8 | This is the most difficult to deploy option as it requires an already installed and configured Servlet 9 | container such as Apache Tomcat 8.5 and higher. Follow the Servlet containers instructions for deploying `dependency-track.war`. 10 | 11 | `dependency-track.war` must be deployed to the ROOT context. 12 | 13 | > **Deprecated and unsupported** 14 | > 15 | > Traditional WAR deployments to a Servlet container are deprecated, unsupported, and will no longer be produced in a 16 | > future version of Dependency-Track. It is advisable that organizations migrate to a container strategy such as 17 | > Docker or Kubernetes. 18 | 19 | ### Requirements 20 | 21 | | Minimum | Recommended | 22 | |:---------|:--------| 23 | | Java 8 u162 (or higher) | Java 8 u162 or higher | 24 | | 4GB RAM | 16GB RAM | 25 | | 2 CPU cores | 4 CPU cores | 26 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/parser/spdx/json/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains JSON parser for processing SPDX license information. 22 | */ 23 | package org.dependencytrack.parser.spdx.json; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/VulnDbSyncEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import alpine.event.framework.Event; 22 | 23 | public class VulnDbSyncEvent implements Event { 24 | 25 | } 26 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/parser/cyclonedx/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Base package for the CycloneDX functionality specific to Dependency-Track. 22 | */ 23 | package org.dependencytrack.parser.cyclonedx; -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/package-info.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | 20 | /** 21 | * Package contains initialization for the event subsystem and 22 | * Dependency-Track specific events. 
23 | */ 24 | package org.dependencytrack.event; -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/eCos-exception-2.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "As a special exception, if other files instantiate templates or use macros or inline functions from this file, or you compile this file and link it with other works to produce a work based on this file, this file does not by itself cause the resulting work to be covered by the GNU General Public License. However the source code for this file must still be made available in accordance with section (3) of the GNU General Public License.\n\nThis exception does not invalidate any other reasons why a work based on this file might be covered by the GNU General Public License.\n", 4 | "name": "eCos exception 2.0", 5 | "licenseComments": "Typically used with GPL-2.0. Similar to Macro and Inlines Functions Exception", 6 | "seeAlso": [ 7 | "http://ecos.sourceware.org/license-overview.html" 8 | ], 9 | "licenseExceptionId": "eCos-exception-2.0" 10 | } -------------------------------------------------------------------------------- /upgrade/README.md: -------------------------------------------------------------------------------- 1 | Upgrade Notes 2 | ========= 3 | 4 | This directory contains a scripts and other information that may be necessary to execute prior to upgrading. 5 | 6 | SQL Scripts (Manual) 7 | ------------------- 8 | 9 | To upgrade, shutdown Dependency-Track and execute the script for the version you're upgrading from to the version 10 | being upgraded to. The scripts must be executed prior to upgrades. 
11 | 12 | SQL Scripts (Automated) 13 | ------------------- 14 | 15 | It's highly recommended that Dependency-Track users manage their database schemas through tools like 16 | [Liquibase](https://www.liquibase.org/) or [Flyway](https://flywaydb.org/). The automatic creation of 17 | schema columns, indexes, and constraints is part of the Dependency-Track startup process. However, if 18 | indexes, columns, or constraints are altered or removed between versions, tools like Liquibase and Flyway 19 | can assist in automating the versioning and migration of the schema without much need for manual intervention. -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/openvpn-openssl-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "Special exception for linking OpenVPN with OpenSSL:\n\nIn addition, as a special exception, OpenVPN Technologies, Inc. gives permission to link the code of this program with the OpenSSL Library (or with modified versions of OpenSSL that use the same license as OpenSSL), and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. 
If you do not wish to do so, delete this exception statement from your version.\n", 4 | "name": "OpenVPN OpenSSL Exception", 5 | "licenseComments": "Typically used with GPL 2.0", 6 | "seeAlso": [ 7 | "http://openvpn.net/index.php/license.html" 8 | ], 9 | "licenseExceptionId": "openvpn-openssl-exception" 10 | } -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/details/diffmark.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseText": "1. you can do what you want with it\n2. I refuse any responsibility for the consequences\n", 4 | "standardLicenseTemplate": "\n\n \u003c\u003cvar;name\u003d\"bullet\";original\u003d\"1.\";match\u003d\".{0,20}\"\u003e\u003e you can do what you want with it\n\n \u003c\u003cvar;name\u003d\"bullet\";original\u003d\"2.\";match\u003d\".{0,20}\"\u003e\u003e I refuse any responsibility for the consequences", 5 | "name": "diffmark license", 6 | "licenseId": "diffmark", 7 | "crossRef": [ 8 | { 9 | "isLive": true, 10 | "isValid": true, 11 | "isWayBackLink": false, 12 | "match": "false", 13 | "url": "https://fedoraproject.org/wiki/Licensing/diffmark", 14 | "order": 0, 15 | "timestamp": "2020-11-25 - 21:58:28" 16 | } 17 | ], 18 | "seeAlso": [ 19 | "https://fedoraproject.org/wiki/Licensing/diffmark" 20 | ], 21 | "isOsiApproved": false 22 | } -------------------------------------------------------------------------------- /docs/_docs/datasources/ossindex.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sonatype OSS Index 3 | category: Datasources 4 | chapter: 4 5 | order: 3 6 | --- 7 | 8 | Sonatype OSS Index provides transparent and highly accurate results for components with valid Package URLs. 
9 | The majority of vulnerabilities directly map to CVEs in the National Vulnerability Database (NVD), however, 10 | OSS Index does contain many vulnerabilities that are not present in the NVD. 11 | 12 | Dependency-Track integrates with OSS Index using its public API. Dependency-Track does not mirror OSS Index, 13 | but it does consume vulnerabilities from OSS Index on a 'as-identified' basis. 14 | 15 | > Starting with Dependency-Track v4.0, OSS Index is enabled by default and does not require an account. For prior 16 | > Dependency-Track versions, OSS Index is disabled by default and requires an account. To enable OSS Index, 17 | > sign up for a free account and enter the account details in Dependency-Track in the 'Analyzers' settings in the 18 | > administrative console. 19 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/GPL-3.0-linking-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "Additional permission under GNU GPL version 3 section 7\n\nIf you modify this Program, or any covered work, by linking or combining it with [name of library] (or a modified version of that library), containing parts covered by the terms of [name of library\u0027s license], the licensors of this Program grant you additional permission to convey the resulting work.\n", 4 | "name": "GPL-3.0 Linking Exception", 5 | "licenseComments": "This exception is based on the suggested template from the Free Software Foundation\u0027s FAQ about the GPL. This variant does not include the second optional sentence regarding Corresponding Source. 
For a variant with that sentence, please see GPL-3.0-linking-source-exception.", 6 | "seeAlso": [ 7 | "https://www.gnu.org/licenses/gpl-faq.en.html#GPLIncompatibleLibs" 8 | ], 9 | "licenseExceptionId": "GPL-3.0-linking-exception" 10 | } -------------------------------------------------------------------------------- /docs/_docs/triage/analysis-states.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Analysis States 3 | category: Triage Results 4 | chapter: 5 5 | order: 2 6 | --- 7 | 8 | When triaging results, an analysis decision can be made for each finding. The following states are supported: 9 | 10 | 11 | | State | Description | 12 | | ------|-------------| 13 | |EXPLOITABLE| The finding is exploitable (or likely exploitable) | 14 | |IN_TRIAGE| An investigation is in progress to determine if the finding is accurate and affects the project or component | 15 | |FALSE_POSITIVE| The finding was identified through faulty logic or data (i.e. misidentified component or incorrect vulnerability intelligence) | 16 | |NOT_AFFECTED| The finding is a true positive, but the project is not affected by the vulnerability identified | 17 | |NOT_SET| Analysis of the finding has not commenced | 18 | 19 | Audit history is maintained for every finding including changes to analysis states. The user making the change 20 | along with a timestamp the change occurred is appended to the audit trail. 
-------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/GCC-exception-2.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "In addition to the permissions in the GNU General Public License, the Free Software Foundation gives you unlimited permission to link the compiled version of this file into combinations with other programs, and to distribute those combinations without any restriction coming from the use of this file. (The General Public License restrictions do apply in other respects; for example, they cover modification of the file, and distribution when not linked into a combine executable.)\n", 4 | "name": "GCC Runtime Library exception 2.0", 5 | "licenseComments": "Typically used with GPL-2.0+. Sometimes also referred to a \"linking exception.\"", 6 | "seeAlso": [ 7 | "https://gcc.gnu.org/git/?p\u003dgcc.git;a\u003dblob;f\u003dgcc/libgcc1.c;h\u003d762f5143fc6eed57b6797c82710f3538aa52b40b;hb\u003dcb143a3ce4fb417c68f5fa2691a1b1b1053dfba9#l10" 8 | ], 9 | "licenseExceptionId": "GCC-exception-2.0" 10 | } -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/i2p-gpl-java-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "In addition, as a special exception, \u003c\u003cvar;name\u003dlicensor;original\u003dXXXX;match\u003d.+\u003e\u003e gives permission to link the code of this program with the proprietary Java implementation provided by Sun (or other vendors as well), and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than the proprietary Java implementation. 
If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version.\n", 4 | "name": "i2p GPL+Java Exception", 5 | "licenseComments": "Typically used with GPL-2.0+", 6 | "seeAlso": [ 7 | "http://geti2p.net/en/get-involved/develop/licenses#java_exception" 8 | ], 9 | "licenseExceptionId": "i2p-gpl-java-exception" 10 | } -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/u-boot-exception-2.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "The U-Boot License Exception:\n\nEven though U-Boot in general is covered by the GPL-2.0/GPL-2.0+, this does *not* cover the so-called \"standalone\" applications that use U-Boot services by means of the jump table provided by U-Boot exactly for this purpose - this is merely considered normal use of U-Boot, and does *not* fall under the heading of \"derived work\".\n\nThe header files \"include/image.h\" and \"arch/*/include/asm/u-boot.h\" define interfaces to U-Boot. Including these (unmodified) header files in another file is considered normal use of U-Boot, and does *not* fall under the heading of \"derived work\".\n-- Wolfgang Denk\n", 4 | "name": "U-Boot exception 2.0", 5 | "licenseComments": "Typically used with GPL-2.0+", 6 | "seeAlso": [ 7 | "http://git.denx.de/?p\u003du-boot.git;a\u003dblob;f\u003dLicenses/Exceptions" 8 | ], 9 | "licenseExceptionId": "u-boot-exception-2.0" 10 | } -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/exception/RequirementsException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.exception; 20 | 21 | public class RequirementsException extends RuntimeException { 22 | 23 | public RequirementsException(String message) { 24 | super(message); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/details/dvipdfm.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseText": "A modified version of this file may be distributed, but it should be distributed with a *different* name. Changed files must be distributed *together with a complete and unchanged* distribution of these files.\n", 4 | "standardLicenseTemplate": "A modified version of this file may be distributed, but it should be distributed with a *different* name. 
Changed files must be distributed *together with a complete and unchanged* distribution of these files.", 5 | "name": "dvipdfm License", 6 | "licenseId": "dvipdfm", 7 | "crossRef": [ 8 | { 9 | "isLive": true, 10 | "isValid": true, 11 | "isWayBackLink": false, 12 | "match": "false", 13 | "url": "https://fedoraproject.org/wiki/Licensing/dvipdfm", 14 | "order": 0, 15 | "timestamp": "2020-11-25 - 21:48:55" 16 | } 17 | ], 18 | "seeAlso": [ 19 | "https://fedoraproject.org/wiki/Licensing/dvipdfm" 20 | ], 21 | "isOsiApproved": false 22 | } -------------------------------------------------------------------------------- /docs/_posts/2021-08-03-v4.3.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v4.3.1 3 | type: patch 4 | --- 5 | 6 | **Features:** 7 | 8 | **Fixes:** 9 | * Resolves an issue introduced in Datanucleus 5.2.8 that lead to invalid SQL generation on Postgres databases - [#1129](https://github.com/DependencyTrack/dependency-track/issues/1129) 10 | 11 | **Security:** 12 | 13 | **Upgrade Notes:** 14 | 15 | 16 | ###### dependency-track-apiserver.war 17 | 18 | | Algorithm | Checksum | 19 | | SHA-1 | 6c188379b93f2b4052bb73649608db69175b0efc | 20 | | SHA-256 | 6008b32cc3cf6b13d0e7efaff335290102580bd6b518f50d630b99280a9b5538 | 21 | 22 | ###### dependency-track-bundled.war 23 | 24 | | Algorithm | Checksum | 25 | | SHA-1 | 9ff235da5d4b6fb9e9fe4b6762c5dfa8d83073e9 | 26 | | SHA-256 | a64885b7146e7b74e0099a691781ef6417f094fd7424768cf25a86a7de642b00 | 27 | 28 | ###### Software Bill of Materials (SBOM) ###### 29 | 30 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.1/bom.json) 31 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.1/bom.xml) 32 | -------------------------------------------------------------------------------- /docs/_posts/2021-08-31-v4.3.4.md: -------------------------------------------------------------------------------- 1 | --- 2 | 
title: v4.3.4 3 | type: patch 4 | --- 5 | 6 | **Features:** 7 | 8 | **Fixes:** 9 | * Logic issue that causes inconsistent vulnerability findings when uploading the same BOM to different projects - [#1176](https://github.com/DependencyTrack/dependency-track/issues/1176) 10 | 11 | **Security:** 12 | 13 | **Upgrade Notes:** 14 | 15 | 16 | ###### dependency-track-apiserver.war 17 | 18 | | Algorithm | Checksum | 19 | | SHA-1 | 813e3a7207e47a7ee6769a1e74b040942f8995b5 | 20 | | SHA-256 | 1f8bae644dc6982933ec080167d90a66d8090055d75aad7e924a91a9cb8783c8 | 21 | 22 | ###### dependency-track-bundled.war 23 | 24 | | Algorithm | Checksum | 25 | | SHA-1 | 11db7cb3cf83b4e0d6ac121061b42d3f7e3c2c4e | 26 | | SHA-256 | f6a2012a352294371e8396396e4659789c43c40931ada0d89e5c17352de0d1f1 | 27 | 28 | ###### Software Bill of Materials (SBOM) ###### 29 | 30 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.4/bom.json) 31 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.4/bom.xml) 32 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/mif-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "As a special exception, you may use this file as part of a free software library without restriction. Specifically, if other files instantiate templates or use macros or inline functions from this file, or you compile this file and link it with other files to produce an executable, this file does not by itself cause the resulting executable to be covered by the GNU General Public License. 
This exception does not however invalidate any other reasons why the executable file might be covered by the GNU General Public License.\n", 4 | "name": "Macros and Inline Functions Exception", 5 | "licenseComments": "Typically used with GPL-2.0 for older versions of GCC. This is similar to the eCos Exception.", 6 | "seeAlso": [ 7 | "http://www.scs.stanford.edu/histar/src/lib/cppsup/exception", 8 | "http://dev.bertos.org/doxygen/", 9 | "https://www.threadingbuildingblocks.org/licensing" 10 | ], 11 | "licenseExceptionId": "mif-exception" 12 | } -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/persistence/defaults/IDefaultObjectImporter.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
18 | */ 19 | package org.dependencytrack.persistence.defaults; 20 | 21 | import java.io.IOException; 22 | 23 | public interface IDefaultObjectImporter { 24 | 25 | boolean shouldImport(); 26 | 27 | void loadDefaults() throws IOException; 28 | 29 | } 30 | -------------------------------------------------------------------------------- /docs/_docs/getting-started/initial-startup.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Initial Startup 3 | category: Getting Started 4 | chapter: 1 5 | order: 4 6 | --- 7 | 8 | Upon starting Dependency-Track for the first time, multiple tasks occur including: 9 | 10 | * Generation of default objects such as users, teams, and permissions 11 | * Generation of secret key used for JWT token creation and validation 12 | * Population of CWE and SPDX license data 13 | * Initial mirroring of all supported vulnerability datasources (National Vulnerability Database, GitHub Advisories, etc) 14 | 15 | > The initial mirroring may take between 10 - 30 minutes or more. Do not interrupt this process. Wait for the 16 | > completion of all mirroring tasks before shutting down the system. These tasks can be monitored by watching 17 | > `dependency-track.log` or the Docker containers console. 18 | 19 | #### Default credentials 20 | 21 | An administrative account is created on initial startup with the following credentials: 22 | * username: admin 23 | * password: admin 24 | 25 | Upon first login, the admin user is required to change the password. 26 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/integrations/PortfolioFindingUploader.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.integrations; 20 | 21 | import java.io.InputStream; 22 | 23 | public interface PortfolioFindingUploader extends FindingUploader { 24 | 25 | InputStream process(); 26 | 27 | void upload(InputStream payload); 28 | 29 | } 30 | -------------------------------------------------------------------------------- /.github/workflows/lock.yaml: -------------------------------------------------------------------------------- 1 | name: Lock Threads 2 | 3 | on: 4 | schedule: 5 | - cron: '0 10 * * *' 6 | 7 | permissions: 8 | issues: write 9 | pull-requests: write 10 | 11 | jobs: 12 | action: 13 | runs-on: ubuntu-latest 14 | # don't run on forks 15 | if: ${{ contains(github.repository, 'DependencyTrack/') }} 16 | steps: 17 | - uses: dessant/lock-threads@v3 18 | with: 19 | github-token: ${{ github.token }} 20 | issue-inactive-days: '30' 21 | exclude-issue-created-before: '' 22 | exclude-any-issue-labels: '' 23 | add-issue-labels: '' 24 | issue-comment: 'This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.' 
25 | issue-lock-reason: 'resolved' 26 | pr-inactive-days: '30' 27 | exclude-pr-created-before: '' 28 | exclude-any-pr-labels: '' 29 | add-pr-labels: '' 30 | pr-comment: '' 31 | pr-lock-reason: 'resolved' 32 | process-only: '' 33 | 34 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/integrations/FindingUploader.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.integrations; 20 | 21 | import org.dependencytrack.persistence.QueryManager; 22 | 23 | public interface FindingUploader extends IntegrationPoint { 24 | 25 | void setQueryManager(QueryManager qm); 26 | 27 | boolean isEnabled(); 28 | 29 | } 30 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/model/Severity.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.model; 20 | 21 | /** 22 | * Defines internal severity labels. 23 | * 24 | * @author Steve Springett 25 | * @since 3.0.0 26 | */ 27 | public enum Severity { 28 | CRITICAL, 29 | HIGH, 30 | MEDIUM, 31 | LOW, 32 | INFO, 33 | UNASSIGNED 34 | } 35 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/Linux-syscall-note.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": " NOTE! 
This copyright does *not* cover user programs that use kernel\n services by normal system calls - this is merely considered normal use\n of the kernel, and does *not* fall under the heading of \"derived work\".\n Also note that the GPL below is copyrighted by the Free Software\n Foundation, but the instance of code that it refers to (the Linux\n kernel) is copyrighted by me and others who actually wrote it.\n\n Also note that the only valid version of the GPL as far as the kernel\n is concerned is _this_ particular version of the license (ie v2, not\n v2.2 or v3.x or whatever), unless explicitly otherwise stated.\n\n\t\t\tLinus Torvalds\n", 4 | "name": "Linux Syscall Note", 5 | "licenseComments": "This note is used with the Linux kernel to clarify how user space API files should be treated.", 6 | "seeAlso": [ 7 | "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/COPYING" 8 | ], 9 | "licenseExceptionId": "Linux-syscall-note" 10 | } -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/EpssMirrorEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import alpine.event.framework.Event; 22 | 23 | /** 24 | * Defines an event used to start a mirror of EPSS. 25 | * 26 | * @author Steve Springett 27 | * @since 4.5.0 28 | */ 29 | public class EpssMirrorEvent implements Event { 30 | 31 | } 32 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/NistMirrorEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import alpine.event.framework.Event; 22 | 23 | /** 24 | * Defines an event used to start a mirror of the NVD. 
25 | * 26 | * @author Steve Springett 27 | * @since 3.0.0 28 | */ 29 | public class NistMirrorEvent implements Event { 30 | 31 | } 32 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/Bison-exception-2.2.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "Bison Exception\n\nAs a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work under terms of your choice, so long as that work isn\u0027t itself a parser generator using the skeleton or a modified version thereof as a parser skeleton. Alternatively, if you modify or redistribute the parser skeleton itself, you may (at your option) remove this special exception, which will cause the skeleton and the resulting Bison output files to be licensed under the GNU General Public License without this special exception.\n\nThis special exception was added by the Free Software Foundation in version 2.2 of Bison.\n", 4 | "name": "Bison exception 2.2", 5 | "licenseComments": "Typically used with GPL-2.0 or GPL-3.0", 6 | "seeAlso": [ 7 | "http://git.savannah.gnu.org/cgit/bison.git/tree/data/yacc.c?id\u003d193d7c7054ba7197b0789e14965b739162319b5e#n141" 8 | ], 9 | "licenseExceptionId": "Bison-exception-2.2" 10 | } -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/model/ViolationAnalysisState.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.model; 20 | 21 | /** 22 | * Provides a list of available states an analysis decision may have. 23 | * 24 | * @author Steve Springett 25 | * @since 4.0.0 26 | */ 27 | public enum ViolationAnalysisState { 28 | APPROVED, 29 | REJECTED, 30 | NOT_SET 31 | } 32 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/GitHubAdvisoryMirrorEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import alpine.event.framework.Event; 22 | 23 | /** 24 | * Defines an event used to start a mirror of GitHub Advisories. 25 | * 26 | * @author Steve Springett 27 | * @since 4.4.0 28 | */ 29 | public class GitHubAdvisoryMirrorEvent implements Event { 30 | 31 | } 32 | -------------------------------------------------------------------------------- /docs/_posts/2021-08-07-v4.3.2.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v4.3.2 3 | type: patch 4 | --- 5 | 6 | **Features:** 7 | 8 | **Fixes:** 9 | * Resoled an issue with portfolio access control where a user belonging to multiple teams will not have access to the aggregate of all projects or components they're permitted to - [#1132](https://github.com/DependencyTrack/dependency-track/issues/1132) 10 | 11 | **Security:** 12 | 13 | **Upgrade Notes:** 14 | 15 | 16 | ###### dependency-track-apiserver.war 17 | 18 | | Algorithm | Checksum | 19 | | SHA-1 | 9746e03d0bd7dc02ca1d94aa29a6445144fb7589 | 20 | | SHA-256 | 283282536ec276bf048428fc02aee119ff9e42f995c67cf169e2bd2a7a92cd31 | 21 | 22 | ###### dependency-track-bundled.war 23 | 24 | | Algorithm | Checksum | 25 | | SHA-1 | 1cb384c6f5fc457cddbb93c55b7188cf5b446f6f | 26 | | SHA-256 | cbab1409dc262d461db99587bd99fe6b0677fde36414b3c6c965b14640aec29b | 27 | 28 | ###### Software Bill of Materials (SBOM) ###### 29 | 30 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.2/bom.json) 31 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.2/bom.xml) 32 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/ClearComponentAnalysisCacheEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import alpine.event.framework.Event; 22 | 23 | /** 24 | * Defines an event used to clear the ComponentAnalysisCache 25 | * 26 | * @author Steve Springett 27 | * @since 4.0.0 28 | */ 29 | public class ClearComponentAnalysisCacheEvent implements Event { 30 | } 31 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/PortfolioVulnerabilityAnalysisEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import alpine.event.framework.SingletonCapableEvent; 22 | 23 | public class PortfolioVulnerabilityAnalysisEvent extends SingletonCapableEvent { 24 | 25 | public PortfolioVulnerabilityAnalysisEvent() { 26 | super.setSingleton(true); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/integrations/IntegrationPoint.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.integrations; 20 | 21 | public interface IntegrationPoint { 22 | 23 | /** 24 | * The name of the integration point. 25 | */ 26 | String name(); 27 | 28 | /** 29 | * A description of the integration point. 30 | */ 31 | String description(); 32 | 33 | } 34 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/tasks/scanners/AnalyzerIdentity.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.tasks.scanners; 20 | 21 | /** 22 | * Specifies identities of all supported analyzers. 23 | * 24 | * @since 4.0.0 25 | */ 26 | public enum AnalyzerIdentity { 27 | INTERNAL_ANALYZER, 28 | OSSINDEX_ANALYZER, 29 | NPM_AUDIT_ANALYZER, 30 | VULNDB_ANALYZER, 31 | NONE 32 | } 33 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/details/FSFUL.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseText": "Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.\n\nThis configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it.\n", 4 | "standardLicenseTemplate": "\u003c\u003cvar;name\u003d\"copyright\";original\u003d\"Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.\";match\u003d\".{0,1000}\"\u003e\u003e\n\nThis configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it.", 5 | "name": "FSF Unlimited License", 6 | "licenseId": "FSFUL", 7 | "crossRef": [ 8 | { 9 | "isLive": true, 10 | "isValid": true, 11 | "isWayBackLink": false, 12 
| "match": "false", 13 | "url": "https://fedoraproject.org/wiki/Licensing/FSF_Unlimited_License", 14 | "order": 0, 15 | "timestamp": "2020-11-25 - 21:48:49" 16 | } 17 | ], 18 | "seeAlso": [ 19 | "https://fedoraproject.org/wiki/Licensing/FSF_Unlimited_License" 20 | ], 21 | "isOsiApproved": false 22 | } -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/event/NistMirrorEventTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import org.junit.Assert; 22 | import org.junit.Test; 23 | 24 | public class NistMirrorEventTest { 25 | 26 | @Test 27 | public void testDefaultConstructor() { 28 | NistMirrorEvent event = new NistMirrorEvent(); 29 | Assert.assertNotNull(event); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/event/VulnDbSyncEventTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import org.junit.Assert; 22 | import org.junit.Test; 23 | 24 | public class VulnDbSyncEventTest { 25 | 26 | @Test 27 | public void testDefaultConstructor() { 28 | VulnDbSyncEvent event = new VulnDbSyncEvent(); 29 | Assert.assertNotNull(event); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /src/test/resources/integration/application-h2.properties: -------------------------------------------------------------------------------- 1 | alpine.worker.threads=0 2 | alpine.worker.thread.multiplier=4 3 | alpine.data.directory=~/.dependency-track 4 | alpine.watchdog.logging.interval=0 5 | alpine.database.mode=embedded 6 | alpine.database.port=9092 7 | alpine.database.url=jdbc:h2:mem:alpine 8 | alpine.database.driver=org.h2.Driver 9 | # alpine.database.driver.path=/path/to/dbdriver.jar 10 | alpine.database.username=sa 11 | #alpine.database.password= 12 | alpine.enforce.authentication=true 13 | alpine.enforce.authorization=true 14 | alpine.bcrypt.rounds=14 15 | alpine.ldap.enabled=false 16 | alpine.ldap.server.url=ldap://ldap.example.com:389 17 | alpine.ldap.basedn=dc=example,dc=com 18 | alpine.ldap.security.auth=simple 19 | alpine.ldap.bind.username= 20 | 
alpine.ldap.bind.password= 21 | alpine.ldap.auth.username.format=%s@example.com 22 | alpine.ldap.attribute.name=userPrincipalName 23 | alpine.ldap.attribute.mail=mail 24 | alpine.ldap.groups.filter=(&(objectClass=group)(objectCategory=Group)) 25 | alpine.ldap.user.groups.filter=(member:1.2.840.113556.1.4.1941:={USER_DN}) 26 | alpine.ldap.user.provisioning=false 27 | alpine.ldap.team.synchronization=false -------------------------------------------------------------------------------- /docs/_posts/2021-01-12-v4.0.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v4.0.1 3 | type: minor 4 | --- 5 | 6 | **Fixes:** 7 | * Fixes issue that resulted in policy violations being returned for all projects rather than the project for which the query is made for. 8 | 9 | 10 | ###### dependency-track-apiserver.war 11 | 12 | | Algorithm | Checksum | 13 | | SHA-1 | 5fb224978c700f5c38d49527669da262a324a9be | 14 | | SHA-256 | d46594ec65c0a30b645eb13419bdc36df41cc6d71053b8bb9efdee80d4de7b99 | 15 | 16 | ###### dependency-track-bundled.war 17 | 18 | | Algorithm | Checksum | 19 | | SHA-1 | d9275f0b660b54205ec811c0d0cab9f584ba2a91 | 20 | | SHA-256 | 89e155529036c5f8eb977f0c611eac2abc9496c55d2c49dd4dec14dbc5acb431 | 21 | 22 | ###### dependency-track.war 23 | 24 | | Algorithm | Checksum | 25 | | SHA-1 | 59b571d0b1ee97a12342938d0d3b17b287c86ad4 | 26 | | SHA-256 | a54b564123873ea3c2378c2dce5a9ecf0000df6ee0721f9d3ddf0349ba4c575f | 27 | 28 | ###### Software Bill of Materials (SBOM) ###### 29 | 30 | * [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.0.1/bom.json) 31 | * [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.0.1/bom.xml) 32 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/model/AnalysisState.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This 
file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.model; 20 | 21 | /** 22 | * Provides a list of available states an analysis decision may have. 23 | * 24 | * @author Steve Springett 25 | * @since 3.0.0 26 | */ 27 | public enum AnalysisState { 28 | EXPLOITABLE, 29 | IN_TRIAGE, 30 | FALSE_POSITIVE, 31 | NOT_AFFECTED, 32 | RESOLVED, 33 | NOT_SET 34 | } 35 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/details/FSFAP.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "isFsfLibre": true, 4 | "licenseText": "Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without any warranty.\n", 5 | "standardLicenseTemplate": "Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. 
This file is offered as-is, without any warranty.", 6 | "name": "FSF All Permissive License", 7 | "licenseId": "FSFAP", 8 | "crossRef": [ 9 | { 10 | "isLive": true, 11 | "isValid": true, 12 | "isWayBackLink": false, 13 | "match": "true", 14 | "url": "https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html", 15 | "order": 0, 16 | "timestamp": "2020-11-25 - 21:57:41" 17 | } 18 | ], 19 | "seeAlso": [ 20 | "https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html" 21 | ], 22 | "isOsiApproved": false 23 | } -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/OCCT-exception-1.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "Open CASCADE Exception (version 1.0) to GNU LGPL version 2.1.\n\nThe object code (i.e. not a source) form of a \"work that uses the Library\" can incorporate material from a header file that is part of the Library. As a special exception to the GNU Lesser General Public License version 2.1, you may distribute such object code incorporating material from header files provided with the Open CASCADE Technology libraries (including code of CDL generic classes) under terms of your choice, provided that you give prominent notice in supporting documentation to this code that it makes use of or is based on facilities provided by the Open CASCADE Technology software.\n", 4 | "name": "Open CASCADE Exception 1.0", 5 | "licenseComments": "Open CASCADE Technology version 6.7.0 and later are governed by (LGPL-2.1 with this exception.) 
A specific license (OCCT-PL) is applied to Open CASCADE Technology version 6.6.0 and earlier.", 6 | "seeAlso": [ 7 | "http://www.opencascade.com/content/licensing" 8 | ], 9 | "licenseExceptionId": "OCCT-exception-1.0" 10 | } -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/model/AnalysisResponse.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.model; 20 | 21 | /** 22 | * Provides a list of available responses an analysis decisions may have. 23 | * 24 | * @author Steve Springett 25 | * @since 4.4.0 26 | */ 27 | public enum AnalysisResponse { 28 | CAN_NOT_FIX, 29 | WILL_NOT_FIX, 30 | UPDATE, 31 | ROLLBACK, 32 | WORKAROUND_AVAILABLE, 33 | NOT_SET 34 | } 35 | -------------------------------------------------------------------------------- /docs/_posts/2018-03-27-v3.0.0.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.0.0 3 | type: major 4 | --- 5 | 6 | Project Reboot Successful! This is the first release after being developed from the ground up. 
7 | 8 | **Features:** 9 | 10 | * Dramatically increases visibility into the use of vulnerable components 11 | * Supports an unlimited number of projects and components 12 | * Projects can range from applications, operating systems, firmware, to IoT devices 13 | * Tracks vulnerabilities across entire project portfolio 14 | * Tracks vulnerabilities by component 15 | * Easily identify projects that are potentially vulnerable to newly published vulnerabilities 16 | * Supports standardized SPDX license ID’s and tracks license use by component 17 | * Supports CycloneDX and SPDX bill-of-material formats 18 | * Easy to read metrics for components, projects, and portfolio 19 | * API-first design facilitates easy integration with other systems 20 | * API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon) 21 | * Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys 22 | * Simple to install and configure. Get up and running in just a few minutes 23 | 24 | **Fixes:** 25 | 26 | -------------------------------------------------------------------------------- /src/main/resources/templates/notification/publisher/cswebex.peb: -------------------------------------------------------------------------------- 1 | {"markdown":"**{{ notification.title | escape(strategy="json") }}**{% if notification.group == "NEW_VULNERABILITY" %}\n**VulnID:** {{ subject.vulnerability.vulnId | escape(strategy="json") }}\n**Severity:** {{ subject.vulnerability.severity | escape(strategy="json") }}\n**Source:** {{ subject.vulnerability.source | escape(strategy="json") }}\n**Component:** {{ subject.component.toString | escape(strategy="json") }}\n**Actions:**\n[View Vulnerability]({{ baseUrl }}/vulnerability/?source={{ subject.vulnerability.source | escape(strategy="json") }}&vulnId={{ subject.vulnerability.vulnId | escape(strategy="json") }}){% elseif notification.group == "NEW_VULNERABLE_DEPENDENCY" %}\n**Project:** {{ 
subject.dependency.project.toString | escape(strategy="json") }}\n**Component:** {{ subject.dependency.component.toString | escape(strategy="json") }}\n**Actions:**\n[View Project]({{ baseUrl }}/project/?uuid={{ subject.dependency.project.uuid | escape(strategy="json") }}){% endif %}\n[View Component]({{ baseUrl }}/component/?uuid={{ subject.dependency.component.uuid | escape(strategy="json") }})\n**Description:** {{ notification.content | escape(strategy="json") }}"} -------------------------------------------------------------------------------- /docs/_posts/2021-03-20-v4.2.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v4.2.1 3 | type: patch 4 | --- 5 | 6 | **Features:** 7 | 8 | **Fixes:** 9 | * Resolves an issue in OIDC support where "email" could not be used as the username claim 10 | 11 | **Security:** 12 | 13 | **Upgrade Notes:** 14 | 15 | 16 | ###### dependency-track-apiserver.war 17 | 18 | | Algorithm | Checksum | 19 | | SHA-1 | 92a0e935c7d4309e67fc7eb149191d96a1635c8b | 20 | | SHA-256 | 80cc253d05ccb91aa432667bf7d418bc8327f82b1dfe770aec71c434d0ecd308 | 21 | 22 | ###### dependency-track-bundled.war 23 | 24 | | Algorithm | Checksum | 25 | | SHA-1 | 930d89d1a37e85130a6603969f30253fe842a6e0 | 26 | | SHA-256 | 2b27c6f1918a897f22b48542010611c67fa137f399521a45c900ee59120b81c5 | 27 | 28 | ###### dependency-track.war 29 | 30 | | Algorithm | Checksum | 31 | | SHA-1 | 7a3061da05f67fd4f98b149eeb6d588389d1b202 | 32 | | SHA-256 | 06da5d59c8404f31d3497d163a2d3fe75f35af50374339315c6161dd0b989637 | 33 | 34 | ###### Software Bill of Materials (SBOM) ###### 35 | 36 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.2.1/bom.json) 37 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.2.1/bom.xml) 38 | -------------------------------------------------------------------------------- /docs/_posts/2021-09-20-v4.3.6.md: 
-------------------------------------------------------------------------------- 1 | --- 2 | title: v4.3.6 3 | type: patch 4 | --- 5 | 6 | **Features:** 7 | 8 | **Fixes:** 9 | * Added missing policy violation analysis on projects with empty component list [#1183](https://github.com/DependencyTrack/dependency-track/issues/1183) 10 | 11 | **Security:** 12 | * Added additional audit logging for login attempts where the account has been locked out [#1189](https://github.com/DependencyTrack/dependency-track/issues/1189) 13 | 14 | **Upgrade Notes:** 15 | 16 | 17 | ###### dependency-track-apiserver.war 18 | 19 | | Algorithm | Checksum | 20 | | SHA-1 | d41721f52bfb17c9ba507a1ac01532071643d8ac | 21 | | SHA-256 | 83f0bc7199677e3f6f84a76673b936ca73a6b8f54d5cb7cf181f77d548d47a6b | 22 | 23 | ###### dependency-track-bundled.war 24 | 25 | | Algorithm | Checksum | 26 | | SHA-1 | 31fb39d8fecb6ec1e5c02d0fdede7a3e7e1cd952 | 27 | | SHA-256 | 3b0d1905291cf74af8f9e3bd81366d2b6c278ffe4b3940c0bb649871f6dfd15d | 28 | 29 | ###### Software Bill of Materials (SBOM) ###### 30 | 31 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.6/bom.json) 32 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.6/bom.xml) 33 | -------------------------------------------------------------------------------- /docs/_posts/2022-03-04-v4.4.2.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v4.4.2 3 | type: patch 4 | --- 5 | 6 | **Features:** 7 | * Added advanced configuration options for controlling outbound HTTP connection timeouts - [1431](https://github.com/DependencyTrack/dependency-track/issues/1431) 8 | 9 | **Fixes:** 10 | * Resolved defect that resulted in a server error when suppressing a vulnerability - [1409](https://github.com/DependencyTrack/dependency-track/issues/1409) 11 | 12 | **Security:** 13 | 14 | **Upgrade Notes:** 15 | 16 | ###### dependency-track-apiserver.war 17 | 18 
| | Algorithm | Checksum | 19 | | SHA-1 | 172f569eb85f1182500571a160b134e8b1005ebf | 20 | | SHA-256 | 5869df68cd29d48366d653a697bc198e0f3396c2897cd4a668743fc7157fb8df | 21 | 22 | ###### dependency-track-bundled.war 23 | 24 | | Algorithm | Checksum | 25 | | SHA-1 | 49e73a820426a39ab83e6ec2a12f1c24e198a144 | 26 | | SHA-256 | d1570efdb61f7a2aa264f8103f6285e5330818087d3c54456e1b5335a3ca681f | 27 | 28 | ###### Software Bill of Materials (SBOM) ###### 29 | 30 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.4.2/bom.json) 31 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.4.2/bom.xml) 32 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/model/Classifier.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.model; 20 | 21 | /** 22 | * Defines various types of components. Roughly matches the CycloneDX specification. 
23 | * 24 | * @author Steve Springett 25 | * @since 3.0.0 26 | */ 27 | public enum Classifier { 28 | APPLICATION, 29 | FRAMEWORK, 30 | LIBRARY, 31 | CONTAINER, 32 | OPERATING_SYSTEM, 33 | DEVICE, 34 | FIRMWARE, 35 | FILE 36 | } 37 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/notification/NotificationScopeTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
18 | */ 19 | package org.dependencytrack.notification; 20 | 21 | import org.junit.Assert; 22 | import org.junit.Test; 23 | 24 | public class NotificationScopeTest { 25 | 26 | @Test 27 | public void testEnums() { 28 | Assert.assertEquals("SYSTEM", NotificationScope.SYSTEM.name()); 29 | Assert.assertEquals("PORTFOLIO", NotificationScope.PORTFOLIO.name()); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /docs/_posts/2022-02-18-v4.4.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v4.4.1 3 | type: patch 4 | --- 5 | 6 | **Features:** 7 | 8 | **Fixes:** 9 | * Resolved defect where the automatic upgrade failed on Microsoft SQL Server databases 10 | 11 | **Security:** 12 | 13 | **Upgrade Notes:** 14 | * For MSSQL users only: If an upgrade to v4.4.0 was previously attempted and no rollback was performed yet, 15 | the following SQL statement must be executed before launching v4.4.1 (take a database backup first, as the statement is destructive): `DELETE FROM "PERMISSION" WHERE "NAME" = 'VIEW_VULNERABILITY'` 16 | 17 | ###### dependency-track-apiserver.war 18 | 19 | | Algorithm | Checksum | 20 | | SHA-1 | 9d6f20709009193540c4c152f0c0757d3b26bd5e | 21 | | SHA-256 | c3eaeee440bfd1a734fb009983c97792407b107d64d4e9035a179b9b27c8ca49 | 22 | 23 | ###### dependency-track-bundled.war 24 | 25 | | Algorithm | Checksum | 26 | | SHA-1 | ebadb4576ea419eb42807f5ef2bedb572de02df0 | 27 | | SHA-256 | e7b5e0ac00bc0e1021dc7a6571e02392c6854b12bba2ceea543c3959b7572524 | 28 | 29 | ###### Software Bill of Materials (SBOM) ###### 30 | 31 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.4.1/bom.json) 32 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.4.1/bom.xml) 33 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/DefectDojoUploadEventAbstract.java: 
-------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import java.util.UUID; 22 | 23 | public class DefectDojoUploadEventAbstract extends AbstractVulnerabilityManagementUploadEvent { 24 | 25 | public DefectDojoUploadEventAbstract() { 26 | super(); 27 | } 28 | 29 | public DefectDojoUploadEventAbstract(final UUID projectUuid) { 30 | super(projectUuid); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/FortifySscUploadEventAbstract.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import java.util.UUID; 22 | 23 | public class FortifySscUploadEventAbstract extends AbstractVulnerabilityManagementUploadEvent { 24 | 25 | public FortifySscUploadEventAbstract() { 26 | super(); 27 | } 28 | 29 | public FortifySscUploadEventAbstract(final UUID projectUuid) { 30 | super(projectUuid); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/assertion/AssertionsTest.java: -------------------------------------------------------------------------------- 1 | package org.dependencytrack.assertion; 2 | 3 | import org.junit.Test; 4 | 5 | import java.time.Duration; 6 | import java.util.function.Supplier; 7 | 8 | import static org.assertj.core.api.Assertions.assertThatExceptionOfType; 9 | import static org.assertj.core.api.Assertions.assertThatNoException; 10 | import static org.dependencytrack.assertion.Assertions.assertConditionWithTimeout; 11 | 12 | public class AssertionsTest { 13 | 14 | @Test 15 | public void testAssertConditionWithTimeout() { 16 | assertThatNoException() 17 | .isThrownBy(() -> assertConditionWithTimeout(new TestSupplier(), Duration.ofMillis(500))); 18 | 19 | assertThatExceptionOfType(AssertionError.class) 20 | .isThrownBy(() -> assertConditionWithTimeout(() -> false, Duration.ofMillis(200))); 21 | } 22 | 23 | private static class TestSupplier implements Supplier { 24 | 25 | private static final int FALSE_INVOCATIONS = 2; 26 | private int invocations; 27 | 28 | @Override 29 | public Boolean get() { 30 | return invocations++ >= FALSE_INVOCATIONS; 31 | } 32 | 33 | } 34 | 35 | } 36 | -------------------------------------------------------------------------------- 
/src/test/java/org/dependencytrack/common/HttpClientPoolTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.common; 20 | 21 | import io.jsonwebtoken.lang.Assert; 22 | import org.apache.http.impl.client.CloseableHttpClient; 23 | import org.junit.Test; 24 | 25 | public class HttpClientPoolTest { 26 | 27 | @Test 28 | public void getClientTest() { 29 | CloseableHttpClient client = HttpClientPool.getClient(); 30 | Assert.notNull(client); 31 | } 32 | 33 | } 34 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/KennaSecurityUploadEventAbstract.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import java.util.UUID; 22 | 23 | public class KennaSecurityUploadEventAbstract extends AbstractVulnerabilityManagementUploadEvent { 24 | 25 | public KennaSecurityUploadEventAbstract() { 26 | super(); 27 | } 28 | 29 | public KennaSecurityUploadEventAbstract(final UUID projectUuid) { 30 | super(projectUuid); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/details/Zed.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseText": "(c) Jim Davies, January 1995\nYou may copy and distribute this file freely. Any queries and complaints should be forwarded to Jim.Davies@comlab.ox.ac.uk.\nIf you make any changes to this file, please do not distribute the results under the name `zed-csp.sty\u0027.\n", 4 | "standardLicenseTemplate": "\u003c\u003cvar;name\u003d\"copyright\";original\u003d\"(c) Jim Davies, January 1995\";match\u003d\".{0,1000}\"\u003e\u003e\n\nYou may copy and distribute this file freely. 
Any queries and complaints should be forwarded to Jim.Davies@comlab.ox.ac.uk.\n\nIf you make any changes to this file, please do not distribute the results under the name `zed-csp.sty\u0027.", 5 | "name": "Zed License", 6 | "licenseId": "Zed", 7 | "crossRef": [ 8 | { 9 | "isLive": true, 10 | "isValid": true, 11 | "isWayBackLink": false, 12 | "match": "false", 13 | "url": "https://fedoraproject.org/wiki/Licensing/Zed", 14 | "order": 0, 15 | "timestamp": "2020-11-25 - 21:49:55" 16 | } 17 | ], 18 | "seeAlso": [ 19 | "https://fedoraproject.org/wiki/Licensing/Zed" 20 | ], 21 | "isOsiApproved": false 22 | } -------------------------------------------------------------------------------- /src/test/resources/bom-1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Example Incorporated 6 | com.example 7 | xmlutil 8 | 1.0.0 9 | A makebelieve XML utility library 10 | 11 | 2b67669c925048d1a5c7f124d9ba1d2a 12 | 72ca79908c814022905e86f8bbecd9b829352139 13 | 1389877662864d2bb0488b4b1e417ce5647a1687084341178a203b243dfe90e7 14 | 15 | 16 | 17 | Apache-2.0 18 | 19 | 20 | Copyright Example Inc. All rights reserved. 
21 | cpe:/a:example:xmlutil:1.0.0 22 | pkg:maven/com.example/xmlutil@1.0.0?packaging=jar 23 | false 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /src/test/resources/integration/application-postgres.properties: -------------------------------------------------------------------------------- 1 | alpine.worker.threads=0 2 | alpine.worker.thread.multiplier=4 3 | alpine.data.directory=~/.dependency-track 4 | alpine.watchdog.logging.interval=0 5 | alpine.database.mode=external 6 | alpine.database.port=9092 7 | alpine.database.url=jdbc:postgresql://localhost:5432/dtrack 8 | alpine.database.driver=org.postgresql.Driver 9 | alpine.database.driver.path=/Users/steve/Development/Java_Libraries/postgresql-jdbc-42.2.1/postgresql-42.2.1.jar 10 | alpine.database.username=sa 11 | # alpine.database.password= 12 | alpine.enforce.authentication=true 13 | alpine.enforce.authorization=true 14 | alpine.bcrypt.rounds=14 15 | alpine.ldap.enabled=false 16 | alpine.ldap.server.url=ldap://ldap.example.com:389 17 | alpine.ldap.basedn=dc=example,dc=com 18 | alpine.ldap.security.auth=simple 19 | alpine.ldap.bind.username= 20 | alpine.ldap.bind.password= 21 | alpine.ldap.auth.username.format=%s@example.com 22 | alpine.ldap.attribute.name=userPrincipalName 23 | alpine.ldap.attribute.mail=mail 24 | alpine.ldap.groups.filter=(&(objectClass=group)(objectCategory=Group)) 25 | alpine.ldap.user.groups.filter=(member:1.2.840.113556.1.4.1941:={USER_DN}) 26 | alpine.ldap.user.provisioning=false 27 | alpine.ldap.team.synchronization=false -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/details/Dotseqn.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseText": "Copyright (C) 1995 by Donald Arseneau\n\nThis file may be freely transmitted and reproduced, but it may not be changed unless the 
name is changed also (except that you may freely change the paper-size option for \\documentclass).\n\nThis notice must be left intact.\n", 4 | "standardLicenseTemplate": "\u003c\u003cvar;name\u003d\"copyright\";original\u003d\"Copyright (C) 1995 by Donald Arseneau\";match\u003d\".{0,1000}\"\u003e\u003e\n\nThis file may be freely transmitted and reproduced, but it may not be changed unless the name is changed also (except that you may freely change the paper-size option for \\documentclass).\n\nThis notice must be left intact.", 5 | "name": "Dotseqn License", 6 | "licenseId": "Dotseqn", 7 | "crossRef": [ 8 | { 9 | "isLive": true, 10 | "isValid": true, 11 | "isWayBackLink": false, 12 | "match": "false", 13 | "url": "https://fedoraproject.org/wiki/Licensing/Dotseqn", 14 | "order": 0, 15 | "timestamp": "2020-11-25 - 21:48:59" 16 | } 17 | ], 18 | "seeAlso": [ 19 | "https://fedoraproject.org/wiki/Licensing/Dotseqn" 20 | ], 21 | "isOsiApproved": false 22 | } -------------------------------------------------------------------------------- /docs/_docs/analysis-types/component-identity.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Component Identity 3 | category: Analysis Types 4 | chapter: 3 5 | order: 4 6 | --- 7 | 8 | Components can be evaluated based on their identity as part of the Dependency-Track policy engine. 
Identity may include: 9 | 10 | | Identity | Description | 11 | |-------------|-------------| 12 | | Coordinates | Matches components that contain the specified group, name, and version | 13 | | Package URL | Matches components that have the specified Package URL | 14 | | CPE | Matches components that have the specified CPE | 15 | | SWID TagID | Matches components with the specified SWID TagID | 16 | | Hash | Matches components with the specified hash | 17 | 18 | * Hash identity automatically checks all supported hash algorithms including: 19 | * MD5 20 | * SHA-1 21 | * SHA-256 22 | * SHA-384 23 | * SHA-512 24 | * SHA3-256 25 | * SHA3-384 26 | * SHA3-512 27 | * BLAKE2b-256 28 | * BLAKE2b-384 29 | * BLAKE2b-512 30 | * BLAKE3 31 | 32 | ## Usages 33 | 34 | Common uses for evaluating components based on their identity include: 35 | * Organizational policy containing pre-defined list of allowed and/or prohibited components 36 | * Identifying counterfeit and/or known malicious components 37 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/GPL-3.0-linking-source-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "Additional permission under GNU GPL version 3 section 7\n\nIf you modify this Program, or any covered work, by linking or combining it with [name of library] (or a modified version of that library), containing parts covered by the terms of [name of library\u0027s license], the licensors of this Program grant you additional permission to convey the resulting work. 
package org.dependencytrack.notification.publisher;

import org.junit.Assert;
import org.junit.Test;

import javax.json.Json;
import javax.json.JsonObject;

/**
 * Unit tests for {@link SendMailPublisher#parseDestination(JsonObject)}.
 * <p>
 * The tests below pin the contract as far as it is exercised here: a single address
 * yields a one-element array, a comma-separated value yields one element per address,
 * and an empty value yields {@code null}.
 */
public class SendMailPublisherTest {

    /**
     * Builds a publisher config whose {@code destination} is the given string and
     * runs it through {@code parseDestination}.
     */
    private static String[] parse(final String destination) {
        final JsonObject config = Json.createObjectBuilder()
                .add("destination", destination)
                .build();
        return SendMailPublisher.parseDestination(config);
    }

    @Test
    public void testSingleDestination() {
        final String[] expected = { "john@doe.com" };
        Assert.assertArrayEquals(expected, parse("john@doe.com"));
    }

    @Test
    public void testMultipleDestinations() {
        final String[] expected = { "john@doe.com", "steve@jobs.org" };
        Assert.assertArrayEquals(expected, parse("john@doe.com,steve@jobs.org"));
    }

    @Test
    public void testEmptyDestinations() {
        // An empty destination string yields no recipient array at all (null, not an empty array).
        Assert.assertArrayEquals(null, parse(""));
    }
}
/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
 */
package org.dependencytrack.metrics;

import org.junit.Assert;
import org.junit.Test;

/**
 * Unit tests for the scoring helpers in {@link Metrics}.
 */
public class MetricsTest {

    /** The expected values are exact, so no floating-point tolerance is granted. */
    private static final double EXACT = 0;

    @Test
    public void testMetricCalculations() {
        // Arguments are presumably the critical/high/medium/low/unassigned counts (the original
        // local was named "chml") — verify against Metrics.inheritedRiskScore before reusing.
        final double riskScore = Metrics.inheritedRiskScore(20, 10, 5, 1, 3);
        Assert.assertEquals(281, riskScore, EXACT);

        // 5 vulnerable components out of 100 -> 0.05
        final double vulnerableRatio = Metrics.vulnerableComponentRatio(5, 100);
        Assert.assertEquals(0.05, vulnerableRatio, EXACT);
    }
}
-------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/details/FSFULLR.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseText": "Copyright 1996-2006 Free Software Foundation, Inc.\n\nThis file is free software; the Free Software Foundation gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved.\n", 4 | "standardLicenseTemplate": "\u003c\u003cvar;name\u003d\"copyright\";original\u003d\"Copyright 1996-2006 Free Software Foundation, Inc.\";match\u003d\".{0,1000}\"\u003e\u003e\n\nThis file is free software; the Free Software Foundation gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved.", 5 | "name": "FSF Unlimited License (with License Retention)", 6 | "licenseId": "FSFULLR", 7 | "crossRef": [ 8 | { 9 | "isLive": true, 10 | "isValid": true, 11 | "isWayBackLink": false, 12 | "match": "false", 13 | "url": "https://fedoraproject.org/wiki/Licensing/FSF_Unlimited_License#License_Retention_Variant", 14 | "order": 0, 15 | "timestamp": "2020-11-25 - 21:54:38" 16 | } 17 | ], 18 | "seeAlso": [ 19 | "https://fedoraproject.org/wiki/Licensing/FSF_Unlimited_License#License_Retention_Variant" 20 | ], 21 | "isOsiApproved": false 22 | } -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/Classpath-exception-2.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "Linking this library statically or dynamically with other modules is making a combined work based on this library. 
Thus, the terms and conditions of the GNU General Public License cover the whole combination.\n\nAs a special exception, the copyright holders of this library give you permission to link this library with independent modules to produce an executable, regardless of the license terms of these independent modules, and to copy and distribute the resulting executable under terms of your choice, provided that you also meet, for each linked independent module, the terms and conditions of the license of that module. An independent module is a module which is not derived from or based on this library. If you modify this library, you may extend this exception to your version of the library, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version.\n", 4 | "name": "Classpath exception 2.0", 5 | "seeAlso": [ 6 | "http://www.gnu.org/software/classpath/license.html", 7 | "https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception" 8 | ], 9 | "licenseExceptionId": "Classpath-exception-2.0" 10 | } -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/LLVM-exception.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "---- LLVM Exceptions to the Apache 2.0 License ----\n\n As an exception, if, as a result of your compiling your source code, portions\n of this Software are embedded into an Object form of such source code, you\n may redistribute such embedded portions in such Object form without complying\n with the conditions of Sections 4(a), 4(b) and 4(d) of the License.\n\n In addition, if you combine or link compiled forms of this Software with\n software that is licensed under the GPLv2 (\"Combined Software\") and if a\n court of competent jurisdiction determines that the patent provision (Section\n 3), the indemnity provision 
(Section 9) or other Section of the License\n conflicts with the conditions of the GPLv2, you may retroactively and\n prospectively choose to deem waived or otherwise exclude such Section(s) of\n the License, but only in their entirety and only with respect to the Combined\n Software.\n", 4 | "name": "LLVM Exception", 5 | "licenseComments": "This exception was created specifically to be used with Apache-2.0", 6 | "seeAlso": [ 7 | "http://llvm.org/foundation/relicensing/LICENSE.txt" 8 | ], 9 | "licenseExceptionId": "LLVM-exception" 10 | } -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/RepositoryMetaEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
 */
package org.dependencytrack.event;

import alpine.event.framework.Event;
import org.dependencytrack.model.Component;

/**
 * Event that references a single {@link Component}. What a subscriber does with it
 * (presumably a repository metadata lookup, going by the name) is defined by the task
 * bound to this event type, which is not part of this file.
 */
public class RepositoryMetaEvent implements Event {

    /** The referenced component; {@code null} when the no-arg constructor was used. */
    private Component component;

    /**
     * Creates an event without a component.
     */
    public RepositoryMetaEvent() {
        this(null);
    }

    /**
     * Creates an event for the given component.
     *
     * @param component the component to carry; may be {@code null}
     */
    public RepositoryMetaEvent(final Component component) {
        this.component = component;
    }

    /**
     * @return the component this event carries, or {@code null}
     */
    public Component getComponent() {
        return this.component;
    }
}
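/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
 */
package org.dependencytrack.integrations;

import org.dependencytrack.model.Finding;
import org.dependencytrack.model.Project;

import java.io.InputStream;
import java.util.List;

/**
 * Contract for integrations that push the findings of a single {@link Project} to an
 * external system. Extends {@link FindingUploader} (same package, not shown here).
 * <p>
 * As far as the signatures suggest, an implementation is asked whether it is configured
 * for a project, then builds a payload from that project's findings, then uploads it.
 */
public interface ProjectFindingUploader extends FindingUploader {

    /**
     * @param project the project to check
     * @return whether the integration has the configuration it needs for this project
     */
    boolean isProjectConfigured(Project project);

    /**
     * Builds the upload payload for the given findings.
     * <p>
     * The element type is {@link Finding}: the import was already declared by this file
     * while the parameter was a raw {@code List}, which left the relationship unstated
     * and allowed any list to be passed.
     *
     * @param project  the project the findings belong to
     * @param findings the findings to serialize
     * @return the serialized payload, meant to be handed to {@link #upload(Project, InputStream)}
     */
    InputStream process(Project project, List<Finding> findings);

    /**
     * Sends a payload produced by {@link #process(Project, List)} to the external system.
     *
     * @param project the project the payload belongs to
     * @param payload the payload to send
     */
    void upload(Project project, InputStream payload);
}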
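package org.dependencytrack.assertion;

import java.time.Duration;
import java.time.LocalDateTime;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;

import static org.assertj.core.api.Assertions.fail;

/**
 * Test-only assertion helpers that are not provided by JUnit/AssertJ out of the box.
 */
public final class Assertions {

    /** Pause between two evaluations of a polled condition. */
    private static final long POLL_INTERVAL_MS = 100;

    private Assertions() {
    }

    /**
     * Assert that a condition becomes true within a given timeout.
     * <p>
     * The condition is evaluated immediately and then every {@value #POLL_INTERVAL_MS} ms
     * until it yields {@code true} or the timeout elapses. The deadline is taken from
     * {@link System#nanoTime()}, a monotonic clock, rather than from the wall clock:
     * a wall-clock adjustment (NTP step, manual change) during the wait can neither
     * shorten nor extend it.
     *
     * @param condition The condition to evaluate; a {@code null} result counts as {@code false}
     * @param timeout The timeout to enforce; the condition is evaluated at least once even
     *                when the timeout is zero or negative
     * @throws InterruptedException When interrupted while sleeping in between evaluations
     */
    public static void assertConditionWithTimeout(final Supplier<Boolean> condition, final Duration timeout) throws InterruptedException {
        final long deadlineNanos = System.nanoTime() + timeout.toNanos();

        while (true) {
            if (Boolean.TRUE.equals(condition.get())) {
                return;
            }
            // Compare via subtraction so that nanoTime() wrapping around does not break the check.
            if (System.nanoTime() - deadlineNanos >= 0) {
                break;
            }
            TimeUnit.MILLISECONDS.sleep(POLL_INTERVAL_MS);
        }

        fail("Timeout exceeded while waiting for condition to become true");
    }

}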
| ###### Software Bill of Materials (SBOM) ###### 31 | 32 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.3/bom.json) 33 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.3.3/bom.xml) 34 | -------------------------------------------------------------------------------- /docs/_posts/2018-11-13-v3.3.1.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: v3.3.1 3 | type: minor 4 | --- 5 | 6 | **Features:** 7 | 8 | * Improved findings API to support a wider range of use-cases 9 | 10 | **Fixes:** 11 | 12 | * When importing some npm dependencies (via Dependency-Check report), some modules would get misidentified causing an NPE 13 | * Fixed non-standard Java versioning schemes (such as Debian OpenJDK) that caused version comparison to fail 14 | * Corrected issue that resulted in suppressed vulnerabilities to be returned from a query as if they were not suppressed 15 | * Fixed issue preventing saving of SMTP settings with anonymous authentication 16 | 17 | **Upgrade Notes:** 18 | 19 | The format of the findings API has changed and will not be versioned. This API is used to present findings from the 20 | audit tab in the UI. If this API was being used outside the UI, please note that the response format has changed. 
21 | 22 | ###### dependency-track-embedded.war 23 | 24 | | Algorithm | Checksum | 25 | | SHA-1 | f7a0fcf9568a765b9bb3cdf3465f475810c333e8 | 26 | | SHA-256 | f5693cab665932c80e7056c37ed93bf61a1638e252e48e9c0717b8d0c4740ea4 | 27 | 28 | ###### dependency-track.war 29 | 30 | | Algorithm | Checksum | 31 | | SHA-1 | bfcf20a5cb87d562b781419f7b989c35ff67e390 | 32 | | SHA-256 | 91156bc404ab84a09e912302888ef06c52813764e88ad73039550a9ff2e82b91 | 33 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/exceptions/Qt-GPL-exception-1.0.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseExceptionText": "The Qt Company GPL Exception 1.0\n\nException 1:\n\nAs a special exception you may create a larger work which contains the\noutput of this application and distribute that work under terms of your\nchoice, so long as the work is not otherwise derived from or based on\nthis application and so long as the work does not in itself generate\noutput that contains the output from this application in its original\nor modified form.\n\nException 2:\n\nAs a special exception, you have permission to combine this application\nwith Plugins licensed under the terms of your choice, to produce an\nexecutable, and to copy and distribute the resulting executable under\nthe terms of your choice. 
However, the executable must be accompanied\nby a prominent notice offering all users of the executable the entire\nsource code to this application, excluding the source code of the\nindependent modules, but including any changes you have made to this\napplication, under the terms of this license.\n", 4 | "name": "Qt GPL exception 1.0", 5 | "licenseComments": "Typically used with the GPL-3.0.", 6 | "seeAlso": [ 7 | "http://code.qt.io/cgit/qt/qtbase.git/tree/LICENSE.GPL3-EXCEPT" 8 | ], 9 | "licenseExceptionId": "Qt-GPL-exception-1.0" 10 | } -------------------------------------------------------------------------------- /docs/_docs/usage/continuous-transparency.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Continuous Transparency 3 | category: Usage 4 | chapter: 2 5 | order: 2 6 | --- 7 | 8 | Much of the focus of Dependency-Track centers around the consumption and analysis of SBOMs. However, Dependency-Track 9 | is also capable of generating SBOMs from any project in the portfolio. Organizations are able to create SBOMs when 10 | requested by customers, partners, or other stakeholders for any project in the portfolio. 11 | 12 | Organizations that require greater levels of transparency may optionally use Dependency-Track's notification feature, 13 | which is capable of publishing SBOMs via webhooks whenever an SBOM is consumed or processed by the system. When used 14 | in a continuous integration or delivery environment, SBOMs can optionally be published to one or more endpoints, 15 | thus achieving continuous transparency with pre-determined parties. 16 | 17 | Although continuous transparency is possible, the radius of transparency should be carefully considered. Organizations 18 | are encouraged to start by sharing SBOM data with other departments or business units within the same organization 19 | prior to sharing data with external parties. 
/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
 */
package org.dependencytrack.model;

/**
 * Provides the list of justifications an analysis decision of 'not affected' may carry.
 * <p>
 * The constants are plain enum values with no attached data; how they are persisted and
 * exposed through the API is defined elsewhere. Treat the declaration order as part of the
 * contract until confirmed otherwise, since any ordinal-based storage would depend on it.
 *
 * @author Steve Springett
 * @since 4.4.0
 */
public enum AnalysisJustification {
    CODE_NOT_PRESENT,
    CODE_NOT_REACHABLE,
    REQUIRES_CONFIGURATION,
    REQUIRES_DEPENDENCY,
    REQUIRES_ENVIRONMENT,
    PROTECTED_BY_COMPILER,
    PROTECTED_AT_RUNTIME,
    PROTECTED_AT_PERIMETER,
    PROTECTED_BY_MITIGATING_CONTROL,
    // Presumably the value used when no justification has been selected — confirm against callers.
    NOT_SET
}
/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
 */
package org.dependencytrack.common;

import kong.unirest.Unirest;
import kong.unirest.UnirestInstance;

/**
 * Provides the single, shared {@link UnirestInstance} used for outbound HTTP calls.
 * <p>
 * The instance is Unirest's primary instance, configured once at class-load time with the
 * HTTP client produced by {@code ManagedHttpClientFactory} (same package, not shown here).
 * Because this is the JVM-wide primary instance, any code that reconfigures it changes the
 * behaviour seen by every caller of {@link #getUnirestInstance()} — keep all client setup
 * (timeouts, proxy, TLS) inside the managed client factory rather than at call sites.
 */
public final class UnirestFactory {

    private static final UnirestInstance UNIREST_INSTANCE = Unirest.primaryInstance();

    // Runs exactly once, when the class is initialised: swap the default client for the managed one.
    static {
        UNIREST_INSTANCE.config().httpClient(ManagedHttpClientFactory.newManagedHttpClient().getHttpClient());
    }

    /** Not instantiable; all access goes through {@link #getUnirestInstance()}. */
    private UnirestFactory() {
    }

    /**
     * @return the shared, pre-configured Unirest instance
     */
    public static UnirestInstance getUnirestInstance() {
        return UNIREST_INSTANCE;
    }
}
/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
 */
package org.dependencytrack.event;

import alpine.event.framework.Event;

import java.util.UUID;

/**
 * Base class for events that trigger an upload to an external vulnerability management
 * system for one project, identified by its UUID. Concrete subclasses (for example the
 * Fortify SSC and Kenna Security upload events listed in the test tree) supply the
 * integration-specific type; this class only carries the project identifier.
 * <p>
 * Both constructors are package-private, so only subclasses in {@code org.dependencytrack.event}
 * can instantiate them.
 */
public abstract class AbstractVulnerabilityManagementUploadEvent implements Event {

    /** The project the upload refers to; {@code null} when created without one. */
    private UUID projectUuid;

    /**
     * Creates an event that is not tied to a project.
     */
    AbstractVulnerabilityManagementUploadEvent() {
        this(null);
    }

    /**
     * Creates an event for the given project.
     *
     * @param projectUuid the UUID of the project; may be {@code null}
     */
    AbstractVulnerabilityManagementUploadEvent(final UUID projectUuid) {
        this.projectUuid = projectUuid;
    }

    /**
     * @return the UUID of the project this event refers to, or {@code null}
     */
    public UUID getProjectUuid() {
        return this.projectUuid;
    }
}
The guidance includes foundational SBOM requirements as well as 15 | guidance for supplier evaluation. 16 | 17 | Once obtained, SBOMs can be manually uploaded to Dependency-Track for analysis. First, create a new project that 18 | corresponds to the software and version being procured. Then, upload the SBOM for analysis. 19 | 20 | This will provide complete visibility of component inventory, vulnerabilities, outdated component status, and 21 | policy violations. If the software being procured will eventually be deployed to production, simply keep the project 22 | active in Dependency-Track so that its risk can continue to be tracked. If the software will not be procured, simply 23 | delete the project. 24 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/model/SeverityTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
 */
package org.dependencytrack.model;

import org.junit.Assert;
import org.junit.Test;

/**
 * Pins the constant names of {@link Severity}. The names are part of the external contract
 * (they are what serialises into the API and into persisted analyses), so a rename would
 * surface here before it surfaces for API consumers.
 */
public class SeverityTest {

    @Test
    public void testEnums() {
        assertNamed("CRITICAL", Severity.CRITICAL);
        assertNamed("HIGH", Severity.HIGH);
        assertNamed("MEDIUM", Severity.MEDIUM);
        assertNamed("LOW", Severity.LOW);
        assertNamed("INFO", Severity.INFO);
        assertNamed("UNASSIGNED", Severity.UNASSIGNED);
    }

    /** Asserts that {@code severity.name()} equals the expected literal. */
    private static void assertNamed(final String expected, final Severity severity) {
        Assert.assertEquals(expected, severity.name());
    }
}
36 | -------------------------------------------------------------------------------- /.github/workflows/ci-test.yaml: -------------------------------------------------------------------------------- 1 | name: Tests CI 2 | 3 | on: 4 | push: 5 | paths-ignore: 6 | - '**/*.md' 7 | pull_request: 8 | paths-ignore: 9 | - '**/*.md' 10 | workflow_dispatch: 11 | 12 | # The following concurrency group cancels in-progress jobs or runs on pull_request events only; 13 | # if github.head_ref is undefined, the concurrency group will fallback to the run ID, 14 | # which is guaranteed to be both unique and defined for the run. 15 | concurrency: 16 | group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} 17 | cancel-in-progress: true 18 | 19 | jobs: 20 | test: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - name: Checkout repository 24 | uses: actions/checkout@v3.0.2 25 | 26 | - name: Set up JDK 27 | uses: actions/setup-java@v3.3.0 28 | with: 29 | distribution: 'temurin' 30 | java-version: '11' 31 | cache: 'maven' 32 | 33 | - name: Execute unit tests 34 | run: |- 35 | mvn clean 36 | mvn test -P enhance 37 | 38 | - name: Publish test coverage 39 | if: ${{ github.ref == 'refs/heads/master' && contains(github.repository, 'DependencyTrack/') }} 40 | uses: codacy/codacy-coverage-reporter-action@v1.3.0 41 | with: 42 | project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} 43 | language: Java 44 | coverage-reports: target/jacoco-ut/jacoco.xml 45 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/event/CloneProjectEventTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import org.dependencytrack.resources.v1.vo.CloneProjectRequest; 22 | import org.junit.Assert; 23 | import org.junit.Test; 24 | 25 | import java.util.UUID; 26 | 27 | public class CloneProjectEventTest { 28 | 29 | @Test 30 | public void testEvent() { 31 | UUID uuid = UUID.randomUUID(); 32 | CloneProjectRequest request = new CloneProjectRequest(uuid.toString(), "1.0", true, true, true, true, true, true); 33 | CloneProjectEvent event = new CloneProjectEvent(request); 34 | Assert.assertEquals(request, event.getRequest()); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/model/AnalysisStateTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.model; 20 | 21 | import org.junit.Assert; 22 | import org.junit.Test; 23 | 24 | public class AnalysisStateTest { 25 | 26 | @Test 27 | public void testEnums() { 28 | Assert.assertEquals("NOT_SET", AnalysisState.NOT_SET.name()); 29 | Assert.assertEquals("IN_TRIAGE", AnalysisState.IN_TRIAGE.name()); 30 | Assert.assertEquals("NOT_AFFECTED", AnalysisState.NOT_AFFECTED.name()); 31 | Assert.assertEquals("FALSE_POSITIVE", AnalysisState.FALSE_POSITIVE.name()); 32 | Assert.assertEquals("NOT_AFFECTED", AnalysisState.NOT_AFFECTED.name()); 33 | } 34 | 35 | } 36 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/notification/NotificationGroup.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
18 | */ 19 | package org.dependencytrack.notification; 20 | 21 | public enum NotificationGroup { 22 | 23 | // System Groups 24 | CONFIGURATION, 25 | DATASOURCE_MIRRORING, 26 | REPOSITORY, 27 | INTEGRATION, 28 | INDEXING_SERVICE, 29 | FILE_SYSTEM, 30 | ANALYZER, 31 | 32 | // Portfolio Groups 33 | NEW_VULNERABILITY, 34 | NEW_VULNERABLE_DEPENDENCY, 35 | //NEW_OUTDATED_COMPONENT, 36 | //FIXED_VULNERABILITY, 37 | //FIXED_OUTDATED, 38 | //GLOBAL_AUDIT_CHANGE, 39 | PROJECT_AUDIT_CHANGE, 40 | BOM_CONSUMED, 41 | BOM_PROCESSED, 42 | VEX_CONSUMED, 43 | VEX_PROCESSED 44 | } 45 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/VulnDbAnalysisEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import org.dependencytrack.model.Component; 22 | 23 | import java.util.List; 24 | 25 | /** 26 | * Defines an event used to start an analysis via VulnDB REST API. 
27 | * 28 | * @author Steve Springett 29 | * @since 3.6.0 30 | */ 31 | public class VulnDbAnalysisEvent extends VulnerabilityAnalysisEvent { 32 | 33 | public VulnDbAnalysisEvent() { } 34 | 35 | public VulnDbAnalysisEvent(final Component component) { 36 | super(component); 37 | } 38 | 39 | public VulnDbAnalysisEvent(final List components) { 40 | super(components); 41 | } 42 | 43 | } 44 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/resources/v1/vo/MappedOidcGroupRequest.java: -------------------------------------------------------------------------------- 1 | package org.dependencytrack.resources.v1.vo; 2 | 3 | import com.fasterxml.jackson.annotation.JsonCreator; 4 | import com.fasterxml.jackson.annotation.JsonProperty; 5 | 6 | import javax.validation.constraints.Pattern; 7 | 8 | /** 9 | * Defines a custom request object used when adding a new MappedOidcGroup. 10 | * 11 | * @since 4.0.0 12 | */ 13 | public class MappedOidcGroupRequest { 14 | 15 | @Pattern(regexp = "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", message = "The team must be a valid 36 character UUID") 16 | private String team; 17 | 18 | @Pattern(regexp = "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", message = "The group must be a valid 36 character UUID") 19 | private String group; 20 | 21 | @JsonCreator 22 | public MappedOidcGroupRequest(@JsonProperty(value = "team", required = true) final String team, 23 | @JsonProperty(value = "group", required = true) final String group) { 24 | this.team = team; 25 | this.group = group; 26 | } 27 | 28 | public String getTeam() { 29 | return team; 30 | } 31 | 32 | public void setTeam(String team) { 33 | this.team = team; 34 | } 35 | 36 | public String getGroup() { 37 | return group; 38 | } 39 | 40 | public void setGroup(String group) { 41 | this.group = group; 42 | } 43 | 44 | } 45 | 
-------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/details/NLPL.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseText": "NO LIMIT PUBLIC LICENSE\n Version 0, June 2012\n\nGilles LAMIRAL\nLa Billais\n35580 Baulon\nFrance\n\nNO LIMIT PUBLIC LICENSE\n\nTerms and conditions for copying, distribution, modification\nor anything else.\n\n 0. No limit to do anything with this work and this license.\n", 4 | "standardLicenseTemplate": "\u003c\u003cbeginOptional\u003e\u003e NO LIMIT PUBLIC LICENSE\n\nVersion 0, June 2012\u003c\u003cendOptional\u003e\u003e\u003c\u003cbeginOptional\u003e\u003e Gilles LAMIRAL\n\nLa Billais\n\n35580 Baulon\n\nFrance\u003c\u003cendOptional\u003e\u003e\u003c\u003cbeginOptional\u003e\u003e NO LIMIT PUBLIC LICENSE\u003c\u003cendOptional\u003e\u003e\n\nTerms and conditions for copying, distribution, modification or anything else.\n\n \u003c\u003cvar;name\u003d\"bullet\";original\u003d\"0.\";match\u003d\".{0,20}\"\u003e\u003e No limit to do anything with this work and this license.", 5 | "name": "No Limit Public License", 6 | "licenseId": "NLPL", 7 | "crossRef": [ 8 | { 9 | "isLive": true, 10 | "isValid": true, 11 | "isWayBackLink": false, 12 | "match": "true", 13 | "url": "https://fedoraproject.org/wiki/Licensing/NLPL", 14 | "order": 0, 15 | "timestamp": "2020-11-25 - 21:54:55" 16 | } 17 | ], 18 | "seeAlso": [ 19 | "https://fedoraproject.org/wiki/Licensing/NLPL" 20 | ], 21 | "isOsiApproved": false 22 | } -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/util/HttpUtilTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.util; 20 | 21 | import org.junit.Assert; 22 | import org.junit.Test; 23 | 24 | public class HttpUtilTest { 25 | 26 | @Test 27 | public void testBasicAuthHeader() throws Exception { 28 | String header = HttpUtil.basicAuthHeader("username", "password"); 29 | Assert.assertEquals("Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=", header); 30 | } 31 | 32 | @Test 33 | public void testBasicAuthHeaderValue() throws Exception { 34 | String authvalue = HttpUtil.basicAuthHeaderValue("username", "password"); 35 | Assert.assertEquals("Basic dXNlcm5hbWU6cGFzc3dvcmQ=", authvalue); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/CloneProjectEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import alpine.event.framework.AbstractChainableEvent; 22 | import org.dependencytrack.resources.v1.vo.CloneProjectRequest; 23 | 24 | /** 25 | * Defines an event triggered when a project should be cloned. 26 | * 27 | * @author Steve Springett 28 | * @since 3.3.0 29 | */ 30 | public class CloneProjectEvent extends AbstractChainableEvent { 31 | 32 | private final CloneProjectRequest request; 33 | 34 | public CloneProjectEvent(final CloneProjectRequest request) { 35 | this.request = request; 36 | } 37 | 38 | public CloneProjectRequest getRequest() { 39 | return request; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/OssIndexAnalysisEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import org.dependencytrack.model.Component; 22 | 23 | import java.util.List; 24 | 25 | /** 26 | * Defines an event used to start an analysis via Sonatype OSS Index REST API. 27 | * 28 | * @author Steve Springett 29 | * @since 3.2.0 30 | */ 31 | public class OssIndexAnalysisEvent extends VulnerabilityAnalysisEvent { 32 | 33 | public OssIndexAnalysisEvent() { } 34 | 35 | public OssIndexAnalysisEvent(final Component component) { 36 | super(component); 37 | } 38 | 39 | public OssIndexAnalysisEvent(final List components) { 40 | super(components); 41 | } 42 | 43 | } 44 | -------------------------------------------------------------------------------- /src/main/resources/license-list-data/json/details/Beerware.json: -------------------------------------------------------------------------------- 1 | { 2 | "isDeprecatedLicenseId": false, 3 | "licenseText": "\"THE BEER-WARE LICENSE\" (Revision 42): \u003cphk@FreeBSD.ORG\u003e wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp\n", 4 | "standardLicenseTemplate": "\"THE BEER-WARE LICENSE\" (Revision 42):\n\n\u003cphk@FreeBSD.ORG\u003e wrote this file. As long as you retain this notice you can do whatever you want with this stuff. 
If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp", 5 | "name": "Beerware License", 6 | "licenseId": "Beerware", 7 | "crossRef": [ 8 | { 9 | "isLive": true, 10 | "isValid": true, 11 | "isWayBackLink": false, 12 | "match": "false", 13 | "url": "https://fedoraproject.org/wiki/Licensing/Beerware", 14 | "order": 0, 15 | "timestamp": "2020-11-25 - 21:52:48" 16 | }, 17 | { 18 | "isLive": true, 19 | "isValid": true, 20 | "isWayBackLink": false, 21 | "match": "false", 22 | "url": "https://people.freebsd.org/~phk/", 23 | "order": 1, 24 | "timestamp": "2020-11-25 - 21:52:49" 25 | } 26 | ], 27 | "seeAlso": [ 28 | "https://fedoraproject.org/wiki/Licensing/Beerware", 29 | "https://people.freebsd.org/~phk/" 30 | ], 31 | "isOsiApproved": false 32 | } -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/event/InternalAnalysisEvent.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import org.dependencytrack.model.Component; 22 | 23 | import java.util.List; 24 | 25 | /** 26 | * Defines an event used to start an internal analysis which leverages the VulnerableSoftware model. 27 | * 28 | * @author Steve Springett 29 | * @since 3.6.0 30 | */ 31 | public class InternalAnalysisEvent extends VulnerabilityAnalysisEvent { 32 | 33 | public InternalAnalysisEvent() { } 34 | 35 | public InternalAnalysisEvent(final Component component) { 36 | super(component); 37 | } 38 | 39 | public InternalAnalysisEvent(final List components) { 40 | super(components); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/event/RepositoryMetaEventTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import org.dependencytrack.model.Component; 22 | import org.junit.Assert; 23 | import org.junit.Test; 24 | 25 | public class RepositoryMetaEventTest { 26 | 27 | @Test 28 | public void testDefaultConstructor() { 29 | RepositoryMetaEvent event = new RepositoryMetaEvent(); 30 | Assert.assertNull(event.getComponent()); 31 | } 32 | 33 | @Test 34 | public void testComponentConstructor() { 35 | Component component = new Component(); 36 | RepositoryMetaEvent event = new RepositoryMetaEvent(component); 37 | Assert.assertEquals(component, event.getComponent()); 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /docs/_docs/usage/impact-analysis.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Impact Analysis 3 | category: Usage 4 | chapter: 2 5 | order: 3 6 | --- 7 | 8 | Organizations can analyze the potential for impact of a vulnerability in their environment. 9 | Dependency-Track can help identify all affected projects across the organization. If the vulnerability is published 10 | to a datasource Dependency-Track supports (i.e. NVD, GitHub Advisories, OSS Index, VulnDB, etc), then simply looking up the 11 | vulnerability in the platform is all that's required. 12 | 13 | Using Dependency-Track can help organizations answer two important questions: 14 | - What is affected? 15 | - Where am I affected? 16 | 17 | ![vulnerability](/images/screenshots/vulnerability.png) 18 | 19 | Dependency-Track contains a full mirror for each of the vulnerability datasources it supports. Virtually all public 20 | information about the vulnerability including the description, affected versions, CWE, and severity, are captured, 21 | as well as the affected projects. The list of affected projects is dynamically generated based on data in 22 | Dependency-Track at the time of inquiry. 
23 | 24 | ![affected projects](/images/screenshots/vulnerability-affected-projects.png) 25 | 26 | Alternatively, if the component name and version are known, then performing a search on that component will 27 | reveal a list of vulnerabilities, as well as a list of all projects that have a dependency on the component. 28 | 29 | ![incident response](/images/screenshots/vulnerable-component.png) 30 | -------------------------------------------------------------------------------- /docs/_docs/integrations/threadfix.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: ThreadFix 3 | category: Integrations 4 | chapter: 6 5 | order: 9 6 | --- 7 | 8 | ThreadFix includes a *remote provider* for Dependency-Track which provides seemless and automatic integration. 9 | Vulnerabilities on a per-project basis in Dependency-Track are mapped to corresponding applications in ThreadFix 10 | along with details of every vulnerability. 11 | 12 | ### Remote Provider Configuration 13 | In ThreadFix, define a Dependency Track remote provider. Ensure a valid URL to the Dependency-Track server is 14 | specified along with a valid API Key. 15 | 16 | ![Remote Provider Creation](/images/screenshots/threadfix-remoteprovider-create.png) 17 | 18 | Once the remote provider is created, projects in Dependency-Track must be mapped to applications in ThreadFix. 19 | 20 | ![Remote Provider Mapping](/images/screenshots/threadfix-remoteprovider-mappings.png) 21 | 22 | It is recommend to setup a schedule for ThreadFix to automatically import Dependency-Track results periodically. 23 | Refer to the ThreadFix documentation on instructions on how to setup importer schedules. 24 | 25 | ### Usage 26 | Results are imported and integrated into ThreadFix and behave like any other vulnerability ThreadFix tracks. 27 | Vulnerabilities can be sorted, filtered, and expanded with further details. 
The vulnerabilities can now be 28 | included in the advanced analytics and workflows that ThreadFix provides. 29 | 30 | ![ThreadFix Findings](/images/screenshots/threadfix-results.png) 31 | -------------------------------------------------------------------------------- /docs/_docs/getting-started/data-directory.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Data Directory 3 | category: Getting Started 4 | chapter: 1 5 | order: 7 6 | --- 7 | 8 | Dependency-Track uses `~/.dependency-track` on UNIX/Linux systems and `.dependency-track` in the current users 9 | home directory on Windows machines. This directory, referred to as the *data directory*, contains 10 | the NIST NVD mirror, embedded database files, application and audit logs, as well as keys used during normal 11 | operation, such as validating JWT tokens. It is essential that best practices are followed to secure the 12 | data directory. 13 | 14 | The data directory includes: 15 | 16 | 17 | | Content | Purpose | 18 | | -------------------------- | ------------------------------------------ | 19 | | db.mv.db | Embedded H2 database | 20 | | dependency-track.log | Application log | 21 | | dependency-track-audit.log | Application audit log | 22 | | id.system | Randomly generated system identifier | 23 | | index | Internal search engine index | 24 | | keys | Keys used to generate/verify JWT tokens | 25 | | nist | Mirror of the NVD and CPE | 26 | | server.log | Embedded Jetty server log | 27 | | vulndb | Mirror of VulnDB | 28 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/upgrade/v400/v400Updater.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.upgrade.v400; 20 | 21 | import alpine.common.logging.Logger; 22 | import alpine.persistence.AlpineQueryManager; 23 | import alpine.server.upgrade.AbstractUpgradeItem; 24 | 25 | import java.sql.Connection; 26 | 27 | public class v400Updater extends AbstractUpgradeItem { 28 | 29 | private static final Logger LOGGER = Logger.getLogger(v400Updater.class); 30 | 31 | @Override 32 | public String getSchemaVersion() { 33 | return "4.0.0"; 34 | } 35 | 36 | @Override 37 | public void executeUpgrade(final AlpineQueryManager alpineQueryManager, final Connection connection) throws Exception { 38 | LOGGER.info("HOOOO"); 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/event/FortifySscUploadEventTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.event; 20 | 21 | import org.junit.Assert; 22 | import org.junit.Test; 23 | 24 | import java.util.UUID; 25 | 26 | public class FortifySscUploadEventTest { 27 | 28 | @Test 29 | public void testDefaultConstructor() { 30 | FortifySscUploadEventAbstract event = new FortifySscUploadEventAbstract(); 31 | Assert.assertNull(event.getProjectUuid()); 32 | } 33 | 34 | @Test 35 | public void testProjectConstructor() { 36 | UUID uuid = UUID.randomUUID(); 37 | FortifySscUploadEventAbstract event = new FortifySscUploadEventAbstract(uuid); 38 | Assert.assertEquals(uuid, event.getProjectUuid()); 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /src/main/java/org/dependencytrack/exception/ParseException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 18 | */ 19 | package org.dependencytrack.exception; 20 | 21 | /** 22 | * Exception for when parsing files. 
23 | * 24 | * @author Steve Springett 25 | * @since 3.0.0 26 | */ 27 | public class ParseException extends Exception { 28 | 29 | /** 30 | * @since 3.0.0 31 | */ 32 | public ParseException(final String message) { 33 | super(message); 34 | } 35 | 36 | /** 37 | * @since 3.0.0 38 | */ 39 | public ParseException(final Throwable cause) { 40 | super(cause); 41 | } 42 | 43 | /** 44 | * @since 3.0.0 45 | */ 46 | public ParseException(final String message, final Throwable cause) { 47 | super(message, cause); 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/TaskTest.java: -------------------------------------------------------------------------------- 1 | package org.dependencytrack; 2 | 3 | import alpine.Config; 4 | import org.dependencytrack.persistence.QueryManager; 5 | import org.glassfish.jersey.servlet.ServletContainer; 6 | import org.glassfish.jersey.test.DeploymentContext; 7 | import org.glassfish.jersey.test.JerseyTest; 8 | import org.glassfish.jersey.test.ServletDeploymentContext; 9 | import org.glassfish.jersey.test.grizzly.GrizzlyWebTestContainerFactory; 10 | import org.glassfish.jersey.test.spi.TestContainerFactory; 11 | import org.junit.After; 12 | import org.junit.Before; 13 | import org.junit.BeforeClass; 14 | 15 | import static org.dependencytrack.PersistenceCapableTest.dbReset; 16 | 17 | public abstract class TaskTest extends JerseyTest { 18 | 19 | protected QueryManager qm; 20 | 21 | @BeforeClass 22 | public static void init() { 23 | Config.enableUnitTests(); 24 | } 25 | 26 | @Override 27 | protected TestContainerFactory getTestContainerFactory() { 28 | return new GrizzlyWebTestContainerFactory(); 29 | } 30 | 31 | @Override 32 | protected DeploymentContext configureDeployment() { 33 | return ServletDeploymentContext.forServlet(new ServletContainer()).build(); 34 | } 35 | 36 | @Before 37 | public void setUp() throws Exception { 38 | dbReset(); 39 | qm = new QueryManager(); 
40 | } 41 | 42 | @After 43 | public void after() throws Exception { 44 | dbReset(); 45 | qm.close(); 46 | } 47 | 48 | } 49 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/common/UnirestFactoryTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
*/
package org.dependencytrack.common;

import kong.unirest.UnirestInstance;
import org.junit.Assert;
import org.junit.Test;

/**
 * Tests for {@link UnirestFactory}.
 */
public class UnirestFactoryTest {

    /**
     * The factory hands out one shared {@link UnirestInstance}: two consecutive
     * calls must return the very same object.
     */
    @Test
    public void instanceTest() {
        final UnirestInstance first = UnirestFactory.getUnirestInstance();
        final UnirestInstance second = UnirestFactory.getUnirestInstance();
        Assert.assertSame(first, second);
    }

    /**
     * The HTTP client wired into the shared Unirest instance is not the object a
     * fresh {@code ManagedHttpClientFactory.newManagedHttpClient()} call produces.
     */
    @Test
    public void httpClientTest() {
        final Object wiredClient = UnirestFactory.getUnirestInstance().config().getClient().getClient();
        final Object freshClient = ManagedHttpClientFactory.newManagedHttpClient();
        Assert.assertNotSame(wiredClient, freshClient);
    }
}

--------------------------------------------------------------------------------
/src/main/resources/license-list-data/json/details/blessing.json:
--------------------------------------------------------------------------------
{
  "isDeprecatedLicenseId": false,
  "licenseText": "The author disclaims copyright to this source code. In place of a legal notice, here is a blessing:\n\nMay you do good and not evil.\nMay you find forgiveness for yourself and forgive others.\nMay you share freely, never taking more than you give.\n",
  "standardLicenseTemplate": "The author disclaims copyright to this source code. 
In place of a legal notice, here is a blessing:\n\n \n\n May you do good and not evil.\n\n \n\n May you find forgiveness for yourself and forgive others.\n\n \n\n May you share freely, never taking more than you give.", 5 | "name": "SQLite Blessing", 6 | "licenseId": "blessing", 7 | "crossRef": [ 8 | { 9 | "isLive": true, 10 | "isValid": true, 11 | "isWayBackLink": false, 12 | "match": "false", 13 | "url": "https://www.sqlite.org/src/artifact/e33a4df7e32d742a?ln\u003d4-9", 14 | "order": 0, 15 | "timestamp": "2020-11-25 - 21:54:45" 16 | }, 17 | { 18 | "isLive": true, 19 | "isValid": true, 20 | "isWayBackLink": false, 21 | "match": "true", 22 | "url": "https://sqlite.org/src/artifact/df5091916dbb40e6", 23 | "order": 1, 24 | "timestamp": "2020-11-25 - 21:54:45" 25 | } 26 | ], 27 | "seeAlso": [ 28 | "https://www.sqlite.org/src/artifact/e33a4df7e32d742a?ln\u003d4-9", 29 | "https://sqlite.org/src/artifact/df5091916dbb40e6" 30 | ], 31 | "isOsiApproved": false 32 | } -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/event/KennaSecurityUploadEventTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
*/
package org.dependencytrack.event;

import org.junit.Assert;
import org.junit.Test;

import java.util.UUID;

/**
 * Tests for {@link KennaSecurityUploadEventAbstract}.
 */
public class KennaSecurityUploadEventTest {

    /** An event built with the no-arg constructor carries no project UUID. */
    @Test
    public void testDefaultConstructor() {
        final KennaSecurityUploadEventAbstract defaultEvent = new KennaSecurityUploadEventAbstract();
        Assert.assertNull(defaultEvent.getProjectUuid());
    }

    /** An event built for a project reports exactly the UUID it was constructed with. */
    @Test
    public void testProjectConstructor() {
        final UUID projectUuid = UUID.randomUUID();
        final KennaSecurityUploadEventAbstract projectEvent = new KennaSecurityUploadEventAbstract(projectUuid);
        Assert.assertEquals(projectUuid, projectEvent.getProjectUuid());
    }
}

--------------------------------------------------------------------------------
/src/test/java/org/dependencytrack/persistence/CweImporterTest.java:
--------------------------------------------------------------------------------
/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
*/
package org.dependencytrack.persistence;

import org.dependencytrack.PersistenceCapableTest;
import org.dependencytrack.model.Cwe;
import org.junit.Assert;
import org.junit.Test;

/**
 * Tests for {@link CweImporter}, run against the persistence layer that
 * {@link PersistenceCapableTest} provides as {@code qm}.
 */
public class CweImporterTest extends PersistenceCapableTest {

    /**
     * Runs the importer and spot-checks the stored definitions: CWE-79 must resolve to
     * its cross-site scripting name, and the total number of stored CWEs must equal the
     * expected count. That count is pinned to the definition data the importer reads and
     * has to be updated whenever that data changes.
     *
     * @throws Exception propagated from the importer or the query manager
     */
    @Test
    public void testProcessCweDefinitions() throws Exception {
        new CweImporter().processCweDefinitions();

        final Cwe xss = qm.getCweById(79);
        Assert.assertEquals("Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", xss.getName());
        Assert.assertEquals(1357, qm.getCwes().getTotal());
    }
}

--------------------------------------------------------------------------------
/src/main/java/org/dependencytrack/search/SearchResult.java:
--------------------------------------------------------------------------------
/*
 * This file is part of Dependency-Track.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
 */
package org.dependencytrack.search;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Wrapper class for returning search results.
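*
* Result sets are keyed by a caller-chosen name and hold, per key, a list of flat
* string-to-string records. The backing map is synchronized so result sets can be
* added from several threads; callers that iterate over it must still synchronize on
* the map itself, as required by {@link Collections#synchronizedMap(Map)}.
*
* @author Steve Springett
* @since 3.0.0
*/
public class SearchResult {

    /**
     * Result sets keyed by name. Wrapped in a synchronized map so that
     * {@link #addResultSet(String, List)} is safe to call concurrently.
     */
    private final Map<String, List<Map<String, String>>> results = Collections.synchronizedMap(new HashMap<>());

    /**
     * Returns the live, synchronized map of result sets (not a copy): changes made
     * through the returned map are visible in this object, and iteration over it
     * must be synchronized on the map.
     *
     * @return all result sets added so far, keyed by name
     */
    public Map<String, List<Map<String, String>>> getResults() {
        return results;
    }

    /**
     * Stores a result set under the given key, replacing any result set previously
     * stored under the same key.
     *
     * @param key the name under which the result set is stored
     * @param resultSet the records found for that key
     */
    public void addResultSet(final String key, final List<Map<String, String>> resultSet) {
        results.put(key, resultSet);
    }

}

--------------------------------------------------------------------------------
/docs/_docs/usage/policy-compliance.md:
--------------------------------------------------------------------------------
---
title: Policy Compliance
category: Usage
chapter: 2
order: 4
---

Organizations can create policies and measure policy violations across the portfolio, and against individual
projects and components. Policies are configurable and can be enforced for the portfolio, or can be
limited to specific projects. Policies are evaluated when an SBOM is uploaded.

There are three types of policy violations:
* License
* Security
* Operational

## License Violation
Policy conditions can specify zero or more SPDX license IDs as well as license groups. Dependency-Track comes with
pre-configured groups of related licenses (e.g. Copyleft) that provide a starting point for organizations to create
custom license policies.

## Security Violation
Policy conditions can specify the severity of vulnerabilities. A vulnerability affecting a component can result in a
policy violation if the policy condition matches the severity of the vulnerability. Vulnerabilities that are suppressed
will not result in a policy violation.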
26 | 27 | ## Operational Violation 28 | Policy conditions can specify zero or more: 29 | * Coordinates (group, name, version) 30 | * Package URL 31 | * CPE 32 | * SWID Tag ID 33 | * Hash (MD5, SHA, SHA3, Blake2b, Blake3) 34 | 35 | This allows organizations to create lists of allowable and/or prohibited components. Future versions 36 | of Dependency-Track will incorporate additional operational parameters into the policy framework. 37 | -------------------------------------------------------------------------------- /src/test/java/org/dependencytrack/integrations/IntegrationPointTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of Dependency-Track. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * SPDX-License-Identifier: Apache-2.0 17 | * Copyright (c) Steve Springett. All Rights Reserved. 
*/
package org.dependencytrack.integrations;

import org.junit.Assert;
import org.junit.Test;

import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

/**
 * Tests for the {@link IntegrationPoint} contract.
 */
public class IntegrationPointTest {

    /**
     * Stubs {@code name()} and {@code description()} on a mocked integration point and
     * reads them back. Because the values come from the mock rather than a concrete
     * implementation, this only checks that the interface exposes both accessors with
     * string-typed results, not any real integration's metadata.
     */
    @Test
    public final void integrationPointMetadataTest() {
        final String expectedName = "Acme Endpoint";
        final String expectedDescription = "An example endpoint";

        final IntegrationPoint mocked = mock(IntegrationPoint.class);
        when(mocked.name()).thenReturn(expectedName);
        when(mocked.description()).thenReturn(expectedDescription);

        Assert.assertEquals(expectedName, mocked.name());
        Assert.assertEquals(expectedDescription, mocked.description());
    }
}

--------------------------------------------------------------------------------
/docs/_posts/2022-xx-xx-v4.5.0.md:
--------------------------------------------------------------------------------
---
title: v4.5.0
type: major
---

**Features:**
* Added new `VIEW_POLICY_VIOLATION` permission that grants read-only access to policy violations and the audit trail - [#1433](https://github.com/DependencyTrack/dependency-track/issues/1433)

**Fixes:**
* Resolved defect where the `VULNERABILITY_ANALYSIS` permission was required to see policy violations - [#126](https://github.com/DependencyTrack/frontend/issues/126)
* Resolved defect where audit trail entries were generated for `Justification` and `Response`, even though they didn't actually change - [#1566](https://github.com/DependencyTrack/dependency-track/pull/1566)
* Resolved defect where vulnerabilities from GitHub Advisories could not be matched with Go modules - [#1574](https://github.com/DependencyTrack/dependency-track/issues/1574)

**Security:**

**Upgrade Notes:**
* Users and teams with `POLICY_VIOLATION_ANALYSIS` permission are automatically granted the `VIEW_POLICY_VIOLATION` permission during the automatic upgrade.
18 | 19 | ###### dependency-track-apiserver.war 20 | 21 | | Algorithm | Checksum | 22 | | SHA-1 | | 23 | | SHA-256 | | 24 | 25 | ###### dependency-track-bundled.war 26 | 27 | | Algorithm | Checksum | 28 | | SHA-1 | | 29 | | SHA-256 | | 30 | 31 | ###### Software Bill of Materials (SBOM) ###### 32 | 33 | [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.5.0/bom.json) 34 | [bom.xml](https://github.com/DependencyTrack/dependency-track/releases/download/4.5.0/bom.xml) 35 | --------------------------------------------------------------------------------