Resolve merge conflicts in collection projects PR#1
Merged
rkg-mm merged 182 commits into rkg-mm:2041-introduce-collection-projects from Dec 7, 2024
Introduces project-level locking for BOM upload processing, policy evaluation, and vulnerability analysis. This prevents duplicate records from being created during any of the mentioned activities. The locking happens in-memory.

Refactors policy violation reconciliation to be more deterministic and able to remove duplicates. In a later release, a `UNIQUE` constraint should be added to the `POLICYVIOLATION` table to prevent duplicate records on the database level (already done in Hyades).

Fixes DependencyTrack#4215

Signed-off-by: nscuro <[email protected]>
…ext` pooling

For BOM upload processing, we customize the `PersistenceManager` for better performance: https://github.com/DependencyTrack/dependency-track/blob/6f7c49c0f2f163895b95e5b80554a49a3ec500f8/src/main/java/org/dependencytrack/tasks/BomUploadProcessingTask.java#L231-L259

It turns out that the custom options are internally delegated to a DataNucleus `ExecutionContext`. Other than `PersistenceManager`s, `ExecutionContext`s are never really closed, but instead reused (https://github.com/datanucleus/datanucleus-core/blob/master/src/main/java/org/datanucleus/ExecutionContextPool.java). Per default, DN pools up to 20 ECs.

The issue with this behavior is that customizing a PM in code location A can unintentionally impact code location B. An example of this is project cloning, where an EC can get picked that has `FlushMode=MANUAL`, whereas the cloning logic assumes the default `FlushMode=AUTO` (DependencyTrack#4220).

Disable EC pooling to prevent such unintended behavior changes.

Fixes DependencyTrack#4220

Signed-off-by: nscuro <[email protected]>
Prevent duplicate policy violations
Signed-off-by: Thomas Schauer-Köckeis <[email protected]>
Signed-off-by: Thomas Schauer-Köckeis <[email protected]>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.8.0 to 6.9.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@32945a3...4f58ea7)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.6.1 to 3.7.1.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@988b5a0...c47758b)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.9 to 3.26.11.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@461ef6c...6db8d63)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [com.icegreen:greenmail-junit4](https://github.com/greenmail-mail-test/greenmail) from 2.0.1 to 2.1.0.
- [Release notes](https://github.com/greenmail-mail-test/greenmail/releases)
- [Commits](greenmail-mail-test/greenmail@release-2.0.1...release-2.1.0)

---
updated-dependencies:
- dependency-name: com.icegreen:greenmail-junit4
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
…ot/maven/com.icegreen-greenmail-junit4-2.1.0 Bump com.icegreen:greenmail-junit4 from 2.0.1 to 2.1.0
…ot/github_actions/github/codeql-action-3.26.11 Bump github/codeql-action from 3.26.9 to 3.26.11
…ot/github_actions/docker/build-push-action-6.9.0 Bump docker/build-push-action from 6.8.0 to 6.9.0
…ot/github_actions/docker/setup-buildx-action-3.7.1 Bump docker/setup-buildx-action from 3.6.1 to 3.7.1
Log contains now username when user gets deleted
Fix unintended manual flushing mode due to DataNucleus `ExecutionContext` pooling
Instead of just discarding *any* duplicate, compare them first, and only keep the most "useful" one.

DependencyTrack#4215 (comment)

Signed-off-by: nscuro <[email protected]>
Enhance policy violation de-duplication logic
Signed-off-by: nscuro <[email protected]>
It turns out that `Component#version` differs from the PURL's version, in that it contains the epoch (e.g. `1:`). Trivy does not expect the epoch as part of the version field, since it has its own dedicated field.
For example:
```json
{
"type": "library",
"name": "dbus-common",
"version": "1:1.12.20-8.el9",
"purl": "pkg:rpm/redhat/[email protected]?arch=noarch&distro=redhat-9.4&epoch=1"
},
```
Signed-off-by: nscuro <[email protected]>
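An added example (not the project's code) of the mismatch described in the commit above: the RPM epoch is split out of `Component#version` and cross-checked against the PURL's `epoch` qualifier before the fields are handed to a scanner that keeps epoch separate, as Trivy does. The sample component is constructed from the excerpt above; the PURL's `dbus-common@1.12.20-8.el9` name/version pair is assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample component mirroring the CycloneDX excerpt above
# (the PURL name@version pair is assumed, not copied from a real SBOM).
COMPONENT = {
    "type": "library",
    "name": "dbus-common",
    "version": "1:1.12.20-8.el9",
    "purl": "pkg:rpm/redhat/dbus-common@1.12.20-8.el9?arch=noarch&distro=redhat-9.4&epoch=1",
}

EPOCH_RE = re.compile(r"^(\d+):(.+)$")


def split_epoch(version):
    """Split an RPM-style 'epoch:version' string into (epoch, version).
    Returns (None, version) when there is no epoch prefix."""
    m = EPOCH_RE.match(version)
    if not m:
        return None, version
    return m.group(1), m.group(2)


def purl_parts(purl):
    """Minimal package-URL parse: returns (version, qualifiers dict)."""
    parts = urlsplit(purl)
    # For a 'pkg:' URL without '//', urlsplit leaves 'type/ns/name@version' in .path
    path = parts.path
    version = path.rsplit("@", 1)[1] if "@" in path else None
    qualifiers = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return version, qualifiers


def scanner_version_fields(component):
    """Produce the version/epoch pair a scanner with a dedicated epoch field expects,
    refusing components whose version string and PURL disagree."""
    epoch, version = split_epoch(component["version"])
    purl_version, qualifiers = purl_parts(component["purl"])
    purl_epoch = qualifiers.get("epoch")
    if epoch is not None and purl_epoch is not None and epoch != purl_epoch:
        raise ValueError(f"epoch mismatch: version has {epoch}, purl has {purl_epoch}")
    if purl_version is not None and purl_version != version:
        raise ValueError(f"version mismatch: {version!r} vs purl {purl_version!r}")
    return {"version": version, "epoch": epoch or purl_epoch}
```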
Fix inaccuracies of Trivy analyzer
Signed-off-by: nscuro <[email protected]>

# Conflicts:
#	src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@d632683...eef6144)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.0 to 4.4.3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@5076954...b4b15b8)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.11 to 3.26.12.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@6db8d63...c36620d)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.24.0 to 0.27.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@6e7b7d1...5681af8)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
…ot/github_actions/github/codeql-action-3.26.12 Bump github/codeql-action from 3.26.11 to 3.26.12
…ot/github_actions/aquasecurity/trivy-action-0.27.0 Bump aquasecurity/trivy-action from 0.24.0 to 0.27.0
…ot/github_actions/actions/checkout-4.2.1 Bump actions/checkout from 4.2.0 to 4.2.1
…ot/github_actions/actions/upload-artifact-4.4.3 Bump actions/upload-artifact from 4.4.0 to 4.4.3
Bumps `lib.protobuf-java.version` from 4.28.3 to 4.29.0.

Updates `com.google.protobuf:protobuf-java` from 4.28.3 to 4.29.0
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `com.google.protobuf:protobuf-java-util` from 4.28.3 to 4.29.0

---
updated-dependencies:
- dependency-name: com.google.protobuf:protobuf-java
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.google.protobuf:protobuf-java-util
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
…sory-mirroring-notification
…ot/maven/lib.protobuf-java.version-4.29.0
Fixes DependencyTrack#3856

Signed-off-by: nscuro <[email protected]>
Signed-off-by: Edouard Shaar <[email protected]>
Bumps [io.github.jeremylong:open-vulnerability-clients](https://github.com/jeremylong/vuln-tools) from 7.0.1 to 7.0.2.
- [Release notes](https://github.com/jeremylong/vuln-tools/releases)
- [Commits](jeremylong/open-vulnerability-cli@v7.0.1...v7.0.2)

---
updated-dependencies:
- dependency-name: io.github.jeremylong:open-vulnerability-clients
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [net.javacrumbs.json-unit:json-unit-assertj](https://github.com/lukas-krecan/JsonUnit) from 4.0.0 to 4.1.0.
- [Changelog](https://github.com/lukas-krecan/JsonUnit/blob/master/RELEASES.md)
- [Commits](lukas-krecan/JsonUnit@json-unit-parent-4.0.0...json-unit-parent-4.1.0)

---
updated-dependencies:
- dependency-name: net.javacrumbs.json-unit:json-unit-assertj
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [com.icegreen:greenmail-junit4](https://github.com/greenmail-mail-test/greenmail) from 2.1.1 to 2.1.2.
- [Release notes](https://github.com/greenmail-mail-test/greenmail/releases)
- [Commits](greenmail-mail-test/greenmail@release-2.1.1...release-2.1.2)

---
updated-dependencies:
- dependency-name: com.icegreen:greenmail-junit4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [software.amazon.jdbc:aws-advanced-jdbc-wrapper](https://github.com/awslabs/aws-advanced-jdbc-wrapper) from 2.5.2 to 2.5.3.
- [Release notes](https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases)
- [Changelog](https://github.com/aws/aws-advanced-jdbc-wrapper/blob/main/CHANGELOG.md)
- [Commits](aws/aws-advanced-jdbc-wrapper@2.5.2...2.5.3)

---
updated-dependencies:
- dependency-name: software.amazon.jdbc:aws-advanced-jdbc-wrapper
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.9.0 to 6.10.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@4f58ea7...48aba3b)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps debian from `32f6d6f` to `4d63ef5`.

---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
…ot/docker/src/main/docker/debian-4d63ef5
Signed-off-by: nscuro <[email protected]>
…do-integration
…ot/maven/com.icegreen-greenmail-junit4-2.1.2
…ot/github_actions/docker/build-push-action-6.10.0
…ot/maven/io.github.jeremylong-open-vulnerability-clients-7.0.2
…ot/maven/software.amazon.jdbc-aws-advanced-jdbc-wrapper-2.5.3
…ot/maven/net.javacrumbs.json-unit-json-unit-assertj-4.1.0
Signed-off-by: Niklas <[email protected]>
Signed-off-by: Niklas <[email protected]>
Signed-off-by: Niklas <[email protected]>
…into 2041-introduce-collection-projects

Description
Resolves merge conflicts in collection projects PR.
Addressed Issue
Relates to DependencyTrack#2041
Additional Details
N/A
Checklist
- This PR fixes a defect, and I have provided tests to verify that the fix is effective
- This PR implements an enhancement, and I have provided tests to verify that it works as intended
- This PR introduces changes to the database model, and I have added corresponding update logic
- This PR introduces new or alters existing behavior, and I have updated the documentation accordingly