Merge branch 'msr-322-pr-scheduled-notifications' of https://github.com/MM-msr/dependency-track into msr-322-pr-scheduled-notifications

Signed-off-by: Marlon Gäthje <[email protected]>
mge-mm committed Oct 30, 2024
2 parents 859fbc3 + 3d5ceb2 commit 21fbda9
Showing 879 changed files with 12,460 additions and 4,697 deletions.
10 changes: 3 additions & 7 deletions .github/ISSUE_TEMPLATE/defect-report.yml
Expand Up @@ -64,13 +64,9 @@ body:
- 4.8.x
- 4.9.x
- 4.10.x
- 4.11.0
- 4.11.1
- 4.11.2
- 4.11.3
- 4.11.4
- 4.11.5
- 4.12.0-SNAPSHOT
- 4.11.x
- 4.12.0
- 4.13.0-SNAPSHOT
validations:
required: true
- type: dropdown
30 changes: 17 additions & 13 deletions .github/workflows/_meta-build.yaml
Expand Up @@ -28,10 +28,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=v4.2.1

- name: Set up JDK
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # tag=v4.2.1
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # tag=v4.4.0
with:
distribution: 'temurin'
java-version: '21'
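Review bot: the `# tag=v4.2.1` and `# tag=v4.4.0` comments are documentation only; the runner resolves the commit SHA, so before merging confirm that each new SHA really is the tagged commit (for example `git ls-remote --tags https://github.com/actions/checkout refs/tags/v4.2.1` should print the same `eef6144…` SHA used here, or its peeled `^{}` line if the tag is annotated). The same check applies to every other `uses:` bump in this merge, since a comment that disagrees with the hash would not fail the workflow.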
Expand All @@ -41,8 +41,8 @@ jobs:
run: |
mkdir -p "$HOME/.local/bin"
echo "$HOME/.local/bin" >> $GITHUB_PATH
wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
echo "ef0d3b31d176e02bc594f83e19cfcea053c6bc5b197351f71696e189390f851d $HOME/.local/bin/cyclonedx" | sha256sum -c
wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.26.0/cyclonedx-linux-x64
echo "207c82fbbaed96642a033a4da1c20eb4c6d4b53acccf37619c8d4183803ccbf4 $HOME/.local/bin/cyclonedx" | sha256sum -c
chmod +x "$HOME/.local/bin/cyclonedx"
- name: Build with Maven
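Review bot: the `sha256sum -c` line is the only integrity control on the cyclonedx-cli download, and the new digest `207c82fb…` arrives in the same diff as the v0.26.0 URL it guards, so a reviewer should recompute it from an independent download of the release asset rather than accept the pair as given. The mismatch path also depends on the implicit `-e` of the default `run:` shell to fail the step before `chmod +x`; a `set -euo pipefail` at the top of the script (or an explicit `shell: bash`) makes that intent visible. Minor, same hunk: `>> $GITHUB_PATH` is unquoted where the surrounding lines quote `$HOME`.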
Expand All @@ -55,7 +55,7 @@ jobs:
mvn -B --no-transfer-progress cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
- name: Upload Artifacts
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag=v4.3.4
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3
with:
name: assembled-wars
path: |-
Expand All @@ -78,25 +78,25 @@ jobs:

steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=v4.2.1

- name: Download Artifacts
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # tag=v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # tag=v4.1.8
with:
name: assembled-wars
path: target

- name: Set up QEMU
uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # tag=v3.1.0
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # tag=v3.2.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # tag=v3.4.0
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # tag=v3.7.1
id: buildx
with:
install: true

- name: Login to Docker.io
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # tag=v3.2.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # tag=v3.3.0
if: ${{ inputs.publish-container }}
with:
registry: docker.io
Expand All @@ -121,7 +121,7 @@ jobs:
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
- name: Build multi-arch Container Image
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # tag=v6.3.0
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # tag=v6.9.0
with:
tags: ${{ steps.tags.outputs.tags }}
build-args: |-
Expand All @@ -135,7 +135,11 @@ jobs:

- name: Run Trivy Vulnerability Scanner
if: ${{ inputs.publish-container }}
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # tag=0.23.0
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # tag=0.28.0
env:
# https://github.com/aquasecurity/trivy-action/issues/389
TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1"
with:
image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
format: 'sarif'
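Review bot: the `TRIVY_DB_REPOSITORY` and `TRIVY_JAVA_DB_REPOSITORY` overrides are step-scoped `env:`, so any other Trivy invocation in this repository still pulls from the default registry and hits the rate limit described in the linked issue; if that applies, lift them to workflow-level `env:`. The `:2` and `:1` references are mutable tags on a public mirror, which is acceptable for a vulnerability database but worth stating next to the issue link. Pre-existing but visible here: `image-ref` points at `docker.io/dependencytrack/...`, so the scan runs after the image is already published and its results inform rather than gate the release.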
Expand All @@ -145,6 +149,6 @@ jobs:

- name: Upload Trivy Scan Results to GitHub Security Tab
if: ${{ inputs.publish-container }}
uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # tag=v3.25.12
uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
with:
sarif_file: 'trivy-results.sarif'
6 changes: 3 additions & 3 deletions .github/workflows/ci-publish.yaml
Expand Up @@ -23,7 +23,7 @@ jobs:
exit 1
fi
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=v4.2.1

- name: Parse Version from POM
id: parse
Expand Down Expand Up @@ -52,10 +52,10 @@ jobs:
- call-build
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=v4.2.1

- name: Download Artifacts
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # tag=v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # tag=v4.1.8
with:
name: assembled-wars
path: target
8 changes: 4 additions & 4 deletions .github/workflows/ci-release.yaml
Expand Up @@ -20,7 +20,7 @@ jobs:
release-branch: ${{ steps.variables.outputs.release-branch }}
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=v4.2.1

- name: Setup Environment
id: variables
Expand Down Expand Up @@ -51,10 +51,10 @@ jobs:

steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=v4.2.1

- name: Set up JDK
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # tag=v4.2.1
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # tag=v4.4.0
with:
distribution: 'temurin'
java-version: '21'
Expand Down Expand Up @@ -118,7 +118,7 @@ jobs:

steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=v4.2.1
with:
ref: ${{ needs.prepare-release.outputs.release-branch }}

2 changes: 1 addition & 1 deletion .github/workflows/ci-test-pr-coverage.yml
Expand Up @@ -18,7 +18,7 @@ jobs:
&& github.event.workflow_run.conclusion == 'success'
steps:
- name: Download PR test coverage report
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # tag=v4.1.7
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # tag=v4.1.8
with:
name: pr-test-coverage-report
github-token: ${{ secrets.GITHUB_TOKEN }}
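Review bot: only a pin bump, but the step it touches downloads an artifact produced by the pull request's own run into a `workflow_run` job that holds `secrets.GITHUB_TOKEN`, so the coverage report must be handled as attacker-controlled input: unpack it into a fresh directory, parse it strictly as data, and never execute, source or template anything taken from it. The `github.event.workflow_run.conclusion == 'success'` guard on the trigger says nothing about who authored the artifact.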
6 changes: 3 additions & 3 deletions .github/workflows/ci-test.yaml
Expand Up @@ -33,10 +33,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=v4.2.1

- name: Set up JDK
uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # tag=v4.2.1
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # tag=v4.4.0
with:
distribution: 'temurin'
java-version: '21'
Expand Down Expand Up @@ -66,7 +66,7 @@ jobs:
- name: Upload PR test coverage report
if: ${{ github.event_name == 'pull_request' }}
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag=v4.3.4
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3
with:
name: pr-test-coverage-report
path: |-
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yaml
Expand Up @@ -9,7 +9,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=v4.1.7
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # tag=v4.2.1

- name: Dependency Review
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # tag=v4.3.4
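Review bot: `actions/dependency-review-action` is the one action in this merge left at its old pin (`5a2ce3f…`, v4.3.4) while every other `actions/*` reference is bumped; if that is deliberate, fine, otherwise it should be updated with the same tag-to-SHA verification as the rest.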
34 changes: 22 additions & 12 deletions ADOPTERS.md
@@ -1,27 +1,37 @@
# Adopters

<!-- Hello! If you are using OWASP Dependency Trtack and contributing to this file, thank you! -->
<!-- Hello! If you are using OWASP Dependency Track and contributing to this file, thank you! -->
<!-- Please keep lines shorter than 80 characters (or so.) Links can go long. -->

This is a list of organizations that have spoken publicly about their adoption or
production users that have added themselves (in alphabetical order):

* [Coming Soon]


| Organization | Contact | Description |
|:----------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <img src="https://avatars.githubusercontent.com/u/39411067?s=200&v=4"/> [Rohde & Schwarz] | [@lukas-braune] | At Rohde & Schwarz, we are deeply committed to ensuring the cybersecurity of our products, systems, and solutions. As part of our comprehensive security strategy, we utilize a diverse set of tools to safeguard our technology. We value Dependency-Track for its scalability, adherence to open standards, and active community. Additionally, we actively contribute to the development of Dependency-Track by adding features, improving its usability for large organizations, and strengthening its security posture. |
| <img src="https://avatars.githubusercontent.com/u/43382006?s=400&u=c45feb70b5eeb3393b43dd1b73c729815e65b2e8&v=4"/> [World Kinect Corporation] | [@aravindparappil46], [@setchy] | World Kinect Corporation (NYSE: WKC) uses Dependency-Track to continuously identify software supply chain risks and to enforce policy compliance across the portfolio. Its usage of Dependency-Track was [showcased in the community meeting of May 2024](https://www.youtube.com/watch?v=MS2DlMdUI7Q&t=1320s). |

This is a list of adopters in early stages of production or
pre-production (in alphabetical order):

* [Air France-KLM](https://www.airfranceklm.com/) has always been highly vigilant and profoundly committed to the realm of IT security. We use a variety of tools to ensure our systems' safety, one of which is the OWASP Dependency Track. This tool forms a crucial part of our vulnerability detection systems, scanning the Software Bill of Materials (SBOM) for each application and sending it to our in-house DT instance. With over 10,000 projects undergoing daily scans, our security measures are both comprehensive and rigorous.

The Dependency Track API is not only highly configurable but also user-friendly, boasting a visually appealing user interface. The project is in a constant state of evolution, adapting and improving to meet the ever-changing landscape of IT security. The community of DT contributors is always ready to lend a hand when issues arise, making it not just an effective tool, but also a pleasure to work with as a developer.

We extend our gratitude to the team behind the OWASP Dependency Track for their excellent work. We look forward to welcoming you aboard our flights soon!

* [Apex Fintech Solutions](https://apexfintechsolutions.com/) has integrated OWASP Dependency-Track into their CI/CD pipeline as part of the DevSecOps program. This integration allows for the upload of SBOMs (Software Bill of Materials) to the platform for comprehensive component analysis and a detailed understanding of the software inventory used in software applications. By analyzing the components in our monorepo, we enhance our vulnerability management program and gain valuable insights into transitive dependencies, which traditional SCA (Software Composition Analysis) tools often overlook.

| Organization | Contact | Description |
|:-------------------------------------|:---------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [Air France-KLM] | [@nekhtan] | Air France-KLM has always been highly vigilant and profoundly committed to the realm of IT security. We use a variety of tools to ensure our systems' safety, one of which is the OWASP Dependency Track. This tool forms a crucial part of our vulnerability detection systems, scanning the Software Bill of Materials (SBOM) for each application and sending it to our in-house DT instance. With over 10,000 projects undergoing daily scans, our security measures are both comprehensive and rigorous. The Dependency Track API is not only highly configurable but also user-friendly, boasting a visually appealing user interface. The project is in a constant state of evolution, adapting and improving to meet the ever-changing landscape of IT security. The community of DT contributors is always ready to lend a hand when issues arise, making it not just an effective tool, but also a pleasure to work with as a developer. We extend our gratitude to the team behind the OWASP Dependency Track for their excellent work. We look forward to welcoming you aboard our flights soon! |
| [Apex Fintech Solutions] | [@spawar-apex] | Apex Fintech Solutions has integrated OWASP Dependency-Track into their CI/CD pipeline as part of the DevSecOps program. This integration allows for the upload of SBOMs (Software Bill of Materials) to the platform for comprehensive component analysis and a detailed understanding of the software inventory used in software applications. By analyzing the components in our monorepo, we enhance our vulnerability management program and gain valuable insights into transitive dependencies, which traditional SCA (Software Composition Analysis) tools often overlook. |
| [Dutch Tax Office - Belastingdienst] | [@SudoHenk] | Dutch Tax Office has integrated OWASP Dependency-Track into their development processes as part of the DevSecOps program. We integrate Dependency-Track with various platforms and programming languages to gain vulnerability insights in our internally developed software. We want to thank all contributors of Dependency-Track creating a resilient and extensible SCA tool. Especially the API is a huge asset to integrate within the current organization processes. |

If you have adopted OWASP Depenency Track and would like to be included in this list,
feel free to submit a PR updating this file or
[open an issue](https://github.com/).

[@SudoHenk]: https://github.com/SudoHenk
[@aravindparappil46]: https://github.com/aravindparappil46
[@lukas-braune]: https://github.com/lukas-braune
[@nekhtan]: https://github.com/nekhtan
[@setchy]: https://github.com/setchy
[@spawar-apex]: https://github.com/spawar-apex
[Air France-KLM]: https://www.airfranceklm.com/
[Apex Fintech Solutions]: https://apexfintechsolutions.com/
[Dutch Tax Office - Belastingdienst]: https://www.belastingdienst.nl/
[Rohde & Schwarz]: https://www.rohde-schwarz.com/
[World Kinect Corporation]: https://world-kinect.com/
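Review bot: two context lines in this hunk still carry defects the rewrite could have fixed: `If you have adopted OWASP Depenency Track` (typo in `Dependency`) and `[open an issue](https://github.com/)`, which links to the GitHub front page instead of this repository's issue tracker. Moving the adopters into tables with reference-style links, and dropping the `* [Coming Soon]` placeholder, is otherwise a clear improvement.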