Port changes from upstream DT release 4.11.x

[nscuro]

Current Behavior

v4.11 of vanilla Dependency-Track is about to be released. We need to port the relevant changes to Hyades.

For reference, changes from v4.10.x were ported here: #983

Proposed Behavior

API server: https://github.com/DependencyTrack/dependency-track/milestone/26?closed=1
Frontend: https://github.com/DependencyTrack/frontend/milestone/18?closed=1

Issue / PR	Type	Description	Backported	Backport PR
DependencyTrack/dependency-track#2472	Enhancement	Global Audit View: Vulnerabilities	TODO	TODO
DependencyTrack/dependency-track#3248	Bugfix	Project cloning logic for cloning policy violations and Violationanalysis	✅	DependencyTrack/hyades-apiserver#691
DependencyTrack/dependency-track#3259	Enhancement	Trivy integration	TODO, but might be bigger task that deserves its own issue	TODO
DependencyTrack/dependency-track#3260	Enhancement	Return processing token when cloning project	✅	DependencyTrack/hyades-apiserver#659
DependencyTrack/dependency-track#3261	Enhancement	ACL: Add projects to team should only show not yet added projects	✅	DependencyTrack/hyades-apiserver#689
DependencyTrack/dependency-track#3275	Enhancement	Webhook alert token and new user alerts	TODO	TODO
DependencyTrack/dependency-track#3284	Enhancement	Preprocess CWE dictionary	✅	DependencyTrack/hyades-apiserver#688
DependencyTrack/dependency-track#3285	Enhancement	Add "Show in Dependency-Graph" Button in "Affected Projects" List	✅	DependencyTrack/hyades-apiserver#671
DependencyTrack/dependency-track#3304	Bugfix	Fix dropping of CWE table failing due to FK constraint	❌ N/A, constraint was never created for Hyades	-
DependencyTrack/dependency-track#3305	Bugfix	Fix notifications not being sent for child projects where active is null	❌ Already fixed	-
DependencyTrack/dependency-track#3313	Bugfix	Improve Error handling and add default version type	❌ Already fixed	-
DependencyTrack/dependency-track#3322	Bugfix	Fix NVD API's last modified timestamp requiring restart to be applied	❌ N/A, Hyades stores the timestamp differently	-
DependencyTrack/dependency-track#3357	Enhancement	Refactor BOM upload processing for better efficiency, correctness, and consistency	TODO, most of it came from Hyades but some additions were made as well (i.e. InternalComponentIdentifier, usage of MDC for logging etc.) @nscuro	TODO
DependencyTrack/dependency-track#3368	Enhancement	Update SPDX license list to v3.22	❌ N/A, was superseded by DependencyTrack/dependency-track#3508	-
DependencyTrack/dependency-track#3394	Bugfix	Ignore withdrawn Github advisories	✅	#1305
DependencyTrack/dependency-track#3408	Enhancement	Store computed severities in the database	TODO	TODO
DependencyTrack/dependency-track#3422	Enhancement	Configurable email subject prefix	✅	#1307
DependencyTrack/dependency-track#3425	Enhancement	enhance API to support frontend changes for active/inactive affected projects	TODO	TODO
DependencyTrack/dependency-track#3437	Bugfix	DependencyTrack/dependency-track#3437	❌ N/A, VulnDB is not yet supported in Hyades, see #286	-
DependencyTrack/dependency-track#3456	Bugfix	Fix URISyntaxException when NPM PURL contains special characters	✅	#1309
DependencyTrack/dependency-track#3488	Bugfix	Finding Attributed On date is not retained when cloning projects	TODO	DependencyTrack/hyades-apiserver#700
DependencyTrack/dependency-track#3491	Enhancement	Bump CWE dictionary to v4.13	TODO	TODO
DependencyTrack/dependency-track#3492	Enhancement	Apply consistent formatting to SQL queries; Use text blocks instead of string concatenation	TODO	TODO
DependencyTrack/dependency-track#3493	Enhancement	Improve test coverage of Trivy integration	TODO	TODO
DependencyTrack/dependency-track#3494	Enhancement	Align retry configuration and behavior across analyzers	TODO, but possibly N/A	TODO
DependencyTrack/dependency-track#3499	Enhancement	Add support for component properties	TODO	TODO
DependencyTrack/dependency-track#3502	Enhancement	Add auto-generated changelog to GitHub releases	❌ N/A, already done for Hyades repos	-
DependencyTrack/dependency-track#3508	Enhancement	Bump SPDX license list to v3.23	TODO	TODO
DependencyTrack/dependency-track#3511	Enhancement	adding cargo to IMetaAnalyzer	✅	#1242
DependencyTrack/dependency-track#3512	Bugfix	Fix type of purl fields in Swagger docs	TODO	TODO
DependencyTrack/dependency-track#3514	Enhancement	Report test coverage for all branches, not just master	❌ N/A, already done with recent Codacy migration	-
DependencyTrack/dependency-track#3517	Enhancement	Upload test coverage for PRs via separate workflow	❌ N/A, already done with recent Codacy migration	-
DependencyTrack/dependency-track#3515	Enhancement	Bump Alpine to 2.2.5	✅	DependencyTrack/hyades-apiserver#628
DependencyTrack/dependency-track#3522	Enhancement	Validate uploaded BOMs against CycloneDX schema	TODO, some of it came from Hyades, but includes additional changes such as introduction of ProblemDetails etc.	TODO
DependencyTrack/dependency-track#3535	Enhancement	Improve Lucene observability	❌ N/A, Lucene was removed in Hyades	-
DependencyTrack/dependency-track#3537	Enhancement	Add endpoint for updating API key comment	TODO	TODO
DependencyTrack/dependency-track#3549	Enhancement	Implement the hackage and nixpkgs meta analyzers	TODO	TODO
DependencyTrack/dependency-track#3555	Enhancement	Perform License Resolution On Name Field During SBOM Import	TODO	TODO
DependencyTrack/dependency-track#3556	Bugfix	Update License Of Existing Components On BOM Upload	TODO	TODO
DependencyTrack/dependency-track#3557	Enhancement	OpenAPI spec fixes and improvements	TODO	TODO
DependencyTrack/dependency-track#3558	Bugfix	Provide meaningful error message for bom and vex exceeding Jackson's character limit	TODO	TODO
DependencyTrack/dependency-track#3559	Bugfix	Fix unhandled NotFoundExceptions causing a HTTP 500 response	❌ N/A, superseded by DependencyTrack/dependency-track#3659	-
DependencyTrack/dependency-track#3560	Bugfix	Extend length of PURL and PURLCOORDINATES columns from 255 to 786	❌ N/A, alrady done in Hyades	-
DependencyTrack/dependency-track#3561	Enhancement	Generate SARIF File Of Project Vulnerability Findings	TODO	TODO
DependencyTrack/dependency-track#3573	N/A	Transfer copyright from Steve Springett to OWASP Foundation	✅	-
DependencyTrack/dependency-track#3574	Enhancement	Disable automatic API key generation for teams	TODO	TODO
DependencyTrack/dependency-track#3590	Bugfix	Validate UUID request parameters	TODO	TODO
DependencyTrack/dependency-track#3588	Enhancement	New feature: VulnDB Aliases!	❌ N/A, VulnDB is not yet supported in Hyades, see #286	-
DependencyTrack/dependency-track#3595	Bugfix	Vuln db severity	❌ N/A, VulnDB is not yet supported in Hyades, see #286	-
DependencyTrack/dependency-track#3620	Enhancement	Leverage component properties for Trivy scans	TODO	TODO
DependencyTrack/dependency-track#3621	Enhancement	support for experimental configurations	TODO	TODO
DependencyTrack/dependency-track#3625	Enhancement	Include pagination parameters in OpenAPI spec	TODO	TODO
DependencyTrack/dependency-track#3630	Enhancement	Trivy tweaks	TODO	TODO
DependencyTrack/dependency-track#3631	Enhancement	Include sorting query parameters in OpenAPI spec	TODO	TODO
DependencyTrack/dependency-track#3648	Enhancement	Gracefully handle unique constraint violations	TODO	TODO
DependencyTrack/dependency-track#3650	Bugfix	Fix JDOFatalUserException for long reference URLs from OSS Index	TODO	TODO
DependencyTrack/dependency-track#3651	Enhancement	Log debug information upon possible secret key corruption	TODO	TODO
DependencyTrack/dependency-track#3652	Enhancement	Bump Temurin base image to 21.0.3_9	TODO	TODO
DependencyTrack/dependency-track#3657	Enhancement	Add support for worker pool drain timeout	❌ N/A, already implemented in Hyades	-
DependencyTrack/dependency-track#3659	Bugfix	Catch all unhandled ClientErrorExceptions	TODO	TODO
DependencyTrack/dependency-track#3661	Enhancement	Fall back to no authentication when OSS Index API token decryption fails	TODO	TODO
DependencyTrack/dependency-track#3662	Enhancement	Truncate ComponentProperty value at 1024 characters	TODO	TODO
DependencyTrack/dependency-track#3664	Bugfix	Fix unique constraint violation during NVD mirroring via feed files	❌ N/A, Hyades doesn't mirror the NVD via feed files	-
DependencyTrack/dependency-track#3666	Enhancement	Add the project name and project URL to bom processing notifications	TODO	TODO
DependencyTrack/dependency-track#3667	Bugfix	De-duplicate CPEs in NVD feed file parsing	❌ N/A, Hyades doesn't mirror the NVD via feed files	-
DependencyTrack/dependency-track#3672	Enhancement	Run builds and CI on feature-* branches	❌ N/A, already done	-
DependencyTrack/dependency-track#3676	Enhancement	Simplify BomUploadProcessingTaskTest	❌ N/A, simplified code never existed in Hyades	-
DependencyTrack/dependency-track#3677	Enhancement	Disable Maven transfer progress in CI	TODO	TODO
DependencyTrack/dependency-track#3678	Bugfix	Fix missing default repos for Hackage and Nixpkgs	TODO	TODO
DependencyTrack/dependency-track#3680	Enhancement	Reduce verbosity of ResourceTests	TODO	TODO
DependencyTrack/dependency-track#3681	Enhancement	Bump bundled frontend to v4.11.0	❌ N/A, frontend is no longer bundled in Hyades	-
DependencyTrack/dependency-track#3698	Bugfix	Fix failing JSON BOM validation when specVersion is not one of the first fields	TODO	TODO
DependencyTrack/dependency-track#3701	Bugfix	Fix broken global vuln audit view for MSSQL	❌ N/A, MSSQL is no longer supported	-
DependencyTrack/dependency-track#3729	Bugfix	fix os handling when trivy sets pkgType on properties	TODO	TODO
DependencyTrack/dependency-track#3785	Bugfix	Handle breaking change in Trivy server API	TODO	TODO
DependencyTrack/dependency-track#3787	Bugfix	Fix project name not showing in Jira tickets	TODO	TODO
DependencyTrack/dependency-track#3788	Bugfix	Add date format to support offset in NuGet timestamps	✅	-
DependencyTrack/dependency-track#3786	Bugfix	Fix licenses not being resolved by name	TODO	TODO
DependencyTrack/dependency-track#3792	Bugfix	Fix Slack notifications failing when no base URL is configured	TODO	TODO
DependencyTrack/dependency-track#3794	Enhancement	Bump bundled frontend to 4.11.2	❌ N/A, frontend is no longer bundled in Hyades	-
DependencyTrack/dependency-track#3801	Bugfix	Fix JDODataStoreException for unresolved licenses during BOM upload processing	TODO	TODO

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this enhancement was already requested

[nscuro]

Labeled as good first issue since it's easy to pick individual changes. The expectation is not that all changes are ported in one go.

Essentially, pick a change from v4.11, and port only that change. I am happy to suggest tickets to port, and provide guidance on the implementation if folks are interested and not sure where to start.

[leec94]

hi i'm interested in working on this, feel free to assign me

[leec94]

#1051

this PR ported issues from 4.11 to 4.10.x, so they already exist in hyades

these are the 4.11 issues that are already ported

• Fix notifications not being sent for child projects where active is null dependency-track#3305
• feat: Improve Error handling and add default version type dependency-track#3313

[nscuro]

Thanks @leec94, I updated the table in the issue accordingly!