Squashed commit of the following:
commit a7f499a
Merge: c10153f 22c2844
Author: Niklas <[email protected]>
Date:   Tue Apr 11 21:15:47 2023 +0200

    Merge pull request DependencyTrack#2549 from syalioune/fix/issue-2538-vex-for-all-sources

    Fix: Allowing VEX import to audit all vulnerability sources

    Fixes DependencyTrack#2538

commit c10153f
Merge: 695b6f2 2962fc7
Author: Niklas <[email protected]>
Date:   Tue Apr 11 21:12:51 2023 +0200

    Merge pull request DependencyTrack#2665 from mvandermade/use-component-for-msteams

    Change dependency to component to show info again

    Closes DependencyTrack#2638

commit 22c2844
Author: syalioune <[email protected]>
Date:   Tue Apr 11 19:55:50 2023 +0200

    Fix: Allowing VEX import to audit all vulnerability sources

    Taking into account code review comments

    Signed-off-by: syalioune <[email protected]>

commit 4db8420
Author: syalioune <[email protected]>
Date:   Wed Mar 8 11:14:27 2023 +0100

    Fix: Allowing VEX import to audit all vulnerability sources

    Taking into account Steve insights

    Signed-off-by: syalioune <[email protected]>

commit 8820f9b
Author: syalioune <[email protected]>
Date:   Thu Mar 2 11:14:30 2023 +0100

    Fix: Allowing VEX import to audit all vulnerability sources

    See DependencyTrack#2538 for details

    Signed-off-by: syalioune <[email protected]>

commit 2962fc7
Author: mvandermade <[email protected]>
Date:   Tue Apr 11 15:35:27 2023 +0200

    Change dependency to component to show info again

    For MSTeams plugin

    Signed-off-by: mvandermade <[email protected]>

commit 695b6f2
Merge: 7fbc063 9c4c339
Author: Niklas <[email protected]>
Date:   Tue Apr 11 12:34:18 2023 +0200

    Merge pull request DependencyTrack#2545 from Hunroll/master

    Allow specifying parent project for autocreated projects (bom upload)

commit 7fbc063
Merge: 169acce 4877351
Author: Niklas <[email protected]>
Date:   Tue Apr 11 08:21:58 2023 +0200

    Merge pull request DependencyTrack#2661 from nscuro/bom-processing-failed-test

commit 169acce
Merge: 8f7fb01 d29e082
Author: Niklas <[email protected]>
Date:   Tue Apr 11 08:21:27 2023 +0200

    Merge pull request DependencyTrack#2662 from nscuro/bump-temurin

commit d29e082
Author: nscuro <[email protected]>
Date:   Mon Apr 10 21:54:16 2023 +0200

    Bump temurin base image to 17.0.6_10

    Signed-off-by: nscuro <[email protected]>

commit 4877351
Author: nscuro <[email protected]>
Date:   Mon Apr 10 21:04:23 2023 +0200

    Add test to verify that the `BOM_PROCESSING_FAILED` notification is triggered as expected

    Signed-off-by: nscuro <[email protected]>

commit 8f7fb01
Merge: a2df9ca 15d0958
Author: Niklas <[email protected]>
Date:   Mon Apr 10 12:42:28 2023 +0200

    Merge pull request DependencyTrack#2646 from DependencyTrack/dependabot/maven/org.cyclonedx-cyclonedx-core-java-7.3.2

    Bump cyclonedx-core-java from 7.3.0 to 7.3.2

commit a2df9ca
Merge: 92cb66e d94d7f9
Author: Niklas <[email protected]>
Date:   Mon Apr 10 12:42:11 2023 +0200

    Merge pull request DependencyTrack#2645 from DependencyTrack/dependabot/maven/org.mock-server-mockserver-netty-5.15.0

    Bump mockserver-netty from 5.14.0 to 5.15.0

commit 92cb66e
Merge: f14b08d cff912a
Author: Niklas <[email protected]>
Date:   Mon Apr 10 12:41:57 2023 +0200

    Merge pull request DependencyTrack#2644 from DependencyTrack/dependabot/maven/com.puppycrawl.tools-checkstyle-10.9.3

    Bump checkstyle from 10.6.0 to 10.9.3

commit f14b08d
Merge: d29ab68 19bcaaf
Author: Niklas <[email protected]>
Date:   Mon Apr 10 12:41:43 2023 +0200

    Merge pull request DependencyTrack#2643 from DependencyTrack/dependabot/maven/lib.resilience4j.version-2.0.2

    Bump lib.resilience4j.version from 2.0.1 to 2.0.2

commit 15d0958
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri Apr 7 09:16:53 2023 +0000

    Bump cyclonedx-core-java from 7.3.0 to 7.3.2

    Bumps [cyclonedx-core-java](https://github.com/CycloneDX/cyclonedx-core-java) from 7.3.0 to 7.3.2.
    - [Release notes](https://github.com/CycloneDX/cyclonedx-core-java/releases)
    - [Changelog](https://github.com/CycloneDX/cyclonedx-core-java/blob/master/CHANGELOG.md)
    - [Commits](CycloneDX/cyclonedx-core-java@cyclonedx-core-java-7.3.0...cyclonedx-core-java-7.3.2)

    ---
    updated-dependencies:
    - dependency-name: org.cyclonedx:cyclonedx-core-java
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit d94d7f9
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri Apr 7 09:16:20 2023 +0000

    Bump mockserver-netty from 5.14.0 to 5.15.0

    Bumps [mockserver-netty](https://github.com/jamesdbloom/mockservice) from 5.14.0 to 5.15.0.
    - [Release notes](https://github.com/jamesdbloom/mockservice/releases)
    - [Changelog](https://github.com/mock-server/mockserver/blob/master/changelog.md)
    - [Commits](mock-server/mockserver@mockserver-5.14.0...mockserver-5.15.0)

    ---
    updated-dependencies:
    - dependency-name: org.mock-server:mockserver-netty
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit cff912a
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri Apr 7 09:08:24 2023 +0000

    Bump checkstyle from 10.6.0 to 10.9.3

    Bumps [checkstyle](https://github.com/checkstyle/checkstyle) from 10.6.0 to 10.9.3.
    - [Release notes](https://github.com/checkstyle/checkstyle/releases)
    - [Commits](checkstyle/checkstyle@checkstyle-10.6.0...checkstyle-10.9.3)

    ---
    updated-dependencies:
    - dependency-name: com.puppycrawl.tools:checkstyle
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 19bcaaf
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri Apr 7 09:02:29 2023 +0000

    Bump lib.resilience4j.version from 2.0.1 to 2.0.2

    Bumps `lib.resilience4j.version` from 2.0.1 to 2.0.2.

    Updates `resilience4j-retry` from 2.0.1 to 2.0.2
    - [Release notes](https://github.com/resilience4j/resilience4j/releases)
    - [Changelog](https://github.com/resilience4j/resilience4j/blob/master/RELEASENOTES.adoc)
    - [Commits](resilience4j/resilience4j@v2.0.1...v2.0.2)

    Updates `resilience4j-ratelimiter` from 2.0.1 to 2.0.2
    - [Release notes](https://github.com/resilience4j/resilience4j/releases)
    - [Changelog](https://github.com/resilience4j/resilience4j/blob/master/RELEASENOTES.adoc)
    - [Commits](resilience4j/resilience4j@v2.0.1...v2.0.2)

    Updates `resilience4j-micrometer` from 2.0.1 to 2.0.2
    - [Release notes](https://github.com/resilience4j/resilience4j/releases)
    - [Changelog](https://github.com/resilience4j/resilience4j/blob/master/RELEASENOTES.adoc)
    - [Commits](resilience4j/resilience4j@v2.0.1...v2.0.2)

    ---
    updated-dependencies:
    - dependency-name: io.github.resilience4j:resilience4j-retry
      dependency-type: direct:production
      update-type: version-update:semver-patch
    - dependency-name: io.github.resilience4j:resilience4j-ratelimiter
      dependency-type: direct:production
      update-type: version-update:semver-patch
    - dependency-name: io.github.resilience4j:resilience4j-micrometer
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit d29ab68
Merge: 43be7bb e867283
Author: Niklas <[email protected]>
Date:   Tue Apr 4 18:28:30 2023 +0200

    Merge pull request DependencyTrack#2633 from nscuro/health-check

    Add health endpoint

commit 43be7bb
Merge: 8c825bd ea693f9
Author: Niklas <[email protected]>
Date:   Tue Apr 4 18:28:08 2023 +0200

    Merge pull request DependencyTrack#2635 from DependencyTrack/dependabot/github_actions/actions/setup-java-3.11.0

    Bump actions/setup-java from 3.10.0 to 3.11.0

commit ea693f9
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Apr 3 08:58:34 2023 +0000

    Bump actions/setup-java from 3.10.0 to 3.11.0

    Bumps [actions/setup-java](https://github.com/actions/setup-java) from 3.10.0 to 3.11.0.
    - [Release notes](https://github.com/actions/setup-java/releases)
    - [Commits](actions/setup-java@v3.10.0...v3.11.0)

    ---
    updated-dependencies:
    - dependency-name: actions/setup-java
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 8c825bd
Merge: 83c8e89 d78826b
Author: Niklas <[email protected]>
Date:   Sat Apr 1 23:19:33 2023 +0200

    Merge pull request DependencyTrack#2631 from ch8matt/master

    fix project URL in mail & cisco webex

commit e867283
Author: nscuro <[email protected]>
Date:   Sat Apr 1 16:21:19 2023 +0200

    Add health check documentation

    Signed-off-by: nscuro <[email protected]>

commit 9c9cb4c
Author: nscuro <[email protected]>
Date:   Fri Mar 31 21:18:33 2023 +0200

    Add health endpoint

    Also reduce default health check interval in Dockerfile from 5m to 30s

    Signed-off-by: nscuro <[email protected]>

commit d78826b
Author: ch8matt <[email protected]>
Date:   Tue Mar 28 18:10:53 2023 +0200

    fix project URL in mail & cisco webex

    Signed-off-by: ch8matt <[email protected]>

commit 83c8e89
Merge: 6c752b9 cc888ba
Author: Niklas <[email protected]>
Date:   Mon Mar 27 19:56:19 2023 +0200

    Merge pull request DependencyTrack#2618 from DependencyTrack/dependabot/maven/org.apache.commons-commons-compress-1.23.0

    Bump commons-compress from 1.22 to 1.23.0

commit 6c752b9
Merge: 485abde 3136353
Author: Niklas <[email protected]>
Date:   Mon Mar 27 19:54:44 2023 +0200

    Merge pull request DependencyTrack#2620 from DependencyTrack/dependabot/maven/net.javacrumbs.json-unit-json-unit-assertj-2.37.0

    Bump json-unit-assertj from 2.36.1 to 2.37.0

commit 485abde
Merge: 6dc7244 298497b
Author: Niklas <[email protected]>
Date:   Mon Mar 27 19:54:28 2023 +0200

    Merge pull request DependencyTrack#2624 from DependencyTrack/dependabot/github_actions/actions/checkout-3.5.0

    Bump actions/checkout from 3.4.0 to 3.5.0

commit 6dc7244
Merge: 61c6538 c092419
Author: Niklas <[email protected]>
Date:   Mon Mar 27 19:54:11 2023 +0200

    Merge pull request DependencyTrack#2625 from DependencyTrack/dependabot/docker/src/main/docker/debian-bullseye-20230320-slim

    Bump debian from bullseye-20230227-slim to bullseye-20230320-slim in /src/main/docker

commit 61c6538
Merge: 09d3492 09ee0b0
Author: Niklas <[email protected]>
Date:   Mon Mar 27 19:53:57 2023 +0200

    Merge pull request DependencyTrack#2626 from Citi/map-published-date-snyk-parsing

    Map Snyk publication time

commit 9c4c339
Author: Anton Soroka <[email protected]>
Date:   Mon Mar 27 19:59:36 2023 +0300

    Codestyle correction

    Signed-off-by: Anton Soroka <[email protected]>

commit de5ca28
Merge: e1990e3 09d3492
Author: Anton Soroka <[email protected]>
Date:   Mon Mar 27 19:42:07 2023 +0300

    Merge remote-tracking branch 'origin/master'

    Signed-off-by: Anton Soroka <[email protected]>

commit e1990e3
Author: Anton Soroka <[email protected]>
Date:   Mon Mar 27 18:56:06 2023 +0300

    Fixed tests

    Also extended PUT method uploadBom with parent.

    Signed-off-by: Anton Soroka <[email protected]>

commit 09ee0b0
Author: sahibamittal <[email protected]>
Date:   Mon Mar 27 13:21:57 2023 +0100

    map Snyk publication time

    Signed-off-by: sahibamittal <[email protected]>

commit c092419
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 27 08:59:06 2023 +0000

    Bump debian in /src/main/docker

    Bumps debian from bullseye-20230227-slim to bullseye-20230320-slim.

    ---
    updated-dependencies:
    - dependency-name: debian
      dependency-type: direct:production
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 298497b
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 27 08:58:32 2023 +0000

    Bump actions/checkout from 3.4.0 to 3.5.0

    Bumps [actions/checkout](https://github.com/actions/checkout) from 3.4.0 to 3.5.0.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3.4.0...v3.5.0)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 3136353
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri Mar 24 08:57:10 2023 +0000

    Bump json-unit-assertj from 2.36.1 to 2.37.0

    Bumps [json-unit-assertj](https://github.com/lukas-krecan/JsonUnit) from 2.36.1 to 2.37.0.
    - [Release notes](https://github.com/lukas-krecan/JsonUnit/releases)
    - [Commits](lukas-krecan/JsonUnit@json-unit-parent-2.36.1...json-unit-parent-2.37.0)

    ---
    updated-dependencies:
    - dependency-name: net.javacrumbs.json-unit:json-unit-assertj
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 09d3492
Merge: 8a4b59a 946ff0f
Author: Niklas <[email protected]>
Date:   Thu Mar 23 10:56:28 2023 +0100

    Merge pull request DependencyTrack#2617 from nscuro/issue-2494

    Prevent dependency graph deletion during CycloneDX export

commit cc888ba
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Thu Mar 23 08:58:52 2023 +0000

    Bump commons-compress from 1.22 to 1.23.0

    Bumps commons-compress from 1.22 to 1.23.0.

    ---
    updated-dependencies:
    - dependency-name: org.apache.commons:commons-compress
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 8a4b59a
Merge: 7a6de03 0e82216
Author: Niklas <[email protected]>
Date:   Wed Mar 22 20:15:42 2023 +0100

    Merge pull request DependencyTrack#2610 from Mvld3r/issue-2313-move-jira-configuration

    Fix: Move jira configuration

commit 7a6de03
Merge: 2295e35 ef4f026
Author: Niklas <[email protected]>
Date:   Wed Mar 22 20:13:20 2023 +0100

    Merge pull request DependencyTrack#2608 from DependencyTrack/dependabot/github_actions/actions/checkout-3.4.0

    Bump actions/checkout from 3.3.0 to 3.4.0

commit 2295e35
Merge: 0f14594 9118e2d
Author: Niklas <[email protected]>
Date:   Wed Mar 22 20:13:08 2023 +0100

    Merge pull request DependencyTrack#2607 from DependencyTrack/dependabot/maven/org.slf4j-log4j-over-slf4j-2.0.7

    Bump log4j-over-slf4j from 2.0.6 to 2.0.7

commit 0f14594
Merge: 7a789d5 615141c
Author: Niklas <[email protected]>
Date:   Wed Mar 22 20:12:46 2023 +0100

    Merge pull request DependencyTrack#2606 from DependencyTrack/dependabot/maven/org.apache.maven-maven-artifact-3.9.1

    Bump maven-artifact from 3.9.0 to 3.9.1

commit 7a789d5
Author: rbt-mm <[email protected]>
Date:   Wed Mar 22 20:11:36 2023 +0100

    Add `BOM_PROCESSING_FAILED` notification (DependencyTrack#2600)

    * Add BOM_PROCESSING_FAILED notification

    A new notification is sent if the notification rule includes the
    notification group BOM_PROCESSING_FAILED and if an error happens during
    the upload of a BOM.

    Signed-off-by: RBickert <[email protected]>

    * Add project url and exception to new notification

    Signed-off-by: RBickert <[email protected]>

    * Add BOM format and specVersion

    Detach `bomProcessingFailedProject`

    Rename `exception` to `cause`

    Signed-off-by: RBickert <[email protected]>

    ---------

    Signed-off-by: RBickert <[email protected]>

commit 7fd47cd
Merge: 5c7200c 2226f41
Author: Niklas <[email protected]>
Date:   Wed Mar 22 20:07:58 2023 +0100

    Merge pull request DependencyTrack#2561 from nscuro/db-inspect-dev-docs

    Add developer docs for database inspection

commit 2226f41
Author: nscuro <[email protected]>
Date:   Wed Mar 22 19:38:47 2023 +0100

    Update docs with h2 console instructions

    Signed-off-by: nscuro <[email protected]>

commit 946ff0f
Author: nscuro <[email protected]>
Date:   Wed Mar 22 18:57:11 2023 +0100

    Prevent dependency graph deletion during CycloneDX export

    Fixes DependencyTrack#2494
    Fixes DependencyTrack#2546

    Signed-off-by: nscuro <[email protected]>

commit 0e82216
Author: Enora Germond <[email protected]>
Date:   Thu Mar 16 14:06:30 2023 +0100

    Fix: Move jira configuration

    Signed-off-by: Enora Germond <[email protected]>

commit ef4f026
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 20 09:00:38 2023 +0000

    Bump actions/checkout from 3.3.0 to 3.4.0

    Bumps [actions/checkout](https://github.com/actions/checkout) from 3.3.0 to 3.4.0.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3.3.0...v3.4.0)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 9118e2d
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 20 08:57:39 2023 +0000

    Bump log4j-over-slf4j from 2.0.6 to 2.0.7

    Bumps [log4j-over-slf4j](https://github.com/qos-ch/slf4j) from 2.0.6 to 2.0.7.
    - [Release notes](https://github.com/qos-ch/slf4j/releases)
    - [Commits](https://github.com/qos-ch/slf4j/commits)

    ---
    updated-dependencies:
    - dependency-name: org.slf4j:log4j-over-slf4j
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 615141c
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 20 08:57:27 2023 +0000

    Bump maven-artifact from 3.9.0 to 3.9.1

    Bumps [maven-artifact](https://github.com/apache/maven) from 3.9.0 to 3.9.1.
    - [Release notes](https://github.com/apache/maven/releases)
    - [Commits](apache/maven@maven-3.9.0...maven-3.9.1)

    ---
    updated-dependencies:
    - dependency-name: org.apache.maven:maven-artifact
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 5c7200c
Merge: f7ad3b1 fabed3e
Author: Niklas <[email protected]>
Date:   Sun Mar 19 22:03:17 2023 +0100

    Merge pull request DependencyTrack#2592 from syalioune/feature/enabling-h2-web-console-usage

    Feature: Allow H2 web console usage for dev purposes

commit fabed3e
Author: syalioune <[email protected]>
Date:   Sun Mar 19 16:16:16 2023 +0100

    Feature: Allow H2 web console usage for dev purposes

    Taking into account review comments: conditional activation based on a maven profile

    Signed-off-by: syalioune <[email protected]>

commit 0a0dd40
Author: Anton Soroka <[email protected]>
Date:   Fri Mar 17 20:03:37 2023 +0200

    Added a test for bom upload with autocreation of project as a child.

    Signed-off-by: Anton Soroka <[email protected]>

commit 0a461b6
Author: Anton Soroka <[email protected]>
Date:   Fri Mar 17 17:39:08 2023 +0200

    Added access control check for parent project

    Signed-off-by: Anton Soroka <[email protected]>

commit f7ad3b1
Merge: 56e41f0 54e30e0
Author: Niklas <[email protected]>
Date:   Thu Mar 16 21:35:49 2023 +0100

    Merge pull request DependencyTrack#2593 from walterdeboer/feature/639

    Support for CPAN repository

commit 56e41f0
Merge: e94cf55 467c81d
Author: Niklas <[email protected]>
Date:   Thu Mar 16 21:34:31 2023 +0100

    Merge pull request DependencyTrack#2597 from DependencyTrack/dependabot/github_actions/docker/setup-buildx-action-2.5.0

    Bump docker/setup-buildx-action from 2.4.1 to 2.5.0

commit e94cf55
Merge: 3f5bbcd 0971956
Author: Niklas <[email protected]>
Date:   Thu Mar 16 21:34:08 2023 +0100

    Merge pull request DependencyTrack#2598 from DependencyTrack/dependabot/github_actions/aquasecurity/trivy-action-0.9.2

    Bump aquasecurity/trivy-action from 0.9.1 to 0.9.2

commit 3f5bbcd
Merge: 3a5989a 61c9369
Author: Niklas <[email protected]>
Date:   Thu Mar 16 21:33:53 2023 +0100

    Merge pull request DependencyTrack#2603 from Mvld3r/issue-2488-component-author-length

    Fix: Allow component author to be larger than 255 characters

commit 61c9369
Author: Enora Germond <[email protected]>
Date:   Tue Mar 14 18:24:30 2023 +0100

    Fix: Allow component author to be larger than 255 characters

    Signed-off-by: Enora Germond <[email protected]>

commit 54e30e0
Author: Walter de Boer <[email protected]>
Date:   Mon Mar 13 08:33:29 2023 +0100

    Removed invalid cpan support from SnykAnalysisTask

    Signed-off-by: Walter de Boer <[email protected]>

commit 0971956
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 13 08:59:02 2023 +0000

    Bump aquasecurity/trivy-action from 0.9.1 to 0.9.2

    Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.9.1 to 0.9.2.
    - [Release notes](https://github.com/aquasecurity/trivy-action/releases)
    - [Commits](aquasecurity/trivy-action@0.9.1...0.9.2)

    ---
    updated-dependencies:
    - dependency-name: aquasecurity/trivy-action
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 467c81d
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 13 08:58:57 2023 +0000

    Bump docker/setup-buildx-action from 2.4.1 to 2.5.0

    Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.4.1 to 2.5.0.
    - [Release notes](https://github.com/docker/setup-buildx-action/releases)
    - [Commits](docker/setup-buildx-action@v2.4.1...v2.5.0)

    ---
    updated-dependencies:
    - dependency-name: docker/setup-buildx-action
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit d324a67
Author: Walter de Boer <[email protected]>
Date:   Sun Mar 12 00:34:31 2023 +0100

    Support for CPAN repository

    Signed-off-by: Walter de Boer <[email protected]>

commit 3a5989a
Merge: e47c1d2 3a71894
Author: Niklas <[email protected]>
Date:   Sat Mar 11 21:11:58 2023 +0100

    Merge pull request DependencyTrack#2563 from syalioune/feature/2456-handle-analyzer-errors-gracefully

    Feature: Handle repository meta analyzers errors gracefully

commit e47c1d2
Merge: 48adb8b ca74c26
Author: Niklas <[email protected]>
Date:   Sat Mar 11 21:07:47 2023 +0100

    Merge pull request DependencyTrack#2584 from nscuro/issue-2583

    Fix invalid query filter assembly

commit 48adb8b
Merge: c486415 d3cc980
Author: Niklas <[email protected]>
Date:   Sat Mar 11 21:07:24 2023 +0100

    Merge pull request DependencyTrack#2585 from Citi/Issue-2571-map-snyk-remedies

    Issue-2571 : map Snyk remedies to recommendation

    Closes DependencyTrack#2571

commit c486415
Merge: 97121d4 16cf3d6
Author: Niklas <[email protected]>
Date:   Sat Mar 11 21:06:49 2023 +0100

    Merge pull request DependencyTrack#2586 from Citi/feature/fixPolicyEngineIssue

    Minor bugfix for PolicyEngine

commit 97121d4
Merge: 9a5645a 37fb7c3
Author: Niklas <[email protected]>
Date:   Sat Mar 11 21:06:00 2023 +0100

    Merge pull request DependencyTrack#2594 from walterdeboer/issues/2587

    Match null values

commit 37fb7c3
Author: Walter de Boer <[email protected]>
Date:   Sat Mar 11 16:24:41 2023 +0100

    Match null tags

    Signed-off-by: Walter de Boer <[email protected]>

commit 91fa7e5
Author: Walter de Boer <[email protected]>
Date:   Sat Mar 11 16:10:08 2023 +0100

    Match null values

    Signed-off-by: Walter de Boer <[email protected]>

commit d36df15
Author: syalioune <[email protected]>
Date:   Fri Mar 10 22:05:42 2023 +0100

    Feature: Allow H2 web console usage for dev purposes

    Toggle H2 web servlet exposure and alpine web filters related configuration for dev environment

    Signed-off-by: syalioune <[email protected]>

commit 16cf3d6
Author: mehab <[email protected]>
Date:   Thu Mar 9 15:06:41 2023 +0000

    addressing review comments

    Signed-off-by: mehab <[email protected]>

commit d3cc980
Author: sahibamittal <[email protected]>
Date:   Thu Mar 9 12:11:01 2023 +0000

    map Snyk remedies to recommendation

    Signed-off-by: sahibamittal <[email protected]>

commit 1adb397
Author: mehab <[email protected]>
Date:   Thu Mar 9 11:28:54 2023 +0000

    added bugfix for isPolicyAssignedToProjectTag to scan through all project tags

    Signed-off-by: mehab <[email protected]>

commit ca74c26
Author: nscuro <[email protected]>
Date:   Thu Mar 9 11:46:41 2023 +0100

    Fix invalid query filter assembly

    Fixes DependencyTrack#2583

    Signed-off-by: nscuro <[email protected]>

commit 9a5645a
Merge: 3d208f6 066ec81
Author: Niklas <[email protected]>
Date:   Wed Mar 8 17:27:13 2023 +0000

    Merge pull request DependencyTrack#2564 from DependencyTrack/dependabot/docker/src/main/docker/debian-bullseye-20230227-slim

    Bump debian from bullseye-20230208-slim to bullseye-20230227-slim in /src/main/docker

commit 3d208f6
Author: Sahiba Mittal <[email protected]>
Date:   Wed Mar 8 13:12:26 2023 +0000

    Add support for vulnerability ID policy condition (DependencyTrack#2570)

    * add vulnerability id in policy condition

    Signed-off-by: sahibamittal <[email protected]>

    * fix test

    Signed-off-by: sahibamittal <[email protected]>

    * update violation type

    Signed-off-by: sahibamittal <[email protected]>

    ---------

    Signed-off-by: sahibamittal <[email protected]>

    Closes DependencyTrack#2557

commit 416f824
Merge: f35b129 e49d539
Author: Niklas <[email protected]>
Date:   Wed Mar 8 13:10:46 2023 +0000

    Merge pull request DependencyTrack#2576 from syalioune/fix/issue-2420-empty-mail-content

    Fix: Null subject on project audit change notification mails

    Closes DependencyTrack#2420

commit 3a71894
Author: syalioune <[email protected]>
Date:   Wed Mar 8 10:28:07 2023 +0100

    Feature: Handle repository meta analyzers errors gracefully

    Taking review comments into account: logic inversion. Retryable exceptions should be explicitly declared.

    Signed-off-by: syalioune <[email protected]>

commit e49d539
Author: syalioune <[email protected]>
Date:   Wed Mar 8 09:51:07 2023 +0100

    Fix: Null subject on project audit change notification mails

    See DependencyTrack#2420 for details

    Signed-off-by: syalioune <[email protected]>

commit f35b129
Merge: 64e0f99 8e72253
Author: Niklas <[email protected]>
Date:   Tue Mar 7 15:54:39 2023 +0000

    Merge pull request DependencyTrack#2532 from lme-nca/bugfix/issue_2424_add_do_not_reactivate_flag

    add DefectDojo "do not reactivate" flag, fixes issue 2424

    Closes DependencyTrack#2424

commit 066ec81
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Mar 6 09:00:00 2023 +0000

    Bump debian in /src/main/docker

    Bumps debian from bullseye-20230208-slim to bullseye-20230227-slim.

    ---
    updated-dependencies:
    - dependency-name: debian
      dependency-type: direct:production
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit baf9b37
Author: syalioune <[email protected]>
Date:   Sun Mar 5 12:53:08 2023 +0100

    Feature: Handle repository meta analyzers errors gracefully

    See DependencyTrack#2456. Allowing CacheStampedeBlocker to not retry on specific exceptions and applying that on repometa analyzer.

    Signed-off-by: syalioune <[email protected]>

commit 52b2f01
Author: nscuro <[email protected]>
Date:   Sat Mar 4 20:57:17 2023 +0100

    Add developer docs for database inspection

    Signed-off-by: nscuro <[email protected]>

commit 8e72253
Author: Lars Meijers <[email protected]>
Date:   Fri Mar 3 16:39:59 2023 +0100

    do not reactivate flag documentation

    Signed-off-by: Lars Meijers <[email protected]>

commit 3c35c85
Author: Anton <[email protected]>
Date:   Wed Mar 1 18:23:07 2023 +0200

    Extend POST /api/v1/bom (uploadBom) to select ParentProject for autocreated projects.

    Added 3 params:
    parentName, parentVersion, parentUUID.

    If parentUUID is specified, it is used to find the parent project and attach it to the newly created one. If not, parentName and parentVersion are used.
    If parentUUID or parentName was specified but such a project does not exist, 404 is returned.

    Signed-off-by: Anton Soroka <[email protected]>

commit b0662c3
Author: Anton <[email protected]>
Date:   Wed Mar 1 18:52:22 2023 +0200

    Updated documentation for POST /v1/bom

    Added a sample of autocreating project as a child to some other project/version

    Signed-off-by: Anton Soroka <[email protected]>

commit c480335
Author: Lars Meijers <[email protected]>
Date:   Mon Feb 27 11:46:56 2023 +0100

    add do not reactivate flag

    Signed-off-by: Lars Meijers <[email protected]>
sahibamittal committed Apr 12, 2023
1 parent c4e2474 commit 1802a8c
Showing 12 changed files with 484 additions and 21 deletions.
14 changes: 14 additions & 0 deletions docs/_docs/usage/cicd.md
Expand Up @@ -73,3 +73,17 @@ curl -X "POST" "http://dtrack.example.com/api/v1/bom" \
-F "projectVersion=xxxx" \
-F "bom=@target/bom.xml"
```

You can also create a project as a child to some other project if you add `parentUUID` or `parentName` parameters.

```bash
curl -X "POST" "http://dtrack.example.com/api/v1/bom" \
-H 'Content-Type: multipart/form-data' \
-H "X-Api-Key: xxxxxxx" \
-F "autoCreate=true" \
-F "projectName=xxxx" \
-F "projectVersion=xxxx.SNAPSHOT" \
-F "parentName=xxxx" \
-F "parentVersion=xxxx" \
-F "bom=@target/bom.xml"
```
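Review bot: the added sentence says `parentUUID` or `parentName` selects the parent, but the example only shows `parentName` together with `parentVersion`; make the text match the behaviour described in commit 3c35c85: `parentUUID` wins when given, otherwise `parentName` and `parentVersion` identify the parent, and the request returns 404 when the referenced parent does not exist. It is also worth stating that the API key must have access to the parent project, since commit 0a461b6 added that access control check; without that sentence a user whose key cannot read the parent will see an unexplained failure when auto-creating under it. Minor wording: "as a child to some other project" reads better as "as a child of another project".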
8 changes: 4 additions & 4 deletions pom.xml
Expand Up @@ -86,13 +86,13 @@
<lib.cpe-parser.version>2.0.2</lib.cpe-parser.version>
<lib.cvss-calculator.version>1.4.1</lib.cvss-calculator.version>
<lib.owasp-rr-calculator.version>1.0.1</lib.owasp-rr-calculator.version>
<lib.cyclonedx-java.version>7.3.0</lib.cyclonedx-java.version>
<lib.cyclonedx-java.version>7.3.2</lib.cyclonedx-java.version>
<lib.jaxb.runtime.version>2.3.6</lib.jaxb.runtime.version>
<lib.json-unit.version>2.37.0</lib.json-unit.version>
<lib.lucene.version>8.11.2</lib.lucene.version>
<lib.packageurl.version>1.4.1</lib.packageurl.version>
<lib.pebble.version>3.2.0</lib.pebble.version>
<lib.resilience4j.version>2.0.1</lib.resilience4j.version>
<lib.resilience4j.version>2.0.2</lib.resilience4j.version>
<lib.woodstox.version>6.5.0</lib.woodstox.version>
<lib.junit-params.version>1.1.1</lib.junit-params.version>
<lib.signpost-core.version>2.1.1</lib.signpost-core.version>
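Review bot: this squash folds four unrelated dependabot bumps (cyclonedx-core-java, resilience4j, mockserver-netty, checkstyle) into the same commit as the VEX importer and `Vulnerability.Source` changes, which makes it hard to bisect a regression to either a library bump or the code change. If the squash cannot be avoided, at least run the VEX import tests against cyclonedx-core-java 7.3.2 before merging, because the importer changed in this commit reads `getVulnerabilities()` and `getSource()` from that library's model classes.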
Expand Down Expand Up @@ -381,7 +381,7 @@
<dependency>
<groupId>org.mock-server</groupId>
<artifactId>mockserver-netty</artifactId>
<version>5.14.0</version>
<version>5.15.0</version>
<scope>test</scope>
</dependency>
</dependencies>
Expand Down Expand Up @@ -429,7 +429,7 @@
<dependency>
<groupId>com.puppycrawl.tools</groupId>
<artifactId>checkstyle</artifactId>
<version>10.6.0</version>
<version>10.9.3</version>
</dependency>
</dependencies>
</plugin>
2 changes: 1 addition & 1 deletion src/main/docker/Dockerfile
@@ -1,4 +1,4 @@
FROM eclipse-temurin:17.0.5_8-jre-focal@sha256:d98a588cd72194d040c83dad4eabed97c17677d592db7b964d31f12f9686dcbc AS jre-build
FROM eclipse-temurin:17.0.6_10-jre-focal@sha256:22942ca3ffac6e593063e33a225c458e315afa2c0dddfdbe15d337dd9130c70c AS jre-build

FROM debian:bullseye-20230320-slim@sha256:7acda01e55b086181a6fa596941503648e423091ca563258e2c1657d140355b1

7 changes: 6 additions & 1 deletion src/main/java/org/dependencytrack/model/Vulnerability.java
Expand Up @@ -53,6 +53,7 @@
import java.io.Serializable;
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Objects;
Expand Down Expand Up @@ -107,7 +108,11 @@ public enum Source {
RETIREJS, // Retire.js
INTERNAL, // Internally-managed (and manually entered) vulnerability
OSV, // Google OSV Advisories
SNYK, // Snyk Purl Vulnerability
SNYK; // Snyk Purl Vulnerability

public static boolean isKnownSource(String source) {
return Arrays.stream(values()).anyMatch(enumSource -> enumSource.name().equalsIgnoreCase(source));
}
}

@PrimaryKey
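Review bot: `isKnownSource` is undocumented and its case-insensitive match is a behavioural choice worth stating in a Javadoc, since the VEX importer on this page relies on the same `equalsIgnoreCase` semantics to accept `nvd` as well as `NVD`. It is null-safe because `String.equalsIgnoreCase(null)` returns false, but a one-line comment saying so would save the next reader checking.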
Expand Up @@ -42,17 +42,16 @@ public class CycloneDXVexImporter {

public void applyVex(final QueryManager qm, final Bom bom, final Project project) {
if (bom.getVulnerabilities() == null) return;
for (org.cyclonedx.model.vulnerability.Vulnerability cdxVuln: bom.getVulnerabilities()) {
List<org.cyclonedx.model.vulnerability.Vulnerability> auditableVulnerabilities = bom.getVulnerabilities().stream().filter(
bomVuln -> bomVuln.getSource() == null || Vulnerability.Source.isKnownSource(bomVuln.getSource().getName())
).toList();
for (org.cyclonedx.model.vulnerability.Vulnerability cdxVuln: auditableVulnerabilities) {
if (cdxVuln.getAnalysis() == null) continue;
final List<Vulnerability> vulns = qm.getVulnerabilities(project, true);
if (vulns == null) continue;
for (final Vulnerability vuln: vulns) {
// NOTE: These vulnerability objects are detached
if ((vuln.getSource().equals(Vulnerability.Source.NVD.name())
|| vuln.getSource().equals(Vulnerability.Source.OSSINDEX.name())
|| vuln.getSource().equals(Vulnerability.Source.GITHUB.name())
|| vuln.getSource().equals(Vulnerability.Source.INTERNAL.name()))
&& vuln.getVulnId().equals(cdxVuln.getId())) {
if (shouldAuditVulnerability(cdxVuln, vuln)) {

if (cdxVuln.getAffects() == null) continue;
for (org.cyclonedx.model.vulnerability.Vulnerability.Affect affect: cdxVuln.getAffects()) {
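Review bot: the filter `bomVuln.getSource() == null || Vulnerability.Source.isKnownSource(...)` keeps VEX entries without a source, but `shouldAuditVulnerability` (in the next hunk) returns false whenever `bomVulnerability.getSource()` is null, so those entries survive the filter only to be skipped in the inner loop; either drop the `== null` arm or document the intended fallback for source-less VEX statements. Separately, `qm.getVulnerabilities(project, true)` is still queried once per VEX vulnerability inside the loop; it does not depend on `cdxVuln`, so hoisting it above the loop avoids a database round trip per entry on large VEX files.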
Expand Down Expand Up @@ -81,6 +80,14 @@ public void applyVex(final QueryManager qm, final Bom bom, final Project project
}
}

private boolean shouldAuditVulnerability(org.cyclonedx.model.vulnerability.Vulnerability bomVulnerability, Vulnerability dtVulnerability) {
boolean result = true;
result = result && bomVulnerability.getSource() != null;
result = result && dtVulnerability.getVulnId().equals(bomVulnerability.getId());
result = result && dtVulnerability.getSource().equalsIgnoreCase(bomVulnerability.getSource().getName());
return result;
}

private void updateAnalysis(final QueryManager qm, final Component component, final Vulnerability vuln,
final org.cyclonedx.model.vulnerability.Vulnerability cdxVuln) {
// The vulnerability object is detached, so refresh it.
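Review bot: the three `result = result && ...` assignments in `shouldAuditVulnerability` read more clearly as a single expression, `return bomVulnerability.getSource() != null && dtVulnerability.getVulnId().equals(bomVulnerability.getId()) && dtVulnerability.getSource().equalsIgnoreCase(bomVulnerability.getSource().getName());`, and the method should carry a Javadoc stating that a VEX statement is applied only when both the id and the source match. The order of the terms matters: the null check must stay first, because the source comparison dereferences `bomVulnerability.getSource()`.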
46 changes: 44 additions & 2 deletions src/main/java/org/dependencytrack/resources/v1/BomResource.java
Expand Up @@ -225,7 +225,29 @@ public Response uploadBom(BomSubmitRequest request) {
Project project = qm.getProject(request.getProjectName(), request.getProjectVersion());
if (project == null && request.isAutoCreate()) {
if (hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT) || hasPermission(Permissions.Constants.PROJECT_CREATION_UPLOAD)) {
project = qm.createProject(StringUtils.trimToNull(request.getProjectName()), null, StringUtils.trimToNull(request.getProjectVersion()), null, null, null, true, true);
Project parent = null;
if (request.getParentUUID() != null || request.getParentName() != null) {
if (request.getParentUUID() != null) {
failOnValidationError(validator.validateProperty(request, "parentUUID"));
parent = qm.getObjectByUuid(Project.class, request.getParentUUID());
} else {
failOnValidationError(
validator.validateProperty(request, "parentName"),
validator.validateProperty(request, "parentVersion")
);
final String trimmedParentName = StringUtils.trimToNull(request.getParentName());
final String trimmedParentVersion = StringUtils.trimToNull(request.getParentVersion());
parent = qm.getProject(trimmedParentName, trimmedParentVersion);
}

if (parent == null) { // if parent project is specified but not found
return Response.status(Response.Status.NOT_FOUND).entity("The parent component could not be found.").build();
} else if (! qm.hasAccess(super.getPrincipal(), parent)) {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified parent project is forbidden").build();
}
}

project = qm.createProject(StringUtils.trimToNull(request.getProjectName()), null, StringUtils.trimToNull(request.getProjectVersion()), null, parent, null, true, true);
Principal principal = getPrincipal();
qm.updateNewProjectACL(project, principal);
} else {
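Review bot: the 404 message `The parent component could not be found.` should say parent project (both new branches look up a `Project`), and when `parentUUID` and `parentName` are both supplied the name is silently ignored; reject the combination or state in the API description that the UUID wins. The `hasAccess` check correctly prevents attaching a new project under a parent the principal cannot see, but answering 403 rather than 404 confirms that a project with that UUID or name/version exists; returning NOT_FOUND in both cases keeps the endpoint from disclosing project names to callers without access.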
Expand All @@ -251,6 +273,9 @@ public Response uploadBom(@FormDataParam("project") String projectUuid,
@DefaultValue("false") @FormDataParam("autoCreate") boolean autoCreate,
@FormDataParam("projectName") String projectName,
@FormDataParam("projectVersion") String projectVersion,
@FormDataParam("parentName") String parentName,
@FormDataParam("parentVersion") String parentVersion,
@FormDataParam("parentUUID") String parentUUID,
final FormDataMultiPart multiPart) {

final List<FormDataBodyPart> artifactParts = multiPart.getFields("bom");
Expand All @@ -266,7 +291,24 @@ public Response uploadBom(@FormDataParam("project") String projectUuid,
Project project = qm.getProject(trimmedProjectName, trimmedProjectVersion);
if (project == null && autoCreate) {
if (hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT) || hasPermission(Permissions.Constants.PROJECT_CREATION_UPLOAD)) {
project = qm.createProject(trimmedProjectName, null, trimmedProjectVersion, null, null, null, true, true);
Project parent = null;
if (parentUUID != null || parentName != null) {
if (parentUUID != null) {

parent = qm.getObjectByUuid(Project.class, parentUUID);
} else {
final String trimmedParentName = StringUtils.trimToNull(parentName);
final String trimmedParentVersion = StringUtils.trimToNull(parentVersion);
parent = qm.getProject(trimmedParentName, trimmedParentVersion);
}

if (parent == null) { // if parent project is specified but not found
return Response.status(Response.Status.NOT_FOUND).entity("The parent component could not be found.").build();
} else if (! qm.hasAccess(super.getPrincipal(), parent)) {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified parent project is forbidden").build();
}
}
project = qm.createProject(trimmedProjectName, null, trimmedProjectVersion, null, parent, null, true, true);
Principal principal = getPrincipal();
qm.updateNewProjectACL(project, principal);
} else {
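Review bot: this multipart path passes `parentUUID` straight to `qm.getObjectByUuid` without the format validation the JSON path applies through `validator.validateProperty(request, "parentUUID")`; the empty line after `if (parentUUID != null) {` looks like where such a check was removed, so either validate the string here or reuse the constraints declared on `BomSubmitRequest`. The parent-resolution block is also now duplicated verbatim between the two `uploadBom` overloads, including the same `parent component` wording in the 404; extracting it into a private method that returns the resolved parent or the error response keeps the two endpoints from drifting.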
Expand Up @@ -50,22 +50,47 @@ public final class BomSubmitRequest {
@Pattern(regexp = RegexSequence.Definition.PRINTABLE_CHARS, message = "The project version may only contain printable characters")
private final String projectVersion;

@Pattern(regexp = "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", message = "The parent UUID must be a valid 36 character UUID")
private final String parentUUID;

@JsonDeserialize(using = TrimmedStringDeserializer.class)
@Pattern(regexp = RegexSequence.Definition.PRINTABLE_CHARS, message = "The parent name may only contain printable characters")
private final String parentName;

@JsonDeserialize(using = TrimmedStringDeserializer.class)
@Pattern(regexp = RegexSequence.Definition.PRINTABLE_CHARS, message = "The parent version may only contain printable characters")
private final String parentVersion;

@NotNull
@Pattern(regexp = "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$", message = "The BOM must be Base64 encoded")
private final String bom;

private final boolean autoCreate;

public BomSubmitRequest(String project,
String projectName,
String projectVersion,
boolean autoCreate,
String bom) {
this(project, projectName, projectVersion, autoCreate, null, null, null, bom);
}

@JsonCreator
public BomSubmitRequest(@JsonProperty(value = "project", required = false) String project,
@JsonProperty(value = "projectName", required = false) String projectName,
@JsonProperty(value = "projectVersion", required = false) String projectVersion,
@JsonProperty(value = "autoCreate", required = false) boolean autoCreate,
@JsonProperty(value = "parentUUID", required = false) String parentUUID,
@JsonProperty(value = "parentName", required = false) String parentName,
@JsonProperty(value = "parentVersion", required = false) String parentVersion,
@JsonProperty(value = "bom", required = true) String bom) {
this.project = project;
this.projectName = projectName;
this.projectVersion = projectVersion;
this.autoCreate = autoCreate;
this.parentUUID = parentUUID;
this.parentName = parentName;
this.parentVersion = parentVersion;
this.bom = bom;
}

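Review bot: `parentUUID` is the only new field without `@JsonDeserialize(using = TrimmedStringDeserializer.class)`, so a UUID sent with surrounding whitespace fails the `@Pattern` check with a confusing message; add the deserializer for consistency with `parentName` and `parentVersion`. The pattern also accepts only lowercase hex, so an otherwise valid uppercase UUID is rejected; use `[0-9a-fA-F]` unless lowercase-only input is intended. The five-argument constructor deserves a short Javadoc noting that it is a convenience for callers that set no parent, since it silently passes `null` for the three new fields.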
Expand All @@ -81,6 +106,18 @@ public String getProjectVersion() {
return projectVersion;
}

public String getParentUUID() {
return parentUUID;
}

public String getParentName() {
return parentName;
}

public String getParentVersion() {
return parentVersion;
}

public boolean isAutoCreate() {
return autoCreate;
}
Expand Up @@ -31,11 +31,11 @@
"facts": [
{
"name": "Project",
"value": "{{ subject.dependency.project.toString | escape(strategy="json") }}"
"value": "{{ subject.component.project.toString | escape(strategy="json") }}"
},
{
"name": "Component",
"value": "{{ subject.dependency.component.toString | escape(strategy="json") }}"
"value": "{{ subject.component.toString | escape(strategy="json") }}"
}
],
{% elseif notification.group == "PROJECT_AUDIT_CHANGE" %}
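Review bot: `subject.component` replaces a `subject.dependency` reference that no longer resolved, and nothing on this page shows a test that renders the template; add a rendering test for the branch shown here that asserts the `Project` and `Component` fact values are non-empty, so a future rename of the subject model is caught instead of producing blank cards again.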
0 comments on commit 1802a8c