Merge pull request #2432 from nscuro/prepare-4.7.1

Prepare v4.7.1

Author: nscuro

docs/_docs/getting-started/monitoring.md

@@ -15,7 +15,7 @@ system metrics via Prometheus is crucial for observability.
 > the application itself, not the data managed by it. If exposition of portfolio statistics via Prometheus is desired,
 > refer to [community integrations] like Jetstack's [dependency-track-exporter].
 
-To enable metrics exposition, set the `alpine.metrics.enable` property to `true` (see [Configuration]). 
+To enable metrics exposition, set the `alpine.metrics.enabled` property to `true` (see [Configuration]).
 Metrics will be exposed in the `/metrics` endpoint, and can optionally be protected using 
 basic authentication via `alpine.metrics.auth.username` and `alpine.metrics.auth.password`.
 

docs/_docs/usage/community-usage-examples.md

@@ -0,0 +1,156 @@
+---
+title: Community Usage Examples
+category: Usage
+chapter: 2
+order: 7
+---
+
+This page lists various usage examples of Dependency-Track and its REST API that have been contributed by the community.
+
+### Finding vulnerabilities from CISA KEV in Dependency-Track
+
+> Contributed by [JoergBruenner](https://github.com/JoergBruenner)
+
+CISA maintains a [catalog of known exploited vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) (KEV). 
+The following powershell script may be used to quickly identify projects in the Dependency-Track portfolio that are 
+affected by vulnerabilities listed in KEV.
+
+```powershell
+$api_base_url = 'http://localhost:8081'
+$api_key = 'changeit'
+
+$urlCISA = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'
+$catalog = (Invoke-WebRequest -Uri $urlCISA -Method Get).content | ConvertFrom-Json
+
+$headers = @{
+    'accept' = 'application/json'
+    'X-Api-Key' = $api_key
+}
+
+foreach ($vulnerability in $catalog.vulnerabilities)
+{
+    $uri = $api_base_url + "/api/v1/vulnerability/source/NVD/vuln/" + $vulnerability.cveID + "/projects"
+    $response = ""
+
+    try
+    {
+        $response = Invoke-WebRequest -Uri $uri -Method Get -Headers $headers
+        $affected_projects = $response | ConvertFrom-Json
+
+        if ($response.StatusCode -eq 200)
+        {
+            forEach ($project in $affected_projects)
+            {
+                $vulnerability.cveID + ': ' + $project.name + " v." + $project.version + " UUID: " + $project.uuid
+            }
+        }
+    }
+    catch
+    {
+        '[ERROR]: ' + $uri + ' / ' + $vulnerability.cveID + " : " + $response
+        '[ERROR] ' + $_.Exception.Message
+        '[ERROR] ' + $_.ScriptStackTrace
+    }
+}
+```
+
+### Creating Excel reports from EPSS data
+
+> Contributed by [JoergBruenner](https://github.com/JoergBruenner)
+
+The FIRST [exploit prediction scoring system](https://www.first.org/epss/) (EPSS) can help with prioritizing remediation
+efforts, by giving estimations of the likelihood that vulnerabilities are being exploited in the wild.
+Dependency-Track has native support for EPSS, and surfaces this data directly in the UI, or in its REST API.
+
+> Note that EPSS is only supported for published CVEs. Vulnerabilities sourced from [GitHub Advisories], [OSV], 
+> or [Snyk] will not have EPSS scores assigned to them.
+
+The following Powershell script may be used to create an Excel report of all vulnerable components in the Dependency-Track
+portfolio, where both the CVSSv3 and EPSS scores exceed a given threshold. For each vulnerable component, the report
+will include identifiers of the component, the vulnerability it is affected by, the project the component belongs to,
+as well as the respective CVSSv3 and EPSS scores. 
+
+```powershell
+$api_base_url = 'http://localhost:8081'
+$api_key = 'changeit'
+$output_file = 'C:\temp\cvss-epss.xlsx'
+$cvssMin = 5
+$epssMin = 0.5
+$headers = @{
+    'accept' = 'application/json'
+    'X-Api-Key' = $api_key
+}
+
+try
+{
+    $my_excel = New-Object -ComObject excel.application
+    $my_excel.visible = $false
+    $my_workbook = $my_excel.workbooks.add()
+    $sheet_1 = $my_workbook.worksheets.item(1)
+    $sheet_1.name = "EPSS-CVSS"
+
+    $sheet_1.cells.item(1, 1) = 'NAME'
+    $sheet_1.cells.item(1, 2) = 'VERSION'
+    $sheet_1.cells.item(1, 3) = 'UUID'
+    $sheet_1.cells.item(1, 4) = 'VULN-ID'
+    $sheet_1.cells.item(1, 5) = 'CVSS'
+    $sheet_1.cells.item(1, 6) = 'EPSS'
+    $sheet_1.cells.item(1, 7) = 'COMPONENT-NAME'
+    $sheet_1.cells.item(1, 8) = 'COMPONENT-VERSION'
+
+    $line = 2
+
+    $response = Invoke-WebRequest -Uri ($api_base_url + '/api/v1/project') -Method Get -Headers $headers
+    $projects = $response | ConvertFrom-Json
+
+    foreach ($project in $projects)
+    {
+        $response = Invoke-WebRequest -Uri ($api_base_url + '/api/v1/vulnerability/project/' + $project.uuid) -Method Get -Headers $headers
+        $vulns = $response | ConvertFrom-Json
+        foreach ($vuln in $vulns)
+        {
+            $cvss = [Float]$vuln.cvssV3BaseScore
+            $epss = [Float]$vuln.epssScore
+            if (($cvss -gt $cvssMin) -and ( $epss -gt $epssMin))
+            {
+                foreach ($comp in $vuln.components)
+                {
+                    $project.name + ";" + $project.version + ";" + $project.uuid + ";" + $vuln.vulnID + ";" + $vuln.cvssV3BaseScore + ";" + $vuln.epssScore + ";" + $comp.name + ";" + $comp.version
+
+                    # Set text format
+                    $sheet_1.cells.item($line, 1).NumberFormat = "@"
+                    $sheet_1.cells.item($line, 1) = $project.name
+                    $sheet_1.cells.item($line, 2).NumberFormat = "@"
+                    $sheet_1.cells.item($line, 2) = $project.version
+
+                    $sheet_1.cells.item($line, 3).NumberFormat = "@"
+                    $sheet_1.cells.item($line, 3) = $project.uuid
+                    $sheet_1.cells.item($line, 4).NumberFormat = "@"
+                    $sheet_1.cells.item($line, 4) = $vuln.vulnID
+                    $sheet_1.cells.item($line, 5).NumberFormat = "@"
+                    $sheet_1.cells.item($line, 5) = $vuln.cvssV3BaseScore
+                    $sheet_1.cells.item($line, 6).NumberFormat = "@"
+                    $sheet_1.cells.item($line, 6) = $vuln.epssScore
+                    $sheet_1.cells.item($line, 7).NumberFormat = "@"
+                    $sheet_1.cells.item($line, 7) = $comp.name
+                    $sheet_1.cells.item($line, 8).NumberFormat = "@"
+                    $sheet_1.cells.item($line, 8) = $comp.version
+                    $line++
+                }
+            }
+        }
+    }
+    $my_workbook.Saveas($output_file)
+    $my_excel.Quit()
+}
+catch
+{
+    'error: ' + $response
+    $_.Exception.Message
+    $_.ScriptStackTrace
+}
+```
+
+[GitHub Advisories]: {{ site.baseurl }}{% link _docs/datasources/github-advisories.md %}
+[OSV]: {{ site.baseurl }}{% link _docs/datasources/osv.md %}
+[Snyk]: {{ site.baseurl }}{% link _docs/datasources/snyk.md %}

docs/_docs/usage/executive-order-14028.md

@@ -2,7 +2,7 @@
 title: U.S. Executive Order 14028
 category: Usage
 chapter: 2
-order: 7
+order: 6
 ---
 
 Since its inception in 2013, OWASP Dependency-Track has been at the forefront of analyzing bill of materials for cybersecurity

docs/_docs/usage/usecases.md

@@ -0,0 +1,66 @@
+---
+title: v4.7.1
+type: patch
+---
+
+**Fixes:**
+
+* Resolved a defect that caused BOM uploads to fail when the BOM file contained a byte order mark - [apiserver/#2312]
+* Resolved a defect that caused updating projects to fail when their `active` status was `null` - [apiserver/#2317]
+* Resolved a defect that prevented teams from being deleted when portfolio access control was enabled - [apiserver/#2374]
+* Move "Use Cases" documentation page to "Community Usage Examples" and clarify its purpose - [apiserver/#2403]
+* Resolved a defect that caused vulnerability alias synchronization to fail for VulnDB - [apiserver/#2428]
+* Fixed typo in monitoring documentation - [apiserver/#2430]
+* Resolved a defect that caused component details to not be displayed in policy violations tab - [frontend/#373]
+
+For a complete list of changes, refer to the respective GitHub milestones:
+
+* [API server milestone 4.7.1](https://github.com/DependencyTrack/dependency-track/milestone/31?closed=1)
+* [Frontend milestone 4.7.1](https://github.com/DependencyTrack/frontend/milestone/13?closed=1)
+
+We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.  
+Special thanks to everyone who contributed code to fix defects:
+
+[@JoergBruenner], [@mehab], [@rbt-mm], [@sergioasantiago], [@syalioune]
+
+###### dependency-track-apiserver.jar
+
+| Algorithm | Checksum |
+|:----------|:---------|
+| SHA-1     |          |
+| SHA-256   |          |
+
+###### dependency-track-bundled.jar
+
+| Algorithm | Checksum |
+|:----------|:---------|
+| SHA-1     |          |
+| SHA-256   |          |
+
+###### frontend-dist.zip
+
+| Algorithm | Checksum                                                         |
+|:----------|:-----------------------------------------------------------------|
+| SHA-1     | 1c1412a09a64d08ae44cb3c9c980bfbb2786ff53                         |
+| SHA-256   | 95aed5a69c6e1db5ab05eaa57f511d5e16f92bafd67839be63f136ea78e11252 |
+
+
+###### Software Bill of Materials (SBOM)
+
+* API Server: [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.7.1/bom.json)
+* Frontend: [bom.json](https://github.com/DependencyTrack/frontend/releases/download/4.7.1/bom.json)
+
+[apiserver/#2312]: https://github.com/DependencyTrack/dependency-track/issues/2312
+[apiserver/#2317]: https://github.com/DependencyTrack/dependency-track/issues/2317
+[apiserver/#2374]: https://github.com/DependencyTrack/dependency-track/issues/2374
+[apiserver/#2403]: https://github.com/DependencyTrack/dependency-track/pull/2403
+[apiserver/#2428]: https://github.com/DependencyTrack/dependency-track/pull/2428
+[apiserver/#2430]: https://github.com/DependencyTrack/dependency-track/pull/2430
+
+[frontend/#373]: https://github.com/DependencyTrack/frontend/issues/373
+
+[@JoergBruenner]: https://github.com/JoergBruenner
+[@mehab]: https://github.com/mehab
+[@rbt-mm]: https://github.com/rbt-mm
+[@sergioasantiago]: https://github.com/sergioasantiago
+[@syalioune]: https://github.com/syalioune

docs/_posts/2023-01-31-v4.7.1.md

@@ -81,7 +81,7 @@
 
     <properties>
         <!-- Dependency Versions -->
-        <frontend.version>4.7.0</frontend.version>
+        <frontend.version>4.7.1</frontend.version>
         <lib.alpine.version>${project.parent.version}</lib.alpine.version>
         <lib.cpe-parser.version>2.0.2</lib.cpe-parser.version>
         <lib.cvss-calculator.version>1.4.1</lib.cvss-calculator.version>

pom.xml

@@ -226,7 +226,7 @@ private boolean checkIfChildrenAreAffected(Project parent, UUID uuid) {
             return false;
         }
         for (Project child : parent.getChildren()) {
-            if ((child.getUuid().equals(uuid) && child.isActive()) || isChild) {
+            if ((child.getUuid().equals(uuid) && Boolean.TRUE.equals(child.isActive())) || isChild) {
                 return true;
             }
             isChild = checkIfChildrenAreAffected(child, uuid);

src/main/java/org/dependencytrack/notification/NotificationRouter.java

@@ -487,10 +487,8 @@ public Project updateProject(UUID uuid, String name, String description, String
         project.setVersion(version);
         project.setPurl(purl);
 
-        if (!active && project.isActive() && hasActiveChild(project)){
+        if (!active && Boolean.TRUE.equals(project.isActive()) && hasActiveChild(project)){
             throw new IllegalArgumentException("Project cannot be set to inactive, if active children are present.");
-        } else {
-            project.setActive(active);
         }
         project.setActive(active);
 
@@ -522,10 +520,8 @@ public Project updateProject(Project transientProject, boolean commitIndex) {
         project.setPurl(transientProject.getPurl());
         project.setSwidTagId(transientProject.getSwidTagId());
 
-        if (project.isActive() && !Boolean.TRUE.equals(transientProject.isActive()) && hasActiveChild(project)){
+        if (Boolean.TRUE.equals(project.isActive()) && !Boolean.TRUE.equals(transientProject.isActive()) && hasActiveChild(project)){
             throw new IllegalArgumentException("Project cannot be set to inactive if active children are present.");
-        } else {
-            project.setActive(transientProject.isActive());
         }
         project.setActive(transientProject.isActive());
 
@@ -1091,7 +1087,7 @@ private static boolean hasActiveChild(Project project) {
         boolean hasActiveChild = false;
         if (project.getChildren() != null){
             for (Project child: project.getChildren()) {
-                if (child.isActive() || hasActiveChild) {
+                if (Boolean.TRUE.equals(child.isActive()) || hasActiveChild) {
                     return true;
                 } else {
                     hasActiveChild = hasActiveChild(child);

src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java

@@ -1272,7 +1272,7 @@ public void recursivelyDeleteTeam(Team team) {
         pm.currentTransaction().begin();
         pm.deletePersistentAll(team.getApiKeys());
         String aclDeleteQuery = """
-            DELETE FROM PROJECT_ACCESS_TEAMS WHERE \"PROJECT_ACCESS_TEAMS\".\"TEAM_ID\" = ?      
+            DELETE FROM \"PROJECT_ACCESS_TEAMS\" WHERE \"PROJECT_ACCESS_TEAMS\".\"TEAM_ID\" = ?      
         """;
         final Query query = pm.newQuery(JDOQuery.SQL_QUERY_LANGUAGE, aclDeleteQuery);
         query.executeWithArray(team.getId());

src/main/java/org/dependencytrack/persistence/QueryManager.java

@@ -560,11 +560,11 @@ public List<VulnerabilityAlias> getVulnerabilityAliases(Vulnerability vulnerabil
         } else if (Vulnerability.Source.SNYK.name().equals(vulnerability.getSource())) {
             query = pm.newQuery(VulnerabilityAlias.class, "snykId == :snykId");
         } else if (Vulnerability.Source.VULNDB.name().equals(vulnerability.getSource())) {
-            query = pm.newQuery(VulnerabilityAlias.class, "vulnDb == :vulnDb");
+            query = pm.newQuery(VulnerabilityAlias.class, "vulnDbId == :vulnDb");
         } else {
             query = pm.newQuery(VulnerabilityAlias.class, "internalId == :internalId");
         }
-        return (List<VulnerabilityAlias>)query.execute(vulnerability.getVulnId());
+            return (List<VulnerabilityAlias>)query.execute(vulnerability.getVulnId());
     }
 
     /**