log suppression when creating new violation analysis

.github/ISSUE_TEMPLATE/defect-report.yml

@@ -73,7 +73,9 @@ body:
     - 4.13.4
     - 4.13.5
     - 4.13.6
-    - 4.14.0-SNAPSHOT
+    - 4.14.0
+    - 4.14.1
+    - 4.15.0-SNAPSHOT
   validations:
     required: true
 - type: dropdown

.github/dependabot.yml

@@ -5,33 +5,45 @@ updates:
   directory: /
   schedule:
     interval: daily
+  cooldown:
+    default-days: 7
 - package-ecosystem: docker
   directory: /src/main/docker
   schedule:
     interval: daily
+  cooldown:
+    default-days: 7
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: weekly
+  cooldown:
+    default-days: 7
 - package-ecosystem: bundler
   directory: /docs
   schedule:
     interval: weekly
+  cooldown:
+    default-days: 7
 # Receive minor and patch updates on latest release branch.
 - package-ecosystem: maven
-  target-branch: 4.13.x
+  target-branch: 4.14.x
   directory: /
   schedule:
     interval: daily
+  cooldown:
+    default-days: 7
   ignore:
   - dependency-name: "*"
     update-types:
     - version-update:semver-major
 - package-ecosystem: docker
-  target-branch: 4.13.x
+  target-branch: 4.14.x
   directory: /src/main/docker
   schedule:
     interval: daily
+  cooldown:
+    default-days: 7
   ignore:
   - dependency-name: "*"
     update-types:

.github/workflows/_meta-build.yaml

@@ -29,6 +29,8 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up JDK
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
@@ -78,15 +80,17 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Download Artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # tag=v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # tag=v8.0.1
         with:
           name: assembled-wars
           path: target
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # tag=v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # tag=v4.0.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # tag=v4.0.0
@@ -104,19 +108,22 @@ jobs:
 
       - name: Set Container Tags
         id: tags
+        env:
+          REF_NAME: ${{ inputs.ref-name }}
+          APP_VERSION: ${{ inputs.app-version }}
+          DISTRIBUTION: ${{ matrix.distribution }}
         run: |-
-          IMAGE_NAME="docker.io/dependencytrack/${{ matrix.distribution }}"
-          REF_NAME="${{ inputs.ref-name }}"
+          IMAGE_NAME="docker.io/dependencytrack/${DISTRIBUTION}"
           TAGS=""
           TAGS_ALPINE=""
-          
+
           if [[ $REF_NAME == feature-* ]]; then
             TAGS="${IMAGE_NAME}:${REF_NAME,,}"
             TAGS_ALPINE="${IMAGE_NAME}:${REF_NAME,,}-alpine"
           else
-            TAGS="${IMAGE_NAME}:${{ inputs.app-version }}"
-            TAGS_ALPINE="${IMAGE_NAME}:${{ inputs.app-version }}-alpine"
-            if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
+            TAGS="${IMAGE_NAME}:${APP_VERSION}"
+            TAGS_ALPINE="${IMAGE_NAME}:${APP_VERSION}-alpine"
+            if [[ "${APP_VERSION}" != "snapshot" ]]; then
               TAGS="${TAGS},${IMAGE_NAME}:latest"
               TAGS_ALPINE="${TAGS_ALPINE},${IMAGE_NAME}:latest-alpine"
             fi
@@ -125,7 +132,7 @@ jobs:
           echo "tags-alpine=${TAGS_ALPINE}" >> $GITHUB_OUTPUT
 
       - name: Build multi-arch Container Image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # tag=v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # tag=v7.0.0
         with:
           tags: ${{ steps.tags.outputs.tags }}
           build-args: |-
@@ -138,7 +145,7 @@ jobs:
           file: src/main/docker/Dockerfile
 
       - name: Build Alpine multi-arch Container Image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # tag=v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # tag=v7.0.0
         with:
           tags: ${{ steps.tags.outputs.tags-alpine }}
           build-args: |-
@@ -149,23 +156,3 @@ jobs:
           push: ${{ inputs.publish-container }}
           context: .
           file: src/main/docker/Dockerfile.alpine
-
-      - name: Run Trivy Vulnerability Scanner
-        if: ${{ inputs.publish-container }}
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # tag=0.35.0
-        env:
-          # https://github.com/aquasecurity/trivy-action/issues/389
-          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
-          TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db:1"
-        with:
-          image-ref: docker.io/dependencytrack/${{ matrix.distribution }}:${{ inputs.app-version }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          ignore-unfixed: true
-          vuln-type: 'os'
-
-      - name: Upload Trivy Scan Results to GitHub Security Tab
-        if: ${{ inputs.publish-container }}
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # tag=v3.29.5
-        with:
-          sarif_file: 'trivy-results.sarif'

.github/workflows/ci-publish.yaml

@@ -3,9 +3,9 @@
 name: Publish CI
 
 on:
-  release:
-    types:
-      - released
+  push:
+    tags:
+      - '[0-9]*'
   workflow_dispatch:
 
 permissions: { }
@@ -24,6 +24,8 @@ jobs:
           fi
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Parse Version from POM
         id: parse
@@ -47,15 +49,19 @@ jobs:
 
   update-github-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required to update GitHub release assets and notes
     needs:
       - read-version
       - call-build
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Download Artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # tag=v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # tag=v8.0.1
         with:
           name: assembled-wars
           path: target
@@ -73,23 +79,32 @@ jobs:
 
       - name: Update Release
         env:
-          GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ needs.read-version.outputs.version }}
         run: |-
           cat << EOF >> .github/default-release-notes.md
           \`\`\`text
           $(cat target/checksums.txt)
           \`\`\`
           EOF
-          
-          gh release view ${{ needs.read-version.outputs.version }} \
+
+          gh release view "${VERSION}" \
             --json body --jq .body >> .github/default-release-notes.md
 
-          gh release edit ${{ needs.read-version.outputs.version }} \
+          gh release edit "${VERSION}" \
             --notes-file ".github/default-release-notes.md"
 
-          gh release upload ${{ needs.read-version.outputs.version }} \
+          gh release upload "${VERSION}" \
             --clobber \
             target/dependency-track-apiserver.jar \
             target/dependency-track-bundled.jar \
             target/checksums.txt \
             target/bom.json
+
+      - name: Publish Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ needs.read-version.outputs.version }}
+        run: |-
+          gh release edit "${VERSION}" \
+            --draft=false

.github/workflows/ci-release.yaml

@@ -21,11 +21,15 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Environment
         id: variables
+        env:
+          VERSION_OVERWRITE: ${{ github.event.inputs.version-overwrite }}
         run: |-
-          VERSION="${{ github.event.inputs.version-overwrite }}"
+          VERSION="${VERSION_OVERWRITE}"
           if [[ -z ${VERSION} ]]; then
             CURRENT_SNAPSHOT=`yq -p=xml '.project.version' pom.xml`
             VERSION=${CURRENT_SNAPSHOT%-SNAPSHOT}
@@ -38,10 +42,6 @@ jobs:
 
   create-release:
     runs-on: ubuntu-latest
-    permissions:
-      # Required for pushing changes via git command (rather than via GitHub API).
-      # TODO: Use bot credentials for git, or rewrite the "Commit Version" step to use API instead.
-      contents: write
     needs:
       - prepare-release
 
@@ -52,6 +52,8 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          token: ${{ secrets.BOT_RELEASE_GITHUB_TOKEN }}
 
       - name: Set up JDK
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
@@ -60,54 +62,43 @@ jobs:
           java-version: '21'
           cache: 'maven'
 
-      - name: Set Version
-        run: mvn -B --no-transfer-progress versions:set -DnewVersion=${VERSION}
-
-      - name: Commit Version
-        env:
-          GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
+      - name: Set Version and Commit
         run: |-
-          MESSAGE="prepare-release: set version to ${VERSION}"
-          CONTENT=$(base64 -i pom.xml)
-
-          if [[ -z `git ls-remote --quiet --heads origin "${BRANCH_NAME}"` ]]; then
-            SHA=$(git rev-parse ${GITHUB_REF#refs/heads/}:pom.xml)
-
-            # https://gist.github.com/swinton/03e84635b45c78353b1f71e41007fc7c
-            gh api --method PUT /repos/{owner}/{repo}/contents/pom.xml \
-              --field message="${MESSAGE}" \
-              --field content="${CONTENT}" \
-              --field encoding="base64" \
-              --field branch="${GITHUB_REF_NAME}" \
-              --field sha="${SHA}"
-
-            git fetch
-            git reset --hard "origin/${GITHUB_REF_NAME}"
+          git config user.name "dependencytrack-bot"
+          git config user.email "106437498+dependencytrack-bot@users.noreply.github.com"
+
+          if [[ -z $(git ls-remote --quiet --heads origin "${BRANCH_NAME}") ]]; then
             git checkout -b "${BRANCH_NAME}"
-            git push origin "${BRANCH_NAME}"
           else
+            git fetch origin "${BRANCH_NAME}"
             git checkout "${BRANCH_NAME}"
-            SHA=$(git rev-parse ${BRANCH_NAME}:pom.xml)
-
-            gh api --method PUT /repos/{owner}/{repo}/contents/pom.xml \
-              --field message="${MESSAGE}" \
-              --field content="${CONTENT}" \
-              --field encoding="base64" \
-              --field branch="${BRANCH_NAME}" \
-              --field sha="${SHA}"
           fi
 
+          mvn -B --no-transfer-progress versions:set -DnewVersion=${VERSION}
+
+          git add pom.xml
+          git commit -m "prepare-release: set version to ${VERSION}"
+          git push origin "${BRANCH_NAME}"
+
+          git tag "${VERSION}"
+          git push origin "${VERSION}"
+
       - name: Create GitHub Release
         env:
-          GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_GITHUB_TOKEN }}
+          RELEASE_VERSION: ${{ needs.prepare-release.outputs.version }}
+          RELEASE_BRANCH: ${{ needs.prepare-release.outputs.release-branch }}
         run: |-
-          gh release create "${{ needs.prepare-release.outputs.version }}" \
-            --target "${{ needs.prepare-release.outputs.release-branch }}" \
-            --title "${{ needs.prepare-release.outputs.version }}" \
-            --generate-notes
+          gh release create "${RELEASE_VERSION}" \
+            --target "${RELEASE_BRANCH}" \
+            --title "${RELEASE_VERSION}" \
+            --generate-notes \
+            --draft
 
   post-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required to push pom.xml update
     needs:
       - prepare-release
       - create-release
@@ -122,20 +113,20 @@ jobs:
         with:
           ref: ${{ needs.prepare-release.outputs.release-branch }}
 
-      - name: Set SNAPSHOT Version after Release
-        run: mvn -B --no-transfer-progress versions:set -DnewVersion=${NEXT_VERSION}
+      - name: Set up JDK
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+          cache: 'maven'
 
-      - name: Commit SNAPSHOT Version
-        env:
-          GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
+      - name: Set SNAPSHOT Version after Release
         run: |-
-          MESSAGE="prepare-iteration: set version to ${NEXT_VERSION}"
-          CONTENT=$(base64 -i pom.xml)
-          SHA=$(git rev-parse ${BRANCH_NAME}:pom.xml)
-
-          gh api --method PUT /repos/{owner}/{repo}/contents/pom.xml \
-            --field message="${MESSAGE}" \
-            --field content="${CONTENT}" \
-            --field encoding="base64" \
-            --field branch="${BRANCH_NAME}" \
-            --field sha="${SHA}"
+          git config user.name "dependencytrack-bot"
+          git config user.email "106437498+dependencytrack-bot@users.noreply.github.com"
+
+          mvn -B --no-transfer-progress versions:set -DnewVersion=${NEXT_VERSION}
+
+          git add pom.xml
+          git commit -m "prepare-iteration: set version to ${NEXT_VERSION}"
+          git push origin "${BRANCH_NAME}"