
log suppression when creating new violation analysis#6011

Open
stohrendorf wants to merge 78 commits into
DependencyTrack:4.14.xfrom
stohrendorf:issue-5967

Conversation

@stohrendorf
Contributor

Description

Logs suppression when the initially created policy violation audit is suppressed.

Fixes #5967

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

nscuro and others added 30 commits March 9, 2026 23:14
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@c7c5346...ce36039)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.19.2 to 7.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@10e90e3...d08e5c3)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
… CPE

The previous logic did not explicitly "parse" the component's PURL when the component also has a CPE. It would still go on to fetch VulnerableSoftware records for CPE *and* PURL as expected, but would not follow the PURL-specific version comparison algorithms.

Leftover logic that pre-dates the introduction of vers caused version range analysis to be performed against VulnerableSoftware records that had no CPE information (i.e. maybeMatchCpe returns null). VulnerableSoftware records with PURL information were thus still considered, but in a logic branch that doesn't leverage ecosystem-aware or distro-aware matching.

Credit to @xavier-calland for identifying this as per DependencyTrack#5343 (comment)

Signed-off-by: nscuro <nscuro@protonmail.com>
Fix PURL-specific version matching being bypassed for components with CPE
…ot/github_actions/docker/build-push-action-7.0.0

build(deps): bump docker/build-push-action from 6.19.2 to 7.0.0
…ot/github_actions/docker/setup-qemu-action-4.0.0

build(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0
Bumps org.apache.maven:maven-artifact from 3.9.13 to 3.9.14.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-artifact
  dependency-version: 3.9.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Zureno <pranshu21freak@gmail.com>
(cherry picked from commit f8910cc)
Bumps `lib.resilience4j.version` from 2.3.0 to 2.4.0.

Updates `io.github.resilience4j:resilience4j-retry` from 2.3.0 to 2.4.0
- [Release notes](https://github.com/resilience4j/resilience4j/releases)
- [Changelog](https://github.com/resilience4j/resilience4j/blob/master/RELEASENOTES.adoc)
- [Commits](resilience4j/resilience4j@v2.3.0...v2.4.0)

Updates `io.github.resilience4j:resilience4j-ratelimiter` from 2.3.0 to 2.4.0
- [Release notes](https://github.com/resilience4j/resilience4j/releases)
- [Changelog](https://github.com/resilience4j/resilience4j/blob/master/RELEASENOTES.adoc)
- [Commits](resilience4j/resilience4j@v2.3.0...v2.4.0)

Updates `io.github.resilience4j:resilience4j-micrometer` from 2.3.0 to 2.4.0
- [Release notes](https://github.com/resilience4j/resilience4j/releases)
- [Changelog](https://github.com/resilience4j/resilience4j/blob/master/RELEASENOTES.adoc)
- [Commits](resilience4j/resilience4j@v2.3.0...v2.4.0)

---
updated-dependencies:
- dependency-name: io.github.resilience4j:resilience4j-retry
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: io.github.resilience4j:resilience4j-ratelimiter
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: io.github.resilience4j:resilience4j-micrometer
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.microsoft.sqlserver:mssql-jdbc](https://github.com/Microsoft/mssql-jdbc) from 13.2.1.jre11 to 13.4.0.jre11.
- [Release notes](https://github.com/Microsoft/mssql-jdbc/releases)
- [Changelog](https://github.com/microsoft/mssql-jdbc/blob/main/CHANGELOG.md)
- [Commits](https://github.com/Microsoft/mssql-jdbc/commits)

---
updated-dependencies:
- dependency-name: com.microsoft.sqlserver:mssql-jdbc
  dependency-version: 13.4.0.jre11
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 8.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@70fc10c...3e5f45b)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps eclipse-temurin from `2866f12` to `a6884e6`.

---
updated-dependencies:
- dependency-name: eclipse-temurin
  dependency-version: 25.0.2_10-jdk-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps debian from `85dfcff` to `99fc6d2`.

---
updated-dependencies:
- dependency-name: debian
  dependency-version: stable-slim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…ot/docker/src/main/docker/debian-99fc6d2
…ot/docker/src/main/docker/eclipse-temurin-a6884e6
…ot/maven/com.microsoft.sqlserver-mssql-jdbc-13.4.0.jre11
…ot/github_actions/actions/download-artifact-8.0.1
…ot/maven/org.apache.maven-maven-artifact-3.9.14
Bumps [io.swagger.parser.v3:swagger-parser](https://github.com/swagger-api/swagger-parser) from 2.1.38 to 2.1.39.
- [Release notes](https://github.com/swagger-api/swagger-parser/releases)
- [Commits](swagger-api/swagger-parser@v2.1.38...v2.1.39)

---
updated-dependencies:
- dependency-name: io.swagger.parser.v3:swagger-parser
  dependency-version: 2.1.39
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Fixes the internal vulnerability analyzer being unable to differentiate pre-release versions from release versions, which led to false positives.

Signed-off-by: nscuro <nscuro@protonmail.com>
…ot/maven/io.swagger.parser.v3-swagger-parser-2.1.39
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Bumps org.metaeffekt.core:ae-security from 0.153.1 to 0.153.2.

---
updated-dependencies:
- dependency-name: org.metaeffekt.core:ae-security
  dependency-version: 0.153.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps eclipse-temurin from `a6884e6` to `d556bfd`.

---
updated-dependencies:
- dependency-name: eclipse-temurin
  dependency-version: 25.0.2_10-jdk-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot and others added 27 commits March 24, 2026 10:05
Bumps `lib.protobuf-java.version` from 4.34.0 to 4.34.1.

Updates `com.google.protobuf:protobuf-java` from 4.34.0 to 4.34.1
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `com.google.protobuf:protobuf-java-util` from 4.34.0 to 4.34.1

---
updated-dependencies:
- dependency-name: com.google.protobuf:protobuf-java
  dependency-version: 4.34.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.google.protobuf:protobuf-java-util
  dependency-version: 4.34.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…ot/maven/lib.protobuf-java.version-4.34.1
* Replaces usage of BOT_RELEASE_TOKEN with ephemeral GITHUB_TOKEN where the dedicated PAT is not needed. It's only required during release creation so that the `release: created` event is triggered.
* Updates release workflow to create releases as draft first, and only publish them after all assets have been uploaded. This enables us to use immutable GitHub releases.
* Removes unneeded workflows.

Signed-off-by: nscuro <nscuro@protonmail.com>
Fixes findings identified by zizmor (https://github.com/zizmorcore/zizmor)

Signed-off-by: nscuro <nscuro@protonmail.com>
…ype BIGINT

It's possible that schemas generated by an older version of DT use SERIAL / INT for ID columns. Handle this with explicit casting so the columns can be matched to Java long fields.

Signed-off-by: nscuro <nscuro@protonmail.com>
Fix scheduled notification query failing when ID columns are not of type BIGINT
Signed-off-by: Steffen Ohrendorf <steffen.ohrendorf@gmx.de>
Bumps [io.github.ascopes:protobuf-maven-plugin](https://github.com/ascopes/protobuf-maven-plugin) from 5.0.2 to 5.1.0.
- [Release notes](https://github.com/ascopes/protobuf-maven-plugin/releases)
- [Commits](ascopes/protobuf-maven-plugin@v5.0.2...v5.1.0)

---
updated-dependencies:
- dependency-name: io.github.ascopes:protobuf-maven-plugin
  dependency-version: 5.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps eclipse-temurin from `d556bfd` to `305fb0c`.

---
updated-dependencies:
- dependency-name: eclipse-temurin
  dependency-version: 25.0.2_10-jdk-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…ot/maven/io.github.ascopes-protobuf-maven-plugin-5.1.0

build(deps-dev): bump io.github.ascopes:protobuf-maven-plugin from 5.0.2 to 5.1.0
…ot/docker/src/main/docker/eclipse-temurin-305fb0c

build(deps): bump eclipse-temurin from `d556bfd` to `305fb0c` in /src/main/docker
This was missed when originally introducing versatile. Both the Composer and NuGet meta analyzers rely on manual version comparison to determine the latest component version. Both used ComparableVersion before, which is a class from Maven, and thus can only apply Maven-specific semantics.

Signed-off-by: nscuro <nscuro@protonmail.com>
Sonatype Guide uses bearer tokens, whereas OSS Index expects basic auth using email and token.

Note that the OSS Index API does not yet support Guide tokens, but will soon. This change ensures a smooth transition when the time comes.

Signed-off-by: nscuro <nscuro@protonmail.com>
…atest-version-detection

Use ecosystem-aware version comparison for latest version detection
Support Sonatype Guide tokens for OSS Index analyzer
Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com>
It turns out that creating a draft release doesn't trigger a `release: created` event. Instead, we need to push a tag, which then fires the `push: tags` event.

For this to work, the push must be performed with a non-default PAT. A BOT_RELEASE_GITHUB_TOKEN secret has been created with minimal privileges, and scoped to this repository.

Note that tags were previously created implicitly when creating the GitHub release.

Also replaces commits via GitHub CLI with actual commits using git.

Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: Niklas <nscuro@protonmail.com>
Signed-off-by: Steffen Ohrendorf <steffen.ohrendorf@gmx.de>
@owasp-dt-bot

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues


@codacy-production

codacy-production Bot commented Apr 6, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


🟢 Metrics 0 complexity · 8 duplication

Metric Results
Complexity 0
Duplication 8



@stohrendorf stohrendorf changed the base branch from master to 4.14.x May 20, 2026 03:59

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Policy violation audit supress action sometimes not tracked

5 participants