This repository was archived by the owner on May 30, 2026. It is now read-only.

feat: add UNKNOWN enum value to Vulnerability sources#1948

Closed
fahedouch wants to merge 1 commit into
DependencyTrack:mainfrom
fahedouch:add-unknown-to-enum

Conversation

@fahedouch
Contributor

@fahedouch fahedouch commented Mar 27, 2026

Description

When the system encountered vulnerability sources not defined in the enum, it threw an IllegalArgumentException: No enum constant org.dependencytrack.model.Vulnerability.Source.UNKNOWN and failed to process the vulnerability. Adding the UNKNOWN enum value allows the system to gracefully handle unrecognized vulnerability sources instead of crashing.

I discovered this issue when testing this PR

Addressed Issue

Additional Details

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have updated the migration changelog accordingly
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

Copilot AI review requested due to automatic review settings March 27, 2026 23:10
Contributor

Copilot AI left a comment


Pull request overview

Adds an UNKNOWN value to Vulnerability.Source so code paths that parse "UNKNOWN" via Vulnerability.Source.valueOf(...) no longer throw IllegalArgumentException, improving resilience when encountering placeholder/unrecognized vulnerability sources.

Changes:

  • Add UNKNOWN enum value to Vulnerability.Source.
  • Update enum constant list formatting to accommodate the new value.
Comments suppressed due to low confidence (1)

apiserver/src/main/java/org/dependencytrack/model/Vulnerability.java:139

  • isKnownSource() currently returns true for UNKNOWN (since it’s now part of values()). Callers like CycloneDXVexImporter use this check to reject unsupported sources, so treating UNKNOWN as "known" may let placeholder/invalid sources through. Consider explicitly excluding UNKNOWN from this predicate (or renaming the method to reflect the new semantics).
        public static boolean isKnownSource(String source) {
            return Arrays.stream(values()).anyMatch(enumSource -> enumSource.name().equalsIgnoreCase(source));
        }


Comment on lines +134 to +135
CSAF, // CSAF Vulnerability sources
UNKNOWN; // Unknown or unrecognized vulnerability source
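Review bot: Appending only the UNKNOWN constant after CSAF fixes the one case where the literal string "UNKNOWN" reaches Source.valueOf(...), but any other unrecognized source name still throws IllegalArgumentException, so the failure described in the PR description is narrowed rather than removed. Consider adding a lenient factory on the enum that returns UNKNOWN for any name that does not match a constant, and routing the importers through it instead of valueOf. Placing UNKNOWN last keeps the ordinals of the existing constants unchanged, which is the safe choice if anything persists or compares by ordinal.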

Copilot AI Mar 27, 2026


Source enum now includes UNKNOWN, but the enum-level documentation says it defines sources "supported" by Dependency-Track. Consider updating the wording to explicitly mention that UNKNOWN is a fallback placeholder (i.e., not an authoritative/supported feed) to avoid misleading future readers and API users.

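The pattern the two review comments above ask for, as an added example that is not DependencyTrack's code: an enum with an UNKNOWN fallback, a parse method that maps unrecognized or null names to UNKNOWN instead of throwing, and an isKnownSource predicate that excludes the placeholder so an importer can still reject it. The constant list, the class name SourceParsingExample, and the method name fromString are assumptions made for the illustration.

```java
import java.util.Locale;

// Added example, not DependencyTrack code. Demonstrates an UNKNOWN fallback
// that never throws on parse, while keeping UNKNOWN out of "known" sources.
public final class SourceParsingExample {

    public enum Source {
        // Constant list assumed for the example; only UNKNOWN matters here.
        NVD, GITHUB, OSSINDEX, SNYK, OSV, CSAF, UNKNOWN;

        // Lenient parser: any name that does not match a real feed, including the
        // literal "UNKNOWN", null or blank input, maps to UNKNOWN. Unlike
        // valueOf(...) this never throws IllegalArgumentException.
        public static Source fromString(String raw) {
            if (raw == null) {
                return UNKNOWN;
            }
            final String name = raw.trim().toUpperCase(Locale.ROOT);
            for (Source s : values()) {
                if (s != UNKNOWN && s.name().equals(name)) {
                    return s;
                }
            }
            return UNKNOWN;
        }

        // True only for authoritative feeds. UNKNOWN is a placeholder, so a
        // caller that uses this to reject unsupported sources still rejects it.
        public static boolean isKnownSource(String raw) {
            return fromString(raw) != UNKNOWN;
        }
    }

    // Mimics an importer gate: accept only names that resolve to a known feed.
    public static String importDecision(String raw) {
        final Source source = Source.fromString(raw);
        return Source.isKnownSource(raw)
                ? "accept " + source
                : "reject (unsupported source: " + raw + ")";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: valid, differently cased, placeholder, unrecognized, null.
        final String[] inputs = {"NVD", "osv", "UNKNOWN", "VENDOR-X", null};
        for (String input : inputs) {
            System.out.printf("%-9s -> %-8s known=%-5b %s%n",
                    input, Source.fromString(input), Source.isKnownSource(input), importDecision(input));
        }
    }
}
```

The key design choice is that fromString skips the UNKNOWN constant when matching, so the string "UNKNOWN" is handled by the same fallback as any other unrecognized name, and isKnownSource is defined in terms of that parse rather than by scanning values(), which is what made the original predicate report UNKNOWN as known.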
@codacy-production

codacy-production Bot commented May 12, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


🟢 Metrics 0 complexity

Metric      Results
Complexity  0

🟢 Coverage 100.00% diff coverage · +0.00% coverage variation

Metric              Results
Coverage variation  +0.00% coverage variation (-1.00%)
Diff coverage       100.00% diff coverage (70.00%)

Coverage variation details
                                  Coverable lines  Covered lines  Coverage
Common ancestor commit (8bd646c)  41913            35824          85.47%
Head commit (55f0451)             41914 (+1)       35825 (+1)     85.47% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
                      Coverable lines  Covered lines  Diff coverage
Pull request (#1948)  2                2              100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


Signed-off-by: Fahed Dorgaa <fahed.dorgaa@gmail.com>
fahedouch force-pushed the add-unknown-to-enum branch from 8e552c3 to 55f0451 on May 20, 2026 15:26
nscuro mentioned this pull request on May 27, 2026
@nscuro
Member

nscuro commented May 27, 2026

Superseded by #2214

@nscuro nscuro closed this May 27, 2026
3 participants