Bumps debian from `b5ace51` to `5724d31`.
---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Some legacy code ported over from v4 still uses `DbUtil#isPostgreSQL` checks to determine if certain SQL syntax can be used. Since our move to Liquibase, `DbUtil` has not been initialized anymore, and hence always returned `false` for the aforementioned check. Ultimately, usages of `DbUtil` should be removed entirely.
Signed-off-by: nscuro <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Bumps `lib.net.javacrumbs.shedlock.version` from 6.2.0 to 6.3.0.
Updates `net.javacrumbs.shedlock:shedlock-provider-jdbc` from 6.2.0 to 6.3.0
Updates `net.javacrumbs.shedlock:shedlock-provider-jdbc-internal` from 6.2.0 to 6.3.0
---
updated-dependencies:
- dependency-name: net.javacrumbs.shedlock:shedlock-provider-jdbc
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: net.javacrumbs.shedlock:shedlock-provider-jdbc-internal
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Signed-off-by: Jonathan Howard <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Signed-off-by: Jonathan Howard <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Analogue to DependencyTrack/hyades#1672
Signed-off-by: nscuro <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

A mix-up of `"V"."VULNID" != ANY(:vulnIdsToExclude)` and `"V"."VULNID" != ALL(:vulnIdsToExclude)` caused all but one Snyk vulnerability to be suppressed for a component.
https://stackoverflow.com/a/11730845
Signed-off-by: nscuro <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Signed-off-by: nscuro <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
…1064) Signed-off-by: Allen Shearin <[email protected]>
Bumps `lib.testcontainers.version` from 1.20.4 to 1.20.5.
Updates `org.testcontainers:kafka` from 1.20.4 to 1.20.5
- [Release notes](https://github.com/testcontainers/testcontainers-java/releases)
- [Changelog](https://github.com/testcontainers/testcontainers-java/blob/main/CHANGELOG.md)
- [Commits](testcontainers/testcontainers-java@1.20.4...1.20.5)
Updates `org.testcontainers:postgresql` from 1.20.4 to 1.20.5
- [Release notes](https://github.com/testcontainers/testcontainers-java/releases)
- [Changelog](https://github.com/testcontainers/testcontainers-java/blob/main/CHANGELOG.md)
- [Commits](testcontainers/testcontainers-java@1.20.4...1.20.5)
---
updated-dependencies:
- dependency-name: org.testcontainers:kafka
  dependency-type: direct:development
  update-type: version-update:semver-patch
- dependency-name: org.testcontainers:postgresql
  dependency-type: direct:development
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Bumps [org.apache.maven.plugins:maven-clean-plugin](https://github.com/apache/maven-clean-plugin) from 3.4.0 to 3.4.1.
- [Release notes](https://github.com/apache/maven-clean-plugin/releases)
- [Commits](apache/maven-clean-plugin@maven-clean-plugin-3.4.0...maven-clean-plugin-3.4.1)
---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-clean-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Jonathan Howard <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: nscuro <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
)
* Defining new role permissions
  Signed-off-by: Johnny Mayer <[email protected]>
* Defining new role permissions
  Signed-off-by: Johnny Mayer <[email protected]>
* Initial creation of RolesResource
  Signed-off-by: Johnny Mayer <[email protected]>
* address comments
  Signed-off-by: Johnny Mayer <[email protected]>
* Adding logger statement, removing getRoles() stub.
  Signed-off-by: Johnny Mayer <[email protected]>
* update @since, update permissions, added log statement
  Signed-off-by: Johnny Mayer <[email protected]>
---------
Signed-off-by: Johnny Mayer <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Signed-off-by: Philippe <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

* Add POST and DELETE role endpoints to UserResource
  Signed-off-by: Johnny Mayer <[email protected]>
* apply code style suggestions
  Signed-off-by: Johnny Mayer <[email protected]>
* Add CRUD method stubs to RoleQueryManager and QueryManager
  Signed-off-by: Johnny Mayer <[email protected]>
* Apply suggestions from code review
  Co-authored-by: jhoward-lm <[email protected]>
  Signed-off-by: Allen Shearin <[email protected]>
---------
Signed-off-by: Johnny Mayer <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
Co-authored-by: Allen Shearin <[email protected]>
Co-authored-by: jhoward-lm <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Ephraim Mensah <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
Bumps org.slf4j:log4j-over-slf4j from 2.0.16 to 2.0.17.
---
updated-dependencies:
- dependency-name: org.slf4j:log4j-over-slf4j
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Allen Shearin <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
* fix: add role UUID field
  Signed-off-by: Jonathan Howard <[email protected]>
* fix: add uuid field to fetch group
  Signed-off-by: Jonathan Howard <[email protected]>
---------
Signed-off-by: Jonathan Howard <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

* refactor: implement role endpoint methods
  Signed-off-by: Jonathan Howard <[email protected]>
* style: restore original method order
  Signed-off-by: Jonathan Howard <[email protected]>
---------
Signed-off-by: Jonathan Howard <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: nscuro <[email protected]> Signed-off-by: Allen Shearin <[email protected]>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.9.0 to 3.10.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@v3.9.0...v3.10.0)
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.13.0 to 6.15.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v6.13.0...v6.15.0)
---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.8 to 4.1.9.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4.1.8...v4.1.9)
---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.4.0 to 3.6.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@v3.4.0...v3.6.0)
---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.0...v4.6.1)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
Signed-off-by: Jonathan Howard <[email protected]>
* feat: add endpoint to set role permissions in bulk with validation
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* feat: add endpoint to retrieve users with optional filtering by type and username
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* refactor: optimize user retrieval logic and enhance permission handling
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* refactor: remove unused WireMockConfiguration import from GitLabClientTest causing checkstyle violation
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* refactor: rename variable 'principal' to 'user' for clarity in PermissionResource and UserResource
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* feat: add UserType enum and update user retrieval logic to support user type differentiation
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* test: add unit test for retrieving users by type in UserResourceAuthenticatedTest
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* refactor: cleanup
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* Update apiserver/src/main/java/org/dependencytrack/resources/v1/UserResource.java
  Co-authored-by: jhoward-lm <[email protected]>
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* PR Revisions
  Co-authored-by: jhoward-lm <[email protected]>
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* refactor: remove UserType enum and related deserialization logic, update user retrieval to use string type
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
---------
Signed-off-by: Emmanuel Meremikwu <[email protected]>
Co-authored-by: jhoward-lm <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
…erver into gitlab-integration-bom-upload Signed-off-by: Jonathan Howard <[email protected]>
* fix: duplicate user error on sso
  Signed-off-by: Emmanuel Meremikwu <[email protected]>
* Update apiserver/src/main/java/org/dependencytrack/tasks/GitLabSyncTask.java
  Co-authored-by: Allen Shearin <[email protected]>
  Signed-off-by: emeremikwu-lm <[email protected]>
---------
Signed-off-by: Emmanuel Meremikwu <[email protected]>
Signed-off-by: emeremikwu-lm <[email protected]>
Co-authored-by: Allen Shearin <[email protected]>

* feat: uploadBomGitLab validates a GitLab ID Token with a public JWKS and then uploads a bom file
  Signed-off-by: Alexis Lamb <[email protected]>
* update uploadBomGitLab and GitLabAuthenticationCustomizer
  Signed-off-by: Alexis Lamb <[email protected]>
* fix: remove build error
  Signed-off-by: Alexis Lamb <[email protected]>
* fix: remove unused imports
  Signed-off-by: Alexis Lamb <[email protected]>
* update autocreate flag usage and project creation logic
  Signed-off-by: Alexis Lamb <[email protected]>
* fix PR comments for GitLab SBOM Push
  Signed-off-by: Alexis Lamb <[email protected]>
* update updateNewProjectACL to add GitLabRole to user
  Signed-off-by: Alexis Lamb <[email protected]>
* update gitLabToken parameter name
  Signed-off-by: Alexis Lamb <[email protected]>
---------
Signed-off-by: Alexis Lamb <[email protected]>
…erver into gitlab-integration-bom-upload Signed-off-by: Jonathan Howard <[email protected]>
Signed-off-by: Alexis Lamb <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
…to gitlab-integration-bom-upload-fix-mcs
nscuro requested changes (Jul 27, 2025)
Resolved review threads on:
- apiserver/src/main/java/org/dependencytrack/resources/v1/BomResource.java (outdated)
- apiserver/src/main/java/org/dependencytrack/resources/v1/BomResource.java
- apiserver/src/main/java/org/dependencytrack/persistence/jdbi/mapping/ProjectRowMapper.java (outdated)
- apiserver/src/main/java/org/dependencytrack/integrations/gitlab/GitLabRole.java
Comment on lines +54 to +71
| Permissions.Constants.POLICY_MANAGEMENT, | ||
| Permissions.Constants.POLICY_MANAGEMENT_CREATE, | ||
| Permissions.Constants.POLICY_MANAGEMENT_READ, | ||
| Permissions.Constants.POLICY_MANAGEMENT_UPDATE, | ||
| Permissions.Constants.POLICY_MANAGEMENT_DELETE)), | ||
| OWNER(50, "GitLab Project Owner", Set.of( | ||
| Permissions.Constants.ACCESS_MANAGEMENT, | ||
| Permissions.Constants.ACCESS_MANAGEMENT_CREATE, | ||
| Permissions.Constants.ACCESS_MANAGEMENT_READ, | ||
| Permissions.Constants.ACCESS_MANAGEMENT_UPDATE, | ||
| Permissions.Constants.ACCESS_MANAGEMENT_DELETE, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION_CREATE, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION_READ, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION_DELETE, | ||
| Permissions.Constants.TAG_MANAGEMENT, | ||
| Permissions.Constants.TAG_MANAGEMENT_DELETE)); |
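Review bot: the OWNER mapping (lines +54 to +71) grants the ACCESS_MANAGEMENT_* and SYSTEM_CONFIGURATION_* permissions, which the reviewer notes apply to the entire instance rather than to the synced project, so every GitLab project owner would become a system administrator. Suggest restricting the GitLab-role-to-permission mapping to project-scoped permissions (or scoping the granted permissions to the project the access level came from) and adding a test that asserts no GitLab role maps to an instance-wide permission. Separately, TAG_MANAGEMENT is paired only with TAG_MANAGEMENT_DELETE while the other groups list all four CRUD sub-permissions; confirm that asymmetry is intended or document it.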
Member
These permissions are currently not scoped to projects, but apply to the entire system. This would make all project owners also system administrators, which is not what we want.
Contributor (Author)
@nscuro I pushed a revised version of this (and removed the duplicate definitions in GitLabClient.java). Let me know what you think
| @FormDataParam("isLatest") @DefaultValue("false") boolean isLatest) { | ||
|
|
||
| try (QueryManager qm = new QueryManager()) { | ||
| Function<ConfigPropertyConstants, ConfigProperty> propertyGetter = cpc -> qm.getConfigProperty( |
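Review bot: the config property reads inside `try (QueryManager qm = new QueryManager())` run outside any transaction; wrap this block in `qm.callInTransaction(...)` so the reads and whatever the upload path writes afterwards see one consistent snapshot, as the reviewer requests. Also note that `propertyGetter` captures `qm`, which is closed when the try block exits, so the lambda must not be handed to anything that outlives the block.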
Member
Please wrap this in a transaction using qm.callInTransaction.
Contributor (Author)
Is this still necessary if the new method performs only read operations? At the end it makes a call to the pre-existing uploadBom method, which already uses a transaction
Resolved review threads on:
- alpine/alpine-infra/src/main/java/alpine/persistence/AlpineQueryManager.java (outdated)
- apiserver/src/main/java/org/dependencytrack/resources/v1/IntegrationResource.java (outdated)
- apiserver/src/main/java/org/dependencytrack/resources/v1/BomResource.java (outdated)
- apiserver/src/main/java/org/dependencytrack/resources/v1/BomResource.java (outdated)
…load-fix-mcs Resolve merge conflicts
Signed-off-by: Jonathan Howard <[email protected]>
…RL (#16) Signed-off-by: Emmanuel Meremikwu <[email protected]>
Signed-off-by: Allen Shearin <[email protected]>
* fix: add null check for access level field in gitlab token
  Signed-off-by: Allen Shearin <[email protected]>
* Update apiserver/src/main/java/org/dependencytrack/resources/v1/BomResource.java
  Signed-off-by: Allen Shearin <[email protected]>
---------
Signed-off-by: Allen Shearin <[email protected]>
This was referenced Jul 29, 2025
Signed-off-by: Jonathan Howard <[email protected]>
…erver into gitlab-integration-bom-upload
Signed-off-by: Jonathan Howard <[email protected]>
Signed-off-by: Jonathan Howard <[email protected]>
Signed-off-by: Jonathan Howard <[email protected]>
…gitlab-integration
Description
This PR adds an integration for authentication and authorization using GitLab as an OIDC issuer. Its purpose is to synchronize a user's projects and roles/max access levels per project within GitLab to a DependencyTrack instance.
It includes:
- OidcAuthenticationCustomizer service provider interface specific to GitLab
- GitLabSyncer integration class
- GitLabClient class for querying the GraphQL API to retrieve user's projects and access levels per project
Supersedes #1052
Addressed Issue
Additional Details
Checklist
- This PR fixes a defect, and I have provided tests to verify that the fix is effective
- This PR introduces changes to the database model, and I have updated the migration changelog accordingly
- This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
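As an added illustration, not code from this PR or from DependencyTrack, the following Java sketch shows the shape of mapping the review discussion asks for: GitLab access levels map only to permissions that are assumed here to be project-scoped, a startup check rejects any role that would carry an instance-wide permission, and a missing or unrecognised access level (the case the later null-check fix addresses) resolves to no role rather than a default. The numeric access levels are GitLab's documented values; the permission strings stand in for `Permissions.Constants`, and which of them count as global versus project-scoped is an assumption drawn from the reviewer's comment, not from the project's source.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;

// Added example, not DependencyTrack code. Maps GitLab project access levels
// (10 Guest .. 50 Owner, GitLab's documented values) to permission names and
// refuses to start if any role would grant an instance-wide permission.
public final class GitLabRoleMappingExample {

    // ASSUMPTION: permission groups treated as instance-wide, per the review
    // comment that ACCESS_MANAGEMENT/SYSTEM_CONFIGURATION apply to the whole system.
    static final Set<String> GLOBAL_PERMISSION_PREFIXES = Set.of(
            "ACCESS_MANAGEMENT", "SYSTEM_CONFIGURATION", "POLICY_MANAGEMENT", "TAG_MANAGEMENT");

    enum GitLabRole {
        GUEST(10, Set.of("VIEW_PORTFOLIO")),
        REPORTER(20, Set.of("VIEW_PORTFOLIO", "VIEW_VULNERABILITY")),
        DEVELOPER(30, Set.of("VIEW_PORTFOLIO", "VIEW_VULNERABILITY", "BOM_UPLOAD")),
        MAINTAINER(40, Set.of("VIEW_PORTFOLIO", "VIEW_VULNERABILITY", "BOM_UPLOAD",
                "VULNERABILITY_ANALYSIS")),
        // Owner gets more project-level rights, but still nothing instance-wide.
        OWNER(50, Set.of("VIEW_PORTFOLIO", "VIEW_VULNERABILITY", "BOM_UPLOAD",
                "VULNERABILITY_ANALYSIS", "POLICY_VIOLATION_ANALYSIS"));

        final int accessLevel;
        final Set<String> permissions;

        GitLabRole(int accessLevel, Set<String> permissions) {
            this.accessLevel = accessLevel;
            this.permissions = permissions;
        }
    }

    // Fail fast: no GitLab role may carry a permission from a global group.
    static void assertProjectScoped() {
        for (GitLabRole role : GitLabRole.values()) {
            for (String permission : role.permissions) {
                for (String prefix : GLOBAL_PERMISSION_PREFIXES) {
                    if (permission.startsWith(prefix)) {
                        throw new IllegalStateException(
                                role + " maps to instance-wide permission " + permission);
                    }
                }
            }
        }
    }

    // Resolve the highest role whose access level does not exceed the value
    // from the token. A null or sub-Guest level yields no role, never a default.
    static Optional<GitLabRole> fromAccessLevel(Integer accessLevel) {
        if (accessLevel == null) {
            return Optional.empty();
        }
        GitLabRole best = null;
        for (GitLabRole role : GitLabRole.values()) {
            if (role.accessLevel <= accessLevel
                    && (best == null || role.accessLevel > best.accessLevel)) {
                best = role;
            }
        }
        return Optional.ofNullable(best);
    }

    public static void main(String[] args) {
        assertProjectScoped();
        // Constructed sample: project path -> max access level claimed for it.
        Map<String, Integer> tokenProjects = new TreeMap<>();
        tokenProjects.put("group/app", 50);
        tokenProjects.put("group/lib", 30);
        tokenProjects.put("group/docs", 5);     // below Guest: no role granted
        tokenProjects.put("group/unset", null); // field absent from the token
        tokenProjects.forEach((project, level) -> System.out.println(
                project + " -> " + fromAccessLevel(level).map(Enum::name).orElse("<none>")));
    }
}
```

Running `assertProjectScoped()` once at startup turns the scoping rule into an invariant: adding an `ACCESS_MANAGEMENT_*` entry to any role fails the boot rather than silently promoting every project owner, which is the failure the reviewer flagged.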