Open
Bumps debian from `b5ace51` to `5724d31`. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Some legacy code ported over from v4 still uses `DbUtil#isPostgreSQL` checks to determine if certain SQL syntax can be used. Since our move to Liquibase, `DbUtil` has not been initialized anymore, and hence always returned `false` for the aforementioned check. Ultimately, usages of `DbUtil` should be removed entirely. Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps `lib.net.javacrumbs.shedlock.version` from 6.2.0 to 6.3.0. Updates `net.javacrumbs.shedlock:shedlock-provider-jdbc` from 6.2.0 to 6.3.0 Updates `net.javacrumbs.shedlock:shedlock-provider-jdbc-internal` from 6.2.0 to 6.3.0 --- updated-dependencies: - dependency-name: net.javacrumbs.shedlock:shedlock-provider-jdbc dependency-type: direct:production update-type: version-update:semver-minor - dependency-name: net.javacrumbs.shedlock:shedlock-provider-jdbc-internal dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Analogue to DependencyTrack/hyades#1672 Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
A mix-up of `"V"."VULNID" != ANY(:vulnIdsToExclude)` and `"V"."VULNID" != ALL(:vulnIdsToExclude)` caused all but one Snyk vulnerability to be suppressed for a component. https://stackoverflow.com/a/11730845 Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
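The `ANY`/`ALL` distinction behind this fix, evaluated side by side on a constructed table in PostgreSQL (an added example, not code from the DependencyTrack repository; the `"VULNERABILITY"` table layout, the four sample Snyk ids and the literal array standing in for the `:vulnIdsToExclude` bind parameter are all assumptions):

```sql
-- Added example, not code from the DependencyTrack repository.
-- Assumed: a minimal "VULNERABILITY" table, four constructed Snyk ids, and a
-- literal array standing in for the :vulnIdsToExclude bind parameter.
CREATE TEMP TABLE "VULNERABILITY" (
    "ID"     SERIAL PRIMARY KEY,
    "VULNID" TEXT NOT NULL,
    "SOURCE" TEXT NOT NULL
);

INSERT INTO "VULNERABILITY" ("VULNID", "SOURCE") VALUES
    ('SNYK-JAVA-A-1', 'SNYK'),
    ('SNYK-JAVA-B-2', 'SNYK'),
    ('SNYK-JAVA-C-3', 'SNYK'),
    ('SNYK-JAVA-D-4', 'SNYK');

-- Side-by-side evaluation of both predicates for every row.
-- "!= ANY": true when VULNID differs from AT LEAST ONE array element, so with
--           two or more elements it is true for every row.
-- "!= ALL": true only when VULNID differs from EVERY element, i.e. the row is
--           not in the exclusion list. This is the intended check.
SELECT "V"."VULNID",
       "V"."VULNID" != ANY(ARRAY['SNYK-JAVA-B-2', 'SNYK-JAVA-D-4']) AS matched_by_any,
       "V"."VULNID" != ALL(ARRAY['SNYK-JAVA-B-2', 'SNYK-JAVA-D-4']) AS matched_by_all
  FROM "VULNERABILITY" AS "V"
 WHERE "V"."SOURCE" = 'SNYK'
 ORDER BY "V"."VULNID";

-- Edge case: an empty exclusion list. "!= ALL" of an empty array is true
-- (nothing to exclude), "!= ANY" of an empty array is false (matches nothing).
SELECT "V"."VULNID",
       "V"."VULNID" != ANY(ARRAY[]::TEXT[]) AS matched_by_any_empty,
       "V"."VULNID" != ALL(ARRAY[]::TEXT[]) AS matched_by_all_empty
  FROM "VULNERABILITY" AS "V"
 WHERE "V"."SOURCE" = 'SNYK'
 ORDER BY "V"."VULNID";

-- The corrected form of the predicate from the fix, used as a filter:
SELECT "V"."VULNID"
  FROM "VULNERABILITY" AS "V"
 WHERE "V"."SOURCE" = 'SNYK'
   AND "V"."VULNID" != ALL(ARRAY['SNYK-JAVA-B-2', 'SNYK-JAVA-D-4']);
```

Run it in `psql` against any PostgreSQL database. On the constructed rows the `!= ANY` predicate is true for all four ids, because each of them differs from at least one of the two excluded ids, while `!= ALL` is true only for `SNYK-JAVA-A-1` and `SNYK-JAVA-C-3`. When the rows such a predicate matches are the ones a job then suppresses, the `ANY` form suppresses nearly everything, which is the symptom the commit message describes; the `ALL` form is the correct "not in the list" test, and the empty-array case shows it also degrades safely when there is nothing to exclude.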
Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
…1064) Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps `lib.testcontainers.version` from 1.20.4 to 1.20.5. Updates `org.testcontainers:kafka` from 1.20.4 to 1.20.5 - [Release notes](https://github.com/testcontainers/testcontainers-java/releases) - [Changelog](https://github.com/testcontainers/testcontainers-java/blob/main/CHANGELOG.md) - [Commits](testcontainers/testcontainers-java@1.20.4...1.20.5) Updates `org.testcontainers:postgresql` from 1.20.4 to 1.20.5 - [Release notes](https://github.com/testcontainers/testcontainers-java/releases) - [Changelog](https://github.com/testcontainers/testcontainers-java/blob/main/CHANGELOG.md) - [Commits](testcontainers/testcontainers-java@1.20.4...1.20.5) --- updated-dependencies: - dependency-name: org.testcontainers:kafka dependency-type: direct:development update-type: version-update:semver-patch - dependency-name: org.testcontainers:postgresql dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [org.apache.maven.plugins:maven-clean-plugin](https://github.com/apache/maven-clean-plugin) from 3.4.0 to 3.4.1. - [Release notes](https://github.com/apache/maven-clean-plugin/releases) - [Commits](apache/maven-clean-plugin@maven-clean-plugin-3.4.0...maven-clean-plugin-3.4.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-clean-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
) * Defining new role permissions Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> * Defining new role permissions Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> * Initial creation of RolesResource Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> * address comments Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> * Adding logger statement, removing getRoles() stub. Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> * update @SInCE, update permissions, added log statement Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> --------- Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Philippe <philippe.a.aviles@lmco.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* Add POST and DELETE role endpoints to UserResource Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> * apply code style suggestions Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> * Add CRUD method stubs to RoleQueryManager and QueryManager Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> * Apply suggestions from code review Co-authored-by: jhoward-lm <140011346+jhoward-lm@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> --------- Signed-off-by: Johnny Mayer <johnny.w.mayer.iii@lmco.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> Co-authored-by: Allen Shearin <allen.p.shearin@gmail.com> Co-authored-by: jhoward-lm <140011346+jhoward-lm@users.noreply.github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Ephraim Mensah <ephraim.e.mensah@lmco.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps org.slf4j:log4j-over-slf4j from 2.0.16 to 2.0.17. --- updated-dependencies: - dependency-name: org.slf4j:log4j-over-slf4j dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* fix: add role UUID field Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com> * fix: add uuid field to fetch group Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com> --------- Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* refactor: implement role endpoint methods Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com> * style: restore original method order Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com> --------- Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: nscuro <nscuro@protonmail.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.9.0 to 3.10.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@v3.9.0...v3.10.0) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.13.0 to 6.15.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@v6.13.0...v6.15.0) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.8 to 4.1.9. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v4.1.8...v4.1.9) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.4.0 to 3.6.0. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](docker/setup-qemu-action@v3.4.0...v3.6.0) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.0 to 4.6.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4.6.0...v4.6.1) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>
* feat: add endpoint to set role permissions in bulk with validation Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * feat: add endpoint to retrieve users with optional filtering by type and username Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * refactor: optimize user retrieval logic and enhance permission handling Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * refactor: remove unused WireMockConfiguration import from GitLabClientTest causing checkstyle violation Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * refactor: rename variable 'principal' to 'user' for clarity in PermissionResource and UserResource Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * feat: add UserType enum and update user retrieval logic to support user type differentiation Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * test: add unit test for retrieving users by type in UserResourceAuthenticatedTest Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * refactor: cleanup Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * Update apiserver/src/main/java/org/dependencytrack/resources/v1/UserResource.java Co-authored-by: jhoward-lm <140011346+jhoward-lm@users.noreply.github.com> Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * PR Revisions Co-authored-by: jhoward-lm <140011346+jhoward-lm@users.noreply.github.com> Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * refactor: remove UserType enum and related deserialization logic, update user retrieval to use string type Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> --------- Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> Co-authored-by: jhoward-lm <140011346+jhoward-lm@users.noreply.github.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
…erver into gitlab-integration-bom-upload Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>
* fix: duplicate user error on sso Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> * Update apiserver/src/main/java/org/dependencytrack/tasks/GitLabSyncTask.java Co-authored-by: Allen Shearin <allen.p.shearin@gmail.com> Signed-off-by: emeremikwu-lm <emmanuel.meremikwu@lmco.com> --------- Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com> Signed-off-by: emeremikwu-lm <emmanuel.meremikwu@lmco.com> Co-authored-by: Allen Shearin <allen.p.shearin@gmail.com>
* feat: uploadBomGitLab validates a GitLab ID Token with a public JWKS and then uploads a bom file Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com> * update uploadBomGitLab and GitLabAuthenticationCustomizer Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com> * fix: remove build error Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com> * fix: remove unused imports Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com> * update autocreate flag usage and project creation logic Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com> * fix PR comments for GitLab SBOM Push Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com> * update updateNewProjectACL to add GitLabRole to user Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com> * update gitLabToken parameter name Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com> --------- Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com>
…erver into gitlab-integration-bom-upload Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>
Signed-off-by: Alexis Lamb <alexis.lamb@lmco.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
…to gitlab-integration-bom-upload-fix-mcs
nscuro requested changes (Jul 27, 2025)
Comment on lines +54 to +71
| Permissions.Constants.POLICY_MANAGEMENT, | ||
| Permissions.Constants.POLICY_MANAGEMENT_CREATE, | ||
| Permissions.Constants.POLICY_MANAGEMENT_READ, | ||
| Permissions.Constants.POLICY_MANAGEMENT_UPDATE, | ||
| Permissions.Constants.POLICY_MANAGEMENT_DELETE)), | ||
| OWNER(50, "GitLab Project Owner", Set.of( | ||
| Permissions.Constants.ACCESS_MANAGEMENT, | ||
| Permissions.Constants.ACCESS_MANAGEMENT_CREATE, | ||
| Permissions.Constants.ACCESS_MANAGEMENT_READ, | ||
| Permissions.Constants.ACCESS_MANAGEMENT_UPDATE, | ||
| Permissions.Constants.ACCESS_MANAGEMENT_DELETE, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION_CREATE, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION_READ, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE, | ||
| Permissions.Constants.SYSTEM_CONFIGURATION_DELETE, | ||
| Permissions.Constants.TAG_MANAGEMENT, | ||
| Permissions.Constants.TAG_MANAGEMENT_DELETE)); |
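Review bot: The OWNER mapping at the end of this hunk grants `ACCESS_MANAGEMENT_*` and `SYSTEM_CONFIGURATION_*`, and the preceding role grants `POLICY_MANAGEMENT_*`; none of these constants carry a project scope, so a role assigned automatically from a GitLab access level hands out instance-wide administration to every project owner. Suggest limiting GitLab-derived roles to permissions that can be evaluated per project, and adding a unit test that asserts no `GitLabRole` value includes `ACCESS_MANAGEMENT` or `SYSTEM_CONFIGURATION`, so the mapping cannot regress silently.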
Member:
These permissions are currently not scoped to projects, but apply to the entire system. This would make all project owners also system administrators, which is not what we want.
Author (Contributor):
@nscuro I pushed a revised version of this (and removed the duplicate definitions in GitLabClient.java). Let me know what you think
| @FormDataParam("isLatest") @DefaultValue("false") boolean isLatest) { | ||
|
|
||
| try (QueryManager qm = new QueryManager()) { | ||
| Function<ConfigPropertyConstants, ConfigProperty> propertyGetter = cpc -> qm.getConfigProperty( |
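Review bot: `propertyGetter` captures `qm`, which is closed as soon as the try-with-resources block at the top of this hunk exits; if the lambda is handed to `uploadBom` or otherwise outlives the block, it will execute against a closed `QueryManager`. Either resolve the needed `ConfigProperty` values eagerly inside the block and pass the results on, or keep every use of the lambda inside the block; and if anything here writes to the database, wrap the block as `qm.callInTransaction(...)` as already requested.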
Member:
Please wrap this in a transaction using qm.callInTransaction.
Author (Contributor):
Is this still necessary if the new method performs only read operations? At the end it makes a call to the pre-existing uploadBom method, which already uses a transaction
…load-fix-mcs Resolve merge conflicts
Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>
…RL (#16) Signed-off-by: Emmanuel Meremikwu <emmanuel.meremikwu@lmco.com>
Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
* fix: add null check for access level field in gitlab token Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> * Update apiserver/src/main/java/org/dependencytrack/resources/v1/BomResource.java Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com> --------- Signed-off-by: Allen Shearin <allen.p.shearin@gmail.com>
Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>
…erver into gitlab-integration-bom-upload
Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>
Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>
Signed-off-by: Jonathan Howard <jonathan.w.howard@lmco.com>
…gitlab-integration
Description
This PR adds an integration for authentication and authorization using GitLab as an OIDC issuer. Its purpose is to synchronize a user's projects and roles/max access levels per project within GitLab to a DependencyTrack instance.
It includes:
- `OidcAuthenticationCustomizer` service provider interface specific to GitLab
- `GitLabSyncer` integration class
- `GitLabClient` class for querying the GraphQL API to retrieve user's projects and access levels per project

Supersedes #1052
Addressed Issue
Additional Details
Checklist
- This PR fixes a defect, and I have provided tests to verify that the fix is effective
- This PR introduces changes to the database model, and I have updated the migration changelog accordingly
- This PR introduces new or alters existing behavior, and I have updated the documentation accordingly