
feat: add UNKNOWN enum value to Vulnerability sources#1948

Open
fahedouch wants to merge 1 commit into DependencyTrack:main from fahedouch:add-unknown-to-enum

Conversation


@fahedouch fahedouch commented Mar 27, 2026

Description

When the system encountered vulnerability sources not defined in the enum, it threw an IllegalArgumentException: No enum constant org.dependencytrack.model.Vulnerability.Source.UNKNOWN and failed to process the vulnerability. Adding the UNKNOWN enum value allows the system to gracefully handle unrecognized vulnerability sources instead of crashing.

I discovered this issue when testing this PR

Addressed Issue

Additional Details

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have updated the migration changelog accordingly
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

Signed-off-by: Fahed Dorgaa <fahed.dorgaa@gmail.com>
Copilot AI review requested due to automatic review settings March 27, 2026 23:10

Copilot AI left a comment


Pull request overview

Adds an UNKNOWN value to Vulnerability.Source so code paths that parse "UNKNOWN" via Vulnerability.Source.valueOf(...) no longer throw IllegalArgumentException, improving resilience when encountering placeholder/unrecognized vulnerability sources.

Changes:

  • Add UNKNOWN enum value to Vulnerability.Source.
  • Update enum constant list formatting to accommodate the new value.
Comments suppressed due to low confidence (1)

apiserver/src/main/java/org/dependencytrack/model/Vulnerability.java:139

  • isKnownSource() currently returns true for UNKNOWN (since it’s now part of values()). Callers like CycloneDXVexImporter use this check to reject unsupported sources, so treating UNKNOWN as "known" may let placeholder/invalid sources through. Consider explicitly excluding UNKNOWN from this predicate (or renaming the method to reflect the new semantics).
        public static boolean isKnownSource(String source) {
            return Arrays.stream(values()).anyMatch(enumSource -> enumSource.name().equalsIgnoreCase(source));
        }


Comment on lines +134 to +135
CSAF, // CSAF Vulnerability sources
UNKNOWN; // Unknown or unrecognized vulnerability source
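Review bot: the new constant only makes Vulnerability.Source.valueOf("UNKNOWN") succeed; any other unrecognized source string (or a lowercase "unknown", since valueOf is case-sensitive) still throws IllegalArgumentException, so the description's goal of handling unrecognized sources gracefully is only met for the literal "UNKNOWN" value. Consider adding a lenient lookup next to the enum, e.g. a static method that scans values() with equalsIgnoreCase and returns UNKNOWN for anything unmatched, and routing the parsing call sites through it instead of valueOf, so that UNKNOWN becomes the fallback rather than just one more accepted name.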

Copilot AI Mar 27, 2026


Source enum now includes UNKNOWN, but the enum-level documentation says it defines sources "supported" by Dependency-Track. Consider updating the wording to explicitly mention that UNKNOWN is a fallback placeholder (i.e., not an authoritative/supported feed) to avoid misleading future readers and API users.

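The two failure modes discussed in this thread, valueOf throwing on anything that is not an exact constant name and isKnownSource treating UNKNOWN as a supported feed, are easy to see side by side in a small stand-alone class. The code below is an added illustration, not Dependency-Track's own code: it reuses only the CSAF and UNKNOWN constants and the isKnownSource shape shown in the review; the other constants, the Source.lenient and Source.isAuthoritativeSource names, and the sample inputs are assumptions made for this example.

```java
import java.util.Arrays;

// Added example, not part of the Dependency-Track code base.
public class SourceParsingExample {

    // Reduced copy of the enum shape from the PR; NVD and OSSINDEX are
    // assumed feed names used here only to make the list non-trivial.
    public enum Source {
        NVD,
        OSSINDEX,
        CSAF,     // CSAF vulnerability sources
        UNKNOWN;  // fallback placeholder, not an authoritative feed

        // Behaviour every call site gets today: valueOf is exact-match and
        // case-sensitive, and throws for anything else (NPE for null).
        public static Source strict(String s) {
            return valueOf(s);
        }

        // Lenient lookup (assumed name): null, blank and unmatched input all
        // collapse to UNKNOWN instead of throwing, so one unrecognized source
        // no longer aborts processing of the whole vulnerability.
        public static Source lenient(String s) {
            if (s == null || s.isBlank()) {
                return UNKNOWN;
            }
            final String wanted = s.trim();
            return Arrays.stream(values())
                    .filter(v -> v.name().equalsIgnoreCase(wanted))
                    .findFirst()
                    .orElse(UNKNOWN);
        }

        // Same predicate as the reviewed isKnownSource: after this PR it
        // answers true for "UNKNOWN" because UNKNOWN is now in values().
        public static boolean isKnownSource(String source) {
            return Arrays.stream(values())
                    .anyMatch(v -> v.name().equalsIgnoreCase(source));
        }

        // Assumed variant addressing the review comment: a source counts as
        // authoritative only if it resolves to a real feed, never to UNKNOWN.
        public static boolean isAuthoritativeSource(String source) {
            return lenient(source) != UNKNOWN;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: exact name, wrong case, an unrecognized
        // feed name, empty and null.
        final String[] inputs = {"CSAF", "unknown", "SOME-OTHER-FEED", "", null};
        for (String input : inputs) {
            String strict;
            try {
                strict = Source.strict(input).name();
            } catch (RuntimeException e) {
                strict = e.getClass().getSimpleName();
            }
            System.out.printf(
                    "%-16s strict=%-24s lenient=%-8s isKnownSource=%-5b authoritative=%b%n",
                    input, strict, Source.lenient(input),
                    Source.isKnownSource(input), Source.isAuthoritativeSource(input));
        }
    }
}
```

Running main shows strict failing with IllegalArgumentException for "unknown" and "SOME-OTHER-FEED" and NullPointerException for null, while lenient returns UNKNOWN for all three and for the empty string. isKnownSource("unknown") is true, which is the behaviour the review flags; an importer that wants to reject placeholder sources should gate on isAuthoritativeSource (or an equivalent that excludes UNKNOWN) instead.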
@codacy-production

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation                 Diff coverage
Report missing for d89d8951 [1]    100.00% (target: 70.00%)
Coverage variation details
                                   Coverable lines   Covered lines    Coverage
Common ancestor commit (d89d895)   Report Missing    Report Missing   Report Missing
Head commit (c60f8db)              25827             22100            85.57%

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
                                   Coverable lines   Covered lines    Diff coverage
Pull request (#1948)               2                 2                100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


Footnotes

  1. Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.
