Resolve merge conflicts

.github/workflows/_meta-build.yaml

@@ -67,13 +67,20 @@ jobs:
           mvn -B -Pquick -Dservices.bom.merge.skip=false package
 
       - name: Upload Artifacts
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2
         with:
           name: assembled-wars
           path: |-
             apiserver/target/*.jar
             apiserver/target/bom.json
 
+      - name: Upload OpenAPI Spec
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2
+        with:
+          name: openapi-spec
+          path: |-
+            api/target/classes/**/openapi.yaml
+
   build-container:
     runs-on: ubuntu-latest
     timeout-minutes: 5

.github/workflows/ci-openapi.yaml

@@ -0,0 +1,59 @@
+# This file is part of Dependency-Track.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+name: OpenAPI
+
+on:
+  pull_request:
+    paths:
+    - api/src/main/openapi/**
+    - api/src/main/spectral/**
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions: { }
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+    timeout-minutes: 5
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+    - name: Lint OpenAPI Spec
+      uses: stoplightio/spectral-action@6416fd018ae38e60136775066eb3e98172143141 # tag=v0.8.13
+      with:
+        spectral_ruleset: "api/src/main/spectral/ruleset.yaml"
+        file_glob: "api/src/main/openapi/openapi.yaml"
+
+  breaking-changes:
+    name: Breaking Changes
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+    - name: Detect Breaking Changes
+      uses: oasdiff/oasdiff-action/breaking@1c611ffb1253a72924624aa4fb662e302b3565d3 # tag=v0.0.21
+      with:
+        base: https://raw.githubusercontent.com/${{ github.repository }}/refs/heads/main/api/src/main/openapi/openapi.yaml
+        revision: api/src/main/openapi/openapi.yaml
+        fail-on: ERR

.mvn/maven-build-cache-config.xml

@@ -31,7 +31,7 @@
     </configuration>
     <input>
         <global>
-            <glob>{*.java,*.properties,*.proto,*.sql,*.xml}</glob>
+            <glob>{*.java,*.properties,*.proto,*.sql,*.xml,*.yaml}</glob>
             <includes>
                 <include>src/</include>
             </includes>

alpine/alpine-executable-war/src/main/java/alpine/embedded/EmbeddedJettyServer.java

@@ -43,6 +43,7 @@
 
 /**
  * The primary class that starts an embedded Jetty server
+ *
  * @author Steve Springett
  * @since 1.0.0
  */
@@ -73,7 +74,7 @@ public static void main(final String[] args) throws Exception {
 
         final Server server = new Server();
         final HttpConfiguration httpConfig = new HttpConfiguration();
-        httpConfig.addCustomizer( new org.eclipse.jetty.server.ForwardedRequestCustomizer() ); // Add support for X-Forwarded headers
+        httpConfig.addCustomizer(new org.eclipse.jetty.server.ForwardedRequestCustomizer()); // Add support for X-Forwarded headers
 
         // Enable legacy (mimicking Jetty 9) URI compliance.
         // This is required to allow URL encoding in path segments, e.g. "/foo/bar%2Fbaz".
@@ -89,7 +90,7 @@ public static void main(final String[] args) throws Exception {
         //  here, the only viable long-term solution is to adapt REST APIs to follow Servlet API 6 spec.
         httpConfig.setUriCompliance(UriCompliance.LEGACY);
 
-        final HttpConnectionFactory connectionFactory = new HttpConnectionFactory( httpConfig );
+        final HttpConnectionFactory connectionFactory = new HttpConnectionFactory(httpConfig);
         final ServerConnector connector = new ServerConnector(server, connectionFactory);
         connector.setHost(host);
         connector.setPort(port);
@@ -102,6 +103,7 @@ public static void main(final String[] args) throws Exception {
         context.setErrorHandler(new ErrorHandler());
         context.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
         context.setAttribute("org.eclipse.jetty.server.webapp.ContainerIncludeJarPattern", ".*/[^/]*taglibs.*\\.jar$");
+        context.setThrowUnavailableOnStartupException(true);
 
         // Prevent loading of logging classes
         context.getProtectedClassMatcher().add("org.apache.log4j.");

alpine/alpine-infra/pom.xml

@@ -31,10 +31,12 @@
         <dependency>
             <groupId>org.dependencytrack</groupId>
             <artifactId>alpine-common</artifactId>
+            <version>${project.version}</version>
         </dependency>
         <dependency>
             <groupId>org.dependencytrack</groupId>
             <artifactId>alpine-model</artifactId>
+            <version>${project.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>

alpine/alpine-model/pom.xml

@@ -31,6 +31,7 @@
         <dependency>
             <groupId>org.dependencytrack</groupId>
             <artifactId>alpine-common</artifactId>
+            <version>${project.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>

alpine/alpine-server/pom.xml

@@ -34,14 +34,17 @@
         <dependency>
             <groupId>org.dependencytrack</groupId>
             <artifactId>alpine-common</artifactId>
+            <version>${project.version}</version>
         </dependency>
         <dependency>
             <groupId>org.dependencytrack</groupId>
             <artifactId>alpine-infra</artifactId>
+            <version>${project.version}</version>
         </dependency>
         <dependency>
             <groupId>org.dependencytrack</groupId>
             <artifactId>alpine-model</artifactId>
+            <version>${project.version}</version>
         </dependency>
         <!-- Misc helper libraries -->
         <dependency>

alpine/alpine-server/src/main/java/alpine/server/filters/AuthenticationFilter.java

@@ -20,23 +20,24 @@
 
 import alpine.common.logging.Logger;
 import alpine.model.ApiKey;
-import alpine.server.auth.ApiKeyAuthenticationService;
 import alpine.server.auth.AllowApiKeyInQueryParameter;
+import alpine.server.auth.ApiKeyAuthenticationService;
 import alpine.server.auth.JwtAuthenticationService;
 import org.glassfish.jersey.server.ContainerRequest;
 import org.owasp.security.logging.SecurityMarkers;
 import org.slf4j.MDC;
 
 import jakarta.annotation.Priority;
 import jakarta.ws.rs.HttpMethod;
+import jakarta.ws.rs.NotAuthorizedException;
 import jakarta.ws.rs.Priorities;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ContainerRequestFilter;
 import jakarta.ws.rs.container.ContainerResponseContext;
 import jakarta.ws.rs.container.ContainerResponseFilter;
-import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.container.ResourceInfo;
 import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.Response;
 import javax.naming.AuthenticationException;
 import java.io.IOException;
 import java.security.Principal;
@@ -79,8 +80,7 @@ public void filter(ContainerRequestContext requestContext) {
                     }
                 } catch (AuthenticationException e) {
                     LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "Invalid API key asserted");
-                    requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-                    return;
+                    throw new NotAuthorizedException(Response.status(Response.Status.UNAUTHORIZED).build());
                 }
             }
 
@@ -90,13 +90,12 @@ public void filter(ContainerRequestContext requestContext) {
                     principal = jwtAuthService.authenticate();
                 } catch (AuthenticationException e) {
                     LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "Invalid JWT asserted");
-                    requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
-                    return;
+                    throw new NotAuthorizedException(Response.status(Response.Status.UNAUTHORIZED).build());
                 }
             }
 
             if (principal == null) {
-                requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
+                throw new NotAuthorizedException(Response.status(Response.Status.UNAUTHORIZED).build());
             } else {
                 requestContext.setProperty("Principal", principal);
                 MDC.put("principal", principal.getName());

alpine/alpine-server/src/main/java/alpine/server/filters/AuthorizationFilter.java

@@ -27,6 +27,7 @@
 import org.owasp.security.logging.SecurityMarkers;
 
 import jakarta.annotation.Priority;
+import jakarta.ws.rs.ForbiddenException;
 import jakarta.ws.rs.Priorities;
 import jakarta.ws.rs.container.ContainerRequestContext;
 import jakarta.ws.rs.container.ContainerRequestFilter;
@@ -62,8 +63,7 @@ public void filter(ContainerRequestContext requestContext) {
         final Principal principal = (Principal) requestContext.getProperty("Principal");
         if (principal == null) {
             LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "A request was made without the assertion of a valid user principal");
-            requestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
-            return;
+            throw new ForbiddenException(Response.status(Response.Status.FORBIDDEN).build());
         }
 
         final Set<String> effectivePermissions;
@@ -97,7 +97,7 @@ public void filter(ContainerRequestContext requestContext) {
             LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "Unauthorized access attempt made by %s to %s"
                     .formatted(requestPrincipal, requestUri));
 
-            requestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
+            throw new ForbiddenException(Response.status(Response.Status.FORBIDDEN).build());
         } else {
             requestContext.setProperty(EFFECTIVE_PERMISSIONS_PROPERTY, effectivePermissions);
         }

alpine/alpine-server/src/main/java/alpine/server/persistence/PersistenceManagerFactory.java

@@ -25,6 +25,7 @@
 import alpine.persistence.JdoProperties;
 import com.zaxxer.hikari.HikariConfig;
 import com.zaxxer.hikari.HikariDataSource;
+import com.zaxxer.hikari.metrics.micrometer.MicrometerMetricsTrackerFactory;
 import io.micrometer.core.instrument.FunctionCounter;
 import io.micrometer.core.instrument.Gauge;
 import org.datanucleus.PropertyNames;
@@ -347,7 +348,7 @@ private HikariConfig createBaseHikariConfig(final String poolName) {
         hikariConfig.setPassword(Config.getInstance().getPropertyOrFile(Config.AlpineKey.DATABASE_PASSWORD));
 
         if (Config.getInstance().getPropertyAsBoolean(Config.AlpineKey.METRICS_ENABLED)) {
-            hikariConfig.setMetricRegistry(Metrics.getRegistry());
+            hikariConfig.setMetricsTrackerFactory(new MicrometerMetricsTrackerFactory(Metrics.getRegistry()));
         }
 
         return hikariConfig;

alpine/pom.xml

@@ -76,12 +76,12 @@
         <!-- Dependency Versions -->
         <lib.angus-mail.version>2.0.3</lib.angus-mail.version>
         <lib.bcrypt.version>0.4</lib.bcrypt.version>
-        <lib.caffeine.version>3.2.1</lib.caffeine.version>
+        <lib.caffeine.version>3.2.2</lib.caffeine.version>
         <lib.commons.collections4.version>4.5.0</lib.commons.collections4.version>
-        <lib.commons.io.version>2.19.0</lib.commons.io.version>
-        <lib.commons.lang3.version>3.17.0</lib.commons.lang3.version>
+        <lib.commons.io.version>2.20.0</lib.commons.io.version>
+        <lib.commons.lang3.version>3.18.0</lib.commons.lang3.version>
         <lib.h2.version>2.3.232</lib.h2.version>
-        <lib.hikaricp.version>6.3.0</lib.hikaricp.version>
+        <lib.hikaricp.version>6.3.2</lib.hikaricp.version>
         <lib.javassist.version>3.30.2-GA</lib.javassist.version>
         <lib.jaxb-runtime.version>4.0.5</lib.jaxb-runtime.version>
         <lib.jdo.api.version>3.2.1</lib.jdo.api.version>
@@ -90,9 +90,9 @@
         <lib.jsr305.version>3.0.2</lib.jsr305.version>
         <lib.logback.version>1.5.18</lib.logback.version>
         <lib.logstash-logback-encoder.version>8.1</lib.logstash-logback-encoder.version>
-        <lib.micrometer.version>1.15.1</lib.micrometer.version>
+        <lib.micrometer.version>1.15.2</lib.micrometer.version>
         <lib.microprofile-health-api.version>4.0.1</lib.microprofile-health-api.version>
-        <lib.nimbus-oauth2-oidc-sdk.version>11.26</lib.nimbus-oauth2-oidc-sdk.version>
+        <lib.nimbus-oauth2-oidc-sdk.version>11.26.1</lib.nimbus-oauth2-oidc-sdk.version>
         <lib.owasp.encoder.version>1.3.1</lib.owasp.encoder.version>
         <lib.owasp.security-logging.version>1.1.7</lib.owasp.security-logging.version>
         <lib.parsson.version>1.1.7</lib.parsson.version>

api/README.md

@@ -0,0 +1,15 @@
+# api
+
+Definition of Dependency-Track's REST API, in [OpenAPI v3.0] format.
+
+The API draws inspiration from [Zalando's RESTful API Guidelines].
+
+Conformance to API guidelines is enforced with [spectral] in CI.  
+Validation may be performed locally using [`openapi-lint.sh`](../dev/scripts/openapi-lint.sh).
+
+Interfaces and model classes are generated as part of the build using [openapi-generator].
+
+[OpenAPI v3.0]: https://spec.openapis.org/oas/v3.0.3.html
+[Zalando's RESTful API Guidelines]: https://opensource.zalando.com/restful-api-guidelines/
+[openapi-generator]: https://github.com/OpenAPITools/openapi-generator
+[spectral]: https://github.com/stoplightio/spectral