Merge remote-tracking branch 'upstream/master' into osv-support-enable-flag

Author: sahibamittal

.github/workflows/ci-publish.yaml

@@ -66,8 +66,7 @@ jobs:
 
       - name: Update Release
         env:
-          # or change it to a custom PAT that should be credited for the release
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
         run: |-
           cat << EOF >> .github/default-release-notes.md
           \`\`\`text

.github/workflows/ci-release.yaml

@@ -30,20 +30,17 @@ jobs:
           cache: 'npm'
 
       - name: Bump version and tag via NodeJS
-        # if you use a bot-user to create the release in the next step
-        # then it might be a solid idea to change the git config values below to the bot-user's name + email
         run: |-
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config user.name "dependencytrack-bot"
+          git config user.email "106437498+dependencytrack-[email protected]"
 
           npm version ${{ github.event.inputs.version-to-bump }} -m "prepare-release: set version to %s"
 
           git push origin "HEAD:refs/heads/master"
 
       - name: Create GitHub Release
         env:
-          # or change it to a custom PAT that should be credited for the release
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
           GH_OPTS: ""
         run: |-
           VERSION=`jq -r '.version' package.json`

package-lock.json

@@ -8,7 +8,8 @@
         boundary="viewport"
         tag="div"
         class="text-center">
-        <strong>{{ $t('message.profile') }}</strong>
+        {{ $t('message.connected_as') }}
+        <strong>{{ user }}</strong>
       </b-dropdown-header>
       <b-dropdown-item v-if="canUpdateProfile()" v-b-modal.profileEditModal><i class="fa fa-user text-primary" /> {{ $t('message.profile_update') }}</b-dropdown-item>
       <b-dropdown-item v-if="canChangePassword()" to="/change-password"><i class="fa fa-key text-primary" /> {{ $t('message.change_password') }}</b-dropdown-item>
@@ -22,18 +23,25 @@
   import { HeaderDropdown as AppHeaderDropdown } from '@coreui/vue'
   import EventBus from '../shared/eventbus';
   import { decodeToken, getToken } from '../shared/permissions'
+  import globalVarsMixin from "../mixins/globalVarsMixin";
 
   export default {
     name: 'DefaultHeaderProfileDropdown',
+    mixins: [globalVarsMixin],
     components: {
       AppHeaderDropdown
     },
     data: () => {
-      return { 
+      return {
         itemsCount: 42,
         identityProvider: decodeToken(getToken()).idp
       }
     },
+    computed: {
+      user() {
+        return this.currentUser.fullname || this.currentUser.username
+      }
+    },
     methods: {
       logout: function () {
         // Instructs all tabs (via localStorage event) that the session is being invalidated

src/containers/DefaultHeaderProfileDropdown.vue

@@ -59,6 +59,7 @@
     "name": "Name",
     "published": "Published",
     "cwe": "CWE",
+    "cwe_full": "Common Weakness Enumeration (CWE)",
     "cwe_id": "CWE ID",
     "cwe_desc": "Common Weakness Enumeration (CWE) is a taxonomy of software and hardware weakness types",
     "select_cwe": "Select CWE",
@@ -99,6 +100,7 @@
     "component_created": "Component created",
     "component_updated": "Component updated",
     "component_deleted": "Component deleted",
+    "component_hash": "Component Hash",
     "property_created": "Property created",
     "property_deleted": "Property deleted",
     "create_project": "Create Project",
@@ -237,6 +239,7 @@
     "hashes": "Hashes",
     "component_name": "Component name",
     "component_namespace_group_vendor": "Namespace / group / vendor",
+    "component_author": "Author",
     "coordinates": "Coordinates",
     "coordinates_version_tooltip": "You can use the comparison operators >, <, >=, <=, == and != to match specific versions or version ranges",
     "package_url_full": "Package URL (PURL)",
@@ -262,6 +265,7 @@
     "component_name_desc": "The name of the component as provided by the supplier",
     "component_version_desc": "The version of the component as provided by the supplier",
     "component_group_desc": "The suppliers higher-level namespace, group, or vendor identifier",
+    "component_author_desc": "The author of the component",
     "component_package_url_desc": "A Valid Package URL is required for libraries and frameworks. PURL syntax: pkg:type/namespace/name@version?qualifiers#subpath",
     "component_cpe_desc": "The CPE v2.2 or v2.3 URI as provided by MITRE or NIST. All assets (applications, operating systems, and hardware) should have a CPE specified",
     "component_swid_tagid_desc": "The ISO/IEC 19770-2:2015 (SWID) tag ID provided by the software vendor",
@@ -275,7 +279,7 @@
     "component_removed": "Component removed",
     "required_project_name": "The project name is required",
     "project_name_desc": "The name of the project or component as provided by the supplier",
-    "profile": "Profile",
+    "connected_as": "Connected as",
     "profile_update": "Update Profile",
     "profile_updated": "Profile updated",
     "logout": "Logout",
@@ -436,6 +440,9 @@
     "internal_identification_queued": "Internal component identification queued",
     "internal_identification_error": "An error occurred queueing internal component identification. Check server logs for details",
     "analyzer_internal_enable": "Enable internal analyzer",
+    "analyzer_internal_fuzzy_enable": "Enable fuzzy CPE matching. Helps with inconsistent NVD data, highlighting missing risks but also increasing false positives",
+    "analyzer_internal_fuzzy_exclude_purl": "Enable fuzzy CPE matching on components that have a Package URL (PURL) defined",
+    "analyzer_internal_fuzzy_exclude_internal": "Enable fuzzy CPE matching on internal components",
     "analyzer_internal_desc": "The internal analyzer evaluates components against an internal vulnerability database derived from the National Vulnerability Database, GitHub Advisories (if enabled) and VulnDB (if enabled). This analyzer makes use of the Common Platform Enumeration (CPE) defined in components. Components with a valid CPE will be evaluated with this analyzer.",
     "analyzer_ossindex_enable": "Enable OSS Index analyzer",
     "analyzer_ossindex_desc": "OSS Index is a service provided by Sonatype which identifies vulnerabilities in third-party components. Dependency-Track integrates natively with the OSS Index service to provide highly accurate results. Use of this analyzer requires a valid PackageURL for the components being analyzed.",
@@ -460,6 +467,7 @@
     "enabled": "Enabled",
     "integration_fortify_ssc_enable": "Enable Fortify SSC integration",
     "integration_defectdojo_enable": "Enable DefectDojo integration",
+    "integration_defectdojo_reimport_enable": "Enable reimport",
     "synchronization_cadence_minutes": "Synchronization cadence (in minutes)",
     "synchronization_cadence_restart_required": "Restarting Dependency-Track is required for cadence changes to take effect",
     "integration_kenna_enable": "Enable Kenna Security integration",
@@ -529,7 +537,23 @@
     "repository_deleted": "Repository deleted",
     "portfolio_access_control": "Portfolio Access Control",
     "project_access": "Project access",
-    "select_project": "Select Project"
+    "select_project": "Select Project",
+    "create_template": "Create Template",
+    "template_created": "Template created",
+    "delete_template": "Delete Template",
+    "template_deleted": "Template deleted",
+    "template_basedir": "Template base directory",
+    "template_basedir_tooltip": "This property is used as base directory for notification templates search",
+    "general_template_configuration": "General template configuration",
+    "template_override_description": "Switching the template override control on and providing a template base directory allow you to override Dependency Track default notification publisher templates.",
+    "template_override_file_hierarchy": "Any Pebble templates available in the template base directory with the appropriate directory hierarchy and naming scheme (e.g ${base directory}/templates/notification/publisher/email.peb) will override Dependency Track default one.",
+    "template_override_security_warning": "You must set appropriate rights to the template base directory to prevent untrusted third party from supplying fraudulent Pebble templates that could lead to potential remote code execution.",
+    "template_override_restart_needed": "Dependency Track restart is required for the modifications to be taken into account.",
+    "enable_default_template_override": "Enable default template override",
+    "restore_default_template": "Restore default templates",
+    "default_template_restored": "Default templates restored",
+    "clone_template": "Clone Template",
+    "template_cloned": "Template cloned"
   },
   "condition": {
     "warning": "Warning",
@@ -547,7 +571,23 @@
     "is": "is",
     "is_not": "is not",
     "matches": "matches",
-    "no_match": "does not match"
+    "no_match": "does not match",
+    "contains_any": "contains any",
+    "contains_all": "contains all"
+  },
+  "hashes" : {
+    "md5": "MD5",
+    "sha_1": "SHA-1",
+    "sha_256": "SHA-256",
+    "sha_384": "SHA-384",
+    "sha_512": "SHA-512",
+    "sha3_256": "SHA3-256",
+    "sha3_384": "SHA3-384",
+    "sha3_512": "SHA3-512",
+    "blake_256": "BLAKE2b-256",
+    "blake_384": "BLAKE2b-384",
+    "blake_512": "BLAKE2b-512",
+    "blake3": "BLAKE3"
   },
   "policy_violation": {
     "fails": "Violation Failures",

src/i18n/locales/en.json

@@ -1,10 +1,12 @@
 import Vue from 'vue'
 import axios from "axios";
+import EventBus from "@/shared/eventbus";
 
 export default {
   data () {
     return {
-      dtrack: Object
+      dtrack: Object,
+      currentUser: Object
     }
   },
   created() {
@@ -17,5 +19,19 @@ export default {
           }
         );
     }
+    if (this.$currentUser) {
+      this.currentUser = this.$currentUser;
+    } else {
+      EventBus.$emit('profileUpdated');
+    }
+  },
+  mounted() {
+    EventBus.$on('profileUpdated', () => {
+      axios.get(`${Vue.prototype.$api.BASE_URL}/${Vue.prototype.$api.URL_USER_SELF}`)
+        .then((result) => {
+            this.currentUser = result.data;
+          }
+        );
+    });
   }
 }

src/mixins/globalVarsMixin.js

@@ -262,7 +262,8 @@ router.beforeEach((to, from, next) => {
       // let backend verify the token
       router.app.axios.get(`${router.app.$api.BASE_URL}/${router.app.$api.URL_USER_SELF}`, {
         headers: { 'Authorization': `Bearer ${jwt}` }
-      }).then(() => {
+      }).then((result) => {
+        Vue.prototype.$currentUser = result.data
         // allowed to proceed
         next();
       }).catch(() => {

src/router/index.js

@@ -82,7 +82,7 @@ export default {
               <b-row class="expanded-row">
                   <b-col sm="6">
                     <b-input-group-form-input id="input-oidcgroup-name" :label="$t('admin.oidc_group_name')" input-group-size="mb-3"
-                                              required="true" type="text" v-model="oidcGroup.name" lazy="true"
+                                              required="true" type="text" v-model="oidcGroup.name" lazy="true" autofocus="true"
                                               v-debounce:750ms="updateOidcGroup" :debounce-events="'keyup'" />
                     <b-form-group :label="this.$t('admin.mapped_teams')">
                       <div class="list-group">

src/views/administration/accessmanagement/OidcGroups.vue

@@ -112,7 +112,7 @@
                 <b-row class="expanded-row">
                   <b-col sm="6">
                     <b-input-group-form-input id="input-team-name" :label="$t('admin.team_name')" input-group-size="mb-3"
-                                              required="true" type="text" v-model="name" lazy="true"
+                                              required="true" type="text" v-model="name" lazy="true" autofocus="true"
                                               v-debounce:750ms="updateTeam" :debounce-events="'keyup'" />
                     <b-form-group :label="this.$t('admin.api_keys')">
                       <div class="list-group">

src/views/administration/accessmanagement/Teams.vue

@@ -2,12 +2,12 @@
   <b-card no-body :header="header">
     <b-card-body>
       <c-switch id="scannerEnabled" color="primary" v-model="scannerEnabled" label v-bind="labelIcon" />{{$t('admin.analyzer_internal_enable')}}
-      <!--
       <br/>
       <c-switch id="scannerCpeFuzzyEnableInput" color="primary" v-model="scannerCpeFuzzyEnableInput" label v-bind="labelIcon" />{{$t('admin.analyzer_internal_fuzzy_enable')}}
       <br/>
       <c-switch id="scannerCpeFuzzyExcludePurlInput" color="primary" v-model="scannerCpeFuzzyExcludePurlInput" label v-bind="labelIcon" />{{$t('admin.analyzer_internal_fuzzy_exclude_purl')}}
-      -->
+      <br/>
+      <c-switch id="scannerCpeFuzzyExcludeInternalInput" color="primary" v-model="scannerCpeFuzzyExcludeInternalInput" label v-bind="labelIcon" />{{$t('admin.analyzer_internal_fuzzy_exclude_internal')}}
       <hr/>
       {{ $t('admin.analyzer_internal_desc') }}
     </b-card-body>
@@ -34,7 +34,8 @@
       return {
         scannerEnabled: false,
         scannerCpeFuzzyEnableInput: false,
-        scannerCpeFuzzyExcludePurlInput: false,
+        scannerCpeFuzzyExcludePurlInput: true,
+        scannerCpeFuzzyExcludeInternalInput: true,
         labelIcon: {
           dataOn: '\u2713',
           dataOff: '\u2715'
@@ -44,11 +45,15 @@
     methods: {
       saveChanges: function() {
         this.updateConfigProperties([
-          {groupName: 'scanner', propertyName: 'internal.enabled', propertyValue: this.scannerEnabled}
-          // TODO: Future
-          // {groupName: 'scanner', propertyName: 'internal.fuzzy.enabled', propertyValue: this.fuzzyEnabled}
-          // {groupName: 'scanner', propertyName: 'internal.fuzzy.exclude.purl', propertyValue: this.fuzzyExcludePurl}
+          {groupName: 'scanner', propertyName: 'internal.enabled', propertyValue: this.scannerEnabled},
+          {groupName: 'scanner', propertyName: 'internal.fuzzy.enabled', propertyValue: this.scannerCpeFuzzyEnableInput},
+          {groupName: 'scanner', propertyName: 'internal.fuzzy.exclude.purl', propertyValue: !this.scannerCpeFuzzyEnableInput || !this.scannerCpeFuzzyExcludePurlInput},
+          {groupName: 'scanner', propertyName: 'internal.fuzzy.exclude.internal', propertyValue: !this.scannerCpeFuzzyEnableInput || !this.scannerCpeFuzzyExcludeInternalInput}
         ]);
+        if (!this.scannerCpeFuzzyEnableInput){
+          this.scannerCpeFuzzyExcludePurlInput = false;
+          this.scannerCpeFuzzyExcludeInternalInput = false;
+        }
       }
     },
     created () {
@@ -62,7 +67,9 @@
             case "internal.fuzzy.enabled":
               this.scannerCpeFuzzyEnableInput = common.toBoolean(item.propertyValue); break;
             case "internal.fuzzy.exclude.purl":
-              this.scannerCpeFuzzyExcludePurlInput = common.toBoolean(item.propertyValue); break;
+              this.scannerCpeFuzzyExcludePurlInput = !common.toBoolean(item.propertyValue); break;
+            case "internal.fuzzy.exclude.internal":
+              this.scannerCpeFuzzyExcludeInternalInput = !common.toBoolean(item.propertyValue); break;
           }
         }
       });