Merge branch 'main' into fix/deprecate_old_commons

.github/workflows/docker_deploy.yml

@@ -173,7 +173,7 @@ jobs:
             type=ref,event=tag
 
       - name: Build image
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
         with:
           context: .
           target: sw360

backend/common/src/main/java/org/eclipse/sw360/cyclonedx/CycloneDxBOMImporter.java

@@ -154,7 +154,7 @@ private Map<String, List<org.cyclonedx.model.Component>> getVcsToComponentMap(Li
     }
 
     @SuppressWarnings("unchecked")
-    public RequestSummary importFromBOM(InputStream inputStream, AttachmentContent attachmentContent, String projectId, User user) {
+    public RequestSummary importFromBOM(InputStream inputStream, AttachmentContent attachmentContent, String projectId, User user, boolean doNotReplacePackageAndRelease) {
         RequestSummary requestSummary = new RequestSummary();
         Map<String, String> messageMap = new HashMap<>();
         requestSummary.setRequestStatus(RequestStatus.FAILURE);
@@ -192,15 +192,14 @@ public RequestSummary importFromBOM(InputStream inputStream, AttachmentContent a
 
             if (!IS_PACKAGE_PORTLET_ENABLED) {
                 vcsToComponentMap.put("", components);
-                requestSummary = importSbomAsProject(compMetadata, vcsToComponentMap, projectId, attachmentContent);
+                requestSummary = importSbomAsProject(compMetadata, vcsToComponentMap, projectId, attachmentContent, doNotReplacePackageAndRelease);
             } else {
                 vcsToComponentMap = getVcsToComponentMap(components);
                 if (componentsCount == vcsCount) {
 
-                    requestSummary = importSbomAsProject(compMetadata, vcsToComponentMap, projectId, attachmentContent);
+                    requestSummary = importSbomAsProject(compMetadata, vcsToComponentMap, projectId, attachmentContent, doNotReplacePackageAndRelease);
                 } else if (componentsCount > vcsCount) {
-
-                    requestSummary = importSbomAsProject(compMetadata, vcsToComponentMap, projectId, attachmentContent);
+                    requestSummary = importSbomAsProject(compMetadata, vcsToComponentMap, projectId, attachmentContent, doNotReplacePackageAndRelease);
 
                     if (requestSummary.requestStatus.equals(RequestStatus.SUCCESS)) {
 
@@ -365,7 +364,7 @@ public RequestSummary importFromBOM(InputStream inputStream, AttachmentContent a
     }
 
     public RequestSummary importSbomAsProject(org.cyclonedx.model.Component compMetadata,
-            Map<String, List<org.cyclonedx.model.Component>> vcsToComponentMap, String projectId, AttachmentContent attachmentContent)
+            Map<String, List<org.cyclonedx.model.Component>> vcsToComponentMap, String projectId, AttachmentContent attachmentContent, boolean doNotReplacePackageAndRelease)
                     throws SW360Exception {
         final RequestSummary summary = new RequestSummary();
         summary.setRequestStatus(RequestStatus.FAILURE);
@@ -418,7 +417,7 @@ public RequestSummary importSbomAsProject(org.cyclonedx.model.Component compMeta
         }
 
         if (IS_PACKAGE_PORTLET_ENABLED) {
-            messageMap = importAllComponentsAsPackages(vcsToComponentMap, project);
+            messageMap = importAllComponentsAsPackages(vcsToComponentMap, project, doNotReplacePackageAndRelease);
         } else {
             messageMap = importAllComponentsAsReleases(vcsToComponentMap, project);
         }
@@ -548,19 +547,25 @@ private Map<String, String> importAllComponentsAsReleases(Map<String, List<org.c
         return messageMap;
     }
 
-    private Map<String, String> importAllComponentsAsPackages(Map<String, List<org.cyclonedx.model.Component>> vcsToComponentMap, Project project) {
-
+    private Map<String, String> importAllComponentsAsPackages(Map<String, List<org.cyclonedx.model.Component>> vcsToComponentMap, Project project, boolean doNotReplacePackageAndRelease) throws SW360Exception {
         final var countMap = new HashMap<String, Integer>();
         final Set<String> duplicateComponents = new HashSet<>();
         final Set<String> duplicateReleases = new HashSet<>();
         final Set<String> duplicatePackages = new HashSet<>();
         final Set<String> invalidReleases = new HashSet<>();
         final Set<String> invalidPackages = new HashSet<>();
         final Map<String, ProjectReleaseRelationship> releaseRelationMap = CommonUtils.isNullOrEmptyMap(project.getReleaseIdToUsage()) ? new HashMap<>() : project.getReleaseIdToUsage();
+        final Set<String> projectPkgIds = CommonUtils.isNullOrEmptyCollection(project.getPackageIds()) ? new HashSet<>() : project.getPackageIds();
         countMap.put(REL_CREATION_COUNT_KEY, 0); countMap.put(REL_REUSE_COUNT_KEY, 0);
         countMap.put(PKG_CREATION_COUNT_KEY, 0); countMap.put(PKG_REUSE_COUNT_KEY, 0);
         int relCreationCount = 0, relReuseCount = 0, pkgCreationCount = 0, pkgReuseCount = 0;
 
+        if (!doNotReplacePackageAndRelease) {
+            releaseRelationMap.clear();
+            projectPkgIds.clear();
+            log.info("Cleared existing releases and packages for project: " + project.getName());
+        }
+
         for (Map.Entry<String, List<org.cyclonedx.model.Component>> entry : vcsToComponentMap.entrySet()) {
             Component comp = createComponent(entry.getKey());
             List<org.cyclonedx.model.Component> componentsFromBom = entry.getValue();

backend/common/src/main/java/org/eclipse/sw360/datahandler/db/ProjectDatabaseHandler.java

@@ -1859,6 +1859,10 @@ public RequestSummary importBomFromAttachmentContent(User user, String attachmen
     }
 
     public RequestSummary importCycloneDxFromAttachmentContent(User user, String attachmentContentId, String projectId) throws SW360Exception {
+        return importCycloneDxFromAttachmentContent(user, attachmentContentId, projectId, false);
+    }
+
+    public RequestSummary importCycloneDxFromAttachmentContent(User user, String attachmentContentId, String projectId, boolean doNotReplacePackageAndRelease) throws SW360Exception {
         final AttachmentContent attachmentContent = attachmentConnector.getAttachmentContent(attachmentContentId);
         final Duration timeout = Duration.durationOf(30, TimeUnit.SECONDS);
         try {
@@ -1867,7 +1871,7 @@ public RequestSummary importCycloneDxFromAttachmentContent(User user, String att
                     .unsafeGetAttachmentStream(attachmentContent)) {
                 final CycloneDxBOMImporter cycloneDxBOMImporter = new CycloneDxBOMImporter(this,
                         componentDatabaseHandler, packageDatabaseHandler, attachmentConnector, user);
-                return cycloneDxBOMImporter.importFromBOM(inputStream, attachmentContent, projectId, user);
+                return cycloneDxBOMImporter.importFromBOM(inputStream, attachmentContent, projectId, user, doNotReplacePackageAndRelease);
             }
         } catch (IOException e) {
             log.error("Error while importing / parsing CycloneDX SBOM! ", e);

backend/projects/src/main/java/org/eclipse/sw360/projects/ProjectHandler.java

@@ -274,6 +274,13 @@ public RequestSummary importCycloneDxFromAttachmentContent(User user, String att
         return handler.importCycloneDxFromAttachmentContent(user, attachmentContentId, projectId);
     }
 
+    @Override
+    public RequestSummary importCycloneDxFromAttachmentContentWithReplacePackageAndReleaseFlag(User user, String attachmentContentId, String projectId, boolean doNotReplacePackageAndRelease) throws SW360Exception {
+        assertId(attachmentContentId);
+        assertUser(user);
+        return handler.importCycloneDxFromAttachmentContent(user, attachmentContentId, projectId, doNotReplacePackageAndRelease);
+    }
+
     @Override
     public RequestSummary exportCycloneDxSbom(String projectId, String bomType, boolean includeSubProjReleases, User user) throws SW360Exception {
         assertId(projectId);

libraries/datahandler/src/main/thrift/projects.thrift

@@ -612,6 +612,12 @@ service ProjectService {
      */
     RequestSummary importCycloneDxFromAttachmentContent(1: User user, 2: string attachmentContentId, 3: string projectId) throws (1: SW360Exception exp);
 
+    /**
+    * Parse a CycloneDx SBoM file (XML or JSON) during re-import on a project and write the information to SW360 as Project / Component / Release / Package
+    * with replaceReleaseAndPackageFlag
+    */
+    RequestSummary importCycloneDxFromAttachmentContentWithReplacePackageAndReleaseFlag(1: User user, 2: string attachmentContentId, 3: string projectId, 4: bool doNotReplacePackageAndRelease) throws (1: SW360Exception exp);
+
     /**
      * Export a CycloneDx SBoM file (XML or JSON) for a Project
      */

pom.xml

@@ -77,7 +77,7 @@
     <maven-assembly-plugin.version>3.4.2</maven-assembly-plugin.version>
     <maven-bundle-plugin.version>5.1.8</maven-bundle-plugin.version>
     <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
-    <maven-dependency-plugin.version>3.3.0</maven-dependency-plugin.version>
+    <maven-dependency-plugin.version>3.8.1</maven-dependency-plugin.version>
     <maven-enforcer-plugin.version>3.5.0</maven-enforcer-plugin.version>
     <maven-failsafe-plugin.version>3.3.0</maven-failsafe-plugin.version>
     <maven-jar-plugin.version>3.4.2</maven-jar-plugin.version>
@@ -92,7 +92,7 @@
     <json-path.version>2.9.0</json-path.version>
     <json-smart.version>2.4.10</json-smart.version>
     <json-simple.version>4.0.1</json-simple.version>
-    <jackson.version>2.18.1</jackson.version>
+    <jackson.version>2.18.2</jackson.version>
 
     <!-- Dependencies version properties -->
     <assertj.version>3.26.3</assertj.version>
@@ -105,7 +105,7 @@
     <commons-configuration.version>1.10</commons-configuration.version>
     <commons-csv.version>1.12.0</commons-csv.version>
     <commons-io.version>2.17.0</commons-io.version>
-    <commons-lang3.version>3.12.0</commons-lang3.version>
+    <commons-lang3.version>3.17.0</commons-lang3.version>
     <commons-text.version>1.12.0</commons-text.version>
     <dom4j.version>2.1.4</dom4j.version>
     <equalsverifier.version>3.17.3</equalsverifier.version>
@@ -150,17 +150,13 @@
     <spring-boot.version>3.3.3</spring-boot.version>
     <spring-restdocs.version>3.0.1</spring-restdocs.version>
     <spring-security-jwt.version>1.1.1.RELEASE</spring-security-jwt.version>
-    <spring-security-oauth2-authorization-server.version>1.3.3</spring-security-oauth2-authorization-server.version>
+    <spring-security-oauth2-authorization-server.version>1.4.0</spring-security-oauth2-authorization-server.version>
     <spring-security.version>6.4.1</spring-security.version>
-    <springdoc-openapi-hateos.version>2.6.0</springdoc-openapi-hateos.version>
-    <springdoc-openapi-security.version>2.6.0</springdoc-openapi-security.version>
-    <springdoc-openapi-stater-common.version>2.6.0</springdoc-openapi-stater-common.version>
-    <springdoc-openapi-ui.version>1.7.0</springdoc-openapi-ui.version>
-    <springdoc-openapi-webmvc.version>2.6.0</springdoc-openapi-webmvc.version>
+    <springdoc-openapi-stater-common.version>2.7.0</springdoc-openapi-stater-common.version>
     <springframework.version>6.2.0</springframework.version>
     <thrift.version>0.20.0</thrift.version>
     <tika.version>1.28.5</tika.version>
-    <wiremock.version>2.26.0</wiremock.version>
+    <wiremock.version>2.35.2</wiremock.version>
     <version.hibernate.javax.persistence>1.0.0.Final</version.hibernate.javax.persistence>
     <arquillian-graphene.version>2.5.4</arquillian-graphene.version>
     <version.jee.jaxb.api>2.3.1</version.jee.jaxb.api>

rest/resource-server/pom.xml

@@ -197,7 +197,7 @@
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
-            <version>${springdoc-openapi-webmvc.version}</version>
+            <version>${springdoc-openapi-stater-common.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springdoc</groupId>

rest/resource-server/src/docs/asciidoc/projects.adoc

@@ -930,7 +930,15 @@ include::{snippets}/should_document_import_cyclonedx/http-response.adoc[]
 [[resources-import-sbom-on-project]]
 ==== Import SBOM on project
 
-A `POST` request is used to import a SBOM on a project. Currently only CycloneDX(.xml/.json) files are supported.
+A `POST` request is used to import a SBOM on a project. The project’s releases and packages will be replaced with the latest data from the SBOM. Currently only CycloneDX(.xml/.json) files are supported.
+
+[red]#Request parameter#
+|===
+|Parameter |Description
+
+|doNotReplacePackageAndRelease
+|When importing an SBOM into an existing project, the project’s releases and packages will be replaced with the latest data from the SBOM. Use the parameter `doNotReplacePackageAndRelease=true` to import new data without replacing the existing releases and packages.
+|===
 
 [red]#Request body#
 |===

rest/resource-server/src/docs/asciidoc/schedule.adoc

@@ -90,3 +90,102 @@ include::{snippets}/should_document_schedule_cve_search/curl-request.adoc[]
 
 ===== Example response
 include::{snippets}/should_document_schedule_cve_search/http-response.adoc[]
+
+[[schedule-svmsync]]
+==== Schedule svm sync for user.
+
+A `POST` request will schedule svm sync for user.
+
+===== Example request
+include::{snippets}/should_document_schedule_svm_sync/curl-request.adoc[]
+
+===== Example response
+include::{snippets}/should_document_schedule_svm_sync/http-response.adoc[]
+
+[[unschedule-svmSync]]
+==== Cancel schedule svm sync for user.
+
+A `DELETE` request will cancel schedule svm sync for user.
+
+===== Example request
+include::{snippets}/should_document_cancel_schedule_svm_sync/curl-request.adoc[]
+
+===== Example response
+include::{snippets}/should_document_cancel_schedule_svm_sync/http-response.adoc[]
+
+[[reverse-svmmatch]]
+==== Svm reverse match for user.
+
+A `POST` request will reverse svm match.
+
+===== Example request
+include::{snippets}/should_document_reverse_svm_match/curl-request.adoc[]
+
+===== Example response
+include::{snippets}/should_document_reverse_svm_match/http-response.adoc[]
+
+[[unschedule-reversematch]]
+==== Cancel reverse match for user.
+
+A `DELETE` request will cancel the reverse match.
+
+===== Example request
+include::{snippets}/should_document_cancel_reverse_match/curl-request.adoc[]
+
+===== Example response
+include::{snippets}/should_document_cancel_reverse_match/http-response.adoc[]
+
+[[tracking-feedback]]
+==== Tracking feedback for user.
+
+A `POST` request will track the user feedback.
+
+===== Example request
+include::{snippets}/should_document_track_feedback/curl-request.adoc[]
+
+===== Example response
+include::{snippets}/should_document_track_feedback/http-response.adoc[]
+
+[[monitoring-listUpdate]]
+==== Monitoring a svm list Update.
+
+A `POST` request will update svm list.
+
+===== Example request
+include::{snippets}/should_document_svm_list_update/curl-request.adoc[]
+
+===== Example response
+include::{snippets}/should_document_svm_list_update/http-response.adoc[]
+
+[[cancel-monitoringlist]]
+==== Cancel monitoring svm list and update.
+
+A `DELETE` request will cancel the monitoring svm list and update.
+
+===== Example request
+include::{snippets}/should_document_cancel_monitoring_svm_list/curl-request.adoc[]
+
+===== Example response
+include::{snippets}/should_document_cancel_monitoring_svm_list/http-response.adoc[]
+
+[[src-upload]]
+==== Source attachment upload service.
+
+A `POST` request will upload the source attachment.
+
+===== Example request
+include::{snippets}/should_document_src_upload/curl-request.adoc[]
+
+===== Example response
+include::{snippets}/should_document_src_upload/http-response.adoc[]
+
+[[cancel-srcupload]]
+==== Cancel source attachment upload service.
+
+A `DELETE` request will cancel the src upload.
+
+===== Example request
+include::{snippets}/should_document_cancel_monitoring_cancel_svm_list/curl-request.adoc[]
+
+===== Example response
+include::{snippets}/should_document_cancel_monitoring_cancel_svm_list/http-response.adoc[]

rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/project/ProjectController.java

@@ -2063,7 +2063,7 @@ public ResponseEntity<?> importSBOM(
             }
             projectId = requestSummary.getMessage();
         } else {
-            requestSummary = projectService.importCycloneDX(sw360User, attachment.getAttachmentContentId(), "");
+            requestSummary = projectService.importCycloneDX(sw360User, attachment.getAttachmentContentId(), "", true);
 
             if (requestSummary.getRequestStatus() == RequestStatus.FAILURE) {
                 return new ResponseEntity<String>(requestSummary.getMessage(), HttpStatus.BAD_REQUEST);
@@ -2117,7 +2117,9 @@ public ResponseEntity<?> importSBOMonProject(
             @Parameter(description = "Project ID", example = "376576")
             @PathVariable(value = "id", required = true) String id,
             @Parameter(description = "SBOM file")
-            @RequestBody MultipartFile file
+            @RequestBody MultipartFile file,
+            @Parameter(description = "Don't overwrite existing project releases and packages while re-importing SBOM")
+            @RequestParam(value = "doNotReplacePackageAndRelease", required = false) boolean doNotReplacePackageAndRelease
     ) throws TException {
         final User sw360User = restControllerHelper.getSw360UserFromAuthentication();
         Attachment attachment = null;
@@ -2132,7 +2134,7 @@ public ResponseEntity<?> importSBOMonProject(
             throw new RuntimeException("failed to upload attachment", e);
         }
 
-        requestSummary = projectService.importCycloneDX(sw360User, attachment.getAttachmentContentId(), id);
+        requestSummary = projectService.importCycloneDX(sw360User, attachment.getAttachmentContentId(), id, doNotReplacePackageAndRelease);
 
         if (requestSummary.getRequestStatus() == RequestStatus.FAILURE) {
             return new ResponseEntity<String>(requestSummary.getMessage(), HttpStatus.BAD_REQUEST);

rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/project/Sw360ProjectService.java

@@ -1150,9 +1150,9 @@ public RequestSummary importSPDX(User user, String attachmentContentId) throws T
      * @return RequestSummary
      * @throws TException
      */
-    public RequestSummary importCycloneDX(User user, String attachmentContentId, String projectId) throws TException {
+    public RequestSummary importCycloneDX(User user, String attachmentContentId, String projectId, boolean doNotReplacePackageAndRelease) throws TException {
         ProjectService.Iface sw360ProjectClient = getThriftProjectClient();
-        return sw360ProjectClient.importCycloneDxFromAttachmentContent(user, attachmentContentId, CommonUtils.nullToEmptyString(projectId));
+        return sw360ProjectClient.importCycloneDxFromAttachmentContentWithReplacePackageAndReleaseFlag(user, attachmentContentId, CommonUtils.nullToEmptyString(projectId), doNotReplacePackageAndRelease);
     }
 
     /**