Licensedb integration

.github/dependabot.yml

@@ -18,4 +18,4 @@ updates:
   - package-ecosystem: pre-commit
     directory: /
     schedule:
-      interval: weekly
+      interval: monthly

.github/workflows/build_and_test.yml

@@ -53,7 +53,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

.github/workflows/codeql.yml

@@ -59,7 +59,7 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

.github/workflows/dependency-review.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

.github/workflows/scorecard.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

.github/workflows/sw360_container.yml

@@ -44,9 +44,10 @@ jobs:
     runs-on: ubuntu-24.04
     outputs:
       sw360_version: ${{ steps.pom_version.outputs.SW360_VERSION }}
+      timestamp: ${{ steps.pom_version.outputs.TIMESTAMP }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -64,6 +65,7 @@ jobs:
         id: pom_version
         run: |
           echo "SW360_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> "$GITHUB_OUTPUT"
+          echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> "$GITHUB_ENV"
 
   sw360_image:
     name: SW360 Runtime image
@@ -73,10 +75,11 @@ jobs:
       packages: write
     env:
       SW360_VERSION: ${{ needs.sw360_version.outputs.sw360_version }}
+      TIMESTAMP: ${{ needs.sw360_version.outputs.timestamp }}
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 
@@ -97,7 +100,7 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Extract components metadata (tags, labels) runtime image
-        id: meta
+        id: meta_sw360
         uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: |
@@ -114,14 +117,46 @@ jobs:
             org.opencontainers.image.licenses=EPL-2.0
             org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
 
-      - name: Assembly image
+      - name: Extract components metadata (tags, labels) KeyCloak image
+        id: meta_keycloak
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ github.repository }}/keycloak
+          tags: |
+            type=schedule,pattern=nightly
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}
+            type=ref,event=tag
+            type=raw,value=main,enable={{is_default_branch}}
+            type=raw,value=26.5.5,enable=true
+          labels: |
+            org.opencontainers.image.licenses=EPL-2.0
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+
+      - name: SW360 image
         uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
           target: sw360
           push: ${{ github.event_name != 'pull_request' }}
           platforms: linux/amd64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta_sw360.outputs.tags }}
+          labels: ${{ steps.meta_sw360.outputs.labels }}
+          provenance: mode=max
+          sbom: true
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+
+      - name: KeyCloak image
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          context: .
+          target: keycloak
+          push: ${{ github.event_name != 'pull_request' }}
+          platforms: linux/amd64
+          tags: ${{ steps.meta_keycloak.outputs.tags }}
+          labels: ${{ steps.meta_keycloak.outputs.labels }}
           provenance: mode=max
           sbom: true
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}

.github/workflows/thrift_container.yml

@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           egress-policy: audit
 

AGENTS.md

@@ -0,0 +1,26 @@
+<!--
+Part of the SW360 Portal Project.
+
+SPDX-License-Identifier: EPL-2.0
+-->
+# Instructions for AI Agents
+
+Welcome to the SW360 project. To ensure consistency in contributions and
+alignment with the project's architecture, all AI agents and coding assistants
+must adhere to the following guidelines:
+
+## Git Commit Guidelines
+Before suggesting or performing any commits, read and follow the instructions
+in:
+* [.github/instructions/git-commit.instructions.md](.github/instructions/git-commit.instructions.md)
+
+This document contains the project's preferred commit message format,
+conventional commit types, and styling rules.
+
+## Backend Development and Architecture
+To understand the design patterns, functional flow, and specific "tips and
+tricks" for the SW360 backend, refer to:
+* [.github/instructions/sw360_backend.instructions.md](.github/instructions/sw360_backend.instructions.md)
+
+Following these instructions is mandatory to maintain the quality and integrity
+of the SW360 codebase.

Dockerfile

@@ -71,7 +71,7 @@ COPY --from=sw360build /sw360_tomcat_webapps /sw360_tomcat_webapps
 COPY --from=sw360build /sw360_keycloak_listener /sw360_keycloak_listener
 
 #--------------------------------------------------------------------------------------------------
-# Runtime image
+# Runtime SW360 image
 
 # FROM tomcat:11-jre21-temurin-noble
 FROM tomcat@sha256:59cb924b1a76508eb7769f102299293d6abcd0e62d22b1b2ba18324090e3b38a AS sw360
@@ -82,6 +82,7 @@ FROM tomcat@sha256:59cb924b1a76508eb7769f102299293d6abcd0e62d22b1b2ba18324090e3b
 # CouchDB settings
 ENV COUCHDB_URL="http://couchdb:5984"
 ENV COUCHDB_LUCENESEARCH_LIMIT="1000"
+ENV CLOUDANT_ENABLE_RETRIES="true"
 #
 # Spring controllers
 ENV ENABLE_DISKSPACE="false"
@@ -113,6 +114,12 @@ ENV SW360_CORS_ALLOWED_ORIGIN="*"
 ENV SW360_THRIFT_SERVER_URL="http://localhost:8080"
 ENV SW360_BASE_URL="http://localhost:8080"
 
+# Install dependencies for entrypoint
+RUN apt-get update -qq \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -qq -y --no-install-recommends \
+    gettext-base \
+    && rm -rf /var/lib/apt/lists/*
+
 # Streamlined wars
 COPY --from=binaries /sw360_tomcat_webapps/slim-wars/*.war ${CATALINA_HOME}/webapps/
 # org.eclipse.sw360 jar artifacts
@@ -134,3 +141,63 @@ RUN mv ${CATALINA_HOME}/webapps.dist/manager ${CATALINA_HOME}/webapps/manager \
 EXPOSE 8080
 
 ENTRYPOINT ["/app/sw360/docker-entrypoint.sh"]
+
+#--------------------------------------------------------------------------------------------------
+# Build custom Keycloak with SW360 providers
+# For guide, see https://www.keycloak.org/server/containers
+
+# FROM quay.io/keycloak/keycloak:26.5.5
+FROM quay.io/keycloak/keycloak@sha256:a7b0cb7a43a1235a61872883414d3f1d9a3ceac9df6e5907bd12202778a6265c AS keycloak-build
+
+# Enable health and metrics support
+ENV KC_HEALTH_ENABLED=true
+ENV KC_METRICS_ENABLED=true
+
+# Configure a database vendor
+ENV KC_DB=postgres
+
+WORKDIR /opt/keycloak
+
+# Copy always does root:root with 644. Thus cp within container to get
+# keycloak:root with 644
+COPY --from=binaries /sw360_keycloak_listener /tmp/providers/
+
+RUN cp /tmp/providers/*jar /opt/keycloak/providers/ \
+ && /opt/keycloak/bin/kc.sh build
+
+# Copy the optimized KC
+# FROM quay.io/keycloak/keycloak:26.5.5
+FROM quay.io/keycloak/keycloak@sha256:a7b0cb7a43a1235a61872883414d3f1d9a3ceac9df6e5907bd12202778a6265c AS keycloak
+
+# Default environment variables that can be overridden at runtime
+# For more information, please check the documentation.
+#
+# CouchDB settings
+ENV COUCHDB_URL="http://couchdb:5984"
+ENV COUCHDB_USER="admin"
+ENV COUCHDB_LUCENESEARCH_LIMIT="1000"
+ENV CLOUDANT_ENABLE_RETRIES="true"
+
+# Create the /etc/sw360
+USER root
+
+RUN mkdir -p /etc/sw360 \
+ && chown -R keycloak:keycloak /etc/sw360
+
+USER keycloak
+
+# Copy the configs required in /etc/sw360
+WORKDIR /app/docker-config
+
+# Copy the configs and entrypoint
+COPY --chown=keycloak ./scripts/docker-config/docker-entrypoint-keycloak.sh .
+
+# Make entrypoint executable
+RUN chmod a+x ./docker-entrypoint-keycloak.sh
+
+# Copy the optimized KC
+COPY --from=keycloak-build /opt/keycloak/ /opt/keycloak/
+
+ENTRYPOINT ["/app/docker-config/docker-entrypoint-keycloak.sh"]
+
+CMD ["start", "--optimized"]

README_DOCKER.md

@@ -60,6 +60,7 @@ file to tweak SW360 behaviour.
 **CouchDB Settings**
 * `COUCHDB_URL`: URL of the CouchDB instance (default: `http://couchdb:5984`).
 * `COUCHDB_LUCENESEARCH_LIMIT`: Limit for Lucene search results (default: `1000`).
+* `CLOUDANT_ENABLE_RETRIES`: Enable retries in Cloudant (default: `true`).
 
 **Spring Controllers**
 * `ENABLE_DISKSPACE`: Enable disk space health check (default: `false`).

backend/attachments/src/main/java/org/eclipse/sw360/attachments/AttachmentHandler.java

@@ -71,12 +71,6 @@ public AttachmentContent getAttachmentContent(String id) throws SW360Exception {
         return handler.getAttachmentContent(id);
     }
 
-    @Override
-    public void updateAttachmentContent(AttachmentContent attachment) throws TException {
-        validateAttachment(attachment);
-        handler.updateAttachmentContent(attachment);
-    }
-
     @Override
     public RequestSummary bulkDelete(List<String> ids) throws TException {
         assertNotNull(ids);

backend/common/src/main/java/org/eclipse/sw360/cyclonedx/CycloneDxBOMImporter.java

@@ -85,6 +85,7 @@
  */
 public class CycloneDxBOMImporter {
     private static final Logger log = LogManager.getLogger(CycloneDxBOMImporter.class);
+    private static final Gson GSON = new Gson();
     private static final String DOT_GIT = ".git";
     private static final String SLASH = "/";
     private static final String DOT = ".";
@@ -214,7 +215,7 @@ public RequestSummary importFromBOM(InputStream inputStream, AttachmentContent a
                     if (requestSummary.requestStatus.equals(RequestStatus.SUCCESS)) {
 
                         String jsonMessage = requestSummary.getMessage();
-                        messageMap = new Gson().fromJson(jsonMessage, Map.class);
+                        messageMap = GSON.fromJson(jsonMessage, Map.class);
                         String projId = messageMap.get("projectId");
 
                         if (CommonUtils.isNullEmptyOrWhitespace(projId)) {
@@ -316,7 +317,7 @@ public RequestSummary importFromBOM(InputStream inputStream, AttachmentContent a
 
             if (RequestStatus.SUCCESS.equals(requestSummary.getRequestStatus())) {
                 String jsonMessage = requestSummary.getMessage();
-                messageMap = new Gson().fromJson(jsonMessage, Map.class);
+                messageMap = GSON.fromJson(jsonMessage, Map.class);
                 String projId = messageMap.get("projectId");
                 Project project = projectDatabaseHandler.getProjectById(projId, user);
                 try {

backend/common/src/main/java/org/eclipse/sw360/datahandler/db/AttachmentDatabaseHandler.java

@@ -85,9 +85,7 @@ public AttachmentContent getAttachmentContent(String id) throws SW360Exception {
 
         return attachment;
     }
-    public void updateAttachmentContent(AttachmentContent attachment) throws TException {
-        attachmentConnector.updateAttachmentContent(attachment);
-    }
+
     public RequestSummary bulkDelete(List<String> ids) {
         final List<DocumentResult> documentOperationResults = attachmentContentRepository.deleteIds(ids);
         return CommonUtils.getRequestSummary(ids, documentOperationResults);
@@ -269,7 +267,6 @@ public List<Attachment> getAttachmentsBySha1s(Set<String> sha1s) {
     public List<Source> getAttachmentOwnersByIds(Set<String> ids) {
         return attachmentOwnerRepository.getOwnersByIds(ids);
     }
-
     public List<AttachmentUsage> getAttachmentUsagesByReleaseId(String releaseId) {
         return attachmentUsageRepository.getUsagesByReleaseId(releaseId);
     }

backend/common/src/main/java/org/eclipse/sw360/spdx/SpdxBOMImporter.java

@@ -66,6 +66,7 @@
 
 public class SpdxBOMImporter {
     private static final Logger log = LogManager.getLogger(SpdxBOMImporter.class);
+    private static final Gson GSON = new Gson();
     private final SpdxBOMImporterSink sink;
 
     public SpdxBOMImporter(SpdxBOMImporterSink sink) {
@@ -963,7 +964,7 @@ private Optional<SpdxBOMImporterSink.Response> importAsProject(SpdxElement spdxE
                     response.setReleaseRelationship(ReleaseRelationship.valueOf(releaseNode.releaseRelationship));
                     releases.add(response);
                 });
-                project.setReleaseRelationNetwork(new Gson().toJson(releaseNodes));
+                project.setReleaseRelationNetwork(GSON.toJson(releaseNodes));
             }
 
             Map<String, ProjectReleaseRelationship> releaseIdToProjectRelationship = makeReleaseIdToProjectRelationship(releases);

backend/fossology/src/main/java/org/eclipse/sw360/fossology/FossologyHandler.java

@@ -355,6 +355,7 @@ private void handleScanStepV2(Iface componentClient,
                                   scanningJobId, statusResponse.get("eta"));
                     }
                     // leave in_work for next cycle
+
                 }
                 break;
 

backend/licenses-core/pom.xml

@@ -33,5 +33,6 @@
             <groupId>org.spdx</groupId>
             <artifactId>tools-java</artifactId>
         </dependency>
+
     </dependencies>
 </project>