Add missing fields to example JSON

.dockerignore

@@ -3,6 +3,7 @@
 docs/
 scripts/
 src/
+!src/main/docker/create-jre.sh
 !src/main/docker/logback*.xml
 target/
 !target/*.jar

.github/ISSUE_TEMPLATE/config.yml

@@ -3,6 +3,9 @@ contact_links:
 - name: Slack Channel
   url: https://dependencytrack.org/slack
   about: Our Slack channel is the best way to get in touch!
+- name: Slack Invite
+  url: https://dependencytrack.org/slack/invite
+  about: The Slack workspace requires an invite, click here to join!
 - name: GitHub Discussions
   url: https://github.com/DependencyTrack/dependency-track/discussions
   about: A good place to ask questions, share ideas and more!

.github/ISSUE_TEMPLATE/defect-report.yml

@@ -65,15 +65,16 @@ body:
     - 4.9.x
     - 4.10.x
     - 4.11.x
-    - 4.12.0
-    - 4.12.1
-    - 4.12.2
-    - 4.12.3
-    - 4.12.4
-    - 4.12.5
-    - 4.12.6
-    - 4.12.7
-    - 4.13.0-SNAPSHOT
+    - 4.12.x
+    - 4.13.0
+    - 4.13.1
+    - 4.13.2
+    - 4.13.3
+    - 4.13.4
+    - 4.13.5
+    - 4.13.6
+    - 4.14.0
+    - 4.15.0-SNAPSHOT
   validations:
     required: true
 - type: dropdown

.github/dependabot.yml

@@ -1,18 +1,38 @@
 version: 2
 updates:
-  - package-ecosystem: maven
-    directory: /
-    schedule:
-      interval: daily
-  - package-ecosystem: docker
-    directory: /src/main/docker
-    schedule:
-      interval: daily
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: weekly
-  - package-ecosystem: bundler
-    directory: /docs
-    schedule:
-      interval: weekly
+# Keep everything on the main branch up-to-date.
+- package-ecosystem: maven
+  directory: /
+  schedule:
+    interval: daily
+- package-ecosystem: docker
+  directory: /src/main/docker
+  schedule:
+    interval: daily
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: weekly
+- package-ecosystem: bundler
+  directory: /docs
+  schedule:
+    interval: weekly
+# Receive minor and patch updates on latest release branch.
+- package-ecosystem: maven
+  target-branch: 4.14.x
+  directory: /
+  schedule:
+    interval: daily
+  ignore:
+  - dependency-name: "*"
+    update-types:
+    - version-update:semver-major
+- package-ecosystem: docker
+  target-branch: 4.14.x
+  directory: /src/main/docker
+  schedule:
+    interval: daily
+  ignore:
+  - dependency-name: "*"
+    update-types:
+    - version-update:semver-major

.github/workflows/_meta-build.yaml

@@ -28,10 +28,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
       - name: Set up JDK
-        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # tag=v4.7.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
         with:
           distribution: 'temurin'
           java-version: '21'
@@ -47,15 +47,14 @@ jobs:
 
       - name: Build with Maven
         run: |-
-          mvn -B --no-transfer-progress clean
-          mvn -B --no-transfer-progress package -Dmaven.test.skip=true -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
-          mvn -B --no-transfer-progress clean -P clean-exclude-wars
-          mvn -B --no-transfer-progress package -Dmaven.test.skip=true -P enhance -P embedded-jetty -P bundle-ui -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
-          mvn -B --no-transfer-progress clean -P clean-exclude-wars
-          mvn -B --no-transfer-progress cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
+          mvn -B package -P quick -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
+          mvn -B clean -P clean-exclude-wars
+          mvn -B package -P quick -P enhance -P embedded-jetty -P bundle-ui -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml
+          mvn -B clean -P clean-exclude-wars
+          mvn -B cyclonedx:makeBom -Dservices.bom.merge.skip=false org.codehaus.mojo:exec-maven-plugin:exec@merge-services-bom
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7.0.0
         with:
           name: assembled-wars
           path: |-
@@ -78,25 +77,25 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
       - name: Download Artifacts
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # tag=v4.2.1
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # tag=v8.0.0
         with:
           name: assembled-wars
           path: target
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # tag=v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # tag=v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # tag=v3.10.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # tag=v4.0.0
         id: buildx
         with:
           install: true
 
       - name: Login to Docker.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # tag=v3.4.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # tag=v4.0.0
         if: ${{ inputs.publish-container }}
         with:
           registry: docker.io
@@ -109,19 +108,24 @@ jobs:
           IMAGE_NAME="docker.io/dependencytrack/${{ matrix.distribution }}"
           REF_NAME="${{ inputs.ref-name }}"
           TAGS=""
+          TAGS_ALPINE=""
 
           if [[ $REF_NAME == feature-* ]]; then
             TAGS="${IMAGE_NAME}:${REF_NAME,,}"
+            TAGS_ALPINE="${IMAGE_NAME}:${REF_NAME,,}-alpine"
           else
             TAGS="${IMAGE_NAME}:${{ inputs.app-version }}"
+            TAGS_ALPINE="${IMAGE_NAME}:${{ inputs.app-version }}-alpine"
             if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
               TAGS="${TAGS},${IMAGE_NAME}:latest"
+              TAGS_ALPINE="${TAGS_ALPINE},${IMAGE_NAME}:latest-alpine"
             fi
           fi
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+          echo "tags-alpine=${TAGS_ALPINE}" >> $GITHUB_OUTPUT
 
       - name: Build multi-arch Container Image
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # tag=v6.15.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # tag=v6.19.2
         with:
           tags: ${{ steps.tags.outputs.tags }}
           build-args: |-
@@ -133,9 +137,22 @@ jobs:
           context: .
           file: src/main/docker/Dockerfile
 
+      - name: Build Alpine multi-arch Container Image
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # tag=v6.19.2
+        with:
+          tags: ${{ steps.tags.outputs.tags-alpine }}
+          build-args: |-
+            APP_VERSION=${{ inputs.app-version }}
+            COMMIT_SHA=${{ github.sha }}
+            WAR_FILENAME=dependency-track-${{ matrix.distribution }}.jar
+          platforms: linux/amd64,linux/arm64
+          push: ${{ inputs.publish-container }}
+          context: .
+          file: src/main/docker/Dockerfile.alpine
+
       - name: Run Trivy Vulnerability Scanner
         if: ${{ inputs.publish-container }}
-        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # tag=0.30.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # tag=0.35.0
         env:
           # https://github.com/aquasecurity/trivy-action/issues/389
           TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
@@ -149,6 +166,6 @@ jobs:
 
       - name: Upload Trivy Scan Results to GitHub Security Tab
         if: ${{ inputs.publish-container }}
-        uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # tag=v3.28.12
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # tag=v3.29.5
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/ci-publish.yaml

@@ -23,7 +23,7 @@ jobs:
             exit 1
           fi
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
       - name: Parse Version from POM
         id: parse
@@ -52,10 +52,10 @@ jobs:
       - call-build
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
       - name: Download Artifacts
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # tag=v4.2.1
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # tag=v8.0.0
         with:
           name: assembled-wars
           path: target

.github/workflows/ci-release.yaml

@@ -20,7 +20,7 @@ jobs:
       release-branch: ${{ steps.variables.outputs.release-branch }}
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
       - name: Setup Environment
         id: variables
@@ -51,10 +51,10 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
       - name: Set up JDK
-        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # tag=v4.7.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
         with:
           distribution: 'temurin'
           java-version: '21'
@@ -118,7 +118,7 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
         with:
           ref: ${{ needs.prepare-release.outputs.release-branch }}
 

.github/workflows/ci-test-pr-coverage.yml

@@ -18,7 +18,7 @@ jobs:
         && github.event.workflow_run.conclusion == 'success'
     steps:
     - name: Download PR test coverage report
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # tag=v4.2.1
+      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # tag=v8.0.0
       with:
         name: pr-test-coverage-report
         github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci-test.yaml

@@ -33,10 +33,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
       - name: Set up JDK
-        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # tag=v4.7.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
         with:
           distribution: 'temurin'
           java-version: '21'
@@ -66,7 +66,7 @@ jobs:
 
       - name: Upload PR test coverage report
         if: ${{ github.event_name == 'pull_request' }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # tag=v4.6.2
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7.0.0
         with:
           name: pr-test-coverage-report
           path: |-

.github/workflows/dependency-review.yaml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # tag=v4.5.0
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # tag=v4.9.0

.github/workflows/lock.yaml

@@ -15,7 +15,7 @@ jobs:
     # don't run on forks
     if: ${{ contains(github.repository, 'DependencyTrack/') }}
     steps:
-      - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # tag=v4.0.1
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # tag=v6.0.0
         with:
           github-token: ${{ github.token }}
           issue-inactive-days: '30'

.github/workflows/pr-detect-merge-conflicts

@@ -0,0 +1,22 @@
+name: "Detect Merge Conflicts"
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+      - 4*
+
+  pull_request_target:
+    types: [synchronize]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: check if prs are conflicted
+        uses: eps1lon/actions-label-merge-conflict@v3
+        with:
+          dirtyLabel: "conflicts-detected"
+          repoToken: "${{ secrets.GITHUB_TOKEN }}"
+          commentOnDirty: "This pull request has conflicts, please resolve those before we can evaluate the pull request."
+          commentOnClean: "Conflicts have been resolved. A maintainer will review the pull request shortly."