From cd18a8b59b01e4d184438f24cf8155f072c7c12d Mon Sep 17 00:00:00 2001 From: nscuro Date: Mon, 1 Jun 2026 00:32:54 +0200 Subject: [PATCH 1/3] Add upgrade notes for 5.0.0-rc.2 Also updates references of renamed config properties. Signed-off-by: nscuro --- .../architecture/design/durable-execution.md | 2 +- .../administration/configuring-http-proxy.md | 24 +-- .../guides/administration/configuring-ldap.md | 128 +++++++-------- .../guides/administration/configuring-oidc.md | 38 ++--- .../configuring-vulnerability-sources.md | 10 +- docs/guides/upgrading/.pages | 1 + docs/guides/upgrading/v5.0.0-rc.2.md | 152 ++++++++++++++++++ docs/reference/configuration/application.md | 4 +- docs/reference/configuration/file-storage.md | 12 +- .../policies/vulnerability-policies.md | 10 +- 10 files changed, 269 insertions(+), 112 deletions(-) create mode 100644 docs/guides/upgrading/v5.0.0-rc.2.md diff --git a/docs/concepts/architecture/design/durable-execution.md b/docs/concepts/architecture/design/durable-execution.md index f33bc3e..cb9aa50 100644 --- a/docs/concepts/architecture/design/durable-execution.md +++ b/docs/concepts/architecture/design/durable-execution.md @@ -691,7 +691,7 @@ mechanism. ### Maintenance A leader-only maintenance worker periodically deletes terminal workflow runs older than -[`dt.dex-engine.maintenance.run-retention-duration`](../../../reference/configuration/properties.md#dtdex-enginemaintenancerun-retention-duration). +[`dt.dex-engine.maintenance.run-retention-ms`](../../../reference/configuration/properties.md#dtdex-enginemaintenancerun-retention-ms). Deletion happens in batches of [`dt.dex-engine.maintenance.run-deletion-batch-size`](../../../reference/configuration/properties.md#dtdex-enginemaintenancerun-deletion-batch-size) rows using `FOR NO KEY UPDATE SKIP LOCKED` to coexist with active workloads. Cascade foreign keys remove the associated history, inbox, and task rows in the same transaction. 
diff --git a/docs/guides/administration/configuring-http-proxy.md b/docs/guides/administration/configuring-http-proxy.md index ea5787b..d2533e2 100644 --- a/docs/guides/administration/configuring-http-proxy.md +++ b/docs/guides/administration/configuring-http-proxy.md @@ -16,10 +16,10 @@ user's browser; any requests it appears to make actually originate from the brow The API server reads proxy settings from two sources, in this order: -1. App properties (`dt.http.proxy.*`, `dt.no.proxy`). +1. App properties (`dt.http.proxy.*`). 2. The standard `HTTPS_PROXY`, `HTTP_PROXY`, and `NO_PROXY` environment variables. -If `dt.http.proxy.address` has a value, app properties win and the API server ignores the environment variables. +If `dt.http.proxy.host` has a value, app properties win and the API server ignores the environment variables. Otherwise, the API server falls back to the environment. ## Configuring via app properties 
@@ -27,21 +27,21 @@ Otherwise, the API server falls back to the environment. Set the following properties (see [Application configuration](../../reference/configuration/application.md#environment-variable-mapping) for how property names map to environment variables): -- [`dt.http.proxy.address`](../../reference/configuration/properties.md#dthttpproxyaddress): proxy hostname or IP address. +- [`dt.http.proxy.host`](../../reference/configuration/properties.md#dthttpproxyhost): proxy hostname or IP address. - [`dt.http.proxy.port`](../../reference/configuration/properties.md#dthttpproxyport): proxy port. Required when - `dt.http.proxy.address` has a value. -- [`dt.http.proxy.username`](../../reference/configuration/properties.md#dthttpproxyusername): optional, for + `dt.http.proxy.host` has a value. +- [`dt.http.proxy.auth.username`](../../reference/configuration/properties.md#dthttpproxyauthusername): optional, for authenticated proxies. -- [`dt.http.proxy.password`](../../reference/configuration/properties.md#dthttpproxypassword): optional, for +- [`dt.http.proxy.auth.password`](../../reference/configuration/properties.md#dthttpproxyauthpassword): optional, for authenticated proxies. -- [`dt.no.proxy`](../../reference/configuration/properties.md#dtnoproxy): comma-separated bypass list. +- [`dt.http.proxy.exclusions`](../../reference/configuration/properties.md#dthttpproxyexclusions): comma-separated bypass list. Example: ```properties linenums="1" -dt.http.proxy.address=proxy.example.com +dt.http.proxy.host=proxy.example.com dt.http.proxy.port=8080 -dt.no.proxy=localhost,127.0.0.1,example.com +dt.http.proxy.exclusions=localhost,127.0.0.1,example.com ``` ## Configuring via standard environment variables 
@@ -62,7 +62,7 @@ The API server uses the same proxy for both HTTP and HTTPS upstream calls. URIs ## Bypass list -Both `dt.no.proxy` and `NO_PROXY` accept a comma-separated list of entries. Each entry takes the form of either a +Both `dt.http.proxy.exclusions` and `NO_PROXY` accept a comma-separated list of entries. Each entry takes the form of either a hostname or IP address, optionally with `:port`. CIDR ranges, IP-address ranges, leading-dot notation, and protocol schemes are not supported. @@ -75,7 +75,7 @@ The matching rules are: - If an entry includes a port (`host:port`), the host must match (exact or subdomain) and the port must match exactly. - Only `http` and `https` URIs go through the proxy; other schemes always bypass it. -For example, given `dt.no.proxy=example.com,localhost:5432`: +For example, given `dt.http.proxy.exclusions=example.com,localhost:5432`: - `https://api.example.com/` bypasses the proxy (subdomain match). - `https://localhost:5432/` bypasses the proxy (host and port match). @@ -83,7 +83,7 @@ For example, given `dt.no.proxy=example.com,localhost:5432`: ## Authenticated proxies -For Basic-authenticated proxies, set `dt.http.proxy.username` and `dt.http.proxy.password`. Avoid placing the password +For Basic-authenticated proxies, set `dt.http.proxy.auth.username` and `dt.http.proxy.auth.password`. Avoid placing the password in plain text; see [Loading values from files](../../reference/configuration/application.md#loading-values-from-files). For NTLM-authenticated proxies, supply the username in `domain\username` form. The API server splits on the first diff --git a/docs/guides/administration/configuring-ldap.md b/docs/guides/administration/configuring-ldap.md index 2fb51fd..8c8d5d6 100644 --- a/docs/guides/administration/configuring-ldap.md +++ b/docs/guides/administration/configuring-ldap.md 
@@ -36,18 +36,18 @@ Enable LDAP and configure the server connection: ```properties linenums="1" dt.ldap.enabled=true -dt.ldap.server.url=ldap://ldap.example.com:389 -dt.ldap.basedn=dc=example,dc=com -dt.ldap.security.auth=simple -dt.ldap.bind.username=cn=dt-service,dc=example,dc=com -dt.ldap.bind.password=changeme -dt.ldap.auth.username.format=uid={0},ou=users,dc=example,dc=com -dt.ldap.attribute.name=cn -dt.ldap.attribute.mail=mail +dt.ldap.server-url=ldap://ldap.example.com:389 +dt.ldap.base-dn=dc=example,dc=com +dt.ldap.security-auth=simple +dt.ldap.bind-username=cn=dt-service,dc=example,dc=com +dt.ldap.bind-password=changeme +dt.ldap.username-format=uid={0},ou=users,dc=example,dc=com +dt.ldap.name-attribute=cn +dt.ldap.mail-attribute=mail ``` !!! tip - Dependency-Track substitutes the `{0}` placeholder in `dt.ldap.auth.username.format` + Dependency-Track substitutes the `{0}` placeholder in `dt.ldap.username-format` with the username entered at login. ### User provisioning @@ -57,7 +57,7 @@ user logs in. Otherwise, an administrator must create each account before its us log in. ```properties -dt.ldap.user.provisioning=true +dt.ldap.user-provisioning=true ``` ### Team synchronisation 
@@ -66,11 +66,11 @@ When enabled, Dependency-Track keeps team membership in sync with LDAP group mem Map teams to LDAP groups under **Administration > Access Management > Teams**. ```properties -dt.ldap.team.synchronization=true -dt.ldap.groups.filter=(&(objectClass=groupOfUniqueNames)) -dt.ldap.user.groups.filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN})) -dt.ldap.groups.search.filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*)) -dt.ldap.users.search.filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*)) +dt.ldap.team-synchronization=true +dt.ldap.group-filter=(&(objectClass=groupOfUniqueNames)) +dt.ldap.user-groups-filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN})) +dt.ldap.group-search-filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*)) +dt.ldap.user-search-filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*)) ``` !!! tip 
@@ -91,18 +91,18 @@ Users typically authenticate with their User Principal Name (`user@domain.com`). ```properties linenums="1" dt.ldap.enabled=true -dt.ldap.server.url=ldap://ldap.example.com:3268 -dt.ldap.basedn=dc=example,dc=com -dt.ldap.security.auth=simple -dt.ldap.bind.username=CN=DT Service Account,DC=example,DC=com -dt.ldap.bind.password=changeme -dt.ldap.auth.username.format={0}@example.com -dt.ldap.attribute.name=userPrincipalName -dt.ldap.attribute.mail=mail -dt.ldap.groups.filter=(&(objectClass=group)(objectCategory=Group)) -dt.ldap.user.groups.filter=(&(objectClass=group)(objectCategory=Group)(member:1.2.840.113556.1.4.1941:={USER_DN})) -dt.ldap.groups.search.filter=(&(objectClass=group)(objectCategory=Group)(cn=*{SEARCH_TERM}*)) -dt.ldap.users.search.filter=(&(objectClass=user)(objectCategory=Person)(cn=*{SEARCH_TERM}*)) +dt.ldap.server-url=ldap://ldap.example.com:3268 +dt.ldap.base-dn=dc=example,dc=com +dt.ldap.security-auth=simple +dt.ldap.bind-username=CN=DT Service Account,DC=example,DC=com +dt.ldap.bind-password=changeme +dt.ldap.username-format={0}@example.com +dt.ldap.name-attribute=userPrincipalName +dt.ldap.mail-attribute=mail +dt.ldap.group-filter=(&(objectClass=group)(objectCategory=Group)) +dt.ldap.user-groups-filter=(&(objectClass=group)(objectCategory=Group)(member:1.2.840.113556.1.4.1941:={USER_DN})) +dt.ldap.group-search-filter=(&(objectClass=group)(objectCategory=Group)(cn=*{SEARCH_TERM}*)) +dt.ldap.user-search-filter=(&(objectClass=user)(objectCategory=Person)(cn=*{SEARCH_TERM}*)) ``` !!! tip 
@@ -113,43 +113,43 @@ dt.ldap.users.search.filter=(&(objectClass=user)(objectCategory=Person)(cn=*{SEA For LDAPS (recommended in production), change the port to `3269` and update the URL: ```properties -dt.ldap.server.url=ldaps://ldap.example.com:3269 +dt.ldap.server-url=ldaps://ldap.example.com:3269 ``` ### ApacheDS ```properties linenums="1" dt.ldap.enabled=true -dt.ldap.server.url=ldap://ldap.example.com:389 -dt.ldap.basedn=dc=example,dc=com -dt.ldap.security.auth=simple -dt.ldap.bind.username=uid=admin,ou=system -dt.ldap.bind.password=changeme -dt.ldap.auth.username.format=uid={0},ou=users,dc=example,dc=com -dt.ldap.attribute.name=cn -dt.ldap.attribute.mail=mail -dt.ldap.groups.filter=(&(objectClass=groupOfUniqueNames)) -dt.ldap.user.groups.filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN})) -dt.ldap.groups.search.filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*)) -dt.ldap.users.search.filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*)) +dt.ldap.server-url=ldap://ldap.example.com:389 +dt.ldap.base-dn=dc=example,dc=com +dt.ldap.security-auth=simple +dt.ldap.bind-username=uid=admin,ou=system +dt.ldap.bind-password=changeme +dt.ldap.username-format=uid={0},ou=users,dc=example,dc=com +dt.ldap.name-attribute=cn +dt.ldap.mail-attribute=mail +dt.ldap.group-filter=(&(objectClass=groupOfUniqueNames)) +dt.ldap.user-groups-filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN})) +dt.ldap.group-search-filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*)) +dt.ldap.user-search-filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*)) ``` ### Fedora 389 Directory Server ```properties linenums="1" dt.ldap.enabled=true -dt.ldap.server.url=ldap://ldap.example.com:389 -dt.ldap.basedn=dc=example,dc=com -dt.ldap.security.auth=simple -dt.ldap.bind.username=cn=Directory Manager -dt.ldap.bind.password=changeme -dt.ldap.auth.username.format=uid={0},ou=people,dc=example,dc=com -dt.ldap.attribute.name=uid -dt.ldap.attribute.mail=mail 
-dt.ldap.groups.filter=(&(objectClass=groupOfUniqueNames)) -dt.ldap.user.groups.filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN})) -dt.ldap.groups.search.filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*)) -dt.ldap.users.search.filter=(&(objectClass=inetOrgPerson)(uid=*{SEARCH_TERM}*)) +dt.ldap.server-url=ldap://ldap.example.com:389 +dt.ldap.base-dn=dc=example,dc=com +dt.ldap.security-auth=simple +dt.ldap.bind-username=cn=Directory Manager +dt.ldap.bind-password=changeme +dt.ldap.username-format=uid={0},ou=people,dc=example,dc=com +dt.ldap.name-attribute=uid +dt.ldap.mail-attribute=mail +dt.ldap.group-filter=(&(objectClass=groupOfUniqueNames)) +dt.ldap.user-groups-filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN})) +dt.ldap.group-search-filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*)) +dt.ldap.user-search-filter=(&(objectClass=inetOrgPerson)(uid=*{SEARCH_TERM}*)) ``` ### NetIQ / Novell eDirectory 
@@ -158,18 +158,18 @@ eDirectory typically uses LDAPS on port 636 and an organisation-based DN structu ```properties linenums="1" dt.ldap.enabled=true -dt.ldap.server.url=ldaps://ldap.example.com:636 -dt.ldap.basedn=o=example -dt.ldap.security.auth=simple -dt.ldap.bind.username=cn=admin,o=example -dt.ldap.bind.password=changeme -dt.ldap.auth.username.format=uid={0},ou=users,o=example -dt.ldap.attribute.name=uid -dt.ldap.attribute.mail=mail -dt.ldap.groups.filter=(&(objectClass=groupOfUniqueNames)) -dt.ldap.user.groups.filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN})) -dt.ldap.groups.search.filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*)) -dt.ldap.users.search.filter=(&(objectClass=inetOrgPerson)(uid=*{SEARCH_TERM}*)) +dt.ldap.server-url=ldaps://ldap.example.com:636 +dt.ldap.base-dn=o=example +dt.ldap.security-auth=simple +dt.ldap.bind-username=cn=admin,o=example +dt.ldap.bind-password=changeme +dt.ldap.username-format=uid={0},ou=users,o=example +dt.ldap.name-attribute=uid +dt.ldap.mail-attribute=mail +dt.ldap.group-filter=(&(objectClass=groupOfUniqueNames)) +dt.ldap.user-groups-filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN})) +dt.ldap.group-search-filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*)) +dt.ldap.user-search-filter=(&(objectClass=inetOrgPerson)(uid=*{SEARCH_TERM}*)) ``` --- diff --git a/docs/guides/administration/configuring-oidc.md b/docs/guides/administration/configuring-oidc.md index 8c265d5..847193b 100644 --- a/docs/guides/administration/configuring-oidc.md +++ b/docs/guides/administration/configuring-oidc.md @@ -34,8 +34,8 @@ for how property names map to environment variables. ```properties linenums="1" dt.oidc.enabled=true dt.oidc.issuer=https://idp.example.com -dt.oidc.client.id=dependency-track -dt.oidc.username.claim=preferred_username +dt.oidc.client-id=dependency-track +dt.oidc.username-claim=preferred_username ``` ### User provisioning 
@@ -43,7 +43,7 @@ dt.oidc.username.claim=preferred_username When enabled, Dependency-Track creates user accounts automatically on first login: ```properties -dt.oidc.user.provisioning=true +dt.oidc.user-provisioning=true ``` ### Team synchronisation @@ -56,8 +56,8 @@ easiest to emit. Map teams to those group names under **Administration > Access Management > Teams**. ```properties -dt.oidc.team.synchronization=true -dt.oidc.teams.claim=groups +dt.oidc.team-synchronization=true +dt.oidc.teams-claim=groups ``` ## Frontend configuration @@ -101,8 +101,8 @@ etc.) to match your environment. ```properties dt.oidc.issuer=https://keycloak.example.com/realms/your-realm -dt.oidc.client.id=dependency-track -dt.oidc.username.claim=preferred_username +dt.oidc.client-id=dependency-track +dt.oidc.username-claim=preferred_username ``` ### Microsoft Entra ID (Azure AD) @@ -115,8 +115,8 @@ dt.oidc.username.claim=preferred_username ```properties dt.oidc.issuer=https://login.microsoftonline.com//v2.0 -dt.oidc.client.id= -dt.oidc.username.claim=preferred_username +dt.oidc.client-id= +dt.oidc.username-claim=preferred_username ``` !!! note @@ -134,8 +134,8 @@ dt.oidc.username.claim=preferred_username ```properties dt.oidc.issuer=https://your-tenant.auth0.com/ -dt.oidc.client.id= -dt.oidc.username.claim=nickname +dt.oidc.client-id= +dt.oidc.username-claim=nickname ``` ### GitLab @@ -146,8 +146,8 @@ dt.oidc.username.claim=nickname ```properties dt.oidc.issuer=https://gitlab.com -dt.oidc.client.id= -dt.oidc.username.claim=nickname +dt.oidc.client-id= +dt.oidc.username-claim=nickname ``` For self-hosted GitLab, replace `https://gitlab.com` with your GitLab instance URL. @@ -160,8 +160,8 @@ For self-hosted GitLab, replace `https://gitlab.com` with your GitLab instance U ```properties dt.oidc.issuer=https://accounts.google.com -dt.oidc.client.id=.apps.googleusercontent.com -dt.oidc.username.claim=email +dt.oidc.client-id=.apps.googleusercontent.com +dt.oidc.username-claim=email ``` !!! warning 
@@ -188,8 +188,8 @@ dt.oidc.username.claim=email ```properties dt.oidc.issuer=https://your-subdomain.onelogin.com/oidc/2 -dt.oidc.client.id= -dt.oidc.username.claim=preferred_username +dt.oidc.client-id= +dt.oidc.username-claim=preferred_username ``` ### AWS Cognito @@ -203,8 +203,8 @@ dt.oidc.username.claim=preferred_username ```properties dt.oidc.issuer=https://cognito-idp..amazonaws.com/ -dt.oidc.client.id= -dt.oidc.username.claim=cognito:username +dt.oidc.client-id= +dt.oidc.username-claim=cognito:username ``` --- diff --git a/docs/guides/administration/configuring-vulnerability-sources.md b/docs/guides/administration/configuring-vulnerability-sources.md index e9cf9d3..e99bf64 100644 --- a/docs/guides/administration/configuring-vulnerability-sources.md +++ b/docs/guides/administration/configuring-vulnerability-sources.md @@ -81,10 +81,14 @@ what each mirror is doing. Each source has its own cron property. Mirrors also run on instance startup. To change the schedule, set the corresponding property: -- NVD: [`dt.task.nist.mirror.cron`](../../reference/configuration/properties.md#dttasknistmirrorcron) +- NVD: [`dt.task.nvd-vuln-data-source-mirror.cron`](../../reference/configuration/properties.md#dttasknvd-vuln-data-source-mirrorcron) - GitHub advisories: - [`dt.task.git.hub.advisory.mirror.cron`](../../reference/configuration/properties.md#dttaskgithubadvisorymirrorcron) -- OSV: [`dt.task.osv.mirror.cron`](../../reference/configuration/properties.md#dttaskosvmirrorcron) + [`dt.task.github-advisory-vuln-data-source-mirror.cron`](../../reference/configuration/properties.md#dttaskgithub-advisory-vuln-data-source-mirrorcron) +- OSV: [`dt.task.osv-vuln-data-source-mirror.cron`](../../reference/configuration/properties.md#dttaskosv-vuln-data-source-mirrorcron) + +!!! note + The `dt.vuln-analyzer.*` namespace (analyzer extension point) is unchanged. + Only mirror task cron properties were renamed. ## Verifying findings 
diff --git a/docs/guides/upgrading/.pages b/docs/guides/upgrading/.pages index 2580b80..5bafbbd 100644 --- a/docs/guides/upgrading/.pages +++ b/docs/guides/upgrading/.pages @@ -1,6 +1,7 @@ title: Upgrade guides nav: - index.md + - v5.0.0-rc.2.md - v5.0.0-rc.1.md - v0.7.0-alpha.9.md - v0.7.0-alpha.8.md diff --git a/docs/guides/upgrading/v5.0.0-rc.2.md b/docs/guides/upgrading/v5.0.0-rc.2.md new file mode 100644 index 0000000..335a8ab --- /dev/null +++ b/docs/guides/upgrading/v5.0.0-rc.2.md 
@@ -0,0 +1,152 @@ +# Upgrading to v5.0.0-rc.2 + +!!! danger "Legacy `alpine.*` and unprefixed property names no longer accepted" + This release drops the compatibility shim that translated v4-era + `alpine.*` and unprefixed property names (for example + `alpine.ldap.enabled`, `database.url`, `bcrypt.rounds`) into their + `dt.*` equivalents. Migrate any configuration still using those names + to the current `dt.*` properties. **The API server refuses to start when + it encounters a legacy key** to prevent silent misconfiguration. + + The original `alpine.*` to `dt.*` migration is documented in the + [v0.7.0-alpha.3 upgrade notes](v0.7.0-alpha.3.md). See + [Configuration Properties](../../reference/configuration/properties.md) + for the authoritative list of supported properties and their corresponding + environment variable spellings. + + Apologies for introducing breaking changes in an RC build. + +!!! warning + This release renames roughly 100 configuration properties for naming + consistency ahead of the GA release. No aliases or backward-compatibility + shims exist. Update affected configuration before upgrading. + +* **Configuration properties renamed**. The renames consistently use kebab-case + segments and align related properties under shared namespaces. The full list of + old-to-new names follows, grouped by section. + + **CORS** + + | Old | New | + | --- | --- | + | `dt.cors.allow.credentials` | `dt.cors.allow-credentials` | + | `dt.cors.allow.headers` | `dt.cors.allowed-headers` | + | `dt.cors.allow.methods` | `dt.cors.allowed-methods` | + | `dt.cors.allow.origin` | `dt.cors.allowed-origins` | + | `dt.cors.expose.headers` | `dt.cors.exposed-headers` | + | `dt.cors.max.age` | `dt.cors.max-age` | + + **Durable execution engine** + + The run retention unit changed from an ISO-8601 duration to milliseconds. 
+ + | Old | New | + | --- | --- | + | `dt.dex-engine.maintenance.run-retention-duration=P1D` | `dt.dex-engine.maintenance.run-retention-ms=86400000` | + | `dt.dex-engine.maintenance.worker.initial-delay-ms` | `dt.dex-engine.maintenance.worker-initial-delay-ms` | + | `dt.dex-engine.maintenance.worker.interval-ms` | `dt.dex-engine.maintenance.worker-interval-ms` | + | `dt.dex-engine.metrics.collector.*` | `dt.dex-engine.metrics-collector.*` | + + **File storage** + + | Old | New | + | --- | --- | + | `dt.file-storage.local.compression.level` | `dt.file-storage.local.compression-level` | + | `dt.file-storage.s3.access.key` | `dt.file-storage.s3.access-key` | + | `dt.file-storage.s3.compression.level` | `dt.file-storage.s3.compression-level` | + | `dt.file-storage.s3.secret.key` | `dt.file-storage.s3.secret-key` | + + **General** + + | Old | New | + | --- | --- | + | `dt.config.log.values` | `dt.config.log-values` | + | `dt.data.directory` | `dt.data-directory` | + | `dt.telemetry.submission.enabled.default` | `dt.telemetry.submission.default-enabled` | + | `dt.tmp.delay.bom.processed.notification` | `dt.tmp.delay-bom-processed-notification` | + + **HTTP** + + The HTTP connect timeout unit changed from seconds to milliseconds. + Note that the standard `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables are still supported. 
+ + | Old | New | + | --- | --- | + | `dt.http.proxy.address` | `dt.http.proxy.host` | + | `dt.http.proxy.password` | `dt.http.proxy.auth.password` | + | `dt.http.proxy.username` | `dt.http.proxy.auth.username` | + | `dt.http.timeout.connection` (seconds) | `dt.http.connect-timeout-ms` (milliseconds, default `30000`) | + | `dt.no.proxy` | `dt.http.proxy.exclusions` | + + **Init tasks** + + | Old | New | + | --- | --- | + | `dt.init.and.exit` | `dt.init-tasks.exit-after-completion` | + | `dt.init.task.database.migration.enabled` | `dt.init-task.database-migration.enabled` | + | `dt.init.task.database.partition.maintenance.enabled` | `dt.init-task.database-partition-maintenance.enabled` | + | `dt.init.task.database.seeding.enabled` | `dt.init-task.database-seeding.enabled` | + | `dt.init.task.dex.engine.database.migration.enabled` | `dt.init-task.dex-engine-database-migration.enabled` | + | `dt.init.tasks.datasource.close-after-use` | `dt.init-tasks.datasource.close-after-completion` | + | `dt.init.tasks.datasource.name` | `dt.init-tasks.datasource.name` | + | `dt.init.tasks.enabled` | `dt.init-tasks.enabled` | + + **LDAP** + + | Old | New | + | --- | --- | + | `dt.ldap.attribute.mail` | `dt.ldap.mail-attribute` | + | `dt.ldap.attribute.name` | `dt.ldap.name-attribute` | + | `dt.ldap.auth.username.format` | `dt.ldap.username-format` | + | `dt.ldap.basedn` | `dt.ldap.base-dn` | + | `dt.ldap.bind.password` | `dt.ldap.bind-password` | + | `dt.ldap.bind.username` | `dt.ldap.bind-username` | + | `dt.ldap.groups.filter` | `dt.ldap.group-filter` | + | `dt.ldap.groups.search.filter` | `dt.ldap.group-search-filter` | + | `dt.ldap.security.auth` | `dt.ldap.security-auth` | + | `dt.ldap.server.url` | `dt.ldap.server-url` | + | `dt.ldap.team.synchronization` | `dt.ldap.team-synchronization` | + | `dt.ldap.user.groups.filter` | `dt.ldap.user-groups-filter` | + | `dt.ldap.user.provisioning` | `dt.ldap.user-provisioning` | + | `dt.ldap.users.search.filter` | 
`dt.ldap.user-search-filter` | + + **OIDC** + + | Old | New | + | --- | --- | + | `dt.oidc.auth.customizer` | `dt.oidc.auth-customizer` | + | `dt.oidc.client.id` | `dt.oidc.client-id` | + | `dt.oidc.team.synchronization` | `dt.oidc.team-synchronization` | + | `dt.oidc.teams.claim` | `dt.oidc.teams-claim` | + | `dt.oidc.teams.default` | `dt.oidc.default-teams` | + | `dt.oidc.user.provisioning` | `dt.oidc.user-provisioning` | + | `dt.oidc.username.claim` | `dt.oidc.username-claim` | + + **Task Scheduling** + + | Old | New | + | --- | --- | + | `dt.task.defect.dojo.upload.cron` | `dt.task.defect-dojo-upload.cron` | + | `dt.task.epss.mirror.cron` | `dt.task.epss-mirror.cron` | + | `dt.task.fortify.ssc.upload.cron` | `dt.task.fortify-ssc-upload.cron` | + | `dt.task.git.hub.advisory.mirror.cron` | `dt.task.github-advisory-vuln-data-source-mirror.cron` | + | `dt.task.kenna.security.upload.cron` | `dt.task.kenna-security-upload.cron` | + | `dt.task.metrics.maintenance.cron` | `dt.task.metrics-maintenance.cron` | + | `dt.task.nist.mirror.cron` | `dt.task.nvd-vuln-data-source-mirror.cron` | + | `dt.task.osv.mirror.cron` | `dt.task.osv-vuln-data-source-mirror.cron` | + | `dt.task.package.metadata.maintenance.cron` | `dt.task.package-metadata-maintenance.cron` | + | `dt.task.project.maintenance.cron` | `dt.task.project-maintenance.cron` | + | `dt.task.tag.maintenance.cron` | `dt.task.tag-maintenance.cron` | + | `dt.task.vulnerability-policy-bundle-sync.cron` | `dt.task.vuln-policy-bundle-sync.cron` | + | `dt.task.vulnerability.analysis.cron` | `dt.task.portfolio-analysis.cron` | + | `dt.task.vulnerability.database.maintenance.cron` | `dt.task.vuln-database-maintenance.cron` | + | `dt.task.vulnerability.metrics.update.cron` | `dt.task.vuln-metrics-update.cron` | + + **Vulnerability policy bundle** + + | Old | New | + | --- | --- | + | `dt.vulnerability.policy.bundle.auth.bearer.token` | `dt.vuln-policy-bundle.auth.bearer-token` | + | 
`dt.vulnerability.policy.bundle.auth.password` | `dt.vuln-policy-bundle.auth.password` | + | `dt.vulnerability.policy.bundle.auth.username` | `dt.vuln-policy-bundle.auth.username` | + | `dt.vulnerability.policy.bundle.url` | `dt.vuln-policy-bundle.url` | diff --git a/docs/reference/configuration/application.md b/docs/reference/configuration/application.md index 1ae903e..fd92920 100644 --- a/docs/reference/configuration/application.md +++ b/docs/reference/configuration/application.md @@ -44,7 +44,7 @@ secrets: ```ini linenums="1" dt.datasource.password=${file::/var/run/secrets/database-password} -dt.ldap.bind.password=${file::/var/run/secrets/ldap-bind-password} +dt.ldap.bind-password=${file::/var/run/secrets/ldap-bind-password} ``` The file is read once at startup, decoded as UTF-8, and trailing whitespace is stripped. Files @@ -102,7 +102,7 @@ values for the same flag. ## Debugging Configuration Resolution To verify whether config values are properly resolved and from which source, enable debug logging -via [`dt.config.log.values`](properties.md#dtconfiglogvalues) and +via [`dt.config.log-values`](properties.md#dtconfiglog-values) and [`dt.logging.level."io.smallrye.config"`](properties.md) set to `DEBUG`. !!! warning diff --git a/docs/reference/configuration/file-storage.md b/docs/reference/configuration/file-storage.md index 26cfe63..9558c4f 100644 --- a/docs/reference/configuration/file-storage.md +++ b/docs/reference/configuration/file-storage.md @@ -27,7 +27,7 @@ A shared persistent volume (for example, NFS) works well for this. Configuration: - [`dt.file-storage.local.directory`](properties.md#dtfile-storagelocaldirectory) -- [`dt.file-storage.local.compression.level`](properties.md#dtfile-storagelocalcompressionlevel) +- [`dt.file-storage.local.compression-level`](properties.md#dtfile-storagelocalcompressionlevel) ### S3 
@@ -41,8 +41,8 @@ and fail to start if it's not found. dt.file-storage.provider=s3 dt.file-storage.s3.endpoint=https://s3.amazonaws.com dt.file-storage.s3.bucket=dtrack-files -dt.file-storage.s3.access.key= -dt.file-storage.s3.secret.key= +dt.file-storage.s3.access-key= +dt.file-storage.s3.secret-key= dt.file-storage.s3.region=us-east-1 ``` @@ -50,10 +50,10 @@ Configuration: - [`dt.file-storage.s3.endpoint`](properties.md#dtfile-storages3endpoint) - [`dt.file-storage.s3.bucket`](properties.md#dtfile-storages3bucket) -- [`dt.file-storage.s3.access.key`](properties.md#dtfile-storages3accesskey) -- [`dt.file-storage.s3.secret.key`](properties.md#dtfile-storages3secretkey) +- [`dt.file-storage.s3.access-key`](properties.md#dtfile-storages3accesskey) +- [`dt.file-storage.s3.secret-key`](properties.md#dtfile-storages3secretkey) - [`dt.file-storage.s3.region`](properties.md#dtfile-storages3region) -- [`dt.file-storage.s3.compression.level`](properties.md#dtfile-storages3compressionlevel) +- [`dt.file-storage.s3.compression-level`](properties.md#dtfile-storages3compressionlevel) - [`dt.file-storage.s3.connect-timeout-ms`](properties.md#dtfile-storages3connect-timeout-ms) - [`dt.file-storage.s3.read-timeout-ms`](properties.md#dtfile-storages3read-timeout-ms) - [`dt.file-storage.s3.write-timeout-ms`](properties.md#dtfile-storages3write-timeout-ms) diff --git a/docs/reference/policies/vulnerability-policies.md b/docs/reference/policies/vulnerability-policies.md index 45c98a5..670a6b9 100644 --- a/docs/reference/policies/vulnerability-policies.md +++ b/docs/reference/policies/vulnerability-policies.md 
@@ -54,11 +54,11 @@ A policy can have up to three ratings. Each rating specifies a method (`CVSSv2`, | Property | Description | |:---------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------| -| [`dt.vulnerability.policy.bundle.url`](../configuration/properties.md#dtvulnerabilitypolicybundleurl) | HTTP(S) URL of the bundle ZIP | -| [`dt.vulnerability.policy.bundle.auth.username`](../configuration/properties.md#dtvulnerabilitypolicybundleauthusername) | Basic-auth username | -| [`dt.vulnerability.policy.bundle.auth.password`](../configuration/properties.md#dtvulnerabilitypolicybundleauthpassword) | Basic-auth password | -| [`dt.vulnerability.policy.bundle.auth.bearer.token`](../configuration/properties.md#dtvulnerabilitypolicybundleauthbearertoken) | Bearer token, used when basic-auth isn't set | -| [`dt.task.vulnerability-policy-bundle-sync.cron`](../configuration/properties.md#dttaskvulnerability-policy-bundle-synccron) | Cron expression for the scheduled sync | +| [`dt.vuln-policy-bundle.url`](../configuration/properties.md#dtvuln-policy-bundleurl) | HTTP(S) URL of the bundle ZIP | +| [`dt.vuln-policy-bundle.auth.username`](../configuration/properties.md#dtvuln-policy-bundleauthusername) | Basic-auth username | +| [`dt.vuln-policy-bundle.auth.password`](../configuration/properties.md#dtvuln-policy-bundleauthpassword) | Basic-auth password | +| [`dt.vuln-policy-bundle.auth.bearer-token`](../configuration/properties.md#dtvuln-policy-bundleauthbearer-token) | Bearer token, used when basic-auth isn't set | +| [`dt.task.vuln-policy-bundle-sync.cron`](../configuration/properties.md#dttaskvuln-policy-bundle-synccron) | Cron expression for the scheduled sync | ## Bundle layout From ee5201b3001c3ed3b70fbfb4368ff7d50f589eec Mon Sep 17 00:00:00 2001 
From: Niklas Date: Mon, 1 Jun 2026 00:46:11 +0200 Subject: [PATCH 2/3] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Niklas --- docs/reference/configuration/file-storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/configuration/file-storage.md b/docs/reference/configuration/file-storage.md index 9558c4f..54ddd5a 100644 --- a/docs/reference/configuration/file-storage.md +++ b/docs/reference/configuration/file-storage.md @@ -27,7 +27,7 @@ A shared persistent volume (for example, NFS) works well for this. Configuration: - [`dt.file-storage.local.directory`](properties.md#dtfile-storagelocaldirectory) -- [`dt.file-storage.local.compression-level`](properties.md#dtfile-storagelocalcompressionlevel) +- [`dt.file-storage.local.compression-level`](properties.md#dtfile-storagelocalcompression-level) ### S3 From e427017634db935d57f13e1112d6b22251db069f Mon Sep 17 00:00:00 2001 From: nscuro Date: Mon, 1 Jun 2026 00:48:30 +0200 Subject: [PATCH 3/3] Fix property links Signed-off-by: nscuro --- docs/reference/configuration/file-storage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference/configuration/file-storage.md b/docs/reference/configuration/file-storage.md index 54ddd5a..9f5f002 100644 --- a/docs/reference/configuration/file-storage.md +++ b/docs/reference/configuration/file-storage.md 
@@ -50,10 +50,10 @@ Configuration: - [`dt.file-storage.s3.endpoint`](properties.md#dtfile-storages3endpoint) - [`dt.file-storage.s3.bucket`](properties.md#dtfile-storages3bucket) -- [`dt.file-storage.s3.access-key`](properties.md#dtfile-storages3accesskey) -- [`dt.file-storage.s3.secret-key`](properties.md#dtfile-storages3secretkey) +- [`dt.file-storage.s3.access-key`](properties.md#dtfile-storages3access-key) +- [`dt.file-storage.s3.secret-key`](properties.md#dtfile-storages3secret-key) - [`dt.file-storage.s3.region`](properties.md#dtfile-storages3region) -- [`dt.file-storage.s3.compression-level`](properties.md#dtfile-storages3compressionlevel) +- [`dt.file-storage.s3.compression-level`](properties.md#dtfile-storages3compression-level) - [`dt.file-storage.s3.connect-timeout-ms`](properties.md#dtfile-storages3connect-timeout-ms) - [`dt.file-storage.s3.read-timeout-ms`](properties.md#dtfile-storages3read-timeout-ms) - [`dt.file-storage.s3.write-timeout-ms`](properties.md#dtfile-storages3write-timeout-ms)
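Review bot: In docs/guides/administration/configuring-ldap.md, every rewritten example block still carries `dt.ldap.bind-password=changeme` inline, while the proxy guide touched by this same patch tells readers to avoid plain-text passwords and application.md shows `dt.ldap.bind-password=${file::/var/run/secrets/ldap-bind-password}`. Since these lines are being rewritten anyway, consider switching the examples to the `${file::...}` form, or add a pointer to "Loading values from files" next to the first block. The same applies to the `ldap://` URLs combined with `dt.ldap.security-auth=simple`: only the Active Directory section mentions LDAPS as the production recommendation, so a short note covering all directory examples would help.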
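Review bot: In docs/guides/administration/configuring-vulnerability-sources.md, the added admonition ("The `dt.vuln-analyzer.*` namespace (analyzer extension point) is unchanged. Only mirror task cron properties were renamed.") is release-history wording inside an administration guide, and it will read oddly once rc.2 is no longer the current release. Suggest moving that sentence into the Task Scheduling section of v5.0.0-rc.2.md and leaving the guide with just the three current cron property names.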
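Review bot: In docs/guides/upgrading/v5.0.0-rc.2.md, the warning admonition says no aliases or shims exist for the renamed `dt.*` properties but does not say what the API server does when it still finds an old name such as `dt.ldap.bind.password` or `dt.http.proxy.address`; the danger block above it only covers `alpine.*` and unprefixed keys. Please state whether a stale `dt.*` key also aborts startup or is ignored. If it is ignored, the proxy guide's rule that the environment variables apply when `dt.http.proxy.host` has no value means a deployment that only set the old key would change its egress path without any error, and that deserves a sentence here. Two smaller points in the same file: the Init tasks table maps to both a `dt.init-task.` prefix (singular, the per-task flags) and a `dt.init-tasks.` prefix (plural), so please confirm the split is intended and say so; and the text says roughly 100 properties were renamed and that the full list follows, while the tables carry 71 rows, one of them a wildcard, so either the number or the "full list" wording needs adjusting.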
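Review bot: In docs/reference/configuration/file-storage.md, patch 1/3 updates the link text to `compression-level`, `access-key` and `secret-key` but leaves the anchors as `#dtfile-storagelocalcompressionlevel`, `#dtfile-storages3accesskey` and so on, so the links only become consistent after 2/3 and 3/3. Suggest squashing the two follow-ups into 1/3 so that no commit in the series ships mismatched anchors; the other files in 1/3 (for example `#dtvuln-policy-bundleurl` and `#dtconfiglog-values`) already use the hyphenated form. If 2/3 stays separate, its subject "Potential fix for pull request finding" should name the link it corrects.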