Add upgrade notes for 5.0.0-rc.2

docs/concepts/architecture/design/durable-execution.md

@@ -691,7 +691,7 @@ mechanism.
 ### Maintenance
 
 A leader-only maintenance worker periodically deletes terminal workflow runs older than
-[`dt.dex-engine.maintenance.run-retention-duration`](../../../reference/configuration/properties.md#dtdex-enginemaintenancerun-retention-duration).
+[`dt.dex-engine.maintenance.run-retention-ms`](../../../reference/configuration/properties.md#dtdex-enginemaintenancerun-retention-ms).
 Deletion happens in batches of [`dt.dex-engine.maintenance.run-deletion-batch-size`](../../../reference/configuration/properties.md#dtdex-enginemaintenancerun-deletion-batch-size)
 rows using `FOR NO KEY UPDATE SKIP LOCKED` to coexist with active workloads.
 Cascade foreign keys remove the associated history, inbox, and task rows in the same transaction.

docs/guides/administration/configuring-http-proxy.md

@@ -16,32 +16,32 @@ user's browser; any requests it appears to make actually originate from the brow
 
 The API server reads proxy settings from two sources, in this order:
 
-1. App properties (`dt.http.proxy.*`, `dt.no.proxy`).
+1. App properties (`dt.http.proxy.*`).
 2. The standard `HTTPS_PROXY`, `HTTP_PROXY`, and `NO_PROXY` environment variables.
 
-If `dt.http.proxy.address` has a value, app properties win and the API server ignores the environment variables.
+If `dt.http.proxy.host` has a value, app properties win and the API server ignores the environment variables.
 Otherwise, the API server falls back to the environment.
 
 ## Configuring via app properties
 
 Set the following properties (see [Application configuration](../../reference/configuration/application.md#environment-variable-mapping)
 for how property names map to environment variables):
 
-- [`dt.http.proxy.address`](../../reference/configuration/properties.md#dthttpproxyaddress): proxy hostname or IP address.
+- [`dt.http.proxy.host`](../../reference/configuration/properties.md#dthttpproxyhost): proxy hostname or IP address.
 - [`dt.http.proxy.port`](../../reference/configuration/properties.md#dthttpproxyport): proxy port. Required when
-  `dt.http.proxy.address` has a value.
-- [`dt.http.proxy.username`](../../reference/configuration/properties.md#dthttpproxyusername): optional, for
+  `dt.http.proxy.host` has a value.
+- [`dt.http.proxy.auth.username`](../../reference/configuration/properties.md#dthttpproxyauthusername): optional, for
   authenticated proxies.
-- [`dt.http.proxy.password`](../../reference/configuration/properties.md#dthttpproxypassword): optional, for
+- [`dt.http.proxy.auth.password`](../../reference/configuration/properties.md#dthttpproxyauthpassword): optional, for
   authenticated proxies.
-- [`dt.no.proxy`](../../reference/configuration/properties.md#dtnoproxy): comma-separated bypass list.
+- [`dt.http.proxy.exclusions`](../../reference/configuration/properties.md#dthttpproxyexclusions): comma-separated bypass list.
 
 Example:
 
 ```properties linenums="1"
-dt.http.proxy.address=proxy.example.com
+dt.http.proxy.host=proxy.example.com
 dt.http.proxy.port=8080
-dt.no.proxy=localhost,127.0.0.1,example.com
+dt.http.proxy.exclusions=localhost,127.0.0.1,example.com
 ```
 
 ## Configuring via standard environment variables
@@ -62,7 +62,7 @@ The API server uses the same proxy for both HTTP and HTTPS upstream calls. URIs
 
 ## Bypass list
 
-Both `dt.no.proxy` and `NO_PROXY` accept a comma-separated list of entries. Each entry takes the form of either a
+Both `dt.http.proxy.exclusions` and `NO_PROXY` accept a comma-separated list of entries. Each entry takes the form of either a
 hostname or IP address, optionally with `:port`. CIDR ranges, IP-address ranges, leading-dot notation, and protocol
 schemes are not supported.
 
@@ -75,15 +75,15 @@ The matching rules are:
 - If an entry includes a port (`host:port`), the host must match (exact or subdomain) and the port must match exactly.
 - Only `http` and `https` URIs go through the proxy; other schemes always bypass it.
 
-For example, given `dt.no.proxy=example.com,localhost:5432`:
+For example, given `dt.http.proxy.exclusions=example.com,localhost:5432`:
 
 - `https://api.example.com/` bypasses the proxy (subdomain match).
 - `https://localhost:5432/` bypasses the proxy (host and port match).
 - `https://localhost:5433/` goes through the proxy (port mismatch).
 
 ## Authenticated proxies
 
-For Basic-authenticated proxies, set `dt.http.proxy.username` and `dt.http.proxy.password`. Avoid placing the password
+For Basic-authenticated proxies, set `dt.http.proxy.auth.username` and `dt.http.proxy.auth.password`. Avoid placing the password
 in plain text; see [Loading values from files](../../reference/configuration/application.md#loading-values-from-files).
 
 For NTLM-authenticated proxies, supply the username in `domain\username` form. The API server splits on the first

docs/guides/administration/configuring-ldap.md

@@ -36,18 +36,18 @@ Enable LDAP and configure the server connection:
 
 ```properties linenums="1"
 dt.ldap.enabled=true
-dt.ldap.server.url=ldap://ldap.example.com:389
-dt.ldap.basedn=dc=example,dc=com
-dt.ldap.security.auth=simple
-dt.ldap.bind.username=cn=dt-service,dc=example,dc=com
-dt.ldap.bind.password=changeme
-dt.ldap.auth.username.format=uid={0},ou=users,dc=example,dc=com
-dt.ldap.attribute.name=cn
-dt.ldap.attribute.mail=mail
+dt.ldap.server-url=ldap://ldap.example.com:389
+dt.ldap.base-dn=dc=example,dc=com
+dt.ldap.security-auth=simple
+dt.ldap.bind-username=cn=dt-service,dc=example,dc=com
+dt.ldap.bind-password=changeme
+dt.ldap.username-format=uid={0},ou=users,dc=example,dc=com
+dt.ldap.name-attribute=cn
+dt.ldap.mail-attribute=mail
 ```
 
 !!! tip
-    Dependency-Track substitutes the `{0}` placeholder in `dt.ldap.auth.username.format`
+    Dependency-Track substitutes the `{0}` placeholder in `dt.ldap.username-format`
     with the username entered at login.
 
 ### User provisioning
@@ -57,7 +57,7 @@ user logs in. Otherwise, an administrator must create each account before its us
 log in.
 
 ```properties
-dt.ldap.user.provisioning=true
+dt.ldap.user-provisioning=true
 ```
 
 ### Team synchronisation
@@ -66,11 +66,11 @@ When enabled, Dependency-Track keeps team membership in sync with LDAP group mem
 Map teams to LDAP groups under **Administration > Access Management > Teams**.
 
 ```properties
-dt.ldap.team.synchronization=true
-dt.ldap.groups.filter=(&(objectClass=groupOfUniqueNames))
-dt.ldap.user.groups.filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))
-dt.ldap.groups.search.filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*))
-dt.ldap.users.search.filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*))
+dt.ldap.team-synchronization=true
+dt.ldap.group-filter=(&(objectClass=groupOfUniqueNames))
+dt.ldap.user-groups-filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))
+dt.ldap.group-search-filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*))
+dt.ldap.user-search-filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*))
 ```
 
 !!! tip
@@ -91,18 +91,18 @@ Users typically authenticate with their User Principal Name (`user@domain.com`).
 
 ```properties linenums="1"
 dt.ldap.enabled=true
-dt.ldap.server.url=ldap://ldap.example.com:3268
-dt.ldap.basedn=dc=example,dc=com
-dt.ldap.security.auth=simple
-dt.ldap.bind.username=CN=DT Service Account,DC=example,DC=com
-dt.ldap.bind.password=changeme
-dt.ldap.auth.username.format={0}@example.com
-dt.ldap.attribute.name=userPrincipalName
-dt.ldap.attribute.mail=mail
-dt.ldap.groups.filter=(&(objectClass=group)(objectCategory=Group))
-dt.ldap.user.groups.filter=(&(objectClass=group)(objectCategory=Group)(member:1.2.840.113556.1.4.1941:={USER_DN}))
-dt.ldap.groups.search.filter=(&(objectClass=group)(objectCategory=Group)(cn=*{SEARCH_TERM}*))
-dt.ldap.users.search.filter=(&(objectClass=user)(objectCategory=Person)(cn=*{SEARCH_TERM}*))
+dt.ldap.server-url=ldap://ldap.example.com:3268
+dt.ldap.base-dn=dc=example,dc=com
+dt.ldap.security-auth=simple
+dt.ldap.bind-username=CN=DT Service Account,DC=example,DC=com
+dt.ldap.bind-password=changeme
+dt.ldap.username-format={0}@example.com
+dt.ldap.name-attribute=userPrincipalName
+dt.ldap.mail-attribute=mail
+dt.ldap.group-filter=(&(objectClass=group)(objectCategory=Group))
+dt.ldap.user-groups-filter=(&(objectClass=group)(objectCategory=Group)(member:1.2.840.113556.1.4.1941:={USER_DN}))
+dt.ldap.group-search-filter=(&(objectClass=group)(objectCategory=Group)(cn=*{SEARCH_TERM}*))
+dt.ldap.user-search-filter=(&(objectClass=user)(objectCategory=Person)(cn=*{SEARCH_TERM}*))
 ```
 
 !!! tip
@@ -113,43 +113,43 @@ dt.ldap.users.search.filter=(&(objectClass=user)(objectCategory=Person)(cn=*{SEA
 For LDAPS (recommended in production), change the port to `3269` and update the URL:
 
 ```properties
-dt.ldap.server.url=ldaps://ldap.example.com:3269
+dt.ldap.server-url=ldaps://ldap.example.com:3269
 ```
 
 ### ApacheDS
 
 ```properties linenums="1"
 dt.ldap.enabled=true
-dt.ldap.server.url=ldap://ldap.example.com:389
-dt.ldap.basedn=dc=example,dc=com
-dt.ldap.security.auth=simple
-dt.ldap.bind.username=uid=admin,ou=system
-dt.ldap.bind.password=changeme
-dt.ldap.auth.username.format=uid={0},ou=users,dc=example,dc=com
-dt.ldap.attribute.name=cn
-dt.ldap.attribute.mail=mail
-dt.ldap.groups.filter=(&(objectClass=groupOfUniqueNames))
-dt.ldap.user.groups.filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))
-dt.ldap.groups.search.filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*))
-dt.ldap.users.search.filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*))
+dt.ldap.server-url=ldap://ldap.example.com:389
+dt.ldap.base-dn=dc=example,dc=com
+dt.ldap.security-auth=simple
+dt.ldap.bind-username=uid=admin,ou=system
+dt.ldap.bind-password=changeme
+dt.ldap.username-format=uid={0},ou=users,dc=example,dc=com
+dt.ldap.name-attribute=cn
+dt.ldap.mail-attribute=mail
+dt.ldap.group-filter=(&(objectClass=groupOfUniqueNames))
+dt.ldap.user-groups-filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))
+dt.ldap.group-search-filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*))
+dt.ldap.user-search-filter=(&(objectClass=inetOrgPerson)(cn=*{SEARCH_TERM}*))
 ```
 
 ### Fedora 389 Directory Server
 
 ```properties linenums="1"
 dt.ldap.enabled=true
-dt.ldap.server.url=ldap://ldap.example.com:389
-dt.ldap.basedn=dc=example,dc=com
-dt.ldap.security.auth=simple
-dt.ldap.bind.username=cn=Directory Manager
-dt.ldap.bind.password=changeme
-dt.ldap.auth.username.format=uid={0},ou=people,dc=example,dc=com
-dt.ldap.attribute.name=uid
-dt.ldap.attribute.mail=mail
-dt.ldap.groups.filter=(&(objectClass=groupOfUniqueNames))
-dt.ldap.user.groups.filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))
-dt.ldap.groups.search.filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*))
-dt.ldap.users.search.filter=(&(objectClass=inetOrgPerson)(uid=*{SEARCH_TERM}*))
+dt.ldap.server-url=ldap://ldap.example.com:389
+dt.ldap.base-dn=dc=example,dc=com
+dt.ldap.security-auth=simple
+dt.ldap.bind-username=cn=Directory Manager
+dt.ldap.bind-password=changeme
+dt.ldap.username-format=uid={0},ou=people,dc=example,dc=com
+dt.ldap.name-attribute=uid
+dt.ldap.mail-attribute=mail
+dt.ldap.group-filter=(&(objectClass=groupOfUniqueNames))
+dt.ldap.user-groups-filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))
+dt.ldap.group-search-filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*))
+dt.ldap.user-search-filter=(&(objectClass=inetOrgPerson)(uid=*{SEARCH_TERM}*))
 ```
 
 ### NetIQ / Novell eDirectory
@@ -158,18 +158,18 @@ eDirectory typically uses LDAPS on port 636 and an organisation-based DN structu
 
 ```properties linenums="1"
 dt.ldap.enabled=true
-dt.ldap.server.url=ldaps://ldap.example.com:636
-dt.ldap.basedn=o=example
-dt.ldap.security.auth=simple
-dt.ldap.bind.username=cn=admin,o=example
-dt.ldap.bind.password=changeme
-dt.ldap.auth.username.format=uid={0},ou=users,o=example
-dt.ldap.attribute.name=uid
-dt.ldap.attribute.mail=mail
-dt.ldap.groups.filter=(&(objectClass=groupOfUniqueNames))
-dt.ldap.user.groups.filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))
-dt.ldap.groups.search.filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*))
-dt.ldap.users.search.filter=(&(objectClass=inetOrgPerson)(uid=*{SEARCH_TERM}*))
+dt.ldap.server-url=ldaps://ldap.example.com:636
+dt.ldap.base-dn=o=example
+dt.ldap.security-auth=simple
+dt.ldap.bind-username=cn=admin,o=example
+dt.ldap.bind-password=changeme
+dt.ldap.username-format=uid={0},ou=users,o=example
+dt.ldap.name-attribute=uid
+dt.ldap.mail-attribute=mail
+dt.ldap.group-filter=(&(objectClass=groupOfUniqueNames))
+dt.ldap.user-groups-filter=(&(objectClass=groupOfUniqueNames)(uniqueMember={USER_DN}))
+dt.ldap.group-search-filter=(&(objectClass=groupOfUniqueNames)(cn=*{SEARCH_TERM}*))
+dt.ldap.user-search-filter=(&(objectClass=inetOrgPerson)(uid=*{SEARCH_TERM}*))
 ```
 
 ---

docs/guides/administration/configuring-oidc.md

@@ -34,16 +34,16 @@ for how property names map to environment variables.
 ```properties linenums="1"
 dt.oidc.enabled=true
 dt.oidc.issuer=https://idp.example.com
-dt.oidc.client.id=dependency-track
-dt.oidc.username.claim=preferred_username
+dt.oidc.client-id=dependency-track
+dt.oidc.username-claim=preferred_username
 ```
 
 ### User provisioning
 
 When enabled, Dependency-Track creates user accounts automatically on first login:
 
 ```properties
-dt.oidc.user.provisioning=true
+dt.oidc.user-provisioning=true
 ```
 
 ### Team synchronisation
@@ -56,8 +56,8 @@ easiest to emit. Map teams to those group names under
 **Administration > Access Management > Teams**.
 
 ```properties
-dt.oidc.team.synchronization=true
-dt.oidc.teams.claim=groups
+dt.oidc.team-synchronization=true
+dt.oidc.teams-claim=groups
 ```
 
 ## Frontend configuration
@@ -101,8 +101,8 @@ etc.) to match your environment.
 
 ```properties
 dt.oidc.issuer=https://keycloak.example.com/realms/your-realm
-dt.oidc.client.id=dependency-track
-dt.oidc.username.claim=preferred_username
+dt.oidc.client-id=dependency-track
+dt.oidc.username-claim=preferred_username
 ```
 
 ### Microsoft Entra ID (Azure AD)
@@ -115,8 +115,8 @@ dt.oidc.username.claim=preferred_username
 
 ```properties
 dt.oidc.issuer=https://login.microsoftonline.com/<tenant-id>/v2.0
-dt.oidc.client.id=<application-client-id>
-dt.oidc.username.claim=preferred_username
+dt.oidc.client-id=<application-client-id>
+dt.oidc.username-claim=preferred_username
 ```
 
 !!! note
@@ -134,8 +134,8 @@ dt.oidc.username.claim=preferred_username
 
 ```properties
 dt.oidc.issuer=https://your-tenant.auth0.com/
-dt.oidc.client.id=<auth0-client-id>
-dt.oidc.username.claim=nickname
+dt.oidc.client-id=<auth0-client-id>
+dt.oidc.username-claim=nickname
 ```
 
 ### GitLab
@@ -146,8 +146,8 @@ dt.oidc.username.claim=nickname
 
 ```properties
 dt.oidc.issuer=https://gitlab.com
-dt.oidc.client.id=<application-id>
-dt.oidc.username.claim=nickname
+dt.oidc.client-id=<application-id>
+dt.oidc.username-claim=nickname
 ```
 
 For self-hosted GitLab, replace `https://gitlab.com` with your GitLab instance URL.
@@ -160,8 +160,8 @@ For self-hosted GitLab, replace `https://gitlab.com` with your GitLab instance U
 
 ```properties
 dt.oidc.issuer=https://accounts.google.com
-dt.oidc.client.id=<client-id>.apps.googleusercontent.com
-dt.oidc.username.claim=email
+dt.oidc.client-id=<client-id>.apps.googleusercontent.com
+dt.oidc.username-claim=email
 ```
 
 !!! warning
@@ -188,8 +188,8 @@ dt.oidc.username.claim=email
 
 ```properties
 dt.oidc.issuer=https://your-subdomain.onelogin.com/oidc/2
-dt.oidc.client.id=<client-id>
-dt.oidc.username.claim=preferred_username
+dt.oidc.client-id=<client-id>
+dt.oidc.username-claim=preferred_username
 ```
 
 ### AWS Cognito
@@ -203,8 +203,8 @@ dt.oidc.username.claim=preferred_username
 
 ```properties
 dt.oidc.issuer=https://cognito-idp.<region>.amazonaws.com/<user-pool-id>
-dt.oidc.client.id=<app-client-id>
-dt.oidc.username.claim=cognito:username
+dt.oidc.client-id=<app-client-id>
+dt.oidc.username-claim=cognito:username
 ```
 
 ---

docs/guides/administration/configuring-vulnerability-sources.md

@@ -81,10 +81,14 @@ what each mirror is doing.
 Each source has its own cron property. Mirrors also run on instance startup. To change the schedule, set the
 corresponding property:
 
-- NVD: [`dt.task.nist.mirror.cron`](../../reference/configuration/properties.md#dttasknistmirrorcron)
+- NVD: [`dt.task.nvd-vuln-data-source-mirror.cron`](../../reference/configuration/properties.md#dttasknvd-vuln-data-source-mirrorcron)
 - GitHub advisories:
-  [`dt.task.git.hub.advisory.mirror.cron`](../../reference/configuration/properties.md#dttaskgithubadvisorymirrorcron)
-- OSV: [`dt.task.osv.mirror.cron`](../../reference/configuration/properties.md#dttaskosvmirrorcron)
+  [`dt.task.github-advisory-vuln-data-source-mirror.cron`](../../reference/configuration/properties.md#dttaskgithub-advisory-vuln-data-source-mirrorcron)
+- OSV: [`dt.task.osv-vuln-data-source-mirror.cron`](../../reference/configuration/properties.md#dttaskosv-vuln-data-source-mirrorcron)
+
+!!! note
+    The `dt.vuln-analyzer.*` namespace (analyzer extension point) is unchanged.
+    Only mirror task cron properties were renamed.
 
 ## Verifying findings
 

docs/guides/upgrading/.pages

@@ -1,6 +1,7 @@
 title: Upgrade guides
 nav:
   - index.md
+  - v5.0.0-rc.2.md
   - v5.0.0-rc.1.md
   - v0.7.0-alpha.9.md
   - v0.7.0-alpha.8.md