Merged PR 33251: Rebase with main / ES8 update

Also requires https://agiv.visualstudio.com/Metadata/_git/MetadataDcatAp/pullrequest/33239 Also contains 2 main editor UI changes : * geonetwork#7468 * geonetwork#7669 (not yet merged) but those changes will only be visible in advanced view. Not that many conflicts. Main migration required was in DCAT and XslUtil in getRecordResourceURI. Tested in DCAT record https://metadata.vlaanderen.be/srv/dut/catalog.search#/metadata/a5920c90-fc85-3e15-851a-61dd3eec85b8 which properly links. Related work items: #190764
Informatievlaanderen · May 6, 2024 · df2a4d1 · df2a4d1
2 parents f952a8b + 7bb1662
commit df2a4d1
Show file tree

Hide file tree

Showing 709 changed files with 21,085 additions and 9,831 deletions.
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -0,0 +1,25 @@
+name: ♻ Backport
+on:
+  pull_request_target:
+    types:
+      - closed
+      - labeled
+
+permissions:
+  contents: read
+
+jobs:
+  backport:
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+    runs-on: ubuntu-20.04
+    name: Backport
+    steps:
+      - name: Backport Bot
+        id: backport
+        if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( join( github.event.pull_request.labels.*.name ), 'backport') ) || contains( github.event.label.name, 'backport' ) )
+        uses: m-kuhn/[email protected]
+        with:
+          github_token: ${{ secrets.GH_TOKEN_BOT }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -43,7 +43,7 @@ jobs:
         show-progress: 'false'
 
     - name: Setup Java JDK
-      uses: actions/setup-java@v3.12.0
+      uses: actions/setup-java@v4.1.0
       with:
         java-version: 11
         # Java distribution. See the list of supported distributions in README file
@@ -55,7 +55,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -80,11 +80,8 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
 
     - name: Remove SNAPSHOT jars from repository
       run: |
         find ~/.m2/repository -name "*SNAPSHOT*" -type d | xargs rm -rf {}
-    - name: Remove Schema 3.8 jars from repository
-      run: |
-        find ~/.m2/repository -name "*3.8*" -type d | xargs rm -rf {}
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -22,7 +22,7 @@ jobs:
         submodules: 'recursive'
         show-progress: 'false'
     - name: Set up JDK
-      uses: actions/setup-java@v3.12.0
+      uses: actions/setup-java@v4.1.0
       with:
         distribution: 'temurin'
         java-version: ${{ matrix.jdk }}
@@ -35,18 +35,15 @@ jobs:
       working-directory: docs/manual
       run: pip install --upgrade pip && pip install -r requirements.txt
     - name: Set up Maven
-      uses: stCarolas/setup-maven@v4
+      uses: stCarolas/setup-maven@v5
       with:
-        maven-version: 3.6.3
+        maven-version: 3.8.3
     - name: Build with Maven
       run: |
-        mvn -B -ntp -V install -DskipTests=true -Dmaven.javadoc.skip=true -Pwith-doc
+        mvn -B -ntp -V install -DskipTests=true -Dmaven.javadoc.skip=true -Drelease -Pwith-doc
     - name: Remove SNAPSHOT jars from repository
       run: |
         find ~/.m2/repository -name "*SNAPSHOT*" -type d | xargs rm -rf {}
-    - name: Remove Schema 3.8 jars from repository
-      run: |
-        find ~/.m2/repository -name "*3.8*" -type d | xargs rm -rf {}
 
   QA:
     runs-on: ubuntu-22.04
@@ -58,22 +55,19 @@ jobs:
         submodules: 'recursive'
         show-progress: 'false'
     - name: Set up JDK
-      uses: actions/setup-java@v3.12.0
+      uses: actions/setup-java@v4.1.0
       with:
         distribution: 'temurin'
         java-version: 11
         cache: 'maven'
     - name: Set up Maven
-      uses: stCarolas/setup-maven@v4
+      uses: stCarolas/setup-maven@v5
       with:
-        maven-version: 3.6.3
+        maven-version: 3.8.3
     - name: Test with maven
       run: |
         mvn -B resources:resources@copy-index-schema-to-source -f web
-        mvn -B -ntp -V -fae verify -Pit
+        mvn -B -ntp -V -fae verify -Drelesae -Pit
     - name: Remove SNAPSHOT jars from repository
       run: |
         find ~/.m2/repository -name "*SNAPSHOT*" -type d | xargs rm -rf {}
-    - name: Remove Schema 3.8 jars from repository
-      run: |
-        find ~/.m2/repository -name "*3.8*" -type d | xargs rm -rf {}
diff --git a/.github/workflows/mvn-dep-tree.yml b/.github/workflows/mvn-dep-tree.yml
@@ -20,7 +20,7 @@ jobs:
           show-progress: 'false'
 
       - name: Setup Java JDK
-        uses: actions/setup-java@v3.12.0
+        uses: actions/setup-java@v4.1.0
         with:
           java-version: 11
           # Java distribution. See the list of supported distributions in README file
@@ -30,4 +30,4 @@ jobs:
           cache: maven
 
       - name: Submit Dependency Snapshot
-        uses: advanced-security/maven-dependency-submission-action@v3
+        uses: advanced-security/maven-dependency-submission-action@v4
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '26 10 * * 5'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
@@ -19,20 +19,26 @@ jobs:
           submodules: 'recursive'
           show-progress: 'false'
       - name: Set up JDK 11
-        uses: actions/setup-java@v3.12.0
+        uses: actions/setup-java@v4.1.0
         with:
           distribution: 'temurin'
           java-version: '11'
           cache: 'maven'
       - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
       - name: Build GN
         run: mvn -B package -DskipTests
 
+      - name: Set up JDK 21 # Sonarcloud analyzer needs at least JDK 17
+        uses: actions/[email protected]
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+          cache: 'maven'
       - name: Analyze with Sonar
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any

diff --git a/.gitignore b/.gitignore
@@ -28,6 +28,7 @@ eclipse/
 es/elasticsearch-*
 es/es-dashboards/kibana-*
 es/es-dashboards/data/nodes/
+es/es-dashboards/data/index/
 harvesters/harvester_*.log
 idea/
 jcs_caching/
@@ -39,8 +40,13 @@ release/jetty/*
 schemas/*/doc/*/*.rst
 schematrons/.build
 target/
+
+# build and release
 transifex/transifex-format/
 .env
+build/
+web-ui/LICENSE
+web-ui/tx
 
 # web-app, clear using: mvn -f web/pom.xml clean:clean@reset
 
@@ -70,6 +76,7 @@ web/src/main/webapp/WEB-INF/data/data/metadata_data
 web/src/main/webapp/WEB-INF/data/data/metadata_subversion
 web/src/main/webapp/WEB-INF/data/data/resources/htmlcache
 web/src/main/webapp/WEB-INF/data/data/resources/images
+web/src/main/webapp/WEB-INF/data/data/resources/schemapublication
 web/src/main/webapp/WEB-INF/data/data/resources/xml
 web/src/main/webapp/WEB-INF/data/data/upload/
 web/src/main/webapp/WEB-INF/data/harvester_*

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,31 +1,31 @@
 # Contributing
 
-Thank you for contributing to GeoNetwork:
+Thank you for contributing to GeoNetwork!
 
 * Free-software: GeoNetwork is free-software, using the [GNU GENERAL PUBLIC LICENSE](LICENSE.md). Contributions provided by you, or your employer, are required to be compatible with this free-software license.
 * Pull-request: GeoNetwork uses a pull-request workflow to review and accept changes. Pull-requests must be submitted against the *main* branch first, and may be back ported as required.
 
 # Pull requests
 
-* Pull request is required, even if you have commit access, so the tests are run and other developer can check your code.
+* Pull request is required, even if you have commit access, so the tests are run and another developer can check your code.
 
 * Pull requests must be applied to `main`, before being backported.
 
-* Before merging a pull request, should be defined the following properties:
+* Before merging a pull request, the following properties should be defined:
 
   - Milestone to include the change.
-  - Add the label `changelog` when  the change is relevant to be added to the release changelog file .
-  - Add the label(s) to the backport to previous branch(es), when the change is a bug fix or if it is a small improvement that may be relevant to the backport.
+  - Add the label `changelog` when the change is relevant to be added to the release changelog file.
+  - Add `backport <branch>` to indicate when the change is a bug fix or when it is a small improvement that is relevant to be backported.
 
-* Good housekeeping: Anytime you commit, try and clean the code around it to latest style guide. If you improve a function without comments: add comments. If you modify functionality that does not have tests: write a test. If you fix functionality without documentation: add documentation.
+* Good housekeeping: Anytime you commit, try and clean the code around it according to the latest style guide. If you improve a function without comments: _add comments!!_ If you modify functionality that does not have tests: _write a test!!_ If you fix functionality without documentation: _add documentation!!_
 
-* History: Clean commit messages and history: avoid big commits with hundreds of files, break commits up into understandable chunks, longer verbose commit messages are encouraged. Avoid reformatting and needless whitespace changes.
+* History: Clean commit messages and history. Avoid big commits with hundreds of files, break commits up into understandable chunks. Longer, verbose commit messages are encouraged. Avoid reformatting and needless whitespace changes.
 
-* Draft: Use pull request *Draft** (or even the text "WIP") to identify work in progress.
+* Draft: Use pull request **Draft** (or even the text "WIP") to identify _Work In Progress_.
 
-* Rebase / Squash and merge: No merge commits with current branch, use Rebase or Squash and merge!
+* Rebase / Squash and merge: Do not merge commits with the current branch, use Rebase or Squash and merge!
 
-* API Change: Please identify any API change or behavior changes in commit messages. Also make sure that a [process for deprecation](PROCESS_FOR_DEPRECATION.md) of a feature is carefully dealt with.
+* API Changes: Please identify any API change or behavior changes in commit messages. Also make sure that a [process for deprecation](PROCESS_FOR_DEPRECATION.md) of a feature is carefully dealt with.
 
 * Review: Review is required by another person, or more than one! Don't be shy asking for help or reviewing.
 

diff --git a/README.md b/README.md
@@ -36,3 +36,6 @@ Developer documentation located in ``README.md`` files in the code-base:
 * General documentation for the project as a whole is in this [README.md](README.md)
 * [Software Development Documentation](/software_development/) provides instructions for setting up a development environment, building GeoNetwork, compiling user documentation, and making a releases.
 * Module specific documentation can be found in each module:
+
+## Open Source Security Foundation (OpenSSF) best practices status
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8626/badge)](https://www.bestpractices.dev/projects/8626)
diff --git a/SECURITY.md b/SECURITY.md
@@ -2,7 +2,7 @@
 
 The GeoNetwork community takes the security of the software and all services based on the software product seriously. On this page you can find the versions for which the community provides security patches. 
 
-If you believe you have found a security vulnerability in the software or an implementation of the software, please report it to [email protected] as described below. Do not publish the vulnerability in any public forums (such as Twitter/X, email list or issue tracker).
+If you believe you have found a security vulnerability in the software or an implementation of the software, please report it [here](https://github.com/geonetwork/core-geonetwork/security/advisories/new) as described below. Do not publish the vulnerability in any public forums (such as Twitter/X, email list or issue tracker).
 
 ## Supported Versions
 
@@ -23,8 +23,8 @@ If your organisation is making use of a GeoNetwork version that is no longer in
 
 If you encounter a security vulnerability in GeoNetwork please take care to report in a responsible fashion:
 
-* Keep exploit details out of mailing list and issue tracker (send details to the Project Steering Committee via [email protected])
+* Keep exploit details out of mailing list and issue tracker (instead provide details to the Project Steering Committee via the GitHub [Report a vulnerability](https://github.com/geonetwork/core-geonetwork/security/advisories/new) option link at the top of this page or send an email to [email protected])
 * Be prepared to work with community members on a solution
-* Keep in mind community members are volunteers and an extensive fix may require fundraising / resources
+* Keep in mind that community members are volunteers and an extensive fix may require fundraising / resources
 
 For more information see [How to contribute](https://github.com/geonetwork/core-geonetwork/wiki/How-to-contribute).
diff --git a/cachingxslt/pom.xml b/cachingxslt/pom.xml
@@ -31,7 +31,7 @@
   <parent>
     <groupId>org.geonetwork-opensource</groupId>
     <artifactId>geonetwork</artifactId>
-    <version>4.4.2-SNAPSHOT</version>
+    <version>4.4.5-SNAPSHOT</version>
   </parent>
 
 

diff --git a/common/pom.xml b/common/pom.xml
@@ -31,7 +31,7 @@
   <parent>
     <groupId>org.geonetwork-opensource</groupId>
     <artifactId>geonetwork</artifactId>
-    <version>4.4.2-SNAPSHOT</version>
+    <version>4.4.5-SNAPSHOT</version>
   </parent>
 
 
@@ -175,8 +175,6 @@
     <dependency>
       <groupId>org.json</groupId>
       <artifactId>json</artifactId>
-      <version>20140107</version>
-      <scope>compile</scope>
     </dependency>
     <dependency>
       <groupId>org.bitbucket.cowwoc</groupId>