DependencyTrack
diff --git a/‎src/main/java/org/dependencytrack/integrations/kenna/KennaDataTransformer.java
+2-1 b/‎src/main/java/org/dependencytrack/integrations/kenna/KennaDataTransformer.java
+2-1
diff --git a/‎src/main/java/org/dependencytrack/model/NotificationRule.java
+4-5 b/‎src/main/java/org/dependencytrack/model/NotificationRule.java
+4-5
diff --git a/‎src/main/java/org/dependencytrack/model/Policy.java
+9-9 b/‎src/main/java/org/dependencytrack/model/Policy.java
+9-9
diff --git a/‎src/main/java/org/dependencytrack/model/Project.java
+4-5 b/‎src/main/java/org/dependencytrack/model/Project.java
+4-5
diff --git a/‎src/main/java/org/dependencytrack/model/Tag.java
+22-26 b/‎src/main/java/org/dependencytrack/model/Tag.java
+22-26
diff --git a/‎src/main/java/org/dependencytrack/model/Vulnerability.java
+9-9 b/‎src/main/java/org/dependencytrack/model/Vulnerability.java
+9-9
diff --git a/‎src/main/java/org/dependencytrack/parser/dependencytrack/NotificationModelConverter.java
+1-1 b/‎src/main/java/org/dependencytrack/parser/dependencytrack/NotificationModelConverter.java
+1-1
diff --git a/‎src/main/java/org/dependencytrack/persistence/NotificationQueryManager.java
+4-3 b/‎src/main/java/org/dependencytrack/persistence/NotificationQueryManager.java
+4-3
diff --git a/‎src/main/java/org/dependencytrack/persistence/PolicyQueryManager.java
+4-2 b/‎src/main/java/org/dependencytrack/persistence/PolicyQueryManager.java
+4-2
@@ -36,6 +36,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import static org.dependencytrack.persistence.jdbi.JdbiFactory.withJdbiHandle;
 
@@ -115,7 +116,7 @@ private JSONObject generateKdiAsset(final Project project, final String external
         asset.put("application", application);
         asset.put("external_id", externalId);
         // If the project has tags, add them to the KDI
-        final List<Tag> tags = project.getTags();
+        final Set<Tag> tags = project.getTags();
         if (CollectionUtils.isNotEmpty(tags)) {
             final ArrayList<String> tagArray = new ArrayList<>();
             for (final Tag tag: tags) {
 
@@ -119,10 +119,9 @@ public class NotificationRule implements Serializable {
     private List<Project> projects;
 
     @Persistent(table = "NOTIFICATIONRULE_TAGS", defaultFetchGroup = "true", mappedBy = "notificationRules")
-    @Join(column = "NOTIFICATIONRULE_ID", foreignKey = "NOTIFICATIONRULE_TAGS_NOTIFICATIONRULE_FK", deleteAction = ForeignKeyAction.CASCADE)
+    @Join(column = "NOTIFICATIONRULE_ID", primaryKey = "NOTIFICATIONRULE_TAGS_PK", foreignKey = "NOTIFICATIONRULE_TAGS_NOTIFICATIONRULE_FK", deleteAction = ForeignKeyAction.CASCADE)
     @Element(column = "TAG_ID", foreignKey = "NOTIFICATIONRULE_TAGS_TAG_FK", deleteAction = ForeignKeyAction.CASCADE)
-    @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "name ASC"))
-    private List<Tag> tags;
+    private Set<Tag> tags;
 
     @Persistent(table = "NOTIFICATIONRULE_TEAMS", defaultFetchGroup = "true")
     @Join(column = "NOTIFICATIONRULE_ID", primaryKey = "NOTIFICATIONRULE_TEAMS_PK", foreignKey = "NOTIFICATIONRULE_TEAMS_NOTIFICATIONRULE_FK", deleteAction = ForeignKeyAction.CASCADE)
@@ -223,11 +222,11 @@ public void setProjects(List<Project> projects) {
         this.projects = projects;
     }
 
-    public List<Tag> getTags() {
+    public Set<Tag> getTags() {
         return tags;
     }
 
-    public void setTags(final List<Tag> tags) {
+    public void setTags(final Set<Tag> tags) {
         this.tags = tags;
     }
 
 
@@ -23,6 +23,10 @@
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
 import javax.jdo.annotations.Column;
 import javax.jdo.annotations.Element;
 import javax.jdo.annotations.Extension;
@@ -35,13 +39,10 @@
 import javax.jdo.annotations.Persistent;
 import javax.jdo.annotations.PrimaryKey;
 import javax.jdo.annotations.Unique;
-import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.NotNull;
-import jakarta.validation.constraints.Pattern;
-import jakarta.validation.constraints.Size;
 import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
 import java.util.UUID;
 
 /**
@@ -122,10 +123,9 @@ public enum ViolationState {
      * A list of zero-to-n tags
      */
     @Persistent(table = "POLICY_TAGS", defaultFetchGroup = "true", mappedBy = "policies")
-    @Join(column = "POLICY_ID", foreignKey = "POLICY_TAGS_POLICY_FK", deleteAction = ForeignKeyAction.CASCADE)
+    @Join(column = "POLICY_ID", primaryKey = "POLICY_TAGS_PK", foreignKey = "POLICY_TAGS_POLICY_FK", deleteAction = ForeignKeyAction.CASCADE)
     @Element(column = "TAG_ID", foreignKey = "POLICY_TAGS_TAG_FK", deleteAction = ForeignKeyAction.CASCADE)
-    @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "name ASC"))
-    private List<Tag> tags;
+    private Set<Tag> tags;
 
     /**
      * The unique identifier of the object.
@@ -206,11 +206,11 @@ public boolean isGlobal() {
         return (projects == null || projects.size() == 0) && (tags == null || tags.size() == 0);
     }
 
-    public List<Tag> getTags() {
+    public Set<Tag> getTags() {
         return tags;
     }
 
-    public void setTags(List<Tag> tags) {
+    public void setTags(Set<Tag> tags) {
         this.tags = tags;
     }
 
 
@@ -265,10 +265,9 @@ public enum FetchGroup {
     private List<ProjectProperty> properties;
 
     @Persistent(table = "PROJECTS_TAGS", defaultFetchGroup = "true", mappedBy = "projects")
-    @Join(column = "PROJECT_ID", foreignKey = "PROJECTS_TAGS_PROJECT_FK", deleteAction = ForeignKeyAction.CASCADE)
+    @Join(column = "PROJECT_ID", primaryKey = "PROJECTS_TAGS_PK", foreignKey = "PROJECTS_TAGS_PROJECT_FK", deleteAction = ForeignKeyAction.CASCADE)
     @Element(column = "TAG_ID", foreignKey = "PROJECTS_TAGS_TAG_FK", deleteAction = ForeignKeyAction.CASCADE)
-    @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "name ASC"))
-    private List<Tag> tags;
+    private Set<Tag> tags;
 
     /**
      * Convenience field which will contain the date of the last entry in the {@link Bom} table
@@ -487,11 +486,11 @@ public void setProperties(List<ProjectProperty> properties) {
         this.properties = properties;
     }
 
-    public List<Tag> getTags() {
+    public Set<Tag> getTags() {
         return tags;
     }
 
-    public void setTags(List<Tag> tags) {
+    public void setTags(Set<Tag> tags) {
         this.tags = tags;
     }
 
 
@@ -24,19 +24,18 @@
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
 import javax.jdo.annotations.Column;
-import javax.jdo.annotations.Extension;
 import javax.jdo.annotations.IdGeneratorStrategy;
-import javax.jdo.annotations.Order;
+import javax.jdo.annotations.Index;
 import javax.jdo.annotations.PersistenceCapable;
 import javax.jdo.annotations.Persistent;
 import javax.jdo.annotations.PrimaryKey;
-import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.Pattern;
-import jakarta.validation.constraints.Size;
 import java.io.Serializable;
-import java.util.List;
 import java.util.Objects;
+import java.util.Set;
 
 /**
  * Model for assigning tags to specific objects.
@@ -64,6 +63,7 @@ public Tag(final String name) {
 
     @Persistent
     @Column(name = "NAME", allowsNull = "false")
+    @Index(name = "TAG_NAME_IDX", unique = "true")
     @NotBlank
     @Size(min = 1, max = 255)
     @JsonDeserialize(using = TrimmedStringDeserializer.class)
@@ -72,23 +72,19 @@ public Tag(final String name) {
 
     @Persistent
     @JsonIgnore
-    @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "name ASC"))
-    private List<Policy> policies;
+    private Set<Policy> policies;
 
     @Persistent
     @JsonIgnore
-    @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "name ASC"))
-    private List<Project> projects;
+    private Set<Project> projects;
 
     @Persistent
     @JsonIgnore
-    @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "vulnId ASC"))
-    private List<Vulnerability> vulnerabilities;
+    private Set<Vulnerability> vulnerabilities;
 
     @Persistent
     @JsonIgnore
-    @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "name ASC"))
-    private List<NotificationRule> notificationRules;
+    private Set<NotificationRule> notificationRules;
 
     public long getId() {
         return id;
@@ -106,48 +102,48 @@ public void setName(String name) {
         this.name = name;
     }
 
-    public List<Policy> getPolicies() {
+    public Set<Policy> getPolicies() {
         return policies;
     }
 
-    public void setPolicies(List<Policy> policies) {
+    public void setPolicies(Set<Policy> policies) {
         this.policies = policies;
     }
 
-    public List<Project> getProjects() {
+    public Set<Project> getProjects() {
         return projects;
     }
 
-    public void setProjects(List<Project> projects) {
+    public void setProjects(Set<Project> projects) {
         this.projects = projects;
     }
 
-    public List<Vulnerability> getVulnerabilities() {
+    public Set<Vulnerability> getVulnerabilities() {
         return vulnerabilities;
     }
 
-    public void setVulnerabilities(List<Vulnerability> vulnerabilities) {
+    public void setVulnerabilities(Set<Vulnerability> vulnerabilities) {
         this.vulnerabilities = vulnerabilities;
     }
 
-    public List<NotificationRule> getNotificationRules() {
+    public Set<NotificationRule> getNotificationRules() {
         return notificationRules;
     }
 
-    public void setNotificationRules(final List<NotificationRule> notificationRules) {
+    public void setNotificationRules(final Set<NotificationRule> notificationRules) {
         this.notificationRules = notificationRules;
     }
 
     @Override
-    public boolean equals(Object object) {
-        if (object instanceof Tag) {
-            return this.id == ((Tag) object).id;
+    public boolean equals(Object other) {
+        if (other instanceof final Tag otherTag) {
+            return Objects.equals(this.name, otherTag.name);
         }
         return false;
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(id);
+        return Objects.hash(name);
     }
 }
@@ -26,16 +26,16 @@
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import io.swagger.v3.oas.annotations.media.ArraySchema;
 import io.swagger.v3.oas.annotations.media.Schema;
-import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.NotNull;
-import jakarta.validation.constraints.Pattern;
-import jakarta.validation.constraints.Size;
 import org.dependencytrack.persistence.CollectionIntegerConverter;
 import org.dependencytrack.resources.v1.serializers.CweDeserializer;
 import org.dependencytrack.resources.v1.serializers.CweSerializer;
 import org.dependencytrack.resources.v1.serializers.Iso8601DateSerializer;
 import org.dependencytrack.resources.v1.vo.AffectedComponent;
 
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
 import javax.jdo.annotations.Column;
 import javax.jdo.annotations.Convert;
 import javax.jdo.annotations.Element;
@@ -59,6 +59,7 @@
 import java.util.Date;
 import java.util.List;
 import java.util.Objects;
+import java.util.Set;
 import java.util.UUID;
 
 /**
@@ -327,10 +328,9 @@ public static boolean isKnownSource(String source) {
     private UUID uuid;
 
     @Persistent(table = "VULNERABILITIES_TAGS", defaultFetchGroup = "true", mappedBy = "vulnerabilities")
-    @Join(column = "VULNERABILITY_ID", foreignKey = "VULNERABILITIES_TAGS_VULNERABILITY_FK", deleteAction = ForeignKeyAction.CASCADE)
+    @Join(column = "VULNERABILITY_ID", primaryKey = "VULNERABILITIES_TAGS_PK",  foreignKey = "VULNERABILITIES_TAGS_VULNERABILITY_FK", deleteAction = ForeignKeyAction.CASCADE)
     @Element(column = "TAG_ID", foreignKey = "VULNERABILITIES_TAGS_TAG_FK", deleteAction = ForeignKeyAction.CASCADE)
-    @Order(extensions = @Extension(vendorName = "datanucleus", key = "list-ordering", value = "name ASC"))
-    private List<Tag> tags;
+    private Set<Tag> tags;
 
     private transient Epss epss;
 
@@ -713,11 +713,11 @@ public BigDecimal getEpssPercentile() {
         return epss != null ? epss.getPercentile() : null;
     }
 
-    public List<Tag> getTags() {
+    public Set<Tag> getTags() {
         return tags;
     }
 
-    public void setTags(List<Tag> tags) {
+    public void setTags(Set<Tag> tags) {
         this.tags = tags;
     }
 }
@@ -339,7 +339,7 @@ private static Project convert(final org.dependencytrack.model.Project project)
         Optional.ofNullable(project.getDescription()).ifPresent(builder::setDescription);
         Optional.ofNullable(project.getPurl()).map(PackageURL::canonicalize).ifPresent(builder::setPurl);
         Optional.ofNullable(project.getTags())
-                .orElseGet(Collections::emptyList).stream()
+                .orElseGet(Collections::emptySet).stream()
                 .map(Tag::getName)
                 .forEach(builder::addTags);
 
 
@@ -31,9 +31,10 @@
 
 import javax.jdo.PersistenceManager;
 import javax.jdo.Query;
-import java.util.ArrayList;
 import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import static org.dependencytrack.util.PersistenceUtil.assertPersistent;
 import static org.dependencytrack.util.PersistenceUtil.assertPersistentAll;
@@ -281,8 +282,8 @@ public boolean bind(final NotificationRule notificationRule, final Collection<Ta
                     notificationRule.getTags().add(tag);
 
                     if (tag.getNotificationRules() == null) {
-                        tag.setNotificationRules(new ArrayList<>(List.of(notificationRule)));
-                    } else if (!tag.getNotificationRules().contains(notificationRule)) {
+                        tag.setNotificationRules(new HashSet<>(Set.of(notificationRule)));
+                    } else {
                         tag.getNotificationRules().add(notificationRule);
                     }
 
 
@@ -39,8 +39,10 @@
 import java.util.Collection;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
 
 import static org.dependencytrack.util.PersistenceUtil.assertPersistent;
@@ -647,8 +649,8 @@ public boolean bind(final Policy policy, final Collection<Tag> tags, final boole
                 if (!policy.getTags().contains(tag)) {
                     policy.getTags().add(tag);
                     if (tag.getPolicies() == null) {
-                        tag.setPolicies(new ArrayList<>(List.of(policy)));
-                    } else if (!tag.getPolicies().contains(policy)) {
+                        tag.setPolicies(new HashSet<>(Set.of(policy)));
+                    } else {
                         tag.getPolicies().add(policy);
                     }
                     modified = true;