v3.8.0

Bundled frontend: v1.0.0

Features:

New user interface based on Vue.js and Bootstrap.
User interface can optionally be deployed and upgraded independently of the Dependency-Track server.
Package repositories are now configurable.
Package repositories can now be identified as ‘internal’. Components identified as ‘internal’ will be analyzed using internal repositories.
Added additional logging and notifications for OSS Index and NPM Audit analyzers.
Added the ability to publish system notifications when vulnerability analyzers encounter communication or other errors.
Added several occurrences of counts for various items throughout the UI.

Fixes:

Corrected the percentage value of findings audited.
Fixed URL to Maven Central which prevented the MavenMetaAnalyzer from retrieving component metadata.
Changed logging behavior when internal components are identified.
Improved accuracy of internal CPE analyzer which may have lead to false negatives in some situations.
Fixed issue where the CPE value defined in a BOM was not being persisted if the component previously existed.
Fixed issue which prevented the HexMetaAnalyzer from executing preventing it from retrieving component metadata for Erlang or Elixir components.

Security:

All Dependency-Track server releases now include a complete CycloneDX software bill-of-materials.
Added missing permission checks to repository API endpoints.

Upgrade Notes:

The nist and index directories inside the Dependency-Track data directory will be deleted upon upgrade. This will force the NVD to be downloaded and reprocessed and the indexes to be rebuilt.
The internal vulnerable software dictionary, generated automatically from the NVD, will be wiped upon upgrade. This will take several minutes to complete and should not be interrupted.

Dependency-Track