Features:
- Flexible, project-centric data model
- Added policy engine, configurable policies, policy evaluation, and auditing workflow
- Added default license groups
- Anonymous access to Sonatype OSS Index is now enabled by default
- Component vulnerabilities are now attributed to the analyzers responsible for finding them
- Added support for CycloneDX 1.2 and SPDX 2.2
- Added component support for Blake2b and Blake3 hash algorithms
- Added component support for SWID Tag ID
- Projects now have identity, similar to components, and support coordinates (group, name, version), CPE, Package URL, and SWID Tag ID
- Added support for firmware and container component types
- When generating a CycloneDX BOM from a project or component, v1.2 of the spec is now produced
- Updated SPDX license list to v3.11
- Dropped support for NVD JSON v1.0 data feeds
- Optimized NVD mirroring logic
- Inactive projects are omitted from portfolio metrics
- Updates to the notification email template for BOM consumed and BOM processed
Fixes:
- Fixed issue with scoped NPM packages not being identified correctly
- Fixed issue that failed to report new vulnerabilities on existing components
- Fixed broken weakness (CWE) link on some vulnerabilities
- Fixed failure on mail notifications when multiple addresses were configured
- Fixed container healthcheck to specify use of no-proxy
- Fixed issue where component descriptions in a BOM were not being saved
Security:
Upgrade Notes:
- The Dependency-Track v4 data model is incompatible with previous releases. As a result, it is not possible to simply upgrade as with previous versions. A data migration is required to update from 3.8 to 4.0. The migration is a standalone set of scripts that must be executed against the database in order to migrate the data to the new model. Refer to the official v3.8.0 to v4.0.0 Migration Project for more information.
- Four Dependency-Track distribution variants are provided. Refer to Distributions for details.
- The traditional WAR distribution is deprecated and no longer supported. It is still being produced as of this release but will be discontinued in a future release.
- Docker images have been moved from the OWASP organization on Docker Hub to a dedicated Dependency-Track organization.
- The FrontEnd requires deployment to the root (“/”) context. Deploying to any context other than root is no longer supported.
- Some APIs have changed as of this release. APIs that were specific to the global component model have been removed. APIs that referenced a ‘dependency’ in the model have changed. Components are now assigned directly to projects themselves, thus eliminating the need for ‘dependency’ objects in v4.
- The MySQL Connector distributed with the Docker image has been updated to version 8.0.22. When using MySQL,
ALPINE_DATABASE_DRIVER_PATHhas to be set to/extlib/mysql-connector-java-8.0.22.jar. Note thatALPINE_DATABASE_DRIVERmay need to be updated as well. Refer to the official upgrading instructions. - The Postgres driver distributed with the Docker image has been updated to version 42.2.18. When using Postgres,
ALPINE_DATABASE_DRIVER_PATHhas to be set to/extlib/postgresql-42.2.18.jar.
dependency-track-apiserver.war #
| Algorithm | Checksum |
| SHA-1 | 9124352542544c5662d3ebf34d951e61f08ff231 |
| SHA-256 | 6b6b8d608b467da087fb7ebe12fb6bbb2a418d97168baa186b1320fdb3b49a91 |
dependency-track-bundled.war #
| Algorithm | Checksum |
| SHA-1 | 9a4f516e5fcd6eae117465732e3dcaa69227d238 |
| SHA-256 | 2e66976b5f890186e64255484f262564e23e8a3ce482769374959c7ddc55c42c |
dependency-track.war #
| Algorithm | Checksum |
| SHA-1 | a489586be032890ec6cddc5ec839da57026837a7 |
| SHA-256 | 152819d9b80377f6b672fbdc6448d7ea250f3bba43c479c335404faa700d9b24 |