Highlights:
- Vulnerability Aliases. By ingesting data from multiple sources of vulnerability intelligence, there will be cases where different advisories describe the same vulnerability. For example, CVE-2022-31197 and GHSA-r38f-c4h4-hqq2 describe the same defect, yet their descriptions and risk ratings differ. Dependency-Track 4.6 now recognizes when multiple advisories alias each other, and includes this information in notifications and REST API responses. Aliases will additionally be considered when calculating portfolio metrics, so that duplicate vulnerabilities do not skyrocket the risk scoring. Further improvements to aliases will be coming in future releases.
- OSV Integration (Beta). Dependency-Track now optionally mirrors vulnerability intelligence data from the Open Source Vulnerabilities database (OSV). OSV normalizes and enriches data from multiple other vulnerability databases. Mirroring can be limited to a configurable selection of ecosystems.
- New Policy Conditions.
- Using the tag condition, policies can be restricted to projects with certain properties or priorities (e.g. high-risk, internet-facing, etc.)
- Using the CWE condition, policies can assist in prioritizing findings of certain weaknesses
- Using the component hash condition, policies can be used to flag usage of malicious or tainted packages
- Performance. Various improvements, most prominently regarding metrics updates. Organizations, especially those with large portfolios of multiple thousands of projects, will see a drastic reduction in runtime and resource usage.
- Observability. By exposition of system metrics via the Prometheus text-based format, operators can now monitor their instances using Prometheus, Grafana, or other compatible observability stacks. Metrics exposition is optional and must be enabled, refer to the monitoring documentation for details.
- Customization. Users with advanced customization needs can now create and modify notification templates, as well as specify custom intervals for recurring tasks. Refer to the notifications and recurring tasks documentation for details.
- Authentication for Internal Repositories. Dependency-Track can now authenticate with artifact repositories like Nexus Repository Manager or Artifactory to fetch information about internal artifacts.
Features:
- Added support for authentication with internal package repositories - #881
- Added support for configuration of recurring tasks intervals - #1542
- Added support for policy violation badges - #1690
- Added support for disabling alerts - #1173
- Added support for CWEs in policy conditions - #1768
- Added support for component hashes in policy conditions - #1775
- Added support for tags in policy conditions - #1565
- Added support for fuzzy CPE matching - #1799
- Added support for notification publishing via Mattermost - #1702
- Added support for reimporting findings to an existing DefectDojo test instead of creating a new test upon each upload - #1622
- Added support for ingesting and displaying component author information - #1726
- Added support for vulnerability aliases - #1912
- Added support for custom notification templates - #275
- Added experimental OSV integration - #931
- Added support for Prometheus metrics exposition - #1796
- Refactored metrics update functionality to be faster and more efficient - #1704
- Upgraded to Java 17 - #1804
- Removed source maps from frontend production build - #192
- Added name of the authenticated user to the profile menu in the UI - #167
- Added support for performing cross-site frontend requests with cookies - #156
- Added columns for CVSS and EPSS to the component vulnerabilities view - #1948
- Added listing of affected projects to email notification templates - #2005
Fixes:
- Resolved defect that made it impossible to delete a project when assigned to a policy - #1852
- Resolved defect related non-thread-safe usage of the internal Lucene search index - #1791
- Resolved defect that caused the subject of email notifications saying
nullin certain situations - #1818 - Resolved defect that caused the VulnDB analyzer failing to mark components as vulnerable - #1780
- Resolved defect where the
affectedComponentsfield of vulnerabilities would not be populated - #1766 - Resolved defect that caused vulnerability details taking too long to load - #1765
- Resolved defect that caused an internal server error when uploading a VEX document via HTTP
PUT- #1836 - Resolved defect that caused an internal server error when creating a vulnerability without CWEs - #1664
- Resolved defect that caused an internal server error when submitting analysis details with more than 255 characters - #1661
- Resolved defect that caused an internal server error when importing a SaaSBOM - #1790
- Resolved defect that caused NVD mirroring notifications not working correctly - #1429
- Resolved defect that caused VEX import not ingesting analyses for internal vulnerabilities - #1692
- Resolved defect that caused excessive memory utilization when identifying internal components - #1947
- Resolved defect that caused wrong project tags to be displayed after switching versions - #188
- Resolved defect that caused component licenses to not be displayed on some occasions - #223
- Resolved defect that caused horizontal scroll bars to be displayed unnecessarily in the UI - #248
- Resolved defect that made it impossible to provide component hashes in uppercase - #1174
- Resolved defect that prevented vulnerabilities in PHP components to be identified based on GitHub Advisories data - #1998
- Resolved defect that caused a
NumberFormatExceptionto be thrown when resolving CWEs for findings - #2029 - Resolved projects search filter not working when viewing projects by tag - #405
- Resolved notifications with group
NEW_VULNERABLE_DEPENDENCYnot working at all - #1611 - Resolved multiple minor UI defects related to API key management - #240
- Resolved UI defect that caused vulnerability details not being displayed when only the CVSS vector, but not the scores were returned by the API - #239
- Resolved UI defect that caused an incorrect tooltip being displayed for the email field in the email configuration test modal - #161
- Resolved UI defect that caused the policy management view to not be updated when restricting a policy to a project - #169
- Resolved UI defect that caused input fields losing focus after saving - #98
Security:
- Fixed a defect that could cause API keys to be logged in clear text when handling API requests using keys with insufficient permissions - GHSA-gh7v-4hxp-gqp4
Upgrade Notes:
- The new baseline Java version is 17 (#1804)
- Java versions later than 17 may work as well, but haven’t been tested
- Users deploying DT via executable WAR will need to upgrade Java accordingly
- Users deploying DT via containers don’t need to do anything
- The embedded H2 database has been upgraded to major version 2
- Manual upgrade steps are required, refer to the H2 v2 migration guide
- Without the manual migration, Dependency-Track 4.6 will not work with H2 databases created by earlier versions
- Reminder: H2 is not, and never has been, supported for production usage
- With #1429, handling of notification levels has changed
- Previously, an alert with level
ERRORwould trigger on notifications with levelsERROR,WARNING, andINFORMATIONAL - Now, an alert with level
ERRORwill only trigger on notifications with levelERROR - An alert with level
WARNINGwill trigger on notifications with levelWARNINGandERRORetc. - The new behavior is similar to how structured logging libraries work
- This change primarily affects notifications of the
SYSTEMscope, which are used to report statuses of various tasks, e.g.DATASOURCE_MIRRORING - Notifications in the
PORTFOLIOscope (e.g.NEW_VULNERABILITY) all have theINFORMATIONALlevel - Users who configured alerts with scope
PORTFOLIOand levelERRORshould change the level toINFORMATIONALafter the upgrade
- Previously, an alert with level
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@AbdelHajou, @awegg, @dGuerr, @k3rnelpan1c-dev, @maaheeb, @officerNordberg, @rbt-mm, @rkg-mm, @s-spindler, @sahibamittal, @stephan-strate, @syalioune, @tmehnert, @yangsec888
dependency-track-apiserver.jar #
| Algorithm | Checksum |
|---|---|
| SHA-1 | e40fb14764fb5eb9fcd654472434c3701c44f208 |
| SHA-256 | 29d422816b593ddef89b07e9bc1c72a5cfb141eaea4a1d59615309089bab03ea |
dependency-track-bundled.jar #
| Algorithm | Checksum |
|---|---|
| SHA-1 | 9e1b283c442e1bfb2c5c4ea23b1a1590cf7afc5d |
| SHA-256 | 1e6ba17e6dc1f6422826a020ece5ec6ae2bef1aa9ae563f57653ed6bc0944f14 |
frontend-dist.zip #
| Algorithm | Checksum |
|---|---|
| SHA-1 | 0f8967a4f777d33fd285d7fe8786f08690ffedd9 |
| SHA-256 | 14791981d23850b72e39cee8c6378c6e25de0f8f5ee46b5c244c28bd6262db9a |