Highlights:

• Hierarchical Project Relationships. Projects can now be organized in hierarchies, using simple parent-child-relationships. Hierarchies are visualized in the UI, and allow projects to inherit various configurations from their parent, including notification rules and applicable policies.
• Improved Dependency Graph. The dependency graph can now be displayed in its entirety. Previously, the depth was limited to only three levels. Additionally, it’s now possible to navigate from a specific component (e.g. from the Audit Vulnerabilities tab) directly to the dependency graph. In doing so, Dependency-Track will show all paths in the graph leading up to this component, making it easy to understand how a given component is introduced to the project.
• Snyk Integration (Beta). Dependency-Track can now make use of Snyk to scan and continuously monitor components for vulnerabilities. This provides access to Snyk’s proprietary vulnerability database, maintained by their dedicated research team. The Snyk integration requires a paid subscription with REST API access.
• Jira Integration. It is now possible to publish notifications to Jira, making it easier to integrate events that require action to be taken into existing Jira workflows.

Features:

• Added support for hierarchical project relationships - apiserver/#84
  • Added support for including project children in alert rule limitations - apiserver/#2013
  • Added support for including project children in policies - apiserver/#2215
• Added support for vulnerability analysis with Snyk - apiserver/#365
• Added ability to focus on certain components in the dependency graph - frontend/#336
• Added support for OWASP Risk Rating methodology - apiserver/#1493
• Added source attributions for affected component version ranges of mirrored vulnerabilities - apiserver/#1815
• Added support for limiting alerts to selection of teams - apiserver/#1608
• Added support for optional EXTRA_JAVA_OPTIONS environment variable in API server container - apiserver/#2040
• Improved component batching behavior and resilience of the OSS Index analyzer - apiserver/#2023
• Added option to include ACLs when cloning a project - apiserver/#1534
• Added Reanalyze button to the Audit Vulnerabilities tab - apiserver/#2128
• Added support for custom licenses - apiserver/#2153
• Added Jira notification publisher - apiserver/#2118
• Added documentation for setting up OIDC with Google - apiserver/#2185
• Added support for license URLs - apiserver/#1977
• Allow bypassing of system requirements check - apiserver/#2197
• Added Swagger types for BOM operations of the REST API - apiserver/#2230
• Include commenter in PROJECT_AUDIT_CHANGE email notifications - apiserver/#2227
• Added ability to check for unresolved licenses in policy conditions - apiserver/#1518
• Added proper caching for repository meta analysis - apiserver/#1943
• Added health check, corruption check, and ability to manually trigger rebuilds for search indexes - apiserver/#2200
• Added support for project metadata, including ingestion from uploaded BOMs - apiserver/#1200
• Added use case examples to documentation - apiserver/#2211
• Added Azure DevOps extension to community integrations - apiserver/#2258
• Added total heap size and CPU usage lines to sample Grafana dashboard - apiserver/#2256
• Do not create temporary database connection pools when executing upgrades - apiserver/#2232
• Added persistence metrics to sample Grafana dashboard - apiserver/#2245
• Added ability to search for components by identity within a specific project - apiserver/#2228
• Treat tag names as case-insensitive - apiserver/#1717
• Added notification for newly created projects - apiserver/#2173
• Added ability to configure database connection pools separately - apiserver/#2238
• Added ability to configure the secret key path - apiserver/#2238
• Include services in the BOM distributed for the API server - apiserver/#2175
• Added support for Vulnerability Disclosure Report (VDR) exports - apiserver/#1800
• Make projects clickable in ACL configuration view - frontend/#320
• Display component version status in Audit Vulnerabilities and Exploit Predictions tab - frontend/#356
• Display last BOM import timestamp in project overview - frontend/#147

Fixes:

• Fix dependency graph only showing 3 levels of transitive relationships - frontend/#85
• Fix alert limitations to not be applied for POLICY_VIOLATION and PROJECT_AUDIT_CHANGE notifications - apiserver/#975
• Fix NVD mirroring to fail when using CIFS volumes - apiserver/#2048
• When determining the latest version of a Maven component, use the release version advertised by the repository, instead of latest - apiserver/#2075
• Fix incorrect project URL in email notifications - apiserver/#2172
• Fix missing project information in NEW_VULNERABLE_DEPENDENCY notification emails - apiserver/#2139
• Fix search indexes not being (re-) built - apiserver/#2104
• Fix Component in Affected Components tab of vulnerability details showing undefined in some cases - apiserver/#2231
• Fix incorrect datasource for instance dropdown in sample Grafana dashboard - apiserver/#2068
• Fix broke heap usage gauge in sample Grafana dashboard - apiserver/#2073
• Fix CPEs not matching on identical versions - apiserver/#2240
• Fix inability to delete teams that are part of one or more ACL - apiserver/#1532

Upgrade Notes:

• Creating new or searching for existing tags will now treat tag names as case-insensitive (apiserver/#1717). Users relying on tags being treated as case-sensitive (e.g. critical and CRITICAL being treated as different) should review their use of tags prior to upgrading.
• Names of the HikariCP connection pools in the exposed Prometheus metrics have changed from HikariPool-3 and HikariPool-4 to transactional and non-transactional (apiserver/#2238). Users monitoring those pools are advised to update their monitoring configuration accordingly (e.g. Grafana dashboards).
• Distribution of the API server SBOM in XML format has been dropped (apiserver/#2175). Users consuming the API server BOM in XML format should migrate to consuming the JSON-formatted BOM instead.

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.7.0
• Frontend milestone 4.7.0

We thank all organizations and individuals who contributed to this release.
Special thanks to everyone who contributed code to implement enhancements and fix defects:

@AZenker, @JoergBruenner, @KramNamez, @Mvld3r, @Zargath, @awegg, @ch8matt, @japurva1502, @kekkegenkai, @mehab, @nathan-mittelette, @omerlh, @rbt-mm, @ribbybibby, @s-spindler, @sahibamittal, @syalioune, @valentijnscholten

dependency-track-apiserver.jar #

Algorithm	Checksum
SHA-1	99f1a012a983b8256d9346e64d3dd27e92d1c808
SHA-256	373e8efa1a8995193b7c068ea34974040627553647905d38e1dce053333eeb10

dependency-track-bundled.jar #

Algorithm	Checksum
SHA-1	c7faee42162e1712377fbd8a03dfd9e3ef251a23
SHA-256	631807c24fd76c0f44d4494a44147e0414ab471ac1e12fe4ebff054f363a8f0f

frontend-dist.zip #

Algorithm	Checksum
SHA-1	8696218e07d438896f236f691f2ca658faf0377a
SHA-256	23cc72eea3361edeaff84efe0a1a0327e47367419466307867103bac2b14ad75

Software Bill of Materials (SBOM) #

• API Server: bom.json
• Frontend: bom.json