Highlights:
- Hierarchical Project Relationships. Projects can now be organized in hierarchies, using simple parent-child-relationships. Hierarchies are visualized in the UI, and allow projects to inherit various configurations from their parent, including notification rules and applicable policies.
- Improved Dependency Graph. The dependency graph can now be displayed in its entirety. Previously, the depth was limited to only three levels. Additionally, it’s now possible to navigate from a specific component (e.g. from the Audit Vulnerabilities tab) directly to the dependency graph. In doing so, Dependency-Track will show all paths in the graph leading up to this component, making it easy to understand how a given component is introduced to the project.
- Snyk Integration (Beta). Dependency-Track can now make use of Snyk to scan and continuously monitor components for vulnerabilities. This provides access to Snyk’s proprietary vulnerability database, maintained by their dedicated research team. The Snyk integration requires a paid subscription with REST API access.
- Jira Integration. It is now possible to publish notifications to Jira, making it easier to integrate events that require action to be taken into existing Jira workflows.
Features:
- Added support for hierarchical project relationships - apiserver/#84
- Added support for including project children in alert rule limitations - apiserver/#2013
- Added support for including project children in policies - apiserver/#2215
- Added support for vulnerability analysis with Snyk - apiserver/#365
- Added ability to focus on certain components in the dependency graph - frontend/#336
- Added support for OWASP Risk Rating methodology - apiserver/#1493
- Added source attributions for affected component version ranges of mirrored vulnerabilities - apiserver/#1815
- Added support for limiting alerts to selection of teams - apiserver/#1608
- Added support for optional
EXTRA_JAVA_OPTIONS
environment variable in API server container - apiserver/#2040 - Improved component batching behavior and resilience of the OSS Index analyzer - apiserver/#2023
- Added option to include ACLs when cloning a project - apiserver/#1534
- Added Reanalyze button to the Audit Vulnerabilities tab - apiserver/#2128
- Added support for custom licenses - apiserver/#2153
- Added Jira notification publisher - apiserver/#2118
- Added documentation for setting up OIDC with Google - apiserver/#2185
- Added support for license URLs - apiserver/#1977
- Allow bypassing of system requirements check - apiserver/#2197
- Added Swagger types for BOM operations of the REST API - apiserver/#2230
- Include commenter in
PROJECT_AUDIT_CHANGE
email notifications - apiserver/#2227 - Added ability to check for unresolved licenses in policy conditions - apiserver/#1518
- Added proper caching for repository meta analysis - apiserver/#1943
- Added health check, corruption check, and ability to manually trigger rebuilds for search indexes - apiserver/#2200
- Added support for project metadata, including ingestion from uploaded BOMs - apiserver/#1200
- Added use case examples to documentation - apiserver/#2211
- Added Azure DevOps extension to community integrations - apiserver/#2258
- Added total heap size and CPU usage lines to sample Grafana dashboard - apiserver/#2256
- Do not create temporary database connection pools when executing upgrades - apiserver/#2232
- Added persistence metrics to sample Grafana dashboard - apiserver/#2245
- Added ability to search for components by identity within a specific project - apiserver/#2228
- Treat tag names as case-insensitive - apiserver/#1717
- Added notification for newly created projects - apiserver/#2173
- Added ability to configure database connection pools separately - apiserver/#2238
- Added ability to configure the secret key path - apiserver/#2238
- Include services in the BOM distributed for the API server - apiserver/#2175
- Added support for Vulnerability Disclosure Report (VDR) exports - apiserver/#1800
- Make projects clickable in ACL configuration view - frontend/#320
- Display component version status in Audit Vulnerabilities and Exploit Predictions tab - frontend/#356
- Display last BOM import timestamp in project overview - frontend/#147
Fixes:
- Fix dependency graph only showing 3 levels of transitive relationships - frontend/#85
- Fix alert limitations to not be applied for
POLICY_VIOLATION
andPROJECT_AUDIT_CHANGE
notifications - apiserver/#975 - Fix NVD mirroring to fail when using CIFS volumes - apiserver/#2048
- When determining the latest version of a Maven component, use the
release
version advertised by the repository, instead oflatest
- apiserver/#2075 - Fix incorrect project URL in email notifications - apiserver/#2172
- Fix missing project information in
NEW_VULNERABLE_DEPENDENCY
notification emails - apiserver/#2139 - Fix search indexes not being (re-) built - apiserver/#2104
- Fix Component in Affected Components tab of vulnerability details showing
undefined
in some cases - apiserver/#2231 - Fix incorrect datasource for
instance
dropdown in sample Grafana dashboard - apiserver/#2068 - Fix broke heap usage gauge in sample Grafana dashboard - apiserver/#2073
- Fix CPEs not matching on identical versions - apiserver/#2240
- Fix inability to delete teams that are part of one or more ACL - apiserver/#1532
Upgrade Notes:
- Creating new or searching for existing tags will now treat tag names as case-insensitive (apiserver/#1717).
Users relying on tags being treated as case-sensitive (e.g.
critical
andCRITICAL
being treated as different) should review their use of tags prior to upgrading. - Names of the HikariCP connection pools in the exposed Prometheus metrics have changed from
HikariPool-3
andHikariPool-4
totransactional
andnon-transactional
(apiserver/#2238). Users monitoring those pools are advised to update their monitoring configuration accordingly (e.g. Grafana dashboards). - Distribution of the API server SBOM in XML format has been dropped (apiserver/#2175). Users consuming the API server BOM in XML format should migrate to consuming the JSON-formatted BOM instead.
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@AZenker, @JoergBruenner, @KramNamez, @Mvld3r, @Zargath, @awegg, @ch8matt, @japurva1502, @kekkegenkai, @mehab, @nathan-mittelette, @omerlh, @rbt-mm, @ribbybibby, @s-spindler, @sahibamittal, @syalioune, @valentijnscholten
dependency-track-apiserver.jar
Algorithm | Checksum |
---|---|
SHA-1 | 99f1a012a983b8256d9346e64d3dd27e92d1c808 |
SHA-256 | 373e8efa1a8995193b7c068ea34974040627553647905d38e1dce053333eeb10 |
dependency-track-bundled.jar
Algorithm | Checksum |
---|---|
SHA-1 | c7faee42162e1712377fbd8a03dfd9e3ef251a23 |
SHA-256 | 631807c24fd76c0f44d4494a44147e0414ab471ac1e12fe4ebff054f363a8f0f |
frontend-dist.zip
Algorithm | Checksum |
---|---|
SHA-1 | 8696218e07d438896f236f691f2ca658faf0377a |
SHA-256 | 23cc72eea3361edeaff84efe0a1a0327e47367419466307867103bac2b14ad75 |