Celebrating 10 years of OWASP Dependency-Track
Dependency-Track is celebrating its 10th anniversary this year!
Read the announcement from Steve Springett, creator of Dependency-Track, on the OWASP blog.
Highlights:
- Improved frontend UX.
- Navigating through the UI, switching tabs etc. now properly updates the URL in the browser. This makes it possible to share links to specific pages with others, and not lose context entirely when using the browser’s “go back” functionality.
- Criteria for the component search is now encoded in the URL, which allows “deep-linking” to searches, making it easier to collaborate with colleagues.
- The UI will now remember various user preferences, i.e. selected columns, numbers of search results per page, whether to show inactive projects, and much more.
- The dependency graph now optionally displays indicator icons for outdated components.
- Polished policy engine. The policy engine received lots of love in this release, ranging from various bugfixes, to newly supported policy conditions.
- Reduced resource footprint for vulnerability database mirroring. Downloading and processing vulnerability data from the NVD, GitHub, and OSV has historically been a heavy task that could cause large spikes in JVM heap usage. Due to various improvements, mirroring will now be faster, and a lot more lightweight (see apiserver/#2575 for comparisons).
Features:
- Reduce log level for some recurring tasks to
debug- apiserver/#2325 - Reduce log level for Defect Dojo pagination advancement to
info- apiserver/#2338 - Add User-Agent header to Snyk requests - apiserver/#2396
- Allow updating only the project’s parent via
PATCH, without having to worry about any other project properties. - apiserver/#2401 - Include version of affected projects in Jira notification template - apiserver/#2408
- Add support for regular expressions in policy conditions - apiserver/#2144
- Show version status information on dependency graph nodes - apiserver/#2273
- Add support for component age in policy conditions - apiserver/#772
- Skip superfluous component metrics calculation during OSS Index analysis - apiserver/#2466
- Handle deleted projects gracefully when processing uploaded BOMs - apiserver/#2467
- Include persistence framework in logging configuration - apiserver/#2483
- Drop dependency on Unirest library - apiserver/#2350
- Simplify and speed up vulnerability metrics calculation - apiserver/#2481
- Add developer documentation for skipping NVD mirroring - apiserver/#2547
- Execute NVD and EPSS mirroring on multi-threaded event service - apiserver/#2526
- Reduce memory footprint of vulnerability mirroring tasks - apiserver/#2525
- Allow for prevention of re-opening Defect Dojo findings via “do not reactivate” flag - apiserver/#2424
- Add support for vulnerability ID in policy conditions - apiserver/#2557
- Add support for matching of non-existent CPEs and Package URLs in policy conditions - apiserver/#2587
- Ingest remediation details from Snyk - apiserver/#2571
- Handle errors from repository metadata analyzers more gracefully - apiserver/#2563
- Add support for CPAN repositories - apiserver/#639
- Allow inclusion of H2 web console for local development purposes - apiserver/#2592
- Add
BOM_PROCESSING_FAILEDnotification - apiserver/#2264 - Ingest vulnerability publication time from Snyk - apiserver/#2626
- Add health endpoints - apiserver/#1001
- Include dependency graph in CycloneDX exports - apiserver/#2616
- Allow for vulnerability alias synchronization to be disabled for each source that supports it - apiserver/#2670
- Reduce heap usage during NVD mirroring - apiserver/#2575
- Support Jira authentication with personal access token - apiserver/#2641
- Allow parent project to be specified when upload a BOM - apiserver/#2412
- Update branding - frontend/#387
- Add deep linking capability throughout the entire UI - frontend/#391
- Remember UI user preferences (selected columns, page sizes, etc.) - frontend/#348
- Add deep linking for component search - frontend/#425
- Make removing a project parent relationship more convenient - frontend/#424
- Display multiple aliases in a vertical rather than horizontal list - frontend/#315
- Display aliases column in all vulnerability list views - frontend/#315
- Add optional tags column to projects list view - frontend/#319
Fixes:
- Fix unhandled exceptions when fetching repository metadata for Composer components that no longer exist - apiserver/#2134
- Fix invalid group name of Jira configuration properties - apiserver/#2313
- Fix duplicate policy violations caused by the “Package URL” policy condition - apiserver/#1925
- Fix policies with operator
ALLbehaving as if operatorANYwas used - apiserver/#2212 - Fix 2023 NVD feeds not being fetched unless DT is restarted in new year - apiserver/#2349
- Fix VulnDB analysis results not being cached properly - apiserver/#2436
- Fix incomplete ingestion of dependency graph from hierarchically merged BOMs - apiserver/#2411
- Remove unnecessary
parentUuidfield from project model - apiserver/#2439 - Fix
AlreadyClosedExceptionwhen committing search indexes - apiserver/#2379 - Prevent OSV ecosystems being selected multiple times - apiserver/#2473
- Fix
NullPointerExceptionwhen computing enabled OSV ecosystems - apiserver/#2527 - Fix Finding Packaging Format (FPF) export containing internal technical fields - apiserver/#2469
- Fix ACL definitions not being cloned when cloning a project - apiserver/#2493
- Fix email notification for
PROJECT_AUDIT_CHANGEmissing some information - apiserver/#2420 - Fix not all tags being checked when evaluating “limit to” for policies - apiserver/#2586
- Fix internal server error when fetching all projects while ACL is enabled - apiserver/#2583
- Fix failures to import BOMs when component author fields exceed 255 characters - apiserver/#2488
- Fix incomplete implementation of apiserver/#2313 - apiserver/#2610
- Fix dependency graph in UI being deleted after exporting project as CycloneDX - apiserver/#2494
- Fix project URL in email and Cisco WebEx notifications - apiserver/#2631
- Fix OSV overriding CVE data when NVD mirroring is also enabled - apiserver/#2293
- Fix redundant
POLICY_VIOLATIONnotifications for existing violations - apiserver/#2655 - Fix email of LDAP users not being persisted - apiserver/#2320
- Fix email of OIDC users not being persisted - apiserver/#2647
- Fix VEX import not working for vulnerabilities from OSV, Snyk, and VulnDB - apiserver/#2538
- Fix missing project and component information in Microsoft Teams notifications - apiserver/#2638
- Fix API server not respecting HTTP proxy settings when communicating with OIDC Identity Provider - apiserver/#1940
- Fix potential Invalid state. Transaction has already started error during repository metadata analysis - apiserver/#2678
- Fix broken link to affected projects - frontend/#417
- Fix duplicate PURL version in Affected Components tab of vulnerability details - frontend/#454
Upgrade Notes:
- The
parentUuidfield has been removed from the project model and will thus no longer be returned by the REST API (apiserver/#2439) - Due to apiserver/#2469, the File Packaging Format (FPF) version has been bumped to 1.2; Refer to File Formats for details
- Synchronization of vulnerability aliases is now disabled by default for OSV and Snyk (apiserver/#2670)
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@Ehoky, @Gator8, @Hunroll, @StephenKing, @ch8matt, @jkowalleck, @lme-nca, @malice00, @mcombuechen, @msymons, @mvandermade, @rbt-mm, @roadSurfer, @s-spindler, @sahibamittal, @syalioune, @walterdeboer, @zgael
dependency-track-apiserver.jar #
| Algorithm | Checksum |
|---|---|
| SHA-1 | 883754d3ed227a124976c3f9247345be48cc0561 |
| SHA-256 | 0ab7e3a1d0cd308a9193a6bec7b561f3911d19052312a82e4a59607d4ff50fd0 |
dependency-track-bundled.jar #
| Algorithm | Checksum |
|---|---|
| SHA-1 | 979f02a5bf3ea5d8b0bba7d4e73a725de1920219 |
| SHA-256 | af9f6d79e7828b4f744f9f82215486c0b5649abf6544d0374c945b2ab5d8b58a |
frontend-dist.zip #
| Algorithm | Checksum |
|---|---|
| SHA-1 | 852b8a16aa8d07ccd46b4bec38cda736c6271c42 |
| SHA-256 | 40cffc6fcaafe4a23d2c347958c2e3f43e3c02afe3def238bfd4615684803537 |