Features:
- Support import of CycloneDX v1.5 BOMs - apiserver/#2850
- Introduce
odt_
prefix for API keys to ease leak detection - apiserver/#3047 - Add support for SPDX license expressions - apiserver/#2400
- Refer to Policy Compliance for details on how license expressions behave in policies
- Update SPDX license list to v3.21 - apiserver/#3006
- Support resolving of custom licenses by name, instead of only by ID - apiserver/#2769
- Add version distance policy condition - apiserver/#2537
- Separate policy evaluation into its own background task - apiserver/#2523
- Allow policy violation state to be set via API - apiserver/#2997
- Add “Outdated only” and “Direct only” options for viewing components of a project - apiserver/#2568
- Update bundled CWE dictionary to v4.12 - apiserver/#2877
- Reduce number of API requests necessary to populate the dependency graph of a project - apiserver/#2623
- Include JDBC connectors for Google Cloud SQL - apiserver/#2651
- Update default Snyk API version to
2023-06-22
- apiserver/#2911 - Log warnings when analyses from VEX could not be applied - apiserver/#2989
- Update Docker base image latest Debian stable - apiserver/#2904
- Update temurin base image to
17.0.8.1_1
- apiserver/#3069 - Add extensive test suite for CPE matching logic - apiserver/#2243
- Update documentation for private vulnerability database - apiserver/#2990
- Add docs and example config for logging in JSON format - apiserver/#2933
- Add note about required plan for the Snyk integration to docs - apiserver/#2899
- Update example Grafana dashboard - apiserver/#2788
- Add Docker Compose files for simplified local testing - apiserver/#2675
- Add auto-provisioning of Grafana to Docker Compose development setup - apiserver/#2879
- Hide username and password fields on login view when OIDC is enabled - frontend/#613
- Make NGINX listen on both IPv4 and IPv6 interfaces - frontend/#427
- Display external references and description in project overview - frontend/#485
- Use separate icons for current and out-of-date components to improve accessibility - frontend/#311
- Propagate
searchText
query parameter to list views - frontend/#563 - Raise baseline NodeJS version to 18 - frontend/#470
- Upgrade CoreJS to 3.x - frontend/#548
Fixes:
- Fix memory leak in policy evaluation - apiserver/#2872
- Fix memory leak in VEX upload processing - apiserver/#2873
- Fix VDR export erroneously containing non-vulnerable components - apiserver/#2878
- Fix VEX export erroneously containing dependency graph - apiserver/#3067
- Fix false positives in CPE matching when version attribute of a CVE’s CPE is
NA
- apiserver/#1832 - Fix false negatives in CPE matching when part or vendor attribute of a component’s CPE is
ANY
- apiserver/#2988 - Fix Uncaught internal server error when fetching components by hash if Portfolio Access Control is enabled - apiserver/#2953
- Fix Affected Component format for CPEs with version ranges - apiserver/#2967
- Fix missing duplicate check when cloning projects - apiserver/#2966
- Fix
NullPointerException
when checking for existence of projects without version - apiserver/#3068 - Fix module import issues when working on the code base with Eclipse - apiserver/#2971
- Fix version distance policy being evaluated despite not being configured - apiserver/#2980
- Fix
@JsonIgnore
having no effect ontransient
fields - apiserver/#3051 - Fix misleading docs about authentication and authorization enforcement being optional - apiserver/#3047
- Fix default Slack notification template producing invalid JSON for
PROJECT_AUDIT_CHANGE
notifications - apiserver/#2838 - Fix default Mattermost notification template producing invalid JSON for
NEW_VULNERABLE_DEPENDENCY
notifications - apiserver/#3093 - Fix number of project versions displayed in dropdown being limited to 10 - frontend/#397
- Fix unauthenticated users not being redirected to login page - frontend/#502
- Fix no permissions being defined for dashboard route - frontend/#506
- Fix regression in Docker Compose file regarding application directory - frontend/#494
- Fix external references dropdown rendering outside the screen - frontend/#539
- Fix vulnerability aliases not being displayed in expanded rows of findings table - frontend/#559
- Fix type error in external references dropdown - frontend/#565
- Fix license expression input fields - frontend/#580
- Fix wrong message being displayed when creating policies - frontend/#610
- Fix file permissions of NGINX config file - frontend/#611
Upgrade Notes:
- API keys generated after the upgrade will be prefixed with
odt_
. Existing API keys without this prefix will continue to work. The prefix is configurable viaalpine.api.key.prefix
, although customization is not recommended. Refer to Configuration for details. - Users ingesting SBOMs with CPE data may notice an uptick in vulnerabilities being identified by the internal analyzer. This is expected as a result of apiserver/#2988 being fixed. If newly identified vulnerabilities turn out to be largely false positives, let the project team know by reporting a defect.
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@HagarJNode, @Meroje, @Nikemare, @RingoDev, @Shawyeok, @dustin-decker, @hborchardt, @heubeck,
@mattmatician, @melba-lopez, @muellerst-hg, @nathan-mittelette, @sahibamittal, @sephiroth-j, @syalioune,
@takumakume, @valentijnscholten, @walterdeboer
dependency-track-apiserver.jar
Algorithm | Checksum |
---|---|
SHA-1 | cd4ec4f1ed075f37476f46da11451158d7460502 |
SHA-256 | 281f091107ef79d9b1e9361dc78608260b364eaa7dbbaeb29d4f7aef1a4bf67b |
dependency-track-bundled.jar
Algorithm | Checksum |
---|---|
SHA-1 | 6f3a077219fb49a502a88fcbb40e05865a23f5c5 |
SHA-256 | 4ca0b061ed83fa0b34ede8158f3ec0e2a7380c2736731995cf330f809076951f |
frontend-dist.zip
Algorithm | Checksum |
---|---|
SHA-1 | 151f24f7b92e93dcf6600c4b8ee9e0ebd7b3560b |
SHA-256 | 1ff2ace778d08529b42ee297fb6e3b0bbe8b2593b2b8686e8b3e3c9472663c2a |