Features:

• Support import of CycloneDX v1.5 BOMs - apiserver/#2850
• Introduce odt_ prefix for API keys to ease leak detection - apiserver/#3047
• Add support for SPDX license expressions - apiserver/#2400
  • Refer to Policy Compliance for details on how license expressions behave in policies
• Update SPDX license list to v3.21 - apiserver/#3006
• Support resolving of custom licenses by name, instead of only by ID - apiserver/#2769
• Add version distance policy condition - apiserver/#2537
• Separate policy evaluation into its own background task - apiserver/#2523
• Allow policy violation state to be set via API - apiserver/#2997
• Add “Outdated only” and “Direct only” options for viewing components of a project - apiserver/#2568
• Update bundled CWE dictionary to v4.12 - apiserver/#2877
• Reduce number of API requests necessary to populate the dependency graph of a project - apiserver/#2623
• Include JDBC connectors for Google Cloud SQL - apiserver/#2651
• Update default Snyk API version to 2023-06-22 - apiserver/#2911
• Log warnings when analyses from VEX could not be applied - apiserver/#2989
• Update Docker base image latest Debian stable - apiserver/#2904
• Update temurin base image to 17.0.8.1_1 - apiserver/#3069
• Add extensive test suite for CPE matching logic - apiserver/#2243
• Update documentation for private vulnerability database - apiserver/#2990
• Add docs and example config for logging in JSON format - apiserver/#2933
• Add note about required plan for the Snyk integration to docs - apiserver/#2899
• Update example Grafana dashboard - apiserver/#2788
• Add Docker Compose files for simplified local testing - apiserver/#2675
• Add auto-provisioning of Grafana to Docker Compose development setup - apiserver/#2879
• Hide username and password fields on login view when OIDC is enabled - frontend/#613
• Make NGINX listen on both IPv4 and IPv6 interfaces - frontend/#427
• Display external references and description in project overview - frontend/#485
• Use separate icons for current and out-of-date components to improve accessibility - frontend/#311
• Propagate searchText query parameter to list views - frontend/#563
• Raise baseline NodeJS version to 18 - frontend/#470
• Upgrade CoreJS to 3.x - frontend/#548

Fixes:

• Fix memory leak in policy evaluation - apiserver/#2872
• Fix memory leak in VEX upload processing - apiserver/#2873
• Fix VDR export erroneously containing non-vulnerable components - apiserver/#2878
• Fix VEX export erroneously containing dependency graph - apiserver/#3067
• Fix false positives in CPE matching when version attribute of a CVE’s CPE is NA - apiserver/#1832
• Fix false negatives in CPE matching when part or vendor attribute of a component’s CPE is ANY - apiserver/#2988
• Fix Uncaught internal server error when fetching components by hash if Portfolio Access Control is enabled - apiserver/#2953
• Fix Affected Component format for CPEs with version ranges - apiserver/#2967
• Fix missing duplicate check when cloning projects - apiserver/#2966
• Fix NullPointerException when checking for existence of projects without version - apiserver/#3068
• Fix module import issues when working on the code base with Eclipse - apiserver/#2971
• Fix version distance policy being evaluated despite not being configured - apiserver/#2980
• Fix @JsonIgnore having no effect on transient fields - apiserver/#3051
• Fix misleading docs about authentication and authorization enforcement being optional - apiserver/#3047
• Fix default Slack notification template producing invalid JSON for PROJECT_AUDIT_CHANGE notifications - apiserver/#2838
• Fix default Mattermost notification template producing invalid JSON for NEW_VULNERABLE_DEPENDENCY notifications - apiserver/#3093
• Fix number of project versions displayed in dropdown being limited to 10 - frontend/#397
• Fix unauthenticated users not being redirected to login page - frontend/#502
• Fix no permissions being defined for dashboard route - frontend/#506
• Fix regression in Docker Compose file regarding application directory - frontend/#494
• Fix external references dropdown rendering outside the screen - frontend/#539
• Fix vulnerability aliases not being displayed in expanded rows of findings table - frontend/#559
• Fix type error in external references dropdown - frontend/#565
• Fix license expression input fields - frontend/#580
• Fix wrong message being displayed when creating policies - frontend/#610
• Fix file permissions of NGINX config file - frontend/#611

Upgrade Notes:

• API keys generated after the upgrade will be prefixed with odt_. Existing API keys without this prefix will continue to work. The prefix is configurable via alpine.api.key.prefix, although customization is not recommended. Refer to Configuration for details.
• Users ingesting SBOMs with CPE data may notice an uptick in vulnerabilities being identified by the internal analyzer. This is expected as a result of apiserver/#2988 being fixed. If newly identified vulnerabilities turn out to be largely false positives, let the project team know by reporting a defect.

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.9.0
• Frontend milestone 4.9.0

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@HagarJNode, @Meroje, @Nikemare, @RingoDev, @Shawyeok, @dustin-decker, @hborchardt, @heubeck, @mattmatician, @melba-lopez, @muellerst-hg, @nathan-mittelette, @sahibamittal, @sephiroth-j, @syalioune, @takumakume, @valentijnscholten, @walterdeboer

dependency-track-apiserver.jar #

Algorithm	Checksum
SHA-1	cd4ec4f1ed075f37476f46da11451158d7460502
SHA-256	281f091107ef79d9b1e9361dc78608260b364eaa7dbbaeb29d4f7aef1a4bf67b

dependency-track-bundled.jar #

Algorithm	Checksum
SHA-1	6f3a077219fb49a502a88fcbb40e05865a23f5c5
SHA-256	4ca0b061ed83fa0b34ede8158f3ec0e2a7380c2736731995cf330f809076951f

frontend-dist.zip #

Algorithm	Checksum
SHA-1	151f24f7b92e93dcf6600c4b8ee9e0ebd7b3560b
SHA-256	1ff2ace778d08529b42ee297fb6e3b0bbe8b2593b2b8686e8b3e3c9472663c2a

Software Bill of Materials (SBOM) #

• API Server: bom.json
• Frontend: bom.json