Dependency-Track has historically relied on file-based data feeds to mirror the contents of the National Vulnerability Database (NVD). These feeds are being retired on December 15th 2023, although they may remain available up until December 18th.
As a consequence, this release includes support for mirroring the NVD via its REST API instead. This integration will be optional for Dependency-Track v4.10, but mandatory for later releases. Users are encouraged to enable REST API mirroring now, to ensure a smooth transition. Refer to the NVD datasource documentation to learn more.
Features:
- Add support for mirroring the NVD via its REST API - apiserver/#3175
  - Refer to the NVD datasource documentation for details
- Add retries with exponential backoff for NVD feed downloads - apiserver/#3154
- Add support for CycloneDX `metadata.supplier`, `metadata.manufacturer`, `metadata.authors`, and `component.supplier` - apiserver/#3090, apiserver/#3179
- Add support for authenticating with public / non-internal repositories - apiserver/#2876
- Add support for fetching latest versions from GitHub - apiserver/#3112
  - Applicable to components with `pkg:github/<owner>/<repository>@<version>` package URLs
- Improve efficiency of search index operations - apiserver/#3116
- Add option to emit log for successfully published notifications, and improve logging around notifications in general - apiserver/#3211
- Use Java 21 JRE in container images - apiserver/#3089
- Tweak container health check to prevent `wget` zombie processes on slow hosts - apiserver/#3245
- Expose `alpine_event_processing_seconds` metric for monitoring of event processing durations
  - Add average event processing duration to Grafana dashboard - apiserver/#3173
- Add guidance for `413 Content Too Large` errors upon BOM upload - apiserver/#3167
- Improve OIDC documentation - apiserver/#3186
- Add “Show in Dependency-Graph” button to component search results - frontend/#572
Fixes:
- Fix false positives in CPE matching due to ambiguous vendor-product relations - apiserver/#3209
- Fix failure to delete policy violations when they have an audit trail - apiserver/#3228
- Fix teams not being assignable to alerts with custom email publishers - apiserver/#3232
- Fix inability to rebuild search indexes for more than one entity type at a time - apiserver/#2987
- Fix trailing comma in default Slack notification template - apiserver/#3172
- Fix NPE when affected node in OSV does not define a package - apiserver/#3194
- Fix NPE for BOM_PROCESSING_FAILED notifications when parsing of the BOM failed - apiserver/#3198
- Fix gradual performance degradation of portfolio vulnerability analysis - apiserver/#3222
- Fix erroneous warning log during VEX import - apiserver/#3233
- Fix `project.active` defaulting to `false` when creating projects via REST API - apiserver/#3244
- Fix OIDC login button moving before it can be clicked - frontend/#616
- Fix input fields losing focus while editing alerts - frontend/#619
- Fix switching between project versions being broken on tabs other than “Overview” - frontend/#659
- Fix notification level not being modifiable for existing alerts - frontend/#661
Upgrade Notes:
- The `CPE` table is no longer needed and will be dropped automatically upon upgrade - apiserver/#3117
- A warning will be logged when mirroring the NVD through its legacy data feeds
  - Refer to the NVD datasource documentation to learn how to switch to API-based mirroring
- As the Grafana dashboard is not managed by Dependency-Track, users wishing to update it will need to re-import it into their Grafana instance.
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@AbdelHajou, @Nikemare, @acdha, @dimitri-rebrikov, @jadyndev, @leec94, @mehab, @melba-lopez, @rbt-mm, @rkg-mm, @willienel, @ybelMekk
dependency-track-apiserver.jar

| Algorithm | Checksum |
|---|---|
| SHA-1 | c308b1f6a2d73fc2bba9da2cc33bf7e3ec49e851 |
| SHA-256 | d06f4550e16451ccb7843c36534172744934a7dc69e1d48e970a6eec24e49dc3 |

dependency-track-bundled.jar

| Algorithm | Checksum |
|---|---|
| SHA-1 | b94fb9cbaa91c4e332bcec266e10a0f325f12e22 |
| SHA-256 | cf27db44e637b4bc551c16e659e81890f4c5d4f3b4ea9893ebf1717bff98b999 |

frontend-dist.zip

| Algorithm | Checksum |
|---|---|
| SHA-1 | 217bcaab3a7da2ae2fab3103055f9503aef5db07 |
| SHA-256 | 2f6f524c45afcc4a90128cab22a557bf41b88c716aaf0992eb6bb2239ce1469c |
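The checksums above exist so that a downloaded artifact can be verified before it is deployed. The script below is an added example, not part of the Dependency-Track release notes or of the project's own tooling: it pins the SHA-256 values from the tables above (SHA-1 is listed too, but SHA-256 is the one worth checking) and refuses to proceed on a missing, unknown or mismatching file. It assumes the artifacts keep their published file names and that either `sha256sum` or `shasum` is on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not Dependency-Track project code): verify the v4.10 release
# artifacts against the SHA-256 checksums published in the release notes.

# expected_sha256 NAME: print the published SHA-256 for a release artifact,
# or return 1 if NAME is not one of the published artifacts.
expected_sha256() {
  case "$1" in
    dependency-track-apiserver.jar) echo d06f4550e16451ccb7843c36534172744934a7dc69e1d48e970a6eec24e49dc3 ;;
    dependency-track-bundled.jar)   echo cf27db44e637b4bc551c16e659e81890f4c5d4f3b4ea9893ebf1717bff98b999 ;;
    frontend-dist.zip)              echo 2f6f524c45afcc4a90128cab22a557bf41b88c716aaf0992eb6bb2239ce1469c ;;
    *) return 1 ;;
  esac
}

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE, using
# sha256sum (GNU coreutils) or shasum (macOS/BSD), whichever is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE [EXPECTED]: return 0 when FILE's digest equals EXPECTED
# (default: the published value for FILE's base name); return 1 and print a
# diagnostic on stderr when the file is missing, unknown, or does not match.
verify_artifact() {
  local file="$1" expected="${2:-}" actual
  [ -f "$file" ] || { echo "MISSING  $file" >&2; return 1; }
  if [ -z "$expected" ]; then
    expected="$(expected_sha256 "$(basename "$file")")" \
      || { echo "UNKNOWN  $file (no published checksum)" >&2; return 1; }
  fi
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "OK       $file"
    return 0
  fi
  echo "MISMATCH $file (expected $expected, got $actual)" >&2
  return 1
}

# verify_release_artifacts [DIR]: check all three published artifacts in DIR
# (default: current directory); return 1 if any check fails so a deployment
# script can stop before unpacking anything.
verify_release_artifacts() {
  local dir="${1:-.}" status=0 name
  for name in dependency-track-apiserver.jar dependency-track-bundled.jar frontend-dist.zip; do
    verify_artifact "$dir/$name" || status=1
  done
  return "$status"
}
```

Source the file from a download or deployment script and call `verify_release_artifacts /path/to/downloads`; a non-zero return means at least one artifact should not be used. Comparing against checksums copied from the release page only protects against a corrupted or substituted download, not against a compromised release page itself, so the values are pinned in the script rather than fetched at run time.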