
Dependency-Track has historically relied on file-based data feeds to mirror contents of the National Vulnerability Database (NVD). These feeds are being retired on December 15th 2023, although they may be available up until December 18th.

As a consequence, this release includes support for mirroring the NVD via its REST API instead. This integration will be optional for Dependency-Track v4.10, but mandatory for later releases. Users are encouraged to enable REST API mirroring now, to ensure a smooth transition. Refer to the NVD datasource documentation to learn more.



Upgrade Notes:

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@AbdelHajou, @Nikemare, @acdha, @dimitri-rebrikov, @jadyndev, @leec94, @mehab, @melba-lopez, @rbt-mm, @rkg-mm, @willienel, @ybelMekk

dependency-track-apiserver.jar

Algorithm  Checksum
SHA-1      c308b1f6a2d73fc2bba9da2cc33bf7e3ec49e851
SHA-256    d06f4550e16451ccb7843c36534172744934a7dc69e1d48e970a6eec24e49dc3

dependency-track-bundled.jar

Algorithm  Checksum
SHA-1      b94fb9cbaa91c4e332bcec266e10a0f325f12e22
SHA-256    cf27db44e637b4bc551c16e659e81890f4c5d4f3b4ea9893ebf1717bff98b999

Algorithm  Checksum
SHA-1      217bcaab3a7da2ae2fab3103055f9503aef5db07
SHA-256    2f6f524c45afcc4a90128cab22a557bf41b88c716aaf0992eb6bb2239ce1469c
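
Checking a downloaded artifact against the SHA-1 and SHA-256 values listed above, as an added example that is not part of the original release notes or the project's own tooling. The function names `digest_of` and `verify_artifact` and the local file path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example: verify a downloaded release artifact against published checksums.
# digest_of and verify_artifact are illustrative names, not Dependency-Track tooling.

# Print the hex digest of a file. $1 = SHA variant (1 or 256), $2 = file path.
# Reading from stdin avoids the escaped output some tools emit for odd file names.
digest_of() {
    if command -v "sha${1}sum" >/dev/null 2>&1; then
        "sha${1}sum" < "$2" | awk '{print $1}'
    else
        shasum -a "$1" < "$2" | awk '{print $1}'   # fallback where coreutils is absent
    fi
}

# Return 0 only if BOTH digests match, 1 on mismatch, 2 if the file is unreadable.
verify_artifact() {
    file=$1
    # Lower-case the expected values so checksums pasted in upper case still match.
    want_sha1=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha256=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    got_sha1=$(digest_of 1 "$file")
    got_sha256=$(digest_of 256 "$file")
    if [ "$got_sha1" != "$want_sha1" ] || [ "$got_sha256" != "$want_sha256" ]; then
        echo "MISMATCH: $file" >&2
        echo "  sha1   expected $want_sha1 got $got_sha1" >&2
        echo "  sha256 expected $want_sha256 got $got_sha256" >&2
        return 1
    fi
    echo "OK: $file"
}

# Example call with the values listed for dependency-track-apiserver.jar
# (the local path is an assumption):
#   verify_artifact ./dependency-track-apiserver.jar \
#       c308b1f6a2d73fc2bba9da2cc33bf7e3ec49e851 \
#       d06f4550e16451ccb7843c36534172744934a7dc69e1d48e970a6eec24e49dc3
if [ "$#" -eq 3 ]; then
    verify_artifact "$@" || exit $?
fi
```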
Software Bill of Materials (SBOM)