Highlights:

• Optimized BOM Ingestion. The logic that governs how uploaded BOMs are processed and ingested into Dependency-Track has been overhauled to be more reliable and efficient. Further, BOM processing is now an atomic operation, such that errors occurring midway do not cause a partial state to be left behind. De-duplication of components and services is more predictable, and log messages emitted during processing contain additional context, making them easier to correlate. Because the new implementation can have a big impact on how Dependency-Track behaves regarding BOM uploads, it is disabled by default for this release. It may be enabled in the administration panel under Configuration -> Experimental.
• BOM Validation. Historically, Dependency-Track did not validate uploaded BOMs and VEXs against the CycloneDX schema. While this allowed BOMs to be processed that did not strictly adhere to the schema, it could also lead to confusion when uploaded files were accepted, but then failed to be ingested during asynchronous processing. Starting with this release, uploaded files will be rejected if they fail schema validation. Note that this may reveal issues in BOM generators that currently produce invalid CycloneDX documents. Validation may be turned off in the administration panel under Configuration -> BOM Formats.
  • This feature was demoed in our April community meeting! Watch it here
• Global Vulnerability Audit View. This new interface allows users to discover and filter vulnerabilities that affect their portfolio, across all projects. When portfolio access control is enabled, this view is limited to projects a user has explicit access to. It is possible to inspect individual findings, or aggregates grouped by vulnerability, making it possible to spot the most prevalent vulnerabilities.
  • This feature was demoed in our April community meeting! Watch it here.
• Trivy Analyzer Integration. It is now possible to leverage Trivy in server mode for vulnerability analysis.
  • Refer to the analyzer’s documentation for further details, in particular the known limitations.
  • This feature was demoed in our April community meeting! Watch it here.
• Extended Localization. The UI now supports 12 additional languages. Users can change their language preference in their profile settings. While the Portuguese, Brazilian Portuguese, and Spanish translations were provided by a native speaker (thanks @fnxpt!), the majority of languages are currently machine-translated. Translation improvements are a great way to contribute to the project, please find additional details here.
• Official Helm Chart. The Dependency-Track project now offers an official Helm chart for Kubernetes deployments. Community input and contributions are highly requested. The chart repository can be found at https://github.com/DependencyTrack/helm-charts. It is also available through Artifact Hub.

Features:

• Add global vulnerability audit view - apiserver/#2472
• Add support for vulnerability analysis with Trivy - apiserver/#3259
• Return processing token when cloning a project - apiserver/#3260
• Only show projects that haven’t been added to the team yet when configuring ACLs - apiserver/#3261
• Clarify OpenID Connect group mapping to teams - apiserver/#3269
• Add option to configure token for Webhook notifications - apiserver/#3275
• Add notifications for user creation and deletion - apiserver/#3275
• Pre-process CWE dictionary, drop CWE table - apiserver/#3284
• Add “Show in Dependency Graph” button in “Affected Projects” list - apiserver/#3285
• Document risk score calculation - apiserver/#3347
• Make processing of uploaded BOMs atomic - apiserver/#3357
• Improve performance of BOM processing - apiserver/#3357
• Add more context to logs emitted during BOM processing - apiserver/#3357
  • BOM format, spec version, serial number, and version
  • Project UUID, name, and version
• Store severities in database instead of computing them ad-hoc in-memory - apiserver/#3408
• Add OIDC docs for large enterprise configuration using Azure AD - apiserver/#3414
• Make subject prefix for email notifications configurable - apiserver/#3422
• Support toggling between active / inactive projects in the “Affected Projects” list - apiserver/#3425
• Add attribution notice to NVD documentation - apiserver/#3490
• Bump CWE dictionary to v4.13 - apiserver/#3491
• Align retry configuration and behavior across analyzers - apiserver/#3494
• Add support for component properties - apiserver/#3499
• Add auto-generated changelog to GitHub releases - apiserver/#3502
• Bump SPDX license list to v3.23, bringing in 91 new licenses - apiserver/#3508
• Validate uploaded BOMs against CycloneDX schema prior to processing them - apiserver/#3522
• Improve observability of Lucene search indexes - apiserver/#3535
• Add support for Hackage repositories - apiserver/#3549
• Add support for Nix repositories - apiserver/#3549
• Add required permissions to OpenAPI descriptions of endpoints - apiserver/#3557
• Add support for exporting findings in SARIF format - apiserver/#3561
• Ingest vulnerability alias information from VulnDB - apiserver/#3588
• Properly validate UUID request parameters to prevent internal server errors - apiserver/#3590
• Document pagination query parameters in OpenAPI specification - apiserver/#3625
• Document sorting query parameters in OpenAPI specification - apiserver/#3631
• Gracefully handle unique constraint violations - apiserver/#3648
• Log debug information upon possible secret key corruption - apiserver/#3651
• Add support for worker pool drain timeout - apiserver/#3657
• Fall back to no authentication when OSS Index API token decryption fails - apiserver/#3661
• Include project details in MS Teams notification for BOM_PROCESSING_FAILED - apiserver/#3666
• Show component count in projects list - frontend/#683
• Add current fail, warn, and info values to bottom of policy violation metrics - frontend/#707
• Remove unused policy violation widget - frontend/#710
• Use consistent coloring for “Suppressed” metrics - frontend/#712
• Show policy violations by state and classification - frontend/#717
• Show footer counters in “Portfolio Vulnerabilities” metrics - frontend/#718
• Improve UX of the project active / inactive toggle - frontend/#721
• Show publisher name when expanding rows in the “Alerts” table - frontend/#728
• Improve tooltip clarity for project vulnerabilities - frontend/#733
• Show badges on “Policy Violations” tab - frontend/#744
• Add ESLint and prettier for consistent code formatting - frontend/#752
• Display created and last used timestamps for API keys - frontend/#768
• Display API key comments and make them editable - frontend/#768
• Add internal column to component search view - frontend/#775
• Add classification badge to component details to highlight internal components - frontend/#776
• Add group to component breadcrumb - frontend/#777
• Add deprecated column to license list - frontend/#792
• Use concise endpoint to populate license list - frontend/#793
• Display comment field of external references - frontend/#803
• Add support for 12 new languages, and localization based on browser language or custom preference - frontend/#805
• Improve contrast ratio on progress bars - frontend/#816
• Add language picker to profile dropdown - frontend/#824
• Display EPSS score and percentile on vulnerability view - frontend/#832

Fixes:

• Fix policy violations not being considered when cloning a project - apiserver/#3248
• Fix StackOverflowError when processing BOMs with deeply nested component structures - apiserver/#3357
• Fix inconsistent component de-duplication during BOM processing, causing varying components counts in successive uploads - apiserver/#3357
• Fix components erroneously being de-duplicated when only a single attribute of their component identity is identical - apiserver/#3357
• Fix components defined in the BOM node metadata.component.components not being imported - apiserver/#3357
• Fix withdrawn GitHub Advisories being mirrored - apiserver/#3394
• Fix broken image in OIDC documentation - apiserver/#3411
• Fix VulnDB parser being unable to import vulnerability records when nvd_additional_information is empty - apiserver/#3437
• Fix URISyntaxException when NPM PURL contains special characters - apiserver/#3456
• Fix finding attribution date not being retained when cloning a project - apiserver/#3488
• Fix Cargo repository metadata analyzer not being invoked - apiserver/#3511
• Fix type of purl fields in Swagger docs - apiserver/#3512
• Fix CI build status badge - apiserver/#3513
• Fix bom and vex request fields not being visible in OpenAPI spec - apiserver/#3557
• Fix unclear error response when base64 encoded bom and vex values exceed character limit - apiserver/#3558
• Fix unhandled NotFoundExceptions causing a HTTP 500 response - apiserver/#3559
• Fix inability to store PURLs longer than 255 characters - apiserver/#3560
• Disable automatic API key generation for newly created teams - apiserver/#3574
• Fix severity not being set for vulnerabilities from VulnDB - apiserver/#3595
• Fix JDOFatalUserException for long reference URLs from OSS Index - apiserver/#3650
• Fix unhandled ClientErrorExceptions causing a HTTP 500 response - apiserver/#3659
• Fix unique constraint violation during NVD mirroring via feed files - apiserver/#3664
• Fix VUE_APP_SERVER_URL being ignored - frontend/#682
• Fix visibility of “Vulnerabilities” and “Policy Violations” columns not being toggle-able individually - frontend/#686
• Fix finding search routes - frontend/#689
• Fix CI build status badge - frontend/#699
• Fix incorrect calculation of “Audited Violations” and “Audited Vulnerabilities” percentages - frontend/#704
• Fix percentage calculation to consistently round to two decimal places - frontend/#708
• Fix percentage calculation edge cases - frontend/#719
• Fix “Outdated Only” button being disabled when dependency graph is not available - frontend/#725
• Fix redundant requests to /api/v1/component when loading project page - frontend/#726
• Fix column visibility preferences triggering redundant requests - frontend/#727
• Fix @<version> being appended when rendering CPEs in “Affected Components” view - frontend/#748
• Fix aliases not being displayed in vulnerabilities list - frontend/#766
• Fix link to portfolio access control view - frontend/#774
• Fix Download BOM button requiring higher privileges than necessary - frontend/#812

Upgrade Notes:

• To enable the optimized BOM ingestion, toggle the BOM Processing V2 option in the administration panel under Configuration -> Experimental
• Validation of uploaded BOMs and VEXs is enabled per default, but can be disabled in the administration panel under Configuration -> BOM Formats -> BOM Validation
• The CWE table is dropped automatically upon upgrade, it has been unused since v4.5
• The default logging configuration (logback.xml) was updated to include the Mapped Diagnostic Context (MDC)
  • Users who customized their logging configuration are recommended to follow this change
• Severities of vulnerabilities that previously had NULL severities in the database will be computed and updated automatically upon upgrade, based on CVSSv2, CVSSv3, and OWASP Risk Rating scores
  • Database updates are batched, the entire procedure should complete 30s to 1min
• The following configuration properties were renamed:
  • ossindex.retry.backoff.max.duration → ossindex.retry.backoff.max.duration.ms
  • snyk.retry.exponential.backoff.multiplier → snyk.retry.backoff.multiplier
  • snyk.retry.exponential.backoff.initial.duration.seconds → snyk.retry.backoff.initial.duration.ms
  • snyk.retry.exponential.backoff.max.duration.seconds → snyk.retry.backoff.max.duration.ms
• Configuration properties for retry durations are now specified in milliseconds instead of seconds
• The following default values for configuration properties have changed:
  • ossindex.retry.backoff.max.duration.ms: 600000ms (10min) → 60000ms (1min)
• The name tag of the resilience4j_retry_calls_total for OSS Index has changed from ossIndexRetryer to ossindex-api
• The types of the following columns are changed from VARCHAR(255) to VARCHAR(786) automatically upon upgrade:
  • COMPONENT.PURL
  • COMPONENT.PURLCOORDINATES
  • COMPONENTANALYSISCACHE.TARGET
  • PROJECT.PURL

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.11.0
• Frontend milestone 4.11.0

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@2000rosser, @AnthonyMastrean, @LaVibeX, @MangoIV, @Robbilie, @VithikaS, @a5a351e7, @acdha, @aravindparappil46, @baburkin, @fnxpt, @kepten, @leec94, @lukas-braune, @malice00, @mehab, @mge-mm, @mykter, @rbt-mm, @rkesters, @rkg-mm, @sahibamittal, @sebD, @setchy, @validide

dependency-track-apiserver.jar #

Algorithm	Checksum
SHA-1	a9dae58a25c8aeeb54134ff054214505eb170db9
SHA-256	03160957fced99c3d923bbb5c6cb352740da1970bd4775b52bb451b95c4cefaf

dependency-track-bundled.jar #

Algorithm	Checksum
SHA-1	59b78c3f6b1979ba29c1bd754b7dc1005101fc49
SHA-256	1a34808cd6c7a9bf7b181e4f175c077f1ee5d5a9daf327b330db9b1c63aac2d3

frontend-dist.zip #

Algorithm	Checksum
SHA-1	80cddddaf5c9c73676065d4ab6fe7b3eff3ec8de
SHA-256	9c51c337f4b2a7e78730c70473cd24070773a0982d1c0ee6c13f9a6f18a756d5 frontend-dist.zip

Software Bill of Materials (SBOM) #

• API Server: bom.json
• Frontend: bom.json