Highlights:
- Optimized BOM Ingestion. The logic that governs how uploaded BOMs are processed and ingested into Dependency-Track has been overhauled to be more reliable and efficient. Further, BOM processing is now an atomic operation, such that errors occurring midway do not cause a partial state to be left behind. De-duplication of components and services is more predictable, and log messages emitted during processing contain additional context, making them easier to correlate. Because the new implementation can have a big impact on how Dependency-Track behaves regarding BOM uploads, it is disabled by default for this release. It may be enabled in the administration panel under Configuration -> Experimental.
- BOM Validation. Historically, Dependency-Track did not validate uploaded BOMs and VEXs against the CycloneDX
schema. While this allowed BOMs to be processed that did not strictly adhere to the schema, it could also lead to confusion
when uploaded files were accepted, but then failed to be ingested during asynchronous processing. Starting with this
release, uploaded files will be rejected if they fail schema validation. Note that this may reveal issues in BOM
generators that currently produce invalid CycloneDX documents. Validation may be turned off in the
administration panel under Configuration -> BOM Formats.
- This feature was demoed in our April community meeting! Watch it here
- Global Vulnerability Audit View. This new interface allows users to discover and filter vulnerabilities that affect
their portfolio, across all projects. When portfolio access control is enabled, this view is limited to projects a user
has explicit access to. It is possible to inspect individual findings, or aggregates grouped by vulnerability,
making it possible to spot the most prevalent vulnerabilities.
- This feature was demoed in our April community meeting! Watch it here.
- Trivy Analyzer Integration. It is now possible to leverage Trivy in server mode for vulnerability analysis.
- Refer to the analyzer’s documentation for further details, in particular the known limitations.
- This feature was demoed in our April community meeting! Watch it here.
- Extended Localization. The UI now supports 12 additional languages. Users can change their language preference in their profile settings. While the Portuguese, Brazilian Portuguese, and Spanish translations were provided by a native speaker (thanks @fnxpt!), the majority of languages are currently machine-translated. Translation improvements are a great way to contribute to the project, please find additional details here.
- Official Helm Chart. The Dependency-Track project now offers an official Helm chart for Kubernetes deployments. Community input and contributions are highly requested. The chart repository can be found at https://github.com/DependencyTrack/helm-charts. It is also available through Artifact Hub.
Features:
- Add global vulnerability audit view - apiserver/#2472
- Add support for vulnerability analysis with Trivy - apiserver/#3259
- Return processing token when cloning a project - apiserver/#3260
- Only show projects that haven’t been added to the team yet when configuring ACLs - apiserver/#3261
- Clarify OpenID Connect group mapping to teams - apiserver/#3269
- Add option to configure token for Webhook notifications - apiserver/#3275
- Add notifications for user creation and deletion - apiserver/#3275
- Pre-process CWE dictionary, drop
CWE
table - apiserver/#3284 - Add “Show in Dependency Graph” button in “Affected Projects” list - apiserver/#3285
- Document risk score calculation - apiserver/#3347
- Make processing of uploaded BOMs atomic - apiserver/#3357
- Improve performance of BOM processing - apiserver/#3357
- Add more context to logs emitted during BOM processing - apiserver/#3357
- BOM format, spec version, serial number, and version
- Project UUID, name, and version
- Store severities in database instead of computing them ad-hoc in-memory - apiserver/#3408
- Add OIDC docs for large enterprise configuration using Azure AD - apiserver/#3414
- Make subject prefix for email notifications configurable - apiserver/#3422
- Support toggling between active / inactive projects in the “Affected Projects” list - apiserver/#3425
- Add attribution notice to NVD documentation - apiserver/#3490
- Bump CWE dictionary to v4.13 - apiserver/#3491
- Align retry configuration and behavior across analyzers - apiserver/#3494
- Add support for component properties - apiserver/#3499
- Add auto-generated changelog to GitHub releases - apiserver/#3502
- Bump SPDX license list to v3.23, bringing in 91 new licenses - apiserver/#3508
- Validate uploaded BOMs against CycloneDX schema prior to processing them - apiserver/#3522
- Improve observability of Lucene search indexes - apiserver/#3535
- Add support for Hackage repositories - apiserver/#3549
- Add support for Nix repositories - apiserver/#3549
- Add required permissions to OpenAPI descriptions of endpoints - apiserver/#3557
- Add support for exporting findings in SARIF format - apiserver/#3561
- Ingest vulnerability alias information from VulnDB - apiserver/#3588
- Properly validate UUID request parameters to prevent internal server errors - apiserver/#3590
- Document pagination query parameters in OpenAPI specification - apiserver/#3625
- Document sorting query parameters in OpenAPI specification - apiserver/#3631
- Gracefully handle unique constraint violations - apiserver/#3648
- Log debug information upon possible secret key corruption - apiserver/#3651
- Add support for worker pool drain timeout - apiserver/#3657
- Fall back to no authentication when OSS Index API token decryption fails - apiserver/#3661
- Include project details in MS Teams notification for BOM_PROCESSING_FAILED - apiserver/#3666
- Show component count in projects list - frontend/#683
- Add current fail, warn, and info values to bottom of policy violation metrics - frontend/#707
- Remove unused policy violation widget - frontend/#710
- Use consistent coloring for “Suppressed” metrics - frontend/#712
- Show policy violations by state and classification - frontend/#717
- Show footer counters in “Portfolio Vulnerabilities” metrics - frontend/#718
- Improve UX of the project active / inactive toggle - frontend/#721
- Show publisher name when expanding rows in the “Alerts” table - frontend/#728
- Improve tooltip clarity for project vulnerabilities - frontend/#733
- Show badges on “Policy Violations” tab - frontend/#744
- Add ESLint and prettier for consistent code formatting - frontend/#752
- Display created and last used timestamps for API keys - frontend/#768
- Display API key comments and make them editable - frontend/#768
- Add internal column to component search view - frontend/#775
- Add classification badge to component details to highlight internal components - frontend/#776
- Add group to component breadcrumb - frontend/#777
- Add deprecated column to license list - frontend/#792
- Use concise endpoint to populate license list - frontend/#793
- Display comment field of external references - frontend/#803
- Add support for 12 new languages, and localization based on browser language or custom preference - frontend/#805
- Improve contrast ratio on progress bars - frontend/#816
- Add language picker to profile dropdown - frontend/#824
- Display EPSS score and percentile on vulnerability view - frontend/#832
Fixes:
- Fix policy violations not being considered when cloning a project - apiserver/#3248
- Fix
StackOverflowError
when processing BOMs with deeply nested component structures - apiserver/#3357 - Fix inconsistent component de-duplication during BOM processing, causing varying components counts in successive uploads - apiserver/#3357
- Fix components erroneously being de-duplicated when only a single attribute of their component identity is identical - apiserver/#3357
- Fix components defined in the BOM node
metadata.component.components
not being imported - apiserver/#3357 - Fix withdrawn GitHub Advisories being mirrored - apiserver/#3394
- Fix broken image in OIDC documentation - apiserver/#3411
- Fix VulnDB parser being unable to import vulnerability records when
nvd_additional_information
is empty - apiserver/#3437 - Fix
URISyntaxException
when NPM PURL contains special characters - apiserver/#3456 - Fix finding attribution date not being retained when cloning a project - apiserver/#3488
- Fix Cargo repository metadata analyzer not being invoked - apiserver/#3511
- Fix type of
purl
fields in Swagger docs - apiserver/#3512 - Fix CI build status badge - apiserver/#3513
- Fix
bom
andvex
request fields not being visible in OpenAPI spec - apiserver/#3557 - Fix unclear error response when base64 encoded
bom
andvex
values exceed character limit - apiserver/#3558 - Fix unhandled
NotFoundException
s causing aHTTP 500
response - apiserver/#3559 - Fix inability to store PURLs longer than 255 characters - apiserver/#3560
- Disable automatic API key generation for newly created teams - apiserver/#3574
- Fix severity not being set for vulnerabilities from VulnDB - apiserver/#3595
- Fix
JDOFatalUserException
for long reference URLs from OSS Index - apiserver/#3650 - Fix unhandled
ClientErrorException
s causing aHTTP 500
response - apiserver/#3659 - Fix unique constraint violation during NVD mirroring via feed files - apiserver/#3664
- Fix
VUE_APP_SERVER_URL
being ignored - frontend/#682 - Fix visibility of “Vulnerabilities” and “Policy Violations” columns not being toggle-able individually - frontend/#686
- Fix finding search routes - frontend/#689
- Fix CI build status badge - frontend/#699
- Fix incorrect calculation of “Audited Violations” and “Audited Vulnerabilities” percentages - frontend/#704
- Fix percentage calculation to consistently round to two decimal places - frontend/#708
- Fix percentage calculation edge cases - frontend/#719
- Fix “Outdated Only” button being disabled when dependency graph is not available - frontend/#725
- Fix redundant requests to
/api/v1/component
when loading project page - frontend/#726 - Fix column visibility preferences triggering redundant requests - frontend/#727
- Fix
@<version>
being appended when rendering CPEs in “Affected Components” view - frontend/#748 - Fix aliases not being displayed in vulnerabilities list - frontend/#766
- Fix link to portfolio access control view - frontend/#774
- Fix Download BOM button requiring higher privileges than necessary - frontend/#812
Upgrade Notes:
- To enable the optimized BOM ingestion, toggle the BOM Processing V2 option in the administration panel under Configuration -> Experimental
- Validation of uploaded BOMs and VEXs is enabled per default, but can be disabled in the administration panel under Configuration -> BOM Formats -> BOM Validation
- The
CWE
table is dropped automatically upon upgrade, it has been unused since v4.5 - The default logging configuration (logback.xml) was updated to include the Mapped Diagnostic Context (MDC)
- Users who customized their logging configuration are recommended to follow this change
- Severities of vulnerabilities that previously had
NULL
severities in the database will be computed and updated automatically upon upgrade, based on CVSSv2, CVSSv3, and OWASP Risk Rating scores- Database updates are batched, the entire procedure should complete 30s to 1min
- The following configuration properties were renamed:
ossindex.retry.backoff.max.duration
→ossindex.retry.backoff.max.duration.ms
snyk.retry.exponential.backoff.multiplier
→snyk.retry.backoff.multiplier
snyk.retry.exponential.backoff.initial.duration.seconds
→snyk.retry.backoff.initial.duration.ms
snyk.retry.exponential.backoff.max.duration.seconds
→snyk.retry.backoff.max.duration.ms
- Configuration properties for retry durations are now specified in milliseconds instead of seconds
- The following default values for configuration properties have changed:
ossindex.retry.backoff.max.duration.ms
: 600000ms (10min) → 60000ms (1min)
- The
name
tag of theresilience4j_retry_calls_total
for OSS Index has changed fromossIndexRetryer
toossindex-api
- The types of the following columns are changed from
VARCHAR(255)
toVARCHAR(786)
automatically upon upgrade:COMPONENT.PURL
COMPONENT.PURLCOORDINATES
COMPONENTANALYSISCACHE.TARGET
PROJECT.PURL
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@2000rosser, @AnthonyMastrean, @LaVibeX, @MangoIV, @Robbilie, @VithikaS, @a5a351e7, @acdha, @aravindparappil46,
@baburkin, @fnxpt, @kepten, @leec94, @lukas-braune, @malice00, @mehab, @mge-mm, @mykter, @rbt-mm, @rkesters, @rkg-mm, @sahibamittal, @sebD, @setchy, @validide
dependency-track-apiserver.jar
Algorithm | Checksum |
---|---|
SHA-1 | a9dae58a25c8aeeb54134ff054214505eb170db9 |
SHA-256 | 03160957fced99c3d923bbb5c6cb352740da1970bd4775b52bb451b95c4cefaf |
dependency-track-bundled.jar
Algorithm | Checksum |
---|---|
SHA-1 | 59b78c3f6b1979ba29c1bd754b7dc1005101fc49 |
SHA-256 | 1a34808cd6c7a9bf7b181e4f175c077f1ee5d5a9daf327b330db9b1c63aac2d3 |
frontend-dist.zip
Algorithm | Checksum |
---|---|
SHA-1 | 80cddddaf5c9c73676065d4ab6fe7b3eff3ec8de |
SHA-256 | 9c51c337f4b2a7e78730c70473cd24070773a0982d1c0ee6c13f9a6f18a756d5 frontend-dist.zip |