Dependency-Track v4.11

This release primarily addresses an inability to mirror the NVD via its REST API. The NVD REST API recently experienced increased load, causing service disruptions. Dependency-Track users who opted into API mirroring will have seen symptoms of this as "NvdApiException: NVD Returned Status Code: 503" errors in the logs.

To reduce load on their systems, NIST started to block requests with a certain User-Agent header, which Dependency-Track happens to use. After upgrading to v4.11.5, Dependency-Track is no longer subject to this block.

Users who can’t immediately update, yet are reliant on NVD data being current, can switch back to feed-file-based mirroring by disabling "Enable mirroring via API" in the administration panel.


For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:

dependency-track-apiserver.jar

Algorithm  Checksum
SHA-1      8fd45ea6ae725e8e7dac59ec9d471fcdaeb42c6d
SHA-256    c39c15849cbb7dd19833ea689c20aaf92bc9f6965b758961e1d2a01a2b09f86f

dependency-track-bundled.jar

Algorithm  Checksum
SHA-1      eba6cbaa6c2da9ffb295da83ed39af68ff4130a8
SHA-256    7ebb11573b2a59084ed98fe92d363240c910dc7b5aa7ebeda64bee7d47089d9a

Algorithm  Checksum
SHA-1      0992c02871d536eaa1d3971a01ce815daf115129
SHA-256    fa427fd6dde55fe6a327a82f52edcdbe29a04f23d360742fe446b0c8e1714647
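
Checking a downloaded artifact against the checksums listed above, as an added example that is not part of the original release notes or the Dependency-Track project's code: it parses the listing layout used on this page and requires the SHA-256 value to match rather than accepting SHA-1 alone. The function names are illustrative, and the third checksum pair is left out because its artifact name does not appear on this page.

```python
import hashlib
import hmac
import re

# Checksums copied from this page's listing for v4.11.5 (named artifacts only).
PUBLISHED = """\
dependency-track-apiserver.jar
SHA-1 8fd45ea6ae725e8e7dac59ec9d471fcdaeb42c6d
SHA-256 c39c15849cbb7dd19833ea689c20aaf92bc9f6965b758961e1d2a01a2b09f86f
dependency-track-bundled.jar
SHA-1 eba6cbaa6c2da9ffb295da83ed39af68ff4130a8
SHA-256 7ebb11573b2a59084ed98fe92d363240c910dc7b5aa7ebeda64bee7d47089d9a
"""

ALGOS = {"SHA-1": "sha1", "SHA-256": "sha256"}  # page label -> hashlib name
ROW = re.compile(r"^(SHA-1|SHA-256)\s+([0-9a-fA-F]+)$")


def parse_listing(text):
    """Return {artifact: {hashlib_name: hex_digest}} from the listing layout."""
    table, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m and current:
            name = ALGOS[m.group(1)]
            digest = m.group(2).lower()
            # A digest of the wrong length means a truncated copy-paste.
            if len(digest) != hashlib.new(name).digest_size * 2:
                raise ValueError(f"truncated {m.group(1)} for {current}")
            table[current][name] = digest
        elif line and not m:
            current = line  # any other non-empty line names the next artifact
            table[current] = {}
    return table


def verify(path, expected):
    """True only if every published digest matches; SHA-256 is mandatory."""
    if "sha256" not in expected:
        return False  # never accept an artifact on SHA-1 alone
    hashers = {name: hashlib.new(name) for name in expected}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream in 1 MiB reads
            for h in hashers.values():
                h.update(chunk)
    return all(hmac.compare_digest(hashers[n].hexdigest(), expected[n])
               for n in expected)
```

Call `verify("dependency-track-bundled.jar", parse_listing(PUBLISHED)["dependency-track-bundled.jar"])` against the downloaded file and abort the upgrade if it returns False.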
Software Bill of Materials (SBOM)