Fixes:

• Fix possible enumeration of managed users via /api/v1/user/login endpoint - GHSA-9w3m-hm36-w32w
• Reduce memory usage of metrics update tasks - apiserver/#4377
• Fix CPE matching for NVD mirroring via REST API - apiserver/#4378
• Fix incorrect CWE schema in OpenAPI spec - apiserver/#4379
• Fix NullPointerException when fetching findings - apiserver/#4380
• Fix policy evaluation not happening upon creation of update of individual components - apiserver/#4381
• Fix nullable metrics fields having getters of primitive type - apiserver/#4382
• Fix Trivy analyzer vulnerability matching for Go packages - apiserver/#4395
• Fix too frequent notifications during GHSA mirroring - apiserver/#4417
• Fix project.active field being nullable - apiserver/#4418
• Fix NullPointerException when cloning projects with broken dependency graph - apiserver/#4419
• Fix missing CycloneDX JSON content type for /api/v1/bom/cyclonedx/component/{uuid} endpoint - apiserver/#4420
• Fix no error being displayed when submitting and invalid welcome message - frontend/#1099
• Fix tags with special characters breaking the tags table - frontend/#1100
• Fix broken NGINX IPv6 listening - frontend/#1101
• Fix viewing of component properties requiring the PORTFOLIO_MANAGEMENT permission - frontend/#1102
• Fix missing URI encoding for vulnerability IDs - frontend/#1103
• Improve Russian translation - frontend/#1109

Upgrade Notes:

• ACTIVE columns in the PROJECT table that previously had NULL values will be updated to TRUE automatically upon upgrade. The column is further assigned a default value of TRUE. No manual action is required. The SQL statements executed by Dependency-Track can be found here.

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.12.1
• Frontend milestone 4.12.1

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@Gepardgame, @Shortfinga, @WoozyMasta, @antoinbo, @calderonth, @fupgang, @rissson, @wratner

dependency-track-apiserver.jar

Algorithm	Checksum
SHA-1	114d6a9f8b87a307be324f155daf3454dcc269bb
SHA-256	ef6bb4ce3ebea410b620a91cf8347ab1e95c32b3f166103c749ece97f4098591

dependency-track-bundled.jar

Algorithm	Checksum
SHA-1	a15db1b85d0ac29977724deb3f9a65428c929d39
SHA-256	a8aba7cd926de3deeea31290be830ee90282128f1820fddde3ec8b346bba1bdd

frontend-dist.zip

Algorithm	Checksum
SHA-1	b1e520a4aa0d3a3dc65aa5ab7da93b81c84edf43
SHA-256	0a8790def4abe6ab3c5294928cc816a266c2b746ec39b0c1f140b8a2f4c0ad74

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json