Highlights:
- API Key Overhaul. API keys are no longer stored as plain text values in the database,
but as SHA3-256 hashes. It will no longer be possible to view the full, plain text API keys
in the administration panel. Instead, full keys will only be shown once after their
creation. To allow keys to be identifiable despite this change, the API key format was adjusted
to include a public identifier portion. Keys generated by version 4.13.0 and later will follow
the format `odt_<publicId>_<key>`, where `publicId` consists of 8 random characters, and `key`
of the usual 32 random characters. The public ID is intended to identify API keys without disclosing their secret. It will be visible in the UI, and it will also appear in logs.
- Keys generated by earlier versions of Dependency-Track will continue to work; in their case the first 5 characters are assumed to be the public ID.
- This feature was discussed and demoed in our February community meeting! Watch it here
- Collection Projects. Dependency-Track has had support for project hierarchies for a while,
but until now their utility was still somewhat limited. Collection projects change this,
as they allow parent projects to act as aggregates of their children. While they are a major improvement
to the project hierarchy mechanism, there is still more work to be done. And the team is always
looking for feedback on how to make it better.
- This feature was discussed and demoed in our January community meeting! Watch it here
- Scheduled Summary Notifications. Instead of publishing notifications immediately when a new vulnerability or policy violation is identified, it is now possible to configure scheduled summary notifications. This aids in reducing alert fatigue. Refer to the notifications documentation for more details.
- Reduced Memory Footprint. The persistence framework used by Dependency-Track to interact with the database comes with overambitious caching enabled per default. Disabling this cache mechanism has been a recommendation the team gave to users struggling with memory requirements for a while. After evaluating whether it provides any justifiable benefit at all, it was decided to turn this feature off entirely. Users with large portfolios should see a noticeable drop in heap utilization and pressure on the garbage collector.
- Observability Improvements. Logs emitted while handling REST API requests now include context about the authenticated user, the path of the endpoint being called, as well as the request method. This makes it easier to trace where problems are occurring, and who initiated the requests that cause them.
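The key layout and hashed storage described in the API Key Overhaul above, as an added illustration that is not Dependency-Track's own code. The alphanumeric alphabet, hashing of the whole key string, and hex-encoded digest are assumptions; the `odt_<publicId>_<key>` layout, the 8/32-character lengths and the 5-character legacy public ID come from the notes.

```python
import hashlib
import hmac
import secrets
import string

# Assumptions (not taken from Dependency-Track's source): an alphanumeric key
# alphabet, the whole key string being hashed, and a hex-encoded digest.
# The layout and segment lengths follow the release notes.
ALPHABET = string.ascii_letters + string.digits
PREFIX = "odt_"
PUBLIC_ID_LEN = 8
SECRET_LEN = 32
LEGACY_PUBLIC_ID_LEN = 5  # pre-4.13.0 keys: first 5 characters act as public ID

def generate_api_key() -> str:
    """Build a key in the 4.13.0 layout: odt_<8-char publicId>_<32-char key>."""
    public_id = "".join(secrets.choice(ALPHABET) for _ in range(PUBLIC_ID_LEN))
    secret = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    return f"{PREFIX}{public_id}_{secret}"

def public_id_of(api_key: str) -> str:
    """Loggable identifier: publicId segment of a new key, first 5 chars of a legacy key."""
    if api_key.startswith(PREFIX):
        parts = api_key.split("_")
        if len(parts) != 3 or len(parts[1]) != PUBLIC_ID_LEN or len(parts[2]) != SECRET_LEN:
            raise ValueError("malformed 4.13.0-style API key")
        return parts[1]
    return api_key[:LEGACY_PUBLIC_ID_LEN]

def hash_api_key(api_key: str) -> str:
    # What the database holds instead of the plain-text key.
    return hashlib.sha3_256(api_key.encode("utf-8")).hexdigest()

class ApiKeyStore:
    """In-memory stand-in for the API key table: publicId -> SHA3-256 hash."""
    def __init__(self) -> None:
        self._hashes: dict[str, str] = {}

    def create(self) -> str:
        key = generate_api_key()
        self._hashes[public_id_of(key)] = hash_api_key(key)
        return key  # the only time the full key is ever visible

    def authenticate(self, presented: str) -> bool:
        """Look up by public ID, then compare digests in constant time."""
        try:
            stored = self._hashes.get(public_id_of(presented))
        except ValueError:
            return False
        return stored is not None and hmac.compare_digest(hash_api_key(presented), stored)
```

The public ID is safe to write to logs because knowing it does not help reconstruct the 32-character secret, which exists only in the hashed form after creation.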
Features:
- Introduce collection projects for better utilization of project hierarchies - apiserver/#3258
- Add property to control `verified` flag in DefectDojo integration - apiserver/#4273
- Disable DataNucleus L2 cache globally - apiserver/#4310
- Optimize vulnerability synchronization logic to not perform redundant writes - apiserver/#4359
- Add REST API endpoint for batch deletion of projects - apiserver/#4383
- Update link to Azure DevOps Extension in docs - apiserver/#4423
- Reduce database round-trips during BOM processing - apiserver/#4486
- Postpone deprecation of unauthenticated access to Badge API - apiserver/#4502
- Clarify descriptions of component analysis cache properties - apiserver/#4504
- Add debug logging for Composer meta analyzer - apiserver/#4546
- Clarify OpenAPI endpoint location in the docs - apiserver/#4556
- Migrate API keys to new format - apiserver/#4566, apiserver/#4682
- Update quickstart Compose file to use Postgres instead of H2 - apiserver/#4576
- Add SecObserve to community integrations - apiserver/#4580
- Track “last vulnerability analysis” timestamp for projects - apiserver/#4642
- Implement basic telemetry collection - apiserver/#4651
- Prevent application startup when migrations fail - apiserver/#4681
- Add support for Snyk API version 2024-10-15 - apiserver/#4715
- Add REST API endpoint for bulk creation of tags - apiserver/#4766
- Update Azure AD configuration docs to Entra ID - apiserver/#4778
- Make it configurable whether Trivy should scan only OS packages, only libraries, or both - apiserver/#4782
- Add support for scheduled summary notifications - apiserver/#4783
- Add ability to configure the DefectDojo test title - apiserver/#4796
- Bump SPDX license list to v3.26.0 - apiserver/#4800
- Bump CWE dictionary to v4.16 - apiserver/#4801
- Add new optional column Classifier in project component view - frontend/#1058
- Remove deprecation notice of toggle for unauthenticated access to SVG badges - frontend/#1129
- Add timestamp formatting to chart tooltips - frontend/#1152
- Handle new API key format and generation process - frontend/#1157
- Add telemetry admin view - frontend/#1164
- Add autocomplete to project collection logic tag dropdown - frontend/#1198
Fixes:
- Fix failure to synchronize vulnerability aliases when the source of a vulnerability is unrecognized - apiserver/#4767
- Fix possible NPE during affected version attribution sync - apiserver/#4798
- Fix occasional JsonParseException during NVD API mirroring - apiserver/#4814
- Fix UpgradeInitializer halting the entire process upon failure - apiserver/#4818
- Fix column visibility preference not considered for project list - frontend/#1169
- Fix tag autocomplete dropdown library style overriding issue - frontend/#1213
Upgrade Notes:
Please make a database backup before upgrading! Some changes in this release are irreversible,
and you won’t be able to roll back simply by downgrading the application version!
- Existing API keys will be automatically hashed during this upgrade. It will not be possible to view them in plain text ever again after the upgrade has completed. In addition to making a database backup, consider noting down all the keys you might need somewhere safe before performing this upgrade.
- Dependency-Track instances will automatically share minimal telemetry information on a daily basis. Find a list of collected data, as well as instructions for opting out, in the telemetry documentation.
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@2000rosser, @AndreVirtimo, @Gepardgame, @Granjow, @LaVibeX, @MM-msr, @Malaydewangan09, @Rudra-Garg, @SaberStrat, @StefanFl, @VinodAnandan, @Zargath, @ad8-adriant, @dhfherna, @jayolee, @mge-mm, @mikael-carneholm-2-wcar, @mjwrona, @rbt-mm, @rkg-mm, @stohrendorf, @valentijnscholten
dependency-track-apiserver.jar

| Algorithm | Checksum |
|---|---|
| SHA-1 | c5ef70f1e8df186a929a7c2ad24962a3b97af379 |
| SHA-256 | 0f2af7a93a21850da62c2b2e86babfb0b0f18abd80f380dfb80bf84c59f605e4 |

dependency-track-bundled.jar

| Algorithm | Checksum |
|---|---|
| SHA-1 | feeac3362ae6ea5d42cf6dde7e5e079599372eaa |
| SHA-256 | a81e61f1e21a732474a11345d71e7853d50ec2faea1f7d44bacfb29902673ebd |

frontend-dist.zip

| Algorithm | Checksum |
|---|---|
| SHA-1 | 5f18d23205cff4627ff6330bca9f70f71810da89 |
| SHA-256 | e64676821351096cce62735d28a15b2ae62c4ba66c1b295ab119a9b83f94eef0 |