This release primarily addresses the removal of NVD 1.1 data feeds, which caused Dependency-Track’s NVD mirroring process to fail. With this release, Dependency-Track will consume the new 2.0 data feeds.
Users who cannot perform this upgrade immediately can configure NVD mirroring to be performed via the NVD REST API instead. Refer to the NVD datasource documentation for details.
Features:
- Migrate to NVD 2.0 data feeds - apiserver/#5236
Fixes:
- Handle URLs in composer package metadata pattern - apiserver/#5234
- Fix failing TrivyAnalysisTaskIntegrationTest - apiserver/#5241
- Handle `adduser`/`addgroup` removal in Debian base image - apiserver/#5246
- Fix inconsistent ordering in findings endpoints - apiserver/#5247
- Fix failing Trivy OS matching for distro versions with special characters - apiserver/#5249
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
dependency-track-apiserver.jar
Algorithm | Checksum |
---|---|
SHA-1 | 048b46829358cfde1f4d90b9298984224c75f6ae |
SHA-256 | 2ca674108a08bf71642ddec6704125fae720161c4c40268fd19557e8b116d9d0 |
dependency-track-bundled.jar
Algorithm | Checksum |
---|---|
SHA-1 | b3eb198254783462dc7d147791537fa50b11483e |
SHA-256 | a8252f66f9b3c9253553e1d2a40fb0169f90c31895e36f57bc5992068ff473f5 |
frontend-dist.zip
Algorithm | Checksum |
---|---|
SHA-1 | 827522ca8079450a8560a58a1b4e71add0a5d630 |
SHA-256 | d0e604300d52047c32a98a51aa32e1cf2276525fa81557c4c95f1ad49f30d820 |