Important Notice:
Sonatype has started to enforce an authentication requirement for OSS Index.
The OSS Index analyzer has historically been enabled by default for Dependency-Track, and configuration of credentials for authentication was not strictly necessary.
This has now changed, and users who wish to continue using OSS Index will need to register for a free account, and configure credentials in the analyzer’s settings.
Please refer to Sonatype’s announcement for further details.
In the medium term, we will look into enabling OSV by default to compensate for this change.
Fixes:
- Fix CPE matching not being fully case-insensitive - apiserver/#5299
- Improve detection whether version of a github PURL is a commit SHA or release tag - apiserver/#5350
- Make OSS Index credentials required - apiserver/#5351
- Fix occasional NullPointerException when mirroring the NVD via REST API - apiserver/#5352
- Fix /api/v1/tag/policy/{uuid} endpoint returning more tags than are assigned to a policy - apiserver/#5353
- Fix possible failure of NVD mirroring due to corrupted timestamp files - apiserver/#5354
- Fix BOM validation failing due to unrecognized new SPDX license IDs - apiserver/#5355
- Fix new SPDX license IDs not being recognized - apiserver/#5356
- Fix high CPU utilization when watchdog logger is configured - apiserver/#5357
- Fix NullPointerException in GithubMetaAnalyzer when analyzing GitHub Actions - apiserver/#5359
- Fix connection reset during OSV mirroring - apiserver/#5360
- Fix compatibility of custom NuGet repositories with JFrog Artifactory - apiserver/#5381
- Fix custom NuGet repositories not working with Sonatype Nexus - apiserver/#5381
- Fix possible disclosure of private NuGet repository credentials to api.nuget.org - apiserver/#5381 / GHSA-83g2-vgqh-mgxc
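The last fix above (apiserver/#5381, GHSA-83g2-vgqh-mgxc) is about private repository credentials reaching a host other than the one they were configured for. The following Python is an added illustration, not Dependency-Track's code and not a description of the actual defect: it contrasts a header policy that sends credentials on every request with one that binds them to the configured repository's origin (scheme, host, port). The repository URL, the redirect scenario and the fake_transport callable are constructed for the example so it runs offline.

```python
"""Added example: scoping a private package repository's credentials to that
repository's origin, so that a lookup which ends up at a different host (for
instance api.nuget.org) is sent without the Authorization header.
Illustrative code, not Dependency-Track's own implementation."""
import base64
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def basic_auth_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def headers_unscoped(target_url, repo_url, username, password):
    """Weak variant: the credentials travel with every request the repository
    lookup makes, whatever host the request is actually addressed to."""
    return {"Accept": "application/json",
            "Authorization": basic_auth_header(username, password)}


def headers_scoped(target_url, repo_url, username, password):
    """Hardened variant: credentials are attached only when the target URL
    shares scheme, host and port with the configured repository URL."""
    headers = {"Accept": "application/json"}
    if origin(target_url) == origin(repo_url):
        headers["Authorization"] = basic_auth_header(username, password)
    return headers


def fetch(url, repo_url, username, password, transport, header_fn, max_hops=5):
    """Follow redirects through a caller-supplied transport, recomputing the
    headers for every hop. Returns (final_url, status, hosts_that_got_auth);
    the last item is what a defender would audit.

    `transport` is a hypothetical callable (url, headers) -> (status, payload),
    where payload is the Location target for redirects and the body otherwise."""
    authorized_hosts = []
    for _ in range(max_hops):
        headers = header_fn(url, repo_url, username, password)
        if "Authorization" in headers:
            authorized_hosts.append(origin(url)[1])
        status, payload = transport(url, headers)
        if status in (301, 302, 307, 308):
            url = payload
            continue
        return url, status, authorized_hosts
    raise RuntimeError("too many redirects")


# Constructed, offline scenario: a private feed whose index redirects to the
# public api.nuget.org feed. Hostnames and paths are made up for the example.
PRIVATE_REPO = "https://nuget.example.internal/v3/index.json"
_RESPONSES = {
    "https://nuget.example.internal/v3/index.json":
        (302, "https://api.nuget.org/v3/registration/example-package/index.json"),
    "https://api.nuget.org/v3/registration/example-package/index.json":
        (200, '{"items": []}'),
}


def fake_transport(url, headers):
    return _RESPONSES[url]


def audit(header_fn):
    """Run the lookup under the given header policy and report which hosts
    received the credentials."""
    _, status, hosts = fetch(PRIVATE_REPO, PRIVATE_REPO, "svc-user", "s3cret",
                             fake_transport, header_fn)
    return status, hosts


if __name__ == "__main__":
    print("unscoped:", audit(headers_unscoped))  # credentials also reach api.nuget.org
    print("scoped:  ", audit(headers_scoped))    # credentials stay on the private host
```

The scoped policy is recomputed per hop on purpose: a redirect is exactly the point at which a request can leave the origin the credentials belong to, so the decision cannot be made once up front.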
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@colinfyfe, @framayo, @jonbally, @snieguu, @stohrendorf
dependency-track-apiserver.jar

| Algorithm | Checksum |
|---|---|
| SHA-1 | f38abe7b93f7cb88f3bba4c78c30a9ce7dc45c0d |
| SHA-256 | bf55097e63b46ed16042024636b855f676ba67e6e5824e7da80f3cec863a3f77 |

dependency-track-bundled.jar

| Algorithm | Checksum |
|---|---|
| SHA-1 | 5aea8e0662f8aa4d9e53b52c14367c5345602e34 |
| SHA-256 | 4a373de4d5aca924fb533ebfc7e1eb4fb5a249d81c948bd367a52fa53125a610 |

frontend-dist.zip

| Algorithm | Checksum |
|---|---|
| SHA-1 | e441f28a656b710766a9fd85360872bc9330d14c |
| SHA-256 | fb67bf767e2142b72dbd226b984a1faee9e491d108ccfd29860a49e0b5b15a12 |
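The checksum tables above are only useful if a downloaded artifact is actually compared against them before deployment. The following Python is an added example, not part of the Dependency-Track project: it embeds the checksums published on this page, hashes a file in chunks, and compares every listed digest with a constant-time comparison, reporting per algorithm so a stale SHA-1 and a wrong SHA-256 are distinguishable.

```python
"""Added example: verifying a downloaded release artifact against the checksums
published in the release notes. Not part of the Dependency-Track project."""
import hashlib
import hmac
import os

# Checksums exactly as published on this release page.
PUBLISHED = {
    "dependency-track-apiserver.jar": {
        "sha1": "f38abe7b93f7cb88f3bba4c78c30a9ce7dc45c0d",
        "sha256": "bf55097e63b46ed16042024636b855f676ba67e6e5824e7da80f3cec863a3f77",
    },
    "dependency-track-bundled.jar": {
        "sha1": "5aea8e0662f8aa4d9e53b52c14367c5345602e34",
        "sha256": "4a373de4d5aca924fb533ebfc7e1eb4fb5a249d81c948bd367a52fa53125a610",
    },
    "frontend-dist.zip": {
        "sha1": "e441f28a656b710766a9fd85360872bc9330d14c",
        "sha256": "fb67bf767e2142b72dbd226b984a1faee9e491d108ccfd29860a49e0b5b15a12",
    },
}


def digests_of_stream(chunks, algorithms):
    """Feed every chunk to one hasher per algorithm in a single pass."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def check(actual, expected):
    """Compare computed against expected hex digests, returning {alg: bool}.
    A malformed or wrong-length expected value simply fails."""
    result = {}
    for alg, want in expected.items():
        want = want.strip().lower()
        have = actual.get(alg, "")
        result[alg] = len(want) == len(have) and hmac.compare_digest(have, want)
    return result


def verify_bytes(data, expected):
    """Verify an in-memory artifact (handy for tests and small downloads)."""
    return check(digests_of_stream([data], tuple(expected)), expected)


def verify_file(path, expected, chunk_size=1 << 20):
    """Verify a file on disk without loading it into memory at once."""
    with open(path, "rb") as f:
        chunks = iter(lambda: f.read(chunk_size), b"")
        actual = digests_of_stream(chunks, tuple(expected))
    return check(actual, expected)


def verify_release_artifact(path):
    """Look the file up by name in the published table; returns (ok, details).
    Files not listed on the release page are rejected rather than trusted."""
    name = os.path.basename(path)
    if name not in PUBLISHED:
        return False, {"error": f"{name} is not a published artifact"}
    details = verify_file(path, PUBLISHED[name])
    return all(details.values()), details


if __name__ == "__main__":
    import sys
    for artifact in sys.argv[1:]:
        ok, details = verify_release_artifact(artifact)
        print(f"{artifact}: {'OK' if ok else 'MISMATCH'} {details}")
```

Run it as `python verify.py dependency-track-apiserver.jar frontend-dist.zip` from the download directory; a mismatch on either digest should stop the deployment, since the table on this page is the only link between the file you hold and the release the notes describe.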