Highlights:
- Ecosystem-aware version matching. Vulnerability analysis now uses version comparison algorithms native to the component’s ecosystem, rather than relying on generic semantic versioning. For example, Debian versions are compared using the dpkg sorting algorithm. Supported ecosystems are Alpine Linux, Debian, Go, Maven, NPM, PyPI, and RPM.
- Distro-aware vulnerability matching. Linux distributions like Debian backport security fixes to older releases, meaning a component may be vulnerable in one distro release but not another. Dependency-Track now uses the `distro` qualifier of package URLs (e.g., `pkg:deb/debian/[email protected]%2Bdeb13u2?distro=debian-13.3`) to determine the OS release and match vulnerabilities accordingly. Currently supported for Alpine Linux, Debian, and Ubuntu.
  - Note: Requires vulnerability data from OSV, as the NVD does not contextualize version ranges by OS release. Not all BOM generators populate the `distro` PURL qualifier today.
- CVSSv4 support. Upstream vulnerability sources are increasingly publishing CVSSv4 scores. Dependency-Track now ingests and displays CVSSv4 vectors and derived severities alongside existing CVSSv2 and CVSSv3 data.
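The first two highlights (ecosystem-native version comparison and distro-aware matching) can be exercised together with the following added example. It is not Dependency-Track's code: it ports the dpkg version-ordering algorithm to Python, parses the `distro` qualifier from a package URL with a minimal purl parser, and checks the component against OSV-style `introduced`/`fixed` ranges that are keyed by release. The package name `examplepkg`, the advisory ranges, and the mapping from `distro=debian-13.3` to the OSV ecosystem `Debian:13` are constructed for illustration.

```python
"""Ecosystem- and distro-aware vulnerability matching for Debian components
(added example; not Dependency-Track's own code)."""
from typing import Optional
from urllib.parse import parse_qs, unquote


def _order(c: str) -> int:
    """dpkg character weight: '~' < end-of-string < digits(0) < letters < others."""
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or revision string the way dpkg does."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")   # numeric run, leading zeros ignored
        while a and a[0].isdigit() and b and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(v1: str, v2: str) -> int:
    """<0, 0 or >0 like `dpkg --compare-versions` for [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def parse_purl(purl: str) -> dict:
    """Minimal package-url parser: type, name, version (percent-decoded), qualifiers."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body, _, query = purl[4:].lstrip("/").partition("?")
    path, sep, version = body.rpartition("@")
    if not sep:
        path, version = body, ""
    segments = path.split("/")
    return {"type": segments[0].lower(), "name": unquote(segments[-1]),
            "version": unquote(version) or None,
            "qualifiers": {k: v[0] for k, v in parse_qs(query).items()}}


def osv_ecosystem(purl: dict) -> Optional[str]:
    """Map the purl `distro` qualifier to an OSV ecosystem. Assumed mapping:
    debian-13.3 -> "Debian:13", ubuntu-24.04 -> "Ubuntu:24.04"; None if absent."""
    distro = purl["qualifiers"].get("distro", "")
    name, _, release = distro.partition("-")
    if name.lower() == "debian":
        return "Debian:" + release.split(".")[0]
    if name.lower() == "ubuntu":
        return "Ubuntu:" + release
    return None


# Constructed OSV-style ranges for a hypothetical package "examplepkg":
# (ecosystem, introduced, fixed). The fix was backported, so Debian 12 is
# fixed at a lower upstream version than Debian 13.
SAMPLE_RANGES = [
    ("Debian:13", "0", "1.2.3-1+deb13u2"),
    ("Debian:12", "0", "1.1.0-5+deb12u3"),
]


def is_affected(purl_str: str, ranges=SAMPLE_RANGES) -> Optional[bool]:
    """True/False once the distro release is known; None when the purl has no
    `distro` qualifier, so that another release's ranges are never applied."""
    purl = parse_purl(purl_str)
    ecosystem = osv_ecosystem(purl)
    if purl["type"] != "deb" or purl["version"] is None or ecosystem is None:
        return None
    for eco, introduced, fixed in ranges:
        if eco != ecosystem or dpkg_compare(purl["version"], introduced) < 0:
            continue
        if fixed is None or dpkg_compare(purl["version"], fixed) < 0:
            return True
    return False


if __name__ == "__main__":
    for p in ("pkg:deb/debian/examplepkg@1.2.3-1%2Bdeb13u1?distro=debian-13.3",
              "pkg:deb/debian/examplepkg@1.1.0-5%2Bdeb12u3?distro=debian-12.8",
              "pkg:deb/debian/examplepkg@1.1.0-5%2Bdeb12u3"):
        print(p, "->", is_affected(p))
```

Two things worth noticing when running it: `1.1.0-5+deb12u3` is lower than the Debian 13 fix version under dpkg ordering, so a matcher that ignored the `distro` qualifier would flag the Debian 12 component even though its release already carries the backported fix; and a purl with no `distro` qualifier yields `None` rather than a guess, which is the situation the note above describes for BOM generators that do not populate the qualifier.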
Features:
- Include project UUID in log messages - apiserver/#5500
- Add support for incremental mirroring of OSV - apiserver/#5537
- Add internal status policy condition support - apiserver/#5570
- Implement VERS approach for PURL version matching - apiserver/#5591
- Add projectUuid via MDC to logger statements within VEX upload - apiserver/#5615
- Specify newer version of Docker Compose in README - apiserver/#5648
- Add configurable base URL for OSS Index API - apiserver/#5736
- Update OSS Index documentation - apiserver/#5774
- Improve efficiency and caching behaviour of OSS Index analyzer - apiserver/#5793
- Switch to G1GC and limit default Docker Compose memory to 4GB - apiserver/#5794
- Add EPSS score support for GitHub Advisory vulnerabilities - apiserver/#5829
- Add page on users and permissions to documentation - apiserver/#5831
- Include CVSS vectors and metadata in Finding model - apiserver/#5844
- Tweak vulnerability persistence logic - apiserver/#5862
- Add CVSSv4 support - apiserver/#5863
- Delete NVD feed timestamp files during v4.14.0 upgrade - apiserver/#5886
- Bump SPDX license list to v3.28.0 - apiserver/#5888
- Bump CWE dictionary to v4.19.1 - apiserver/#5889
- Make username optional for Repositories Bearer Auth - frontend/#1128
- Improve German Translation - frontend/#1227
- Add suffix to vulnerability locale keys - frontend/#1276
- Add match mode selector to internal component config - frontend/#1283
- Display license ID - frontend/#1311
- Support for scope mentioned in CycloneDX format - frontend/#1319
- Add support for IS_INTERNAL policy condition - frontend/#1394
- Add Traditional Chinese (zh-TW) language support - frontend/#1412
- Remove database information from About dialogue - frontend/#1421
- Add OSS Index Base URL configuration field - frontend/#1431
- Add CVSSv4 support - frontend/#1455
- Add missing internal_status i18n key for zh-TW locale - frontend/#1456
Fixes:
- Fix sneaky double quote - apiserver/#5420
- Fix incorrect UTF-8 encoding in notification payload - apiserver/#5574
- Fix excessive memory usage of Nix analyzer - apiserver/#5653
- Fix wrong NPM component coordinate separator for Trivy analysis - apiserver/#5679
- Fix performance issue with PURL lookups - apiserver/#5711
- Fall back to generic versioning scheme if no PURL is available - apiserver/#5714
- Fix incorrect URL for VulnDB analyzer - apiserver/#5751
- Ensure container zombie processes are reaped - apiserver/#5758
- Fix singleton events not being labelled as such - apiserver/#5775
- Consider OS distro during vulnerability matching - apiserver/#5783
- Fix re-initialization of teams when opening create-modal - frontend/#1410
Upgrade Notes:
- To backfill CVSSv4 and EPSS data, mirror watermarks for NVD and GitHub Advisories will be reset,
triggering a full re-mirror on next invocation.
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@anantk24, @AndreVirtimo, @arjavdongaonkar, @brianf, @ch8matt, @ElenaStroebele, @fupgang, @Granjow, @jonbally, @jvirgovic, @setchy, @snieguu, @stohrendorf, @tobiasgies, @valentijnscholten, @WoozyMasta, @wengct
dependency-track-apiserver.jar
| Algorithm | Checksum |
|---|---|
| SHA-1 | a06d7f57876befc80b6653fcc44b321958388f12 |
| SHA-256 | 2e3d5bcfb7b5d4ad4daf789bc5ca3802ef05d012c516090e8bc5323f46585f53 |
dependency-track-bundled.jar
| Algorithm | Checksum |
|---|---|
| SHA-1 | 6573a4522dd84520859ab951d86d8a9e4dd43fb2 |
| SHA-256 | a8edd7c94ba811bae73d9213d769687c493e1bd95435dbe39dfeee28ff1f8008 |
frontend-dist.zip
| Algorithm | Checksum |
|---|---|
| SHA-1 | 8a822e22c6c087b0e46f9478f9b342d2e2bad162 |
| SHA-256 | 9a96be982a80c6c8714ad8d22a932d013a6b3593744083d551a7fb2b4a281aa3 |