Dependency-Track



March 22, 2020 major

Bundled frontend: v1.0.0


  • New user interface based on Vue.js and Bootstrap.
  • User interface can optionally be deployed and upgraded independently of the Dependency-Track server.
  • Package repositories are now configurable.
  • Package repositories can now be identified as ‘internal’. Components identified as ‘internal’ are analyzed against internal repositories only and are not sent to external analyzers.
  • Added additional logging and notifications for OSS Index and NPM Audit analyzers.
  • Added the ability to publish system notifications when vulnerability analyzers encounter communication or other errors.
  • Added item counts in several places throughout the UI.


  • Corrected the percentage value of findings audited.
  • Fixed URL to Maven Central which prevented the MavenMetaAnalyzer from retrieving component metadata.
  • Changed logging behavior when internal components are identified.
  • Improved the accuracy of the internal CPE analyzer, which could previously produce false negatives in some situations.
  • Fixed issue where the CPE value defined in a BOM was not being persisted if the component previously existed.
  • Fixed an issue that prevented the HexMetaAnalyzer from executing, so it could not retrieve component metadata for Erlang or Elixir components.


  • All Dependency-Track server releases now include a complete CycloneDX software bill-of-materials.
  • Added missing permission checks to repository API endpoints.

Upgrade Notes:

  • The nist and index directories inside the Dependency-Track data directory will be deleted upon upgrade. This will force the NVD to be downloaded and reprocessed and the indexes to be rebuilt.
  • The internal vulnerable software dictionary, generated automatically from the NVD, will be wiped upon upgrade. This will take several minutes to complete and should not be interrupted.
Algorithm   Checksum
SHA-1       091627dfa144a1313bf9090d8f67b4760e635b23
SHA-256     56674c40da9dc4277b6c8238d0dc6cc28bdf3b4cc51b7b845606b1a2c149070b

Algorithm   Checksum
SHA-1       1db04afbc1b66421dd6fe0db816ec14362b895d1
SHA-256     9fd73c4ea24352b6165106c1d5a1b88bd43ea9e6ba0e15a733a217a59d7bd268
Software Bill-of-Materials (SBOM)
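Every release on this page publishes a SHA-1 and a SHA-256 digest per artifact (two tables per release, one per published artifact). The check a practitioner actually wants is to recompute the digest of the file they downloaded and compare it against the strongest published one. The following is an added example, not code from this page or from the Dependency-Track project: it parses a table in the page's own layout, verifies in-memory bytes or a file on disk, and prefers SHA-256 over SHA-1 (SHA-1 is only accepted when it is the sole digest listed, and the result is then flagged as weak). Function and constant names are this example's own, and the sample table below carries the digests of an empty artifact rather than a real release.

```python
"""Added example (not part of this page or of Dependency-Track): verify a
downloaded release artifact against a checksum table in the layout used on
this page. Function and constant names are this example's own."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# One table row as printed on the page, e.g. "SHA-256 56674c40...".
_ROW = re.compile(r"^\s*(SHA-?(?:1|256|512))\s+([0-9A-Fa-f]+)\s*$", re.IGNORECASE)

# Strongest first. SHA-1 is collision-prone, so it is used only when it is
# the sole digest published, and the result is flagged as weak.
_PREFERENCE = ("sha512", "sha256", "sha1")
_HEX_LEN = {"sha1": 40, "sha256": 64, "sha512": 128}


def parse_checksum_table(text: str) -> Dict[str, str]:
    """Map hashlib algorithm name -> lowercase hex digest for every row found.
    A digest of the wrong length (a truncated copy-paste) is an error here,
    not a silent mismatch later."""
    digests: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header line or unrelated text
        algo = m.group(1).lower().replace("-", "")
        digest = m.group(2).lower()
        if len(digest) != _HEX_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length: {digest}")
        digests[algo] = digest
    return digests


def _pick(expected: Dict[str, str]) -> Tuple[str, str]:
    """Choose the strongest algorithm that the table provides."""
    for algo in _PREFERENCE:
        if algo in expected:
            return algo, expected[algo]
    raise ValueError("no SHA-1/SHA-256/SHA-512 row found in checksum table")


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    algorithm: str
    weak: bool  # True when only SHA-1 was available to check against


def verify_bytes(data: bytes, table_text: str) -> VerifyResult:
    """Check in-memory artifact bytes against the table."""
    algo, expected = _pick(parse_checksum_table(table_text))
    actual = hashlib.new(algo, data).hexdigest()
    return VerifyResult(hmac.compare_digest(actual, expected), algo, algo == "sha1")


def verify_file(path: str, table_text: str, chunk: int = 1 << 20) -> VerifyResult:
    """Same check for an artifact on disk (a downloaded .war), streamed so a
    large file is not read into memory at once."""
    algo, expected = _pick(parse_checksum_table(table_text))
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return VerifyResult(hmac.compare_digest(h.hexdigest(), expected), algo, algo == "sha1")


# Constructed sample: the digests of an empty artifact, written in the same
# layout as the tables on this page (these are not a real release's digests).
SAMPLE_ARTIFACT = b""
SAMPLE_TABLE = """Algorithm Checksum
SHA-1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    print(verify_bytes(SAMPLE_ARTIFACT, SAMPLE_TABLE))
    print(verify_bytes(b"not the published bytes", SAMPLE_TABLE))
```

A matching digest shows that the bytes on disk are the bytes the publisher listed; it does not by itself prove who published them when the digest is fetched from the same place as the artifact, so obtain the table from a channel you trust. SHA-1 is kept in the tables for compatibility and should not be the only digest you compare against.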



January 07, 2020 minor


  • Added additional debug logging to metric update tasks


  • Fixed a portfolio metrics issue that allowed multiple update operations to run simultaneously, degrading performance
Algorithm   Checksum
SHA-1       5cd02dc5c6ca8aba3cea1ad5ad03d039ecdd757c
SHA-256     f80f527d96692a45f3bba86849551debf4b407bd880f104b890912975cc865ca

Algorithm   Checksum
SHA-1       766d5394ce7a5a0e08c96a55930adc3377897d99
SHA-256     4e6233013af574585d93dd99586455a810ea434c3bc5da95e53aad45751f5bc2


December 16, 2019 major


  • Application context is now configurable in the Docker container
  • SVG badges may now be retrieved via the project name and version
  • Added Hex repository support for Erlang, Elixir, and other BEAM languages
  • Added configurable support for defining components as internal which are not subject to external analysis
  • Increased CPE analysis precision for components with CPEs containing a value in the update field
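Marking components as internal (introduced in the release above and extended in the March 2020 release at the top of this page) is a security control as much as a convenience: external analyzers such as OSS Index and NPM Audit are queried with component coordinates, so a proprietary component sent there discloses its name to a third party and is matched against public packages of the same name. The following is an added example, not code from this page or from the Dependency-Track project, showing the routing such a policy has to perform over a BOM's Package URLs. Identifying internal components by regular expressions over the Package URL namespace and name is this example's assumption, and the policy, patterns and sample BOM are constructed.

```python
"""Added example (not part of this page or of Dependency-Track): route the
components of a BOM so that ones an organisation marks as internal are never
handed to an external analyzer. Identifying internal components by regular
expressions over the Package URL namespace and name is this example's
assumption; the policy and BOM below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath. Qualifiers and
    subpath are dropped; percent-encoded parts (e.g. %40 for an npm scope) are
    decoded so patterns can be written against the readable form."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0]  # drop subpath
    rest = rest.split("?", 1)[0]  # drop qualifiers
    version: Optional[str] = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    parts = [unquote(p) for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"Package URL needs a type and a name: {purl!r}")
    namespace = "/".join(parts[1:-1]) or None
    return Purl(parts[0].lower(), namespace, parts[-1], version)


@dataclass(frozen=True)
class InternalComponentPolicy:
    """A component is internal if its namespace matches group_pattern or its
    name matches name_pattern (either suffices; that OR is this example's
    choice). Anchor the patterns, or a prefix match becomes a substring match."""
    group_pattern: Optional[str] = None
    name_pattern: Optional[str] = None

    def is_internal(self, purl: Purl) -> bool:
        if self.group_pattern and purl.namespace is not None:
            if re.search(self.group_pattern, purl.namespace):
                return True
        return bool(self.name_pattern and re.search(self.name_pattern, purl.name))


def route_components(purls: List[str], policy: InternalComponentPolicy) -> Dict[str, List[str]]:
    """Split a BOM's Package URLs into those analyzed against internal
    repositories only and those that may be sent to external services."""
    routed: Dict[str, List[str]] = {"internal": [], "external": []}
    for raw in purls:
        bucket = "internal" if policy.is_internal(parse_purl(raw)) else "external"
        routed[bucket].append(raw)
    return routed


# Constructed sample BOM and policy (not from any real project).
SAMPLE_BOM = [
    "pkg:maven/com.acme.internal/billing-core@2.1.0?type=jar",
    "pkg:npm/%40acme/ui-kit@1.4.2",
    "pkg:npm/lodash@4.17.15",
    "pkg:maven/org.apache.commons/commons-lang3@3.9",
    "pkg:hex/acme_auth@0.3.1",
]
ACME_POLICY = InternalComponentPolicy(
    group_pattern=r"^(com\.acme(\..+)?|@acme)$",  # Maven groups and the npm scope
    name_pattern=r"^acme_",                       # unscoped ecosystems, by name prefix
)

if __name__ == "__main__":
    for bucket, members in route_components(SAMPLE_BOM, ACME_POLICY).items():
        print(bucket, members)
```

Only the "external" list ever leaves the server; everything in "internal" is resolved against internal repositories. Note the anchored group pattern: `com.acmeco` is not `com.acme`, and an unanchored `com.acme` would silently classify a third-party group with that prefix as internal and exclude it from external analysis.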


  • Fixed defect in /api/v1/project that returned a server error if the ‘name’ parameter was specified
  • Fixed defect resulting in invalid gzip response body when Accept-Encoding was not specified
  • Fixed defect resulting in licenses not being loaded if Dependency-Track is deployed to a directory containing a space
  • Changed behavior when parsing an invalid CPE to log a single-line warning rather than the full stack trace
  • Fixed defect that prevented deletion of a project referenced by a notification rule
  • Fixed encoding issue affecting project names containing special characters


Upgrade Notes:

  • Support for consuming Dependency-Check v4.x XML reports has been removed
  • The following can safely be (optionally) dropped upon a successful upgrade (consult log):
    • Tables:
      • SCAN
    • Columns:
Algorithm   Checksum
SHA-1       e946c65ec0ff5ba12e843789b917caab635bfe62
SHA-256     bd02a522a8c9beeb8dd7964f07eb27a7a02ce8bbf6a7c8af3378bb26fc98a087

Algorithm   Checksum
SHA-1       22da81fb91b5641fcb805c74063c11e521fe0ad4
SHA-256     9207e25b19d34b57804f25e9881e663ebb56333520b039c5ccfd93209295b0a1


October 01, 2019 minor


  • Fixed issue that prevented upgrades to 3.6.0 when using Microsoft SQL Server
Algorithm   Checksum
SHA-1       f18f248d2601878b3d437e3c6539311dc4a31c47
SHA-256     b24cc49e8483c4841d6bc3efa9c1f944836a9524028960ee463ae4db7dac7c02

Algorithm   Checksum
SHA-1       b758993e26f812494ca0191e7ad39037f2cd79ea
SHA-256     da128b3602ea4e0214558074abd3df30201e7d858b79a7abb5065d358db19b40


September 28, 2019 major


  • Added a configurable option to enable or disable BOM formats (CycloneDX enabled by default)
  • Added support for the official CPE v2.3 dictionary and vulnerabilities with CPEs of affected products
  • Added ability to identify vulnerabilities in components solely by their CPE
  • Added full support for VulnDB as a source of vulnerability intelligence
  • Added support for SVG badges
  • Added additional logging during metrics updates
  • Docker container now supports Kubernetes and OpenShift
  • Docker container now has configurable support for specifying logging levels
  • Added Inherited Risk Score to project list view with the ability to sort on risk score
  • Added an ‘active’ flag to projects with the default behavior of hiding inactive projects
  • Added BOM_CONSUMED and BOM_PROCESSED notifications which can optionally deliver BOMs via webhooks
  • Added support for last BOM imported including the BOM type and version
  • Added an API to lookup a project by its name and version
  • Added analysis interval throttle to prevent repeated analysis requests for the same components
  • Slack and email alerts now contain links back to Dependency-Track
  • Added support for Java 11


  • Fix for GLOBAL_AUDIT_CHANGE not including affected projects
  • Fixed issue that prevented Dependency-Track from working with non-default URL contexts
  • Fixed intermittent persistence issue resulting in NPE in BomUploadProcessingTask
  • Fixed issue resulting in incorrect percentage audited on project findings
  • Fixed OSS Index analyzer in response to the URL changes from to

Upgrade Notes:

  • Support for SPDX BOMs and Dependency-Check XML reports is disabled by default
  • Replaced embedded Dependency-Check library with internal CPE analyzer
  • Dependency-Track no longer mirrors XML data feeds from the NVD
Algorithm   Checksum
SHA-1       6cd17d5a31472f7f60e674e2d7fc2e3050085808
SHA-256     bbb72fa3b6246b7afa7c22b103f0c85daf82565a38ae12973043775e6b27fd6e

Algorithm   Checksum
SHA-1       f7b88825dbaf8b837977954f5a7e506952ed8361
SHA-256     a1d0d308a46d30399e9ff9a0334fe3be70345aa12c30c0d1d6bfccdcafe062e2


July 17, 2019 minor


Algorithm   Checksum
SHA-1       aafdfa3142dc478b95f1d6ffc268b2a1832ccb29
SHA-256     73bbe06a22f84ce7b099da3c552e267c980f0f8c58ca6cccdd3eaa210bfe9b6c

Algorithm   Checksum
SHA-1       cf71dbf7ae697038d6a42485f14991f343ffdeff
SHA-256     271705e72e94e9f9fb36159ea110a05ff465c4d1f2572a89570774e57c08a247


June 07, 2019 major


  • Improved performance, reliability, and quality
  • Added support for importing CycloneDX v1.1 BOMs
  • Added additional logging and enhanced logging configuration
  • Added configurable CORS support


  • Numerous. The majority of known defects have been resolved

Upgrade Notes:

Two new LDAP properties were introduced in v3.5.0 that affect LDAP configuration. The properties are:


Refer to Configuration and Deploying Docker Container for details.

Additional properties introduced in this release are:

  • alpine.database.pool.enabled
  • alpine.database.pool.max.size
  • alpine.database.pool.idle.timeout
  • alpine.database.pool.max.lifetime

Under most situations, changing these values is not recommended and may introduce unintended consequences. One important change introduced in this release is the default value of alpine.database.pool.max.lifetime has changed from 30 minutes (in previous releases) to 10 minutes.

Algorithm   Checksum
SHA-1       7d66f0530d74ff9bc0de628d5e76b5ee6ed6ead7
SHA-256     8bbf820fde7843a680fd51eed831aeddd61507f5420abb68b46859168cc98919

Algorithm   Checksum
SHA-1       0bb9a0737a36ebbcd88fe91ca595f12957e85583
SHA-256     143ed44988419ba84cc3956e602e297f025149f19faa65f32c0e8311b71fed5b


April 16, 2019 minor


  • Fixed defect that caused high CPU consumption (via thread exhaustion) in some cases when NPM Audit was enabled.
Algorithm   Checksum
SHA-1       f8da8e34a3cabcf72b721488f5294710ff632bf6
SHA-256     72391cc636c2159ffc0c516f2001688129a3b6424164c98ce9045c0fd5c3219b

Algorithm   Checksum
SHA-1       1cdb5b6c5698229b21acbc610df77ec819ad5180
SHA-256     619e9ae00feb9f9723bef68981d32932d2d5cdf808b192619bf072d525224f5e


December 22, 2018 major


  • Improvements to Findings API
  • Created Finding Packaging Format for the native exporting of findings
  • Added support for external integrations including:
    • Fortify Software Security Center
    • Kenna Security
  • Added repository (and outdated version detection) support for NuGet and PyPI
  • Updated SPDX license list to v3.3
  • Added support for identifying FSF Libre licenses
  • Updated Java version in Docker container
  • Docker container can now be fully configured with environment variables
  • Added Test Configuration button when configuring SMTP settings
  • Added logfile rotation with default 10MB cap (configurable)


  • Corrected issue that incorrectly returned suppressed vulnerabilities when queried for non-suppressed ones
  • Fixed issue that resulted in server/UI timeouts due to excessive license payload
  • Fixed NPE that occurred when the configured SMTP server didn’t require authentication
  • Added workaround for outstanding OSS Index defect where the service didn’t process PackageURLs containing qualifiers
  • Updated OpenUnirest which addressed configuration issue with library not honoring proxy server settings
Algorithm   Checksum
SHA-1       676e04e0ef002e371da3b5eab239b0ab55dffe57
SHA-256     006801f124d190e929ab7e6352adcc0bf89047259eff5a15cf4d54a01d7b402d

Algorithm   Checksum
SHA-1       15309c0818034ac99f603b52f242748b255818b9
SHA-256     624fa3e7f458b163a0bbb8f05ee7cb1cf052d6d4ea53ff2b43686dd55bb83135


November 13, 2018 minor


  • Improved findings API to support a wider range of use-cases


  • Fixed an NPE caused by some npm modules being misidentified when importing Dependency-Check reports
  • Fixed non-standard Java versioning schemes (such as Debian OpenJDK) that caused version comparison to fail
  • Corrected issue that resulted in suppressed vulnerabilities being returned from a query as if they were not suppressed
  • Fixed issue preventing saving of SMTP settings with anonymous authentication

Upgrade Notes:

The format of the findings API has changed and will not be versioned. This API is used to present findings from the audit tab in the UI. If this API was being used outside the UI, please note that the response format has changed.

Algorithm   Checksum
SHA-1       f7a0fcf9568a765b9bb3cdf3465f475810c333e8
SHA-256     f5693cab665932c80e7056c37ed93bf61a1638e252e48e9c0717b8d0c4740ea4

Algorithm   Checksum
SHA-1       bfcf20a5cb87d562b781419f7b989c35ff67e390
SHA-256     91156bc404ab84a09e912302888ef06c52813764e88ad73039550a9ff2e82b91


October 25, 2018 major


  • The ability to manually upload a CycloneDX or SPDX BOM from the user interface
  • Optional automated provisioning of LDAP users
  • Optional synchronization of team membership based on a user's LDAP group membership
  • Added API that provides component metadata from a project in CycloneDX format
  • Added ability to track the progress of work performed when a BOM is uploaded
  • Added tracking of audited and unaudited metrics
  • Added ability to add new project version and optionally clone source metadata
  • Added ability to search by tag name when displaying projects
  • Added checksum generation when publishing a release (backported to 3.2.2)
  • The NSP Advisory API has been removed and replaced with the NPM Public Advisory API (backported to v3.2.1)


  • Fixed numerous LDAP compatibility issues
  • Added additional logging when BOM upload is not in a supported format

Upgrade Notes:

This release of Dependency-Track supports a wide range of LDAP implementations and has been tested with Active Directory, ApacheDS, Fedora 389 Directory, and NetIQ/Novell eDirectory. In order to ensure compatibility, some existing LDAP configuration properties have been changed.

# This property has been removed
# This property now refers to the users DN
# Format now applies only to the value of 
# Examples have been modified. A users DN is no longer a valid format.
# New properties

See Also:

Algorithm   Checksum
SHA-1       413b47068dd1272f0ea6c4af67dc1465fcf10674
SHA-256     5632d6efa8c6ea2633bb767d09c73c4ee68e9319b638ce00da4c422f5123c906

Algorithm   Checksum
SHA-1       1a8dc64a7535375fdd4ff789eeb9d3635dcba019
SHA-256     96e20c0b72e3d8c460dfe3ce2b9aca72c6114492747db9afffca9784c64d23b9


October 02, 2018 minor


  • Fixed critical defect that could lead to duplicate or erroneous requests to the NPM Audit API


  • Added checksums.xml including SHA-1, SHA-256, SHA-512 checksums for traditional and embedded wars to GitHub releases.
Algorithm   Checksum
SHA-1       fead4ed834b4738b8c19c427ae57653f7af4a3b8
SHA-256     ee53ceacb07b0b0b4dfa88e2bdc2e905668f0dd6d42ca1000b3204d0a2ee1842

Algorithm   Checksum
SHA-1       defbb7a40bb12c3beacdeb43fb5fd325d226da50
SHA-256     c154f0f07c9875d602d3e1df93d93d617e83f350ef683bdb16eb193d03a86ea5


September 21, 2018 minor


  • The NSP Advisory API has been removed and replaced with the NPM Public Advisory API


  • Processing and permission corrections to new multi-part BOM upload API
  • UI corrections for vulnerabilities with unassigned severity
  • Fixes for displaying and processing of vulnerabilities without CVSS scores
  • Minor changes to severity colour scheme

Upgrade Notes:

All previous NSP vulnerabilities will automatically be migrated to NPM vulnerabilities. No additional action is required. Unlike NSP vulnerabilities, NPM does not provide CVSS scores or vectors. Therefore all NPM vulnerabilities will no longer display the CVSS vector, or the base, impact, or exploitability scores and corresponding chart data.


September 06, 2018 major


  • Configurable notifications of new vulnerabilities, vulnerable dependencies, analysis decision changes, and system events
  • Added Slack, Microsoft Teams, Outbound Webhook, Email, and system console notification publishers
  • Replaced NSP Check API with NPM Audit API
  • Added support for Sonatype OSS Index
  • Updated SPDX license IDs to v3.2
  • General improvements in logging when error conditions are encountered
  • Improvements to Dependency-Check XML report parsing
  • Added native CPE 2.2 and 2.3 parsing capability
  • Enhanced administrative interface with options for repositories and general configuration
  • Updated Java version used in Docker container


  • Fixed the audit table not reflecting the correct analysis and suppression data
  • Added validation when processing Dependency-Check XML reports containing invalid Maven GAVs
  • Corrected issue with NVD mirroring affecting Docker containers and case-sensitive filesystems

Upgrade Notes:

  • The PROJECT_CREATION_UPLOAD permission was introduced in this release. Existing API keys that need the ability to dynamically create projects (without providing them full PORTFOLIO_MANAGEMENT permission) will need this permission added to their account or through their team membership.

  • The SYSTEM_CONFIGURATION permission was introduced in this release. Existing administrative users that need the ability to perform more general purpose system configurations need to add this permission to their accounts.

  • Upgrades to v3.2.0 can be successfully performed from systems running v3.1.x. If a previous version is being used, an upgrade to 3.1.x is required prior to upgrading to v3.2.0.


June 20, 2018 minor


  • Fixed issue where new permissions were not being added to database on upgrades


June 19, 2018 major


  • Support for advanced auditing workflow to easily triage findings
  • Support for external repositories to retrieve additional component metadata from
  • Support for SPDX 3.1 license IDs
  • NVD mirroring support for Dependency-Check (and other) clients
  • Support for out-of-date version detection (RubyGems, Maven, and npm)
  • Enhanced API to (optionally) autocreate project on bom/scan upload
  • Better support for Dependency-Check “relatedDependencies”
  • Added individual component metrics (independent of dependency metrics)
  • Added per project and per component overview with metrics and refresh support
  • Specific table columns can now be sorted with full pagination support
  • Improved error logging when issues are encountered during BOM and scan processing
  • Enhanced LDAP integration to support strong authentication mechanisms and configurable user formats
  • General performance improvements on multi-core machines
  • Minor enhancements to user interface


  • Fixed defect that prevented paginated results on project tag searches
  • Fixed defect affecting GAV identifiers in Dependency-Check Gradle/CLI reports that were not enclosed in parentheses

Upgrade Notes:

  • The VULNERABILITY_ANALYSIS permission was introduced in this release. Existing users that need the ability to audit findings will need this permission added to their account or through their team membership.
  • MySQL now requires ANSI_QUOTES to be added to the SQL mode. Refer to Database Support for details.


May 02, 2018 minor


  • Fixed defect resulting in incorrect results returned when filtering on components in the project view
  • Synced CycloneDX specification to latest v1.0.1 release


April 13, 2018 minor


  • Fixed defect resulting in incorrect vulnerability counts for projects
  • Fixed defect which prevented project metrics from returning results
  • Fixed issue related to the assignment of tags on project creation
  • Added the VIEW_PORTFOLIO permission to the ‘automation’ team on new installs
  • Updated several dependencies
  • Performance improvements in database connection pool
  • Fixed defect where database connections were not being reconnected if the connection was lost
  • Fixed multiple defects related to component reconciliation when processing BOM and scan uploads


March 30, 2018 minor


  • Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring.


March 29, 2018 minor


  • Fixed data model issue which prevented multiple versions of the same project name from being persisted.
  • Fixed issue in admin console which did not properly display the number of team members.

Upgrade Notes:

If v3.0.0 was deployed, shut down Dependency-Track, execute the following statement against the database, and deploy v3.0.1.

Removes the unique constraint on project name, which prevented multiple
versions of the same project from existing.


March 27, 2018 major

Project Reboot Successful! This is the first release after the project was redeveloped from the ground up.


  • Dramatically increases visibility into the use of vulnerable components
  • Supports an unlimited number of projects and components
  • Projects can range from applications, operating systems, firmware, to IoT devices
  • Tracks vulnerabilities across entire project portfolio
  • Tracks vulnerabilities by component
  • Easily identify projects that are potentially vulnerable to newly published vulnerabilities
  • Supports standardized SPDX license IDs and tracks license use by component
  • Supports CycloneDX and SPDX bill-of-material formats
  • Easy to read metrics for components, projects, and portfolio
  • API-first design facilitates easy integration with other systems
  • API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
  • Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes