July 17, 2019 minor
- GHSA-jp9v-w6vw-9m5v Cross-Site Scripting (XSS): Persistent
June 07, 2019 major
- Improved performance, reliability, and quality
- Added support for importing CycloneDX v1.1 BOMs
- Added additional logging and enhanced logging configuration
- Added configurable CORS support
- Numerous. The majority of known defects have been resolved
Two new LDAP properties were introduced in v3.5.0 that affect LDAP configuration. The properties are:
Additional properties introduced in this release are:
Under most situations, changing these values is not recommended and may introduce unintended consequences.
One important change introduced in this release is the default value of
has changed from 30 minutes (in previous releases) to 10 minutes.
April 16, 2019 minor
- Fixed defect that caused high CPU consumption (via thread exhaustion) in some cases when NPM Audit was enabled.
December 22, 2018 major
- Improvements to Findings API
- Created Finding Packaging Format for the native exporting of findings
- Added support for external integrations including:
- Fortify Software Security Center
- Kenna Security
- Added repository (and outdated version detection) support for NuGet and PyPI
- Updated SPDX license list to v3.3
- Added support for identifying FSF Libre licenses
- Updated Java version in Docker container
- Docker container can now be fully configured with environment variables
- Added Test Configuration button when configuring SMTP settings
- Added logfile rotation with default 10MB cap (configurable)
- Corrected issue that incorrectly returned suppressed vulnerabilities when queried for non-suppressed ones
- Fixed issue that resulted in server/UI timeouts due to excessive license payload
- Fixed NPE that occurred when the configured SMTP server didn’t require authentication
- Added workaround for outstanding OSS Index defect where the service didn’t process PackageURLs containing qualifiers
- Updated OpenUnirest which addressed configuration issue with library not honoring proxy server settings
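The OSS Index workaround above is described only in one line: the service would not process Package URLs that carry qualifiers. The block below is an added example, not Dependency-Track's own code, of the general shape such a workaround takes: strip the qualifier section before the lookup, and collapse components that differ only in qualifiers into one query so the caller can fan the answer back out. The purls used as input are constructed for the example.

```python
"""Work around a service that rejects Package URLs carrying qualifiers.

Added example, not Dependency-Track's own code: the release notes only say a
workaround was added for an OSS Index defect with qualifiers, so this shows the
general shape of such a workaround on constructed purls.
"""
from typing import Dict, Iterable, List


def strip_qualifiers(purl: str) -> str:
    """Drop the '?key=value&...' section of a Package URL.

    Layout: pkg:type/namespace/name@version?qualifiers#subpath
    Only the qualifiers are removed; the subpath (after '#') is kept, because
    the defect being worked around concerns qualifiers only.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: %r" % (purl,))
    body, hash_sep, subpath = purl.partition("#")
    base, _, _qualifiers = body.partition("?")
    return base + hash_sep + subpath


def normalise_batch(purls: Iterable[str]) -> Dict[str, List[str]]:
    """Map each qualifier-free purl to the original purls that reduce to it.

    Components that differ only in qualifiers (e.g. type=jar vs.
    classifier=sources) collapse into one lookup; the caller sends the keys
    to the service and applies each answer to every purl in the value list.
    """
    groups: Dict[str, List[str]] = {}
    for purl in purls:
        groups.setdefault(strip_qualifiers(purl), []).append(purl)
    return groups


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    sample = [
        "pkg:maven/org.apache.commons/commons-lang3@3.8.1?type=jar",
        "pkg:maven/org.apache.commons/commons-lang3@3.8.1?classifier=sources",
        "pkg:npm/%40angular/core@6.0.0?repository_url=registry.npmjs.org#lib/index.js",
        "pkg:pypi/requests@2.20.0",
    ]
    for query, originals in normalise_batch(sample).items():
        print(query, "<-", originals)
```

Any vulnerability the service reports for a stripped purl applies to every original purl grouped under it; whether that is correct for a given qualifier (a `sources` classifier, say) is a judgement the caller has to make, which is why the mapping is returned rather than discarded.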
November 13, 2018 minor
- Improved findings API to support a wider range of use-cases
- Fixed issue where some npm dependencies imported via a Dependency-Check report were misidentified, causing an NPE
- Fixed non-standard Java versioning schemes (such as Debian OpenJDK) that caused version comparison to fail
- Corrected issue that resulted in suppressed vulnerabilities to be returned from a query as if they were not suppressed
- Fixed issue preventing saving of SMTP settings with anonymous authentication
The format of the findings API has changed and will not be versioned. This API is used to present findings from the audit tab in the UI. If this API was being used outside the UI, please note that the response format has changed.
October 25, 2018 major
- The ability to manually upload a CycloneDX or SPDX BOM from the user interface
- Optional automated provisioning of LDAP users
- Optional synchronization of team membership based on a user's LDAP group membership
- Added API that provides component metadata from a project in CycloneDX format
- Added ability to track the progress of work performed when a BOM is uploaded
- Added tracking of audited and unaudited metrics
- Added ability to add new project version and optionally clone source metadata
- Added ability to search by tag name when displaying projects
- Added checksum generation when publishing a release (backported to 3.2.2)
- The NSP Advisory API has been removed and replaced with the NPM Public Advisory API (backported to v3.2.1)
- Fixed numerous LDAP compatibility issues
- Added additional logging when BOM upload is not in a supported format
This release of Dependency-Track supports a wide range of LDAP implementations and has been tested with Active Directory, ApacheDS, Fedora 389 Directory, and NetIQ/Novell eDirectory. In order to ensure compatibility, some existing LDAP configuration properties have been changed.
```
# This property has been removed
alpine.ldap.domain

# This property now refers to the user's DN
alpine.ldap.bind.username

# Format now applies only to the value of alpine.ldap.attribute.name.
# Examples have been modified. A user's DN is no longer a valid format.
alpine.ldap.auth.username.format

# New properties
alpine.ldap.groups.filter
alpine.ldap.user.groups.filter
alpine.ldap.user.provisioning
alpine.ldap.team.synchronization
```
October 02, 2018 minor
- Fixed critical defect which may lead to duplicate or erroneous requests to NPM Audit API
- Added checksums.xml including SHA-1, SHA-256, SHA-512 checksums for traditional and embedded wars to GitHub releases.
September 21, 2018 minor
- The NSP Advisory API has been removed and replaced with the NPM Public Advisory API
- Processing and permission corrections to new multi-part BOM upload API
- UI corrections for vulnerabilities with unassigned severity
- Fixes for displaying and processing of vulnerabilities without CVSS scores
- Minor changes to severity colour scheme
All previous NSP vulnerabilities will automatically be migrated to NPM vulnerabilities. No additional action is required. Unlike NSP vulnerabilities, NPM does not provide CVSS scores or vectors. Therefore all NPM vulnerabilities will no longer display the CVSS vector, or the base, impact, or exploitability scores and corresponding chart data.
September 06, 2018 major
- Configurable notifications of new vulnerabilities, vulnerable dependencies, analysis decision changes, and system events
- Added Slack, Microsoft Teams, Outbound Webhook, Email, and system console notification publishers
- Replaced NSP Check API with NPM Audit API
- Added support for Sonatype OSS Index
- Updated SPDX license IDs to v3.2
- General improvements in logging when error conditions are encountered
- Improvements to Dependency-Check XML report parsing
- Added native CPE 2.2 and 2.3 parsing capability
- Enhanced administrative interface with options for repositories and general configuration
- Updated Java version used in Docker container
- Fixed issue where the audit table did not reflect the correct analysis and suppressed data
- Added validation when processing Dependency-Check XML reports containing invalid Maven GAVs
- Corrected issue with NVD mirroring affecting Docker containers and case-sensitive filesystems
The PROJECT_CREATION_UPLOAD permission was introduced in this release. Existing API keys that need the ability to dynamically create projects (without providing them full PORTFOLIO_MANAGEMENT permission) will need this permission added to their account or through their team membership.
The SYSTEM_CONFIGURATION permission was introduced in this release. Existing administrative users that need the ability to perform more general purpose system configurations need to add this permission to their accounts.
Upgrades to v3.2.0 can be successfully performed from systems running v3.1.x. If a previous version is being used, an upgrade to 3.1.x is required prior to upgrading to v3.2.0.
June 20, 2018 minor
- Fixed issue where new permissions were not being added to database on upgrades
June 19, 2018 major
- Support for advanced auditing workflow to easily triage findings
- Support for external repositories to retrieve additional component metadata from
- Support for SPDX 3.1 license IDs
- NVD mirroring support for Dependency-Check (and other) clients
- Support for out-of-date version detection (rubygems, maven, and npm)
- Enhanced API to (optionally) autocreate project on bom/scan upload
- Better support for Dependency-Check “relatedDependencies”
- Added individual component metrics (independent of dependency metrics)
- Added per project and per component overview with metrics and refresh support
- Specific table columns can now be sorted with full pagination support
- Improved error logging when issues are encountered during BOM and scan processing
- Enhanced LDAP integration to support strong authentication mechanisms and configurable user formats
- General performance improvements on multi-core machines
- Minor enhancements to user interface
- Fixed defect that prevented paginated results on project tag searches
- Fixed defect affecting GAV identifiers in Dependency-Check Gradle/CLI reports that were not enclosed in parentheses
- The VULNERABILITY_ANALYSIS permission was introduced in this release. Existing users that need the ability to audit findings will need this permission added to their account or through their team membership.
- MySQL now requires ANSI_QUOTES to be added to the SQL mode. Refer to Database Support for details.
May 02, 2018 minor
- Fixed defect resulting in incorrect results returned when filtering on components in the project view
- Synced CycloneDX specification to latest v1.0.1 release
April 13, 2018 minor
- Fixed defect resulting in incorrect vulnerability counts for projects
- Fixed defect which prevented project metrics from returning results
- Fixed issue related to the assignment of tags on project creation
- Added the VIEW_PORTFOLIO permission to the ‘automation’ team on new installs
- Updated several dependencies
- Performance improvements in database connection pool
- Fixed defect where database connections were not being reconnected if the connection was lost
- Fixed multiple defects related to component reconciliation when processing BOM and scan uploads
March 30, 2018 minor
- Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring.
March 29, 2018 minor
- Fixed data model issue which prevented multiple versions of the same project name from being persisted.
- Fixed issue in admin console which did not properly display the number of team members.
If v3.0.0 was deployed, shutdown Dependency-Track, execute the following statement against the database, and deploy v3.0.1.
```sql
/* Removes the constraint on having a unique project name, thus preventing multiple
   versions of the project from existing.
   https://github.com/DependencyTrack/dependency-track/issues/118 */
ALTER TABLE PROJECT DROP CONSTRAINT PROJECT_NAME_IDX;
```
March 27, 2018 major
Project Reboot Successful! This is the first release after being developed from the ground up.
- Dramatically increases visibility into the use of vulnerable components
- Supports an unlimited number of projects and components
- Projects can range from applications, operating systems, firmware, to IoT devices
- Tracks vulnerabilities across entire project portfolio
- Tracks vulnerabilities by component
- Easily identify projects that are potentially vulnerable to newly published vulnerabilities
- Supports standardized SPDX license IDs and tracks license use by component
- Supports CycloneDX and SPDX bill-of-material formats
- Easy to read metrics for components, projects, and portfolio
- API-first design facilitates easy integration with other systems
- API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
- Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys
- Simple to install and configure. Get up and running in just a few minutes