March 22, 2020 major
Bundled frontend: v1.0.0
- New user interface based on Vue.js and Bootstrap.
- User interface can optionally be deployed and upgraded independently of the Dependency-Track server.
- Package repositories are now configurable.
- Package repositories can now be identified as ‘internal’. Components identified as ‘internal’ will be analyzed using internal repositories.
- Added additional logging and notifications for OSS Index and NPM Audit analyzers.
- Added the ability to publish system notifications when vulnerability analyzers encounter communication or other errors.
- Added item counts in several places throughout the UI.
- Corrected the percentage value of findings audited.
- Fixed URL to Maven Central which prevented the MavenMetaAnalyzer from retrieving component metadata.
- Changed logging behavior when internal components are identified.
- Improved accuracy of the internal CPE analyzer, which may have led to false negatives in some situations.
- Fixed issue where the CPE value defined in a BOM was not being persisted if the component previously existed.
- Fixed issue that prevented the HexMetaAnalyzer from executing, which in turn prevented it from retrieving component metadata for Erlang and Elixir components.
- All Dependency-Track server releases now include a complete CycloneDX software bill-of-materials.
- Added missing permission checks to repository API endpoints.
- The index directories inside the Dependency-Track data directory will be deleted upon upgrade. This forces the NVD to be downloaded and reprocessed and the indexes to be rebuilt.
- The internal vulnerable software dictionary, generated automatically from the NVD, will be wiped upon upgrade. This will take several minutes to complete and should not be interrupted.
January 07, 2020 minor
- Added additional debug logging to metric update tasks
- Fixed portfolio metrics issue that allowed multiple operations to be executed simultaneously leading to performance degradation
December 16, 2019 major
- Application context is now configurable in the Docker container
- SVG badges may now be retrieved via the project name and version
- Added Hex repository support for Erlang, Elixir, and other BEAM languages
- Added configurable support for defining components as internal which are not subject to external analysis
- Increased CPE analysis precision for components with CPEs containing a value in the update field
- Fixed defect in /api/v1/project that returned a server error if the ‘name’ parameter was specified
- Fixed defect resulting in invalid gzip response body when Accept-Encoding was not specified
- Fixed defect resulting in licenses not being loaded if Dependency-Track is deployed to a directory containing a space
- Changed behavior when parsing an invalid CPE to display a single line warning rather than the full stack trace
- Fixed defect resulting in a project not being able to be deleted when that project was part of a notification rule
- Fixed encoding issue affecting project names containing special characters
- GHSA-4gqv-hcmg-jw33 Cross-Site Scripting (XSS): Persistent
- GHSA-6j82-qv49-r46p Cross-Site Scripting (XSS): Persistent
- Support for consuming Dependency-Check v4.x XML reports has been removed
- The following can safely be (optionally) dropped upon a successful upgrade (consult log):
- LAST_SCAN_IMPORTED (in PROJECT table)
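The "internal components" feature listed in this release (and extended to internal repositories in the March 2020 release) is a least-exposure control: a component whose group or name marks it as proprietary is never sent to external analyzers such as OSS Index or NPM Audit, so internal package names and versions do not leak to third-party services. The following Python is an added illustration written for this page, not Dependency-Track's own code. The Package URL parser, the InternalComponentPolicy class, the regex patterns and the analyzer target names are this example's assumptions; only the idea (regex on namespace and name decides internal vs. external analysis) comes from the release notes.

```python
import re
from typing import Dict, FrozenSet, Optional
from urllib.parse import unquote


def parse_purl(purl: str) -> Dict[str, Optional[str]]:
    """Minimal Package URL parser: pkg:type/namespace/name@version?qualifiers#subpath.

    Only type, namespace, name and version are returned; qualifiers and
    subpath are dropped. Hypothetical helper for this example.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.split("#", 1)[0]          # strip subpath
    rest = rest.split("?", 1)[0]          # strip qualifiers
    version = None
    # The version separator is an '@' after the last '/', so a percent-decoded
    # npm scope such as '@acme' in the namespace is not mistaken for a version.
    last_slash = rest.rfind("/")
    at = rest.find("@", last_slash + 1)
    if at != -1:
        rest, version = rest[:at], unquote(rest[at + 1:])
    segments = [unquote(s) for s in rest.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"package URL needs at least a type and a name: {purl!r}")
    ptype, name = segments[0], segments[-1]
    namespace = "/".join(segments[1:-1]) or None
    return {"type": ptype, "namespace": namespace, "name": name, "version": version}


class InternalComponentPolicy:
    """Decide which analysis a component is allowed to receive.

    Assumed policy for this example: a component whose namespace (Maven group,
    npm scope, ...) or name fully matches the configured regex is internal and
    is analyzed against internal repositories only; everything else may also be
    sent to external analyzers. fullmatch() is used so a loose pattern cannot
    accidentally classify public packages as internal or vice versa.
    """

    INTERNAL_ONLY = frozenset({"internal-repositories"})
    EXTERNAL_ALLOWED = frozenset({"internal-repositories", "external-analyzers"})

    def __init__(self, namespace_regex: Optional[str] = None, name_regex: Optional[str] = None):
        self.namespace_re = re.compile(namespace_regex) if namespace_regex else None
        self.name_re = re.compile(name_regex) if name_regex else None

    def is_internal(self, purl: str) -> bool:
        p = parse_purl(purl)
        if self.namespace_re and p["namespace"] and self.namespace_re.fullmatch(p["namespace"]):
            return True
        if self.name_re and self.name_re.fullmatch(p["name"]):
            return True
        return False

    def analysis_targets(self, purl: str) -> FrozenSet[str]:
        return self.INTERNAL_ONLY if self.is_internal(purl) else self.EXTERNAL_ALLOWED


if __name__ == "__main__":
    # Constructed sample: everything under com.acme / @acme, or named acme-*, is proprietary.
    policy = InternalComponentPolicy(namespace_regex=r"(com\.acme(\..+)?|@acme)", name_regex=r"acme-.+")
    for purl in ("pkg:maven/com.acme.internal/auth-lib@1.2.3?type=jar",
                 "pkg:maven/org.apache.commons/commons-lang3@3.9",
                 "pkg:npm/%40acme/ui-kit@2.0.0",
                 "pkg:pypi/acme-crypto@0.4"):
        print(purl, "->", sorted(policy.analysis_targets(purl)))
```

Anchor the patterns (or use fullmatch as above): an unanchored `acme` would mark any public package containing that substring as internal and silently exclude it from vulnerability analysis, which is the opposite failure from the leak the feature is meant to prevent.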
October 01, 2019 minor
- Fixed issue that prevented upgrades to 3.6.0 when using Microsoft SQL Server
September 28, 2019 major
- Added configurable option to enable/disable BOMs based on format (CycloneDX enabled by default)
- Added support for the official CPE v2.3 dictionary and vulnerabilities with CPEs of affected products
- Added ability to identify vulnerabilities in components solely by their CPE
- Added full support for VulnDB as a source of vulnerability intelligence
- Added support for SVG badges
- Added additional logging during metrics updates
- Docker container now supports Kubernetes and OpenShift
- Docker container now has configurable support for specifying logging levels
- Added Inherited Risk Score to project list view with the ability to sort on risk score
- Added an ‘active’ flag to projects with the default behavior of hiding inactive projects
- Added BOM_CONSUMED and BOM_PROCESSED notifications which can optionally deliver BOMs via webhooks
- Added support for last BOM imported including the BOM type and version
- Added an API to lookup a project by its name and version
- Added analysis interval throttle to prevent repeated analysis requests for the same components
- Slack and email alerts now contain links back to Dependency-Track
- Added support for Java 11
- Fix for GLOBAL_AUDIT_CHANGE not including affected projects
- Fixed issue that prevented Dependency-Track from working with non-default URL contexts
- Fixed intermittent persistence issue resulting in NPE in BomUploadProcessingTask
- Fixed issue resulting in incorrect percentage audited on project findings
- Fixed OSS Index analyzer in response to the URL changes from ossindex.net to ossindex.sonatype.org
- Support for SPDX BOMs and Dependency-Check XML reports is disabled by default
- Replaced embedded Dependency-Check library with internal CPE analyzer
- Dependency-Track no longer mirrors XML data feeds from the NVD
July 17, 2019 minor
- GHSA-jp9v-w6vw-9m5v Cross-Site Scripting (XSS): Persistent
June 07, 2019 major
- Improved performance, reliability, and quality
- Added support for importing CycloneDX v1.1 BOMs
- Added additional logging and enhanced logging configuration
- Added configurable CORS support
- Numerous fixes; the majority of known defects have been resolved
Two new LDAP properties were introduced in v3.5.0 that affect LDAP configuration. The properties are:
Additional properties introduced in this release are:
Under most situations, changing these values is not recommended and may introduce unintended consequences.
One important change introduced in this release is the default value of
has changed from 30 minutes (in previous releases) to 10 minutes.
April 16, 2019 minor
- Fixed defect that caused high CPU consumption (via thread exhaustion) in some cases when NPM Audit was enabled.
December 22, 2018 major
- Improvements to Findings API
- Created Finding Packaging Format for the native exporting of findings
- Added support for external integrations including:
- Fortify Software Security Center
- Kenna Security
- Added repository (and outdated version detection) support for NuGet and PyPI
- Updated SPDX license list to v3.3
- Added support for identifying FSF Libre licenses
- Updated Java version in Docker container
- Docker container can now be fully configured with environment variables
- Added Test Configuration button when configuring SMTP settings
- Added logfile rotation with default 10MB cap (configurable)
- Corrected issue that incorrectly returned suppressed vulnerabilities when queried for non-suppressed ones
- Fixed issue that resulted in server/UI timeouts due to excessive license payload
- Fixed NPE that occurred when the configured SMTP server didn’t require authentication
- Added workaround for outstanding OSS Index defect where the service didn’t process PackageURLs containing qualifiers
- Updated OpenUnirest which addressed configuration issue with library not honoring proxy server settings
November 13, 2018 minor
- Improved findings API to support a wider range of use-cases
- Fixed NPE caused by some npm modules being misidentified when importing Dependency-Check reports
- Fixed non-standard Java versioning schemes (such as Debian OpenJDK) that caused version comparison to fail
- Corrected issue that resulted in suppressed vulnerabilities to be returned from a query as if they were not suppressed
- Fixed issue preventing saving of SMTP settings with anonymous authentication
The format of the findings API has changed and will not be versioned. This API is used to present findings from the audit tab in the UI. If this API was being used outside the UI, please note that the response format has changed.
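The Java version fix in this release is a good example of a version comparison that breaks on vendor-specific formatting: Debian's OpenJDK reports strings such as 1.8.0_181-8u181-b13-2~deb9u1-b13, and a comparator that expects only 1.8.0_181 or 11.0.4 fails or, worse, mis-orders. The following Python is an added example written for this page, not Dependency-Track's own code. It normalises the legacy 1.x.y_u scheme and the JEP 223 scheme to one tuple, ignores build, pre-release and package-revision suffixes, and rejects strings it cannot parse instead of guessing; the function names and the four-element tuple layout are this example's choices.

```python
import re
from typing import Tuple

# Leading numeric part of a Java version string, with an optional legacy '_NNN'
# update number. Anything after '-' or '+' (build numbers, '-ea', Debian or
# Ubuntu package revisions such as '-8u181-b13-2~deb9u1-b13') is ignored.
_LEADING = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?")


def parse_java_version(raw: str) -> Tuple[int, int, int, int]:
    """Normalise a Java version token to (feature, interim, update, patch).

    Legacy '1.8.0_181' (Java 8 and earlier) is mapped to the JEP 223 form
    8.0.181 so that both spellings compare equal. Expects the version token
    itself, not the full 'java -version' banner.
    """
    m = _LEADING.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {raw!r}")
    numbers = [int(n) for n in m.group(1).split(".")]
    if numbers[0] == 1 and len(numbers) > 1:   # legacy scheme: drop the leading '1.'
        numbers = numbers[1:]
    if m.group(2) is not None:                 # legacy '_NNN' update number
        numbers.append(int(m.group(2)))
    numbers = (numbers + [0, 0, 0, 0])[:4]     # pad so tuples compare position by position
    return tuple(numbers)


def java_version_at_least(actual: str, required: str) -> bool:
    """True if the runtime version satisfies a minimum, regardless of vendor suffixes."""
    return parse_java_version(actual) >= parse_java_version(required)


if __name__ == "__main__":
    # Constructed sample strings covering Oracle, Debian OpenJDK and JEP 223 formats.
    for v in ("1.8.0_181", "1.8.0_181-8u181-b13-2~deb9u1-b13", "11.0.4+11", "9-ea",
              "11.0.5+10-post-Debian-1deb10u1"):
        print(f"{v:40} -> {parse_java_version(v)}")
    print(java_version_at_least("1.8.0_181-8u181-b13-2~deb9u1-b13", "1.8.0_151"))
```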
October 25, 2018 major
- The ability to manually upload a CycloneDX or SPDX BOM from the user interface
- Optional automated provisioning of LDAP users
- Optional synchronization of team membership based on a user's LDAP group membership
- Added API that provides component metadata from a project in CycloneDX format
- Added ability to track the progress of work performed when a BOM is uploaded
- Added tracking of audited and unaudited metrics
- Added ability to add new project version and optionally clone source metadata
- Added ability to search by tag name when displaying projects
- Added checksum generation when publishing a release (backported to 3.2.2)
- The NSP Advisory API has been removed and replaced with the NPM Public Advisory API (backported to v3.2.1)
- Fixed numerous LDAP compatibility issues
- Added additional logging when BOM upload is not in a supported format
This release of Dependency-Track supports a wide range of LDAP implementations and has been tested with Active Directory, ApacheDS, Fedora 389 Directory, and NetIQ/Novell eDirectory. In order to ensure compatibility, some existing LDAP configuration properties have been changed.
# This property has been removed
alpine.ldap.domain

# This property now refers to the user's DN
alpine.ldap.bind.username

# Format now applies only to the value of alpine.ldap.attribute.name.
# Examples have been modified. A user's DN is no longer a valid format.
alpine.ldap.auth.username.format

# New properties
alpine.ldap.groups.filter
alpine.ldap.user.groups.filter
alpine.ldap.user.provisioning
alpine.ldap.team.synchronization
October 02, 2018 minor
- Fixed critical defect which could lead to duplicate or erroneous requests to the NPM Audit API
- Added checksums.xml including SHA-1, SHA-256, SHA-512 checksums for traditional and embedded wars to GitHub releases.
September 21, 2018 minor
- The NSP Advisory API has been removed and replaced with the NPM Public Advisory API
- Processing and permission corrections to new multi-part BOM upload API
- UI corrections for vulnerabilities with unassigned severity
- Fixes for displaying and processing of vulnerabilities without CVSS scores
- Minor changes to severity colour scheme
All previous NSP vulnerabilities will automatically be migrated to NPM vulnerabilities. No additional action is required. Unlike NSP vulnerabilities, NPM does not provide CVSS scores or vectors. Therefore all NPM vulnerabilities will no longer display the CVSS vector, or the base, impact, or exploitability scores and corresponding chart data.
September 06, 2018 major
- Configurable notifications of new vulnerabilities, vulnerable dependencies, analysis decision changes, and system events
- Added Slack, Microsoft Teams, Outbound Webhook, Email, and system console notification publishers
- Replaced NSP Check API with NPM Audit API
- Added support for Sonatype OSS Index
- Updated SPDX license IDs to v3.2
- General improvements in logging when error conditions are encountered
- Improvements to Dependency-Check XML report parsing
- Added native CPE 2.2 and 2.3 parsing capability
- Enhanced administrative interface with options for repositories and general configuration
- Updated Java version used in Docker container
- Fixed issue where the audit table did not reflect the correct analysis and suppressed data
- Added validation when processing Dependency-Check XML reports containing invalid Maven GAVs
- Corrected issue with NVD mirroring affecting Docker containers and case-sensitive filesystems
The PROJECT_CREATION_UPLOAD permission was introduced in this release. Existing API keys that need the ability to dynamically create projects (without providing them full PORTFOLIO_MANAGEMENT permission) will need this permission added to their account or through their team membership.
The SYSTEM_CONFIGURATION permission was introduced in this release. Existing administrative users that need the ability to perform more general purpose system configurations need to add this permission to their accounts.
Upgrades to v3.2.0 can be successfully performed from systems running v3.1.x. If a previous version is being used, an upgrade to 3.1.x is required prior to upgrading to v3.2.0.
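Several releases above touch the same mechanism: native CPE 2.2/2.3 parsing (this release), identifying vulnerabilities solely by CPE and the internal CPE analyzer (September 2019), and the precision fixes for CPEs carrying a value in the update field (December 2019, March 2020). The following Python is an added example written for this page, not Dependency-Track's analyzer. It parses a CPE 2.3 formatted string into its eleven attributes (honouring escaped colons), compares attribute by attribute with the logical ANY (`*`) and NA (`-`) values, and contrasts that with naive whole-string equality, which yields exactly the false negatives the release notes describe when a component's update field is populated. The vendor, product and vulnerability identifiers in VULN_DB are constructed, and the matcher implements only a subset of the NIST IR 7696 rules (a lone `*` or `-` per attribute, no intra-value wildcards such as `2.0*`).

```python
from typing import Callable, Dict, List

# Attribute order of a CPE 2.3 formatted string (NIST IR 7695).
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")
ANY = "*"   # logical ANY: attribute unspecified, matches anything
NA = "-"    # logical NA: attribute explicitly not applicable (e.g. no update/service pack)


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into its 11 attributes.

    A colon inside a value is escaped as '\\:' and must not split the string,
    so a plain str.split(':') is not sufficient. Escape sequences are kept as-is.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    body, values, current, i = cpe[len(prefix):], [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep the escape pair together
            current.append(body[i:i + 2])
            i += 2
            continue
        if ch == ":":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current))
    if len(values) != len(CPE23_FIELDS):
        raise ValueError(f"expected 11 attributes, got {len(values)}: {cpe!r}")
    return dict(zip(CPE23_FIELDS, values))


def attribute_matches(component_value: str, vuln_value: str) -> bool:
    """Simplified IR 7696 attribute comparison: ANY matches anything, NA only NA,
    otherwise a case-insensitive equality test."""
    if component_value == ANY or vuln_value == ANY:
        return True
    if component_value == NA or vuln_value == NA:
        return component_value == vuln_value
    return component_value.lower() == vuln_value.lower()


def cpe_matches(component_cpe: str, vuln_cpe: str) -> bool:
    """True if the vulnerable-product CPE covers the component CPE, attribute by attribute."""
    comp, vuln = parse_cpe23(component_cpe), parse_cpe23(vuln_cpe)
    return all(attribute_matches(comp[f], vuln[f]) for f in CPE23_FIELDS)


def naive_matches(component_cpe: str, vuln_cpe: str) -> bool:
    """Whole-string equality: the behaviour that produces false negatives
    as soon as the component carries an update value the database entry does not."""
    return component_cpe.lower() == vuln_cpe.lower()


# Constructed vulnerable-software dictionary (identifiers and products are made up).
VULN_DB = [
    ("EXAMPLE-2019-0001", "cpe:2.3:a:acme:widget:2.0:*:*:*:*:*:*:*"),    # every 2.0 build
    ("EXAMPLE-2019-0002", "cpe:2.3:a:acme:widget:2.0:sp1:*:*:*:*:*:*"),  # only service pack 1
    ("EXAMPLE-2019-0003", "cpe:2.3:a:acme:widget:2.0:-:*:*:*:*:*:*"),    # only the base 2.0 release
]


def find_vulnerabilities(component_cpe: str,
                         matcher: Callable[[str, str], bool] = cpe_matches) -> List[str]:
    """Return the IDs of VULN_DB entries whose CPE covers the component."""
    return [vid for vid, vcpe in VULN_DB if matcher(component_cpe, vcpe)]


if __name__ == "__main__":
    sp1 = "cpe:2.3:a:acme:widget:2.0:sp1:*:*:*:*:*:*"
    print("attribute matching:", find_vulnerabilities(sp1))                 # 0001 and 0002
    print("naive matching:    ", find_vulnerabilities(sp1, naive_matches))  # 0002 only: 0001 missed
    print("sp2 build:         ", find_vulnerabilities("cpe:2.3:a:acme:widget:2.0:sp2:*:*:*:*:*:*"))
    print("base release:      ", find_vulnerabilities("cpe:2.3:a:acme:widget:2.0:-:*:*:*:*:*:*"))
```

The sp1 component is the instructive case: the entry scoped to every 2.0 build (update `*`) must still match it, which string equality misses, while the entry scoped to the base release (update `-`) must not, which a matcher that simply ignored the update field would get wrong in the other direction.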
June 20, 2018 minor
- Fixed issue where new permissions were not being added to database on upgrades
June 19, 2018 major
- Support for advanced auditing workflow to easily triage findings
- Support for external repositories to retrieve additional component metadata from
- Support for SPDX 3.1 license IDs
- NVD mirroring support for Dependency-Check (and other) clients
- Support for out-of-date version detection (rubygems, maven, and npm)
- Enhanced API to (optionally) autocreate project on bom/scan upload
- Better support for Dependency-Check “relatedDependencies”
- Added individual component metrics (independent of dependency metrics)
- Added per project and per component overview with metrics and refresh support
- Specific table columns can now be sorted with full pagination support
- Improved error logging when issues are encountered during BOM and scan processing
- Enhanced LDAP integration to support strong authentication mechanisms and configurable user formats
- General performance improvements on multi-core machines
- Minor enhancements to user interface
- Fixed defect that prevented paginated results on project tag searches
- Fixed defect affecting GAV identifiers in Dependency-Check Gradle/CLI reports not being in parentheses
- The VULNERABILITY_ANALYSIS permission was introduced in this release. Existing users that need the ability to audit findings will need this permission added to their account or through their team membership.
- MySQL now requires ANSI_QUOTES to be added to the SQL mode. Refer to Database Support for details.
May 02, 2018 minor
- Fixed defect resulting in incorrect results returned when filtering on components in the project view
- Synced CycloneDX specification to latest v1.0.1 release
April 13, 2018 minor
- Fixed defect resulting in incorrect vulnerability counts for projects
- Fixed defect which prevented project metrics from returning results
- Fixed issue related to the assignment of tags on project creation
- Added the VIEW_PORTFOLIO permission to the ‘automation’ team on new installs
- Updated several dependencies
- Performance improvements in database connection pool
- Fixed defect where database connections were not being reconnected if the connection was lost
- Fixed multiple defects related to component reconciliation when processing BOM and scan uploads
March 30, 2018 minor
- Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring.
March 29, 2018 minor
- Fixed data model issue which prevented multiple versions of the same project name from being persisted.
- Fixed issue in admin console which did not properly display the number of team members.
If v3.0.0 was deployed, shut down Dependency-Track, execute the following statement against the database, and then deploy v3.0.1.
/* Removes the unique-project-name constraint, which prevented multiple versions of the same project from existing.
   https://github.com/DependencyTrack/dependency-track/issues/118 */
ALTER TABLE PROJECT DROP CONSTRAINT PROJECT_NAME_IDX;
March 27, 2018 major
Project Reboot Successful! This is the first release after being developed from the ground up.
- Dramatically increases visibility into the use of vulnerable components
- Supports an unlimited number of projects and components
- Projects can range from applications, operating systems, firmware, to IoT devices
- Tracks vulnerabilities across entire project portfolio
- Tracks vulnerabilities by component
- Easily identify projects that are potentially vulnerable to newly published vulnerabilities
- Supports standardized SPDX license IDs and tracks license use by component
- Supports CycloneDX and SPDX bill-of-material formats
- Easy to read metrics for components, projects, and portfolio
- API-first design facilitates easy integration with other systems
- API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
- Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys
- Simple to install and configure. Get up and running in just a few minutes