Dependency-Track logov4.10

Subscribe with RSS to keep up with the latest changes.

v4.10.1

December 19, 2023 patch

This release fixes various defects in the API server.
There are no changes for the frontend, the latest version of it remains 4.10.0.

NVD Data Feed Retirement Update:

The NVD has announced that retirement of the legacy data feeds has been delayed until further notice. Dependency-Track users who:

  • ran into issues with the new NVD REST API integration, or
  • did not have the time yet to migrate

can safely continue consuming the legacy feeds, or switch back to it.

Fixes:

  • Fix alert rules not working for projects where the ACTIVE column is NULL - apiserver/#3306
  • Fix NPE in version distance policy evaluation when project has no direct dependencies - apiserver/#3308
  • Fix ClassCastException when updating an existing ProjectMetadata#authors field - apiserver/#3312
  • Fix NPE in GitHub repository metadata analysis for components without version - apiserver/#3315
  • Fix last modified timestamp for NVD mirroring via REST API not taking effect until restart - apiserver/#3323

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@jadyndev

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 1d728ce1788e5db8b3a9308338a9e7e8ab5af12e
SHA-256 e30731cd1915d3a1578cf5d8c8596d247fb11a82a3fe4c1ba2fb9fad01667aef
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 be32e1bc64d0b9b8019e340717d4ae3c12442ecd
SHA-256 ffa0ab6dc9be894d0887ca3e10c4ffe3a333305d98de940413fcdbb05e2bcebd
Software Bill of Materials (SBOM) #

v4.10.0 #

December 08, 2023 major

Dependency-Track has historically relied on file-based data feeds to mirror contents of the National Vulnerability Database (NVD). These feeds are being retired on December 15th 2023, although they may be available up until December 18th.

As a consequence, this release includes support for mirroring the NVD via its REST API instead. This integration will be optional for Dependency-Track v4.10, but mandatory for later releases. Users are encouraged to enable REST API mirroring now, to ensure a smooth transition. Refer to the NVD datasource documentation to learn more.

Features:

  • Add support for mirroring the NVD via its REST API - apiserver/#3175
  • Add retries with exponential backoff for NVD feed downloads - apiserver/#3154
  • Add support for CycloneDX metadata.supplier, metadata.manufacturer, metadata.authors, and component.supplier - apiserver/#3090, apiserver/#3179
  • Add support for authenticating with public / non-internal repositories - apiserver/#2876
  • Add support for fetching latest versions from GitHub - apiserver/#3112
    • Applicable to components with pkg:github/<owner>/<repository>@<version> package URLs
  • Improve efficiency of search index operations - apiserver/#3116
  • Add option to emit log for successfully published notifications, and improve logging around notifications in general - apiserver/#3211
  • Use Java 21 JRE in container images - apiserver/#3089
  • Tweak container health check to prevent wget zombie processes on slow hosts - apiserver/#3245
  • Expose alpine_event_processing_seconds metric for monitoring of event processing durations
  • Add average event processing duration to Grafana dashboard - apiserver/#3173
  • Add guidance for 413 Content Too Large errors upon BOM upload - apiserver/#3167
  • Improve OIDC documentation - apiserver/#3186
  • Add “Show in Dependency-Graph” button to component search results - frontend/#572

Fixes:

  • Fix false positives in CPE matching due to ambiguous vendor-product relations - apiserver/#3209
  • Fix failure to delete policy violations when they have an audit trail - apiserver/#3228
  • Fix teams not being assignable to alerts with custom email publishers - apiserver/#3232
  • Fix inability to rebuild search indexes for more than one entity type at a time - apiserver/#2987
  • Fix trailing comma in default Slack notification template - apiserver/#3172
  • Fix NPE when affected node in OSV does not define a package - apiserver/#3194
  • Fix NPE for BOM_PROCESSING_FAILED notifications when parsing of the BOM failed - apiserver/#3198
  • Fix gradual performance degradation of portfolio vulnerability analysis - apiserver/#3222
  • Fix erroneous warning log during VEX import - apiserver/#3233
  • Fix project.active defaulting to false when creating projects via REST API - apiserver/#3244
  • Fix OIDC login button moving before it can be clicked - frontend/#616
  • Fix input fields losing focus while editing alerts - frontend/#619
  • Fix switching between project versions being broken on tabs other than “Overview” - frontend/#659
  • Fix notification level not being modifiable for existing alerts - frontend/#661

Upgrade Notes:

  • The CPE table is no longer needed and will be dropped automatically upon upgrade - apiserver/#3117
  • A warning will be logged when mirroring the NVD through its legacy data feeds
  • As the Grafana dashboard is not managed by Dependency-Track, users wishing to update it will need to re-import it into their Grafana instance.

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@AbdelHajou, @Nikemare, @acdha, @dimitri-rebrikov, @jadyndev, @leec94, @mehab, @melba-lopez, @rbt-mm, @rkg-mm, @willienel, @ybelMekk

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 c308b1f6a2d73fc2bba9da2cc33bf7e3ec49e851
SHA-256 d06f4550e16451ccb7843c36534172744934a7dc69e1d48e970a6eec24e49dc3
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 b94fb9cbaa91c4e332bcec266e10a0f325f12e22
SHA-256 cf27db44e637b4bc551c16e659e81890f4c5d4f3b4ea9893ebf1717bff98b999
frontend-dist.zip #
Algorithm Checksum
SHA-1 217bcaab3a7da2ae2fab3103055f9503aef5db07
SHA-256 2f6f524c45afcc4a90128cab22a557bf41b88c716aaf0992eb6bb2239ce1469c
Software Bill of Materials (SBOM) #

v4.9.1 #

October 30, 2023 patch

Fixes:

  • Fix failure to import BOMs in XML format when they contain multiple metadata>tools nodes - apiserver/#3125
  • Fix failure to parse BOMs in XML format when the metadata>component nodes has properties - apiserver/#3125
  • Fix failure to parse BOMs in XML format when the component>hashes node is empty - apiserver/#3141
  • Fix impossible SQL query conditions causing DB indexes to be bypassed - apiserver/#3126
  • Fix failure to start the application when using a logging config with JSON output - apiserver/#3129
  • Fix NGINX failing to start when IPv6 is not available - frontend/#623
  • Fix NGINX entrypoint failing to detect mounted config.json under containerd - frontend/#624
  • Fix external references being cleared when updating a project via UI - frontend/#628

For a complete list of changes, refer to the respective GitHub milestone:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@muellerst-hg

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 99da5f705c3b0048ecf621e8c738a87147c693d9
SHA-256 5d925f08f85fe7f39231357c4a4c8057fd354e048b7c9407efb20af78033ecec
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 487801d69bffb2e8def5aad9aa55c34be8cddcb2
SHA-256 19ac4ede2932ff54c42e0466cdf7d5b410f7a44784562f237fc5b4b8891a8dc8
frontend-dist.zip #
Algorithm Checksum
SHA-1 d45d09a8ffb4c36f2fac78149d5f7cefe31a280b
SHA-256 6bc0bf9ecb8e7dc26eb3bfe9beecc41c5d11e5ccb902f19f0445aaa5860a1980
Software Bill of Materials (SBOM) #

v4.9.0 #

October 16, 2023 major

Features:

Fixes:

  • Fix memory leak in policy evaluation - apiserver/#2872
  • Fix memory leak in VEX upload processing - apiserver/#2873
  • Fix VDR export erroneously containing non-vulnerable components - apiserver/#2878
  • Fix VEX export erroneously containing dependency graph - apiserver/#3067
  • Fix false positives in CPE matching when version attribute of a CVE’s CPE is NA - apiserver/#1832
  • Fix false negatives in CPE matching when part or vendor attribute of a component’s CPE is ANY - apiserver/#2988
  • Fix Uncaught internal server error when fetching components by hash if Portfolio Access Control is enabled - apiserver/#2953
  • Fix Affected Component format for CPEs with version ranges - apiserver/#2967
  • Fix missing duplicate check when cloning projects - apiserver/#2966
  • Fix NullPointerException when checking for existence of projects without version - apiserver/#3068
  • Fix module import issues when working on the code base with Eclipse - apiserver/#2971
  • Fix version distance policy being evaluated despite not being configured - apiserver/#2980
  • Fix @JsonIgnore having no effect on transient fields - apiserver/#3051
  • Fix misleading docs about authentication and authorization enforcement being optional - apiserver/#3047
  • Fix default Slack notification template producing invalid JSON for PROJECT_AUDIT_CHANGE notifications - apiserver/#2838
  • Fix default Mattermost notification template producing invalid JSON for NEW_VULNERABLE_DEPENDENCY notifications - apiserver/#3093
  • Fix number of project versions displayed in dropdown being limited to 10 - frontend/#397
  • Fix unauthenticated users not being redirected to login page - frontend/#502
  • Fix no permissions being defined for dashboard route - frontend/#506
  • Fix regression in Docker Compose file regarding application directory - frontend/#494
  • Fix external references dropdown rendering outside the screen - frontend/#539
  • Fix vulnerability aliases not being displayed in expanded rows of findings table - frontend/#559
  • Fix type error in external references dropdown - frontend/#565
  • Fix license expression input fields - frontend/#580
  • Fix wrong message being displayed when creating policies - frontend/#610
  • Fix file permissions of NGINX config file - frontend/#611

Upgrade Notes:

  • API keys generated after the upgrade will be prefixed with odt_. Existing API keys without this prefix will continue to work. The prefix is configurable via alpine.api.key.prefix, although customization is not recommended. Refer to Configuration for details.
  • Users ingesting SBOMs with CPE data may notice an uptick in vulnerabilities being identified by the internal analyzer. This is expected as a result of apiserver/#2988 being fixed. If newly identified vulnerabilities turn out to be largely false positives, let the project team know by reporting a defect.

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@HagarJNode, @Meroje, @Nikemare, @RingoDev, @Shawyeok, @dustin-decker, @hborchardt, @heubeck, @mattmatician, @melba-lopez, @muellerst-hg, @nathan-mittelette, @sahibamittal, @sephiroth-j, @syalioune, @takumakume, @valentijnscholten, @walterdeboer

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 cd4ec4f1ed075f37476f46da11451158d7460502
SHA-256 281f091107ef79d9b1e9361dc78608260b364eaa7dbbaeb29d4f7aef1a4bf67b
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 6f3a077219fb49a502a88fcbb40e05865a23f5c5
SHA-256 4ca0b061ed83fa0b34ede8158f3ec0e2a7380c2736731995cf330f809076951f
frontend-dist.zip #
Algorithm Checksum
SHA-1 151f24f7b92e93dcf6600c4b8ee9e0ebd7b3560b
SHA-256 1ff2ace778d08529b42ee297fb6e3b0bbe8b2593b2b8686e8b3e3c9472663c2a
Software Bill of Materials (SBOM) #

v4.8.2 #

May 17, 2023 patch

This release fixes a regression in the API server related to fetching of policy violations, which was introduced in 4.8.1.
There are no changes for the frontend, the latest version of it remains 4.8.1.

Fixes:

  • Fix policy violations endpoint erroneously returning violations for all projects when no searchText parameter is provided - apiserver/#2766
  • Fix signals (e.g. SIGTERM) not being handled by the JVM process inside the container image, preventing graceful shutdown - apiserver/#2750

For a complete list of changes, refer to the respective GitHub milestone:

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 bfc8758eb30ab90f4280cb37ea959964f74706b9
SHA-256 2b1d249d98f72b863deb4769665efc119a3ef8db195838decddce9a2a12f36b4
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 52bd8b0c0646d0759e30f5b1600f5fb17e4ede36
SHA-256 2f8171cd2a93f060110e0f7f5f1555a17db11de0a3cb0cb5b6068dfe3cd8e5e3
Software Bill of Materials (SBOM) #

v4.8.1 #

May 16, 2023 patch

Fixes:

  • Fix unrelated vulnerabilities being correlated during alias synchronization - apiserver/#2194
  • Fix NullPointerException when email alert is configured with just teams as destination - apiserver/#2698
  • Fix broken pagination in DefectDojo integration - apiserver/#2707
  • Fix search function in policy violation tab not working - apiserver/#2622
  • Fix PATCH /api/v1/project endpoint not updating external references - apiserver/#2695
  • Fix NullPointerException in DefectDojo integration - apiserver/#2628
  • Fix retrieval of OIDC JWK sets not respecting HTTP proxy settings - apiserver/#2696
  • Lower log level for repository meta analyzer to WARN and include exception details - apiserver/#2697
  • Add missing config docs for alpine.oidc.client.id - apiserver/#2743
  • Fix not all vulnerability aliases being displayed in the UI - frontend/#477
  • Fix broken vulnerability alias links - frontend/#486
  • Fix broken project tag links on tabs other than “Overview” - frontend/#483
  • Fix broken project version links on tabs other than “Overview” - frontend/#495

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to fix defects:
@heubeck, @jakubrak, @sahibamittal, @valentijnscholten

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 553d17a940220d79b686ce6b64d65c0854915f1b
SHA-256 56db674f5b467eac0a5b3fde99bc6285fd9135ad84e8fa0328ed6ace64fc723c
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 b2f0e053083ac672a9eaef19f7363ac854bdb91a
SHA-256 e1bd03ea89b312c2125791a0d46ca99aa62365140a4f175d2f45cbb1d59a87a6
frontend-dist.zip #
Algorithm Checksum
SHA-1 01bc042e1f510e089b9db937852dbcde69eca603
SHA-256 f946994c0f66647bd34c9e10997f2b62c08ab17ebbfe42edf149be12a47b2278
Software Bill of Materials (SBOM) #

v4.8.0 #

April 18, 2023 major

Celebrating 10 years of OWASP Dependency-Track

Dependency-Track is celebrating its 10th anniversary this year!
Read the announcement from Steve Springett, creator of Dependency-Track, on the OWASP blog.

Highlights:

  • Improved frontend UX.
    • Navigating through the UI, switching tabs etc. now properly updates the URL in the browser. This makes it possible to share links to specific pages with others, and not lose context entirely when using the browser’s “go back” functionality.
    • Criteria for the component search is now encoded in the URL, which allows “deep-linking” to searches, making it easier to collaborate with colleagues.
    • The UI will now remember various user preferences, i.e. selected columns, numbers of search results per page, whether to show inactive projects, and much more.
    • The dependency graph now optionally displays indicator icons for outdated components.
  • Polished policy engine. The policy engine received lots of love in this release, ranging from various bugfixes, to newly supported policy conditions.
  • Reduced resource footprint for vulnerability database mirroring. Downloading and processing vulnerability data from the NVD, GitHub, and OSV has historically been a heavy task that could cause large spikes in JVM heap usage. Due to various improvements, mirroring will now be faster, and a lot more lightweight (see apiserver/#2575 for comparisons).

Features:

  • Reduce log level for some recurring tasks to debug - apiserver/#2325
  • Reduce log level for Defect Dojo pagination advancement to info - apiserver/#2338
  • Add User-Agent header to Snyk requests - apiserver/#2396
  • Allow updating only the project’s parent via PATCH, without having to worry about any other project properties. - apiserver/#2401
  • Include version of affected projects in Jira notification template - apiserver/#2408
  • Add support for regular expressions in policy conditions - apiserver/#2144
  • Show version status information on dependency graph nodes - apiserver/#2273
  • Add support for component age in policy conditions - apiserver/#772
  • Skip superfluous component metrics calculation during OSS Index analysis - apiserver/#2466
  • Handle deleted projects gracefully when processing uploaded BOMs - apiserver/#2467
  • Include persistence framework in logging configuration - apiserver/#2483
  • Drop dependency on Unirest library - apiserver/#2350
  • Simplify and speed up vulnerability metrics calculation - apiserver/#2481
  • Add developer documentation for skipping NVD mirroring - apiserver/#2547
  • Execute NVD and EPSS mirroring on multi-threaded event service - apiserver/#2526
  • Reduce memory footprint of vulnerability mirroring tasks - apiserver/#2525
  • Allow for prevention of re-opening Defect Dojo findings via “do not reactivate” flag - apiserver/#2424
  • Add support for vulnerability ID in policy conditions - apiserver/#2557
  • Add support for matching of non-existent CPEs and Package URLs in policy conditions - apiserver/#2587
  • Ingest remediation details from Snyk - apiserver/#2571
  • Handle errors from repository metadata analyzers more gracefully - apiserver/#2563
  • Add support for CPAN repositories - apiserver/#639
  • Allow inclusion of H2 web console for local development purposes - apiserver/#2592
  • Add BOM_PROCESSING_FAILED notification - apiserver/#2264
  • Ingest vulnerability publication time from Snyk - apiserver/#2626
  • Add health endpoints - apiserver/#1001
  • Include dependency graph in CycloneDX exports - apiserver/#2616
  • Allow for vulnerability alias synchronization to be disabled for each source that supports it - apiserver/#2670
  • Reduce heap usage during NVD mirroring - apiserver/#2575
  • Support Jira authentication with personal access token - apiserver/#2641
  • Allow parent project to be specified when upload a BOM - apiserver/#2412
  • Update branding - frontend/#387
  • Add deep linking capability throughout the entire UI - frontend/#391
  • Remember UI user preferences (selected columns, page sizes, etc.) - frontend/#348
  • Add deep linking for component search - frontend/#425
  • Make removing a project parent relationship more convenient - frontend/#424
  • Display multiple aliases in a vertical rather than horizontal list - frontend/#315
  • Display aliases column in all vulnerability list views - frontend/#315
  • Add optional tags column to projects list view - frontend/#319

Fixes:

  • Fix unhandled exceptions when fetching repository metadata for Composer components that no longer exist - apiserver/#2134
  • Fix invalid group name of Jira configuration properties - apiserver/#2313
  • Fix duplicate policy violations caused by the “Package URL” policy condition - apiserver/#1925
  • Fix policies with operator ALL behaving as if operator ANY was used - apiserver/#2212
  • Fix 2023 NVD feeds not being fetched unless DT is restarted in new year - apiserver/#2349
  • Fix VulnDB analysis results not being cached properly - apiserver/#2436
  • Fix incomplete ingestion of dependency graph from hierarchically merged BOMs - apiserver/#2411
  • Remove unnecessary parentUuid field from project model - apiserver/#2439
  • Fix AlreadyClosedException when committing search indexes - apiserver/#2379
  • Prevent OSV ecosystems being selected multiple times - apiserver/#2473
  • Fix NullPointerException when computing enabled OSV ecosystems - apiserver/#2527
  • Fix Finding Packaging Format (FPF) export containing internal technical fields - apiserver/#2469
  • Fix ACL definitions not being cloned when cloning a project - apiserver/#2493
  • Fix email notification for PROJECT_AUDIT_CHANGE missing some information - apiserver/#2420
  • Fix not all tags being checked when evaluating “limit to” for policies - apiserver/#2586
  • Fix internal server error when fetching all projects while ACL is enabled - apiserver/#2583
  • Fix failures to import BOMs when component author fields exceed 255 characters - apiserver/#2488
  • Fix incomplete implementation of apiserver/#2313 - apiserver/#2610
  • Fix dependency graph in UI being deleted after exporting project as CycloneDX - apiserver/#2494
  • Fix project URL in email and Cisco WebEx notifications - apiserver/#2631
  • Fix OSV overriding CVE data when NVD mirroring is also enabled - apiserver/#2293
  • Fix redundant POLICY_VIOLATION notifications for existing violations - apiserver/#2655
  • Fix email of LDAP users not being persisted - apiserver/#2320
  • Fix email of OIDC users not being persisted - apiserver/#2647
  • Fix VEX import not working for vulnerabilities from OSV, Snyk, and VulnDB - apiserver/#2538
  • Fix missing project and component information in Microsoft Teams notifications - apiserver/#2638
  • Fix API server not respecting HTTP proxy settings when communicating with OIDC Identity Provider - apiserver/#1940
  • Fix potential Invalid state. Transaction has already started error during repository metadata analysis - apiserver/#2678
  • Fix broken link to affected projects - frontend/#417
  • Fix duplicate PURL version in Affected Components tab of vulnerability details - frontend/#454

Upgrade Notes:

  • The parentUuid field has been removed from the project model and will thus no longer be returned by the REST API (apiserver/#2439)
  • Due to apiserver/#2469, the File Packaging Format (FPF) version has been bumped to 1.2; Refer to File Formats for details
  • Synchronization of vulnerability aliases is now disabled by default for OSV and Snyk (apiserver/#2670)

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@Ehoky, @Gator8, @Hunroll, @StephenKing, @ch8matt, @jkowalleck, @lme-nca, @malice00, @mcombuechen, @msymons, @mvandermade, @rbt-mm, @roadSurfer, @s-spindler, @sahibamittal, @syalioune, @walterdeboer, @zgael

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 883754d3ed227a124976c3f9247345be48cc0561
SHA-256 0ab7e3a1d0cd308a9193a6bec7b561f3911d19052312a82e4a59607d4ff50fd0
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 979f02a5bf3ea5d8b0bba7d4e73a725de1920219
SHA-256 af9f6d79e7828b4f744f9f82215486c0b5649abf6544d0374c945b2ab5d8b58a
frontend-dist.zip #
Algorithm Checksum
SHA-1 852b8a16aa8d07ccd46b4bec38cda736c6271c42
SHA-256 40cffc6fcaafe4a23d2c347958c2e3f43e3c02afe3def238bfd4615684803537
Software Bill of Materials (SBOM) #

v4.7.1 #

January 31, 2023 patch

Fixes:

  • Resolved a defect that caused BOM uploads to fail when the BOM file contained a byte order mark - apiserver/#2312
  • Resolved a defect that caused updating projects to fail when their active status was null - apiserver/#2317
  • Resolved a defect that prevented teams from being deleted when portfolio access control was enabled - apiserver/#2374
  • Move “Use Cases” documentation page to “Community Usage Examples” and clarify its purpose - apiserver/#2403
  • Resolved a defect that caused vulnerability alias synchronization to fail for VulnDB - apiserver/#2428
  • Fixed typo in monitoring documentation - apiserver/#2430
  • Resolved a defect that caused component details to not be displayed in policy violations tab - frontend/#373

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to fix defects:

@JoergBruenner, @mehab, @rbt-mm, @sergioasantiago, @syalioune

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 ef119b6f5fb422687e5152528bdb3e40e89c8733
SHA-256 7fbccad45c730226ab9df1ff51aaa2dba90b93cf22547bbe395d3f3b849c8371
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 94ca9179dad020c45adfdf0152b3f20081f7cf8b
SHA-256 fe3fad9d43235df30880e547f838f65fe6365919dbc19107e4da349a5dce104f
frontend-dist.zip #
Algorithm Checksum
SHA-1 1c1412a09a64d08ae44cb3c9c980bfbb2786ff53
SHA-256 95aed5a69c6e1db5ab05eaa57f511d5e16f92bafd67839be63f136ea78e11252
Software Bill of Materials (SBOM) #

v4.7.0 #

December 16, 2022 major

Highlights:

  • Hierarchical Project Relationships. Projects can now be organized in hierarchies, using simple parent-child-relationships. Hierarchies are visualized in the UI, and allow projects to inherit various configurations from their parent, including notification rules and applicable policies.
  • Improved Dependency Graph. The dependency graph can now be displayed in its entirety. Previously, the depth was limited to only three levels. Additionally, it’s now possible to navigate from a specific component (e.g. from the Audit Vulnerabilities tab) directly to the dependency graph. In doing so, Dependency-Track will show all paths in the graph leading up to this component, making it easy to understand how a given component is introduced to the project.
  • Snyk Integration (Beta). Dependency-Track can now make use of Snyk to scan and continuously monitor components for vulnerabilities. This provides access to Snyk’s proprietary vulnerability database, maintained by their dedicated research team. The Snyk integration requires a paid subscription with REST API access.
  • Jira Integration. It is now possible to publish notifications to Jira, making it easier to integrate events that require action to be taken into existing Jira workflows.

Features:

Fixes:

  • Fix dependency graph only showing 3 levels of transitive relationships - frontend/#85
  • Fix alert limitations to not be applied for POLICY_VIOLATION and PROJECT_AUDIT_CHANGE notifications - apiserver/#975
  • Fix NVD mirroring to fail when using CIFS volumes - apiserver/#2048
  • When determining the latest version of a Maven component, use the release version advertised by the repository, instead of latest - apiserver/#2075
  • Fix incorrect project URL in email notifications - apiserver/#2172
  • Fix missing project information in NEW_VULNERABLE_DEPENDENCY notification emails - apiserver/#2139
  • Fix search indexes not being (re-) built - apiserver/#2104
  • Fix Component in Affected Components tab of vulnerability details showing undefined in some cases - apiserver/#2231
  • Fix incorrect datasource for instance dropdown in sample Grafana dashboard - apiserver/#2068
  • Fix broke heap usage gauge in sample Grafana dashboard - apiserver/#2073
  • Fix CPEs not matching on identical versions - apiserver/#2240
  • Fix inability to delete teams that are part of one or more ACL - apiserver/#1532

Upgrade Notes:

  • Creating new or searching for existing tags will now treat tag names as case-insensitive (apiserver/#1717). Users relying on tags being treated as case-sensitive (e.g. critical and CRITICAL being treated as different) should review their use of tags prior to upgrading.
  • Names of the HikariCP connection pools in the exposed Prometheus metrics have changed from HikariPool-3 and HikariPool-4 to transactional and non-transactional (apiserver/#2238). Users monitoring those pools are advised to update their monitoring configuration accordingly (e.g. Grafana dashboards).
  • Distribution of the API server SBOM in XML format has been dropped (apiserver/#2175). Users consuming the API server BOM in XML format should migrate to consuming the JSON-formatted BOM instead.

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release.
Special thanks to everyone who contributed code to implement enhancements and fix defects:

@AZenker, @JoergBruenner, @KramNamez, @Mvld3r, @Zargath, @awegg, @ch8matt, @japurva1502, @kekkegenkai, @mehab, @nathan-mittelette, @omerlh, @rbt-mm, @ribbybibby, @s-spindler, @sahibamittal, @syalioune, @valentijnscholten

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 99f1a012a983b8256d9346e64d3dd27e92d1c808
SHA-256 373e8efa1a8995193b7c068ea34974040627553647905d38e1dce053333eeb10
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 c7faee42162e1712377fbd8a03dfd9e3ef251a23
SHA-256 631807c24fd76c0f44d4494a44147e0414ab471ac1e12fe4ebff054f363a8f0f
frontend-dist.zip #
Algorithm Checksum
SHA-1 8696218e07d438896f236f691f2ca658faf0377a
SHA-256 23cc72eea3361edeaff84efe0a1a0327e47367419466307867103bac2b14ad75
Software Bill of Materials (SBOM) #

v4.6.3 #

November 18, 2022 patch

This release fixes a defect in the caching of vulnerability analysis results from external sources.
There are no changes for the frontend, the latest version of it remains 4.6.1.

Fixes:

Upgrade Notes:

  • The value of the scanner.analysis.cache.validity.period configuration property will be reset to 12 hours during the automated upgrade. No manual actions are required.

For a complete list of changes, refer to the respective GitHub milestones:

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 68b806410c2e68fe8c586b93044f29a648f96466
SHA-256 d9b5337419addee26658da8e421f0286aaa92160b8f6f85caca83aa1a328611f
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 ac2a60bc8fedad714fa55c2aaad44533fa2086d7
SHA-256 1229681b5d1dc399ec662946969f7ef225bc7e6381861d8eb35e31d431b25714
Software Bill of Materials (SBOM) #

v4.6.2 #

October 24, 2022 patch

This release fixes a cross-site scripting (XSS) vulnerability in the frontend. The bundled distribution has been updated to include the fixed frontend version. There are no changes for the API server distribution.

Fixes:

  • Resolved a defect that caused HTML tags in vulnerability descriptions to be rendered on the vulnerability details page - #300

Security:

  • Fixed a cross-site scripting vulnerability in the vulnerability details page - GHSA-c33w-pm52-mqvf

For a complete list of changes, refer to the respective GitHub milestones:

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 313b2ee9bd957f8bd2b0baba524044197501b2a9
SHA-256 7ee92f572cebe6d8d8f9e37ab6067e5849c83c56c98b38a21418557260efbfdc
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 e009cc9345ae5bdb321c651df769a6d02dfc5a67
SHA-256 0e67de28a99aec1d2e3c4592b42f04e86084129f58f3d338b572fdc5b7064899
frontend-dist.zip #
Algorithm Checksum
SHA-1 67843f34745d4983da001ca158c0fa6aba814427
SHA-256 f0cb536946117068f26845eee89975e4d7feac0b7c806bae505172e85bfadf76
Software Bill of Materials (SBOM) #

v4.6.1 #

October 13, 2022 patch

Fixes:

  • Resolved defect that caused policy name and violation state to not be displayed in the violations audit tab - #2043

For a complete list of changes, refer to the respective GitHub milestones:

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 f3c8e2007f2795b12f438b6b9318c4d5c448fa0b
SHA-256 e293756b5e27d6c3213dfbeead946bf220d278d418c817c74a81fda395764977
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 da0d27cd635de292bcae112c816b97c1b1d50107
SHA-256 0a8530aab97bedbc33575a5ff18677eef1bcc555bb038150229bc5147c7ef522
Software Bill of Materials (SBOM) #

v4.6.0 #

October 11, 2022 major

Highlights:

  • Vulnerability Aliases. By ingesting data from multiple sources of vulnerability intelligence, there will be cases where different advisories describe the same vulnerability. For example, CVE-2022-31197 and GHSA-r38f-c4h4-hqq2 describe the same defect, yet their descriptions and risk ratings differ. Dependency-Track 4.6 now recognizes when multiple advisories alias each other, and includes this information in notifications and REST API responses. Aliases will additionally be considered when calculating portfolio metrics, so that duplicate vulnerabilities do not skyrocket the risk scoring. Further improvements to aliases will be coming in future releases.
  • OSV Integration (Beta). Dependency-Track now optionally mirrors vulnerability intelligence data from the Open Source Vulnerabilities database (OSV). OSV normalizes and enriches data from multiple other vulnerability databases. Mirroring can be limited to a configurable selection of ecosystems.
  • New Policy Conditions.
    • Using the tag condition, policies can be restricted to projects with certain properties or priorities (e.g. high-risk, internet-facing, etc.)
    • Using the CWE condition, policies can assist in prioritizing findings of certain weaknesses
    • Using the component hash condition, policies can be used to flag usage of malicious or tainted packages
  • Performance. Various improvements, most prominently regarding metrics updates. Organizations, especially those with large portfolios of multiple thousands of projects, will see a drastic reduction in runtime and resource usage.
  • Observability. By exposition of system metrics via the Prometheus text-based format, operators can now monitor their instances using Prometheus, Grafana, or other compatible observability stacks. Metrics exposition is optional and must be enabled, refer to the monitoring documentation for details.
  • Customization. Users with advanced customization needs can now create and modify notification templates, as well as specify custom intervals for recurring tasks. Refer to the notifications and recurring tasks documentation for details.
  • Authentication for Internal Repositories. Dependency-Track can now authenticate with artifact repositories like Nexus Repository Manager or Artifactory to fetch information about internal artifacts.

Features:

  • Added support for authentication with internal package repositories - #881
  • Added support for configuration of recurring tasks intervals - #1542
  • Added support for policy violation badges - #1690
  • Added support for disabling alerts - #1173
  • Added support for CWEs in policy conditions - #1768
  • Added support for component hashes in policy conditions - #1775
  • Added support for tags in policy conditions - #1565
  • Added support for fuzzy CPE matching - #1799
  • Added support for notification publishing via Mattermost - #1702
  • Added support for reimporting findings to an existing DefectDojo test instead of creating a new test upon each upload - #1622
  • Added support for ingesting and displaying component author information - #1726
  • Added support for vulnerability aliases - #1912
  • Added support for custom notification templates - #275
  • Added experimental OSV integration - #931
  • Added support for Prometheus metrics exposition - #1796
  • Refactored metrics update functionality to be faster and more efficient - #1704
  • Upgraded to Java 17 - #1804
  • Removed source maps from frontend production build - #192
  • Added name of the authenticated user to the profile menu in the UI - #167
  • Added support for performing cross-site frontend requests with cookies - #156
  • Added columns for CVSS and EPSS to the component vulnerabilities view - #1948
  • Added listing of affected projects to email notification templates - #2005

Fixes:

  • Resolved defect that made it impossible to delete a project when assigned to a policy - #1852
  • Resolved defect related non-thread-safe usage of the internal Lucene search index - #1791
  • Resolved defect that caused the subject of email notifications saying null in certain situations - #1818
  • Resolved defect that caused the VulnDB analyzer failing to mark components as vulnerable - #1780
  • Resolved defect where the affectedComponents field of vulnerabilities would not be populated - #1766
  • Resolved defect that caused vulnerability details taking too long to load - #1765
  • Resolved defect that caused an internal server error when uploading a VEX document via HTTP PUT - #1836
  • Resolved defect that caused an internal server error when creating a vulnerability without CWEs - #1664
  • Resolved defect that caused an internal server error when submitting analysis details with more than 255 characters - #1661
  • Resolved defect that caused an internal server error when importing a SaaSBOM - #1790
  • Resolved defect that caused NVD mirroring notifications not working correctly - #1429
  • Resolved defect that caused VEX import not ingesting analyses for internal vulnerabilities - #1692
  • Resolved defect that caused excessive memory utilization when identifying internal components - #1947
  • Resolved defect that caused wrong project tags to be displayed after switching versions - #188
  • Resolved defect that caused component licenses to not be displayed on some occasions - #223
  • Resolved defect that caused horizontal scroll bars to be displayed unnecessarily in the UI - #248
  • Resolved defect that made it impossible to provide component hashes in uppercase - #1174
  • Resolved defect that prevented vulnerabilities in PHP components to be identified based on GitHub Advisories data - #1998
  • Resolved defect that caused a NumberFormatException to be thrown when resolving CWEs for findings - #2029
  • Resolved projects search filter not working when viewing projects by tag - #405
  • Resolved notifications with group NEW_VULNERABLE_DEPENDENCY not working at all - #1611
  • Resolved multiple minor UI defects related to API key management - #240
  • Resolved UI defect that caused vulnerability details not being displayed when only the CVSS vector, but not the scores were returned by the API - #239
  • Resolved UI defect that caused an incorrect tooltip being displayed for the email field in the email configuration test modal - #161
  • Resolved UI defect that caused the policy management view to not be updated when restricting a policy to a project - #169
  • Resolved UI defect that caused input fields losing focus after saving - #98

Security:

  • Fixed a defect that could cause API keys to be logged in clear text when handling API requests using keys with insufficient permissions - GHSA-gh7v-4hxp-gqp4

Upgrade Notes:

  • The new baseline Java version is 17 (#1804)
    • Java versions later than 17 may work as well, but haven’t been tested
    • Users deploying DT via executable WAR will need to upgrade Java accordingly
    • Users deploying DT via containers don’t need to do anything
  • The embedded H2 database has been upgraded to major version 2
    • Manual upgrade steps are required, refer to the H2 v2 migration guide
    • Without the manual migration, Dependency-Track 4.6 will not work with H2 databases created by earlier versions
    • Reminder: H2 is not, and never has been, supported for production usage
  • With #1429, handling of notification levels has changed
    • Previously, an alert with level ERROR would trigger on notifications with levels ERROR, WARNING, and INFORMATIONAL
    • Now, an alert with level ERROR will only trigger on notifications with level ERROR
    • An alert with level WARNING will trigger on notifications with level WARNING and ERROR etc.
    • The new behavior is similar to how structured logging libraries work
    • This change primarily affects notifications of the SYSTEM scope, which are used to report statuses of various tasks, e.g. DATASOURCE_MIRRORING
    • Notifications in the PORTFOLIO scope (e.g. NEW_VULNERABILITY) all have the INFORMATIONAL level
    • Users who configured alerts with scope PORTFOLIO and level ERROR should change the level to INFORMATIONAL after the upgrade

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release.
Special thanks to everyone who contributed code to implement enhancements and fix defects:

@AbdelHajou, @awegg, @dGuerr, @k3rnelpan1c-dev, @maaheeb, @officerNordberg, @rbt-mm, @rkg-mm, @s-spindler, @sahibamittal, @stephan-strate, @syalioune, @tmehnert, @yangsec888

dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 e40fb14764fb5eb9fcd654472434c3701c44f208
SHA-256 29d422816b593ddef89b07e9bc1c72a5cfb141eaea4a1d59615309089bab03ea
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 9e1b283c442e1bfb2c5c4ea23b1a1590cf7afc5d
SHA-256 1e6ba17e6dc1f6422826a020ece5ec6ae2bef1aa9ae563f57653ed6bc0944f14
frontend-dist.zip #
Algorithm Checksum
SHA-1 0f8967a4f777d33fd285d7fe8786f08690ffedd9
SHA-256 14791981d23850b72e39cee8c6378c6e25de0f8f5ee46b5c244c28bd6262db9a
Software Bill of Materials (SBOM) #

v4.5.0 #

May 18, 2022 major

Features:

  • Added support for consuming VEX - #1387
  • Added support for management of internal vulnerabilities - #96
    • Added new VULNERABILITY_MANAGEMENT permission, which is required to create, edit and delete internal vulnerabilities
  • Added support for EPSS - #1178
  • Added support for notifications on policy violations - #1396
  • Added support for fetching projects by classifier - #1185
  • Added support for multiple CWEs being assigned to vulnerabilities - #1467
    • API, FPF and notifications now include an additional JSON array field cwes
    • The cwe field is still supported, but deprecated, and will be removed in a later release
  • Added new VIEW_POLICY_VIOLATION permission that grants read-only access to policy violations and the audit trail - #1433
  • Added ability to modify specific project fields via PATCH requests - #1586
  • Grant access to the team that created a project via BOM upload when portfolio ACL is enabled - #1529
  • Improved resource efficiency of portfolio metrics updates - #1481
  • Reversed order of NVD feed downloads so that latest vulnerabilities are loaded first - #1557
  • Included policy violation analysis in daily portfolio analysis - #1492
  • Added OIDC setup example for Azure AD - #1564

Fixes:

  • Resolved defect where the VULNERABILITY_ANALYSIS permission was required to see policy violations - #126
  • Resolved defect where audit trail entries were generated for Justification and Response, even though they didn’t actually change - #1566
  • Resolved defect where vulnerabilities from GitHub Advisories could not be matched with Go modules - #1574
  • Resolved defect where filtering projects by tag would ignore the active / inactive filter - #1501
  • Resolved defect where NVD mirroring could not be enabled - #1576
  • Updated URL of the Atlassian package repository - #1568
  • Resolved multiple defects in calculation of portfolio metrics - #1530
  • Resolved defect where incomplete NVD data could be mirrored - #1480
  • Resolved defect where portfolio changes wouldn’t immediately be reflected in results of the search API - #1605
  • Resolved defect where policy violations of type Security would not be displayed - #91
  • Resolved defect where analysis justification and response would be reset when suppressing a finding - #140
  • Resolved defect where the analysis status of policy violations would not be displayed - #130

Security:

Upgrade Notes:

  • The nist directory inside the Dependency-Track data directory will be deleted upon upgrade. This will force the NVD to be downloaded and reprocessed.
  • Users and teams with POLICY_VIOLATION_ANALYSIS permission are automatically granted the VIEW_POLICY_VIOLATION permission during the automatic upgrade.
  • Location of config.json in the frontend container changed from /app/static/config.json to /opt/owasp/dependency-track-frontend/static/config.json
dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 8db4707e3458b122e73cce92e7dc143c115db962
SHA-256 0c3d75501a0545f90e862aa0e2920f0c6146abcd436983531de7757ff294f568
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 984aafe85ac2dc361f9b0adf3c26d99decbab641
SHA-256 360176e810072b9ad393ba4f36e261c333ba45f4a662fe6b180e7481d70a14e1
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.4.2 #

March 04, 2022 patch

Features:

  • Added advanced configuration options for controlling outbound HTTP connection timeouts - 1431

Fixes:

  • Resolved defect that resulted in a server error when suppressing a vulnerability - 1409

Security:

Upgrade Notes:

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 172f569eb85f1182500571a160b134e8b1005ebf
SHA-256 5869df68cd29d48366d653a697bc198e0f3396c2897cd4a668743fc7157fb8df
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 49e73a820426a39ab83e6ec2a12f1c24e198a144
SHA-256 d1570efdb61f7a2aa264f8103f6285e5330818087d3c54456e1b5335a3ca681f
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.4.1 #

February 18, 2022 patch

Features:

  • Fixes:
  • Resolved defect where the automatic upgrade failed on Microsoft SQL Server databases

Security:

Upgrade Notes:

  • For MSSQL users only: If an upgrade to v4.4.0 was previously attempted and no rollback was performed yet, the following SQL statement must be executed before launching v4.4.1: DELETE FROM "PERMISSION" WHERE "NAME" = 'VIEW_VULNERABILITY'
dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 9d6f20709009193540c4c152f0c0757d3b26bd5e
SHA-256 c3eaeee440bfd1a734fb009983c97792407b107d64d4e9035a179b9b27c8ca49
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 ebadb4576ea419eb42807f5ef2bedb572de02df0
SHA-256 e7b5e0ac00bc0e1021dc7a6571e02392c6854b12bba2ceea543c3959b7572524
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.4.0 #

February 17, 2022 major

Features:

  • Expanded vulnerability auditing and BOM export capabilities to include Vulnerability Exploitability Exchange (VEX) - #1365
  • Added Download BOM option to frontend supporting inventory, inventory with vulnerabilities, and vex - #1365
  • Added support for GitHub Advisories as a source of vulnerability intelligence - #1225
  • Removed legacy support for NPM Advisories and NPM Audit - #1225
  • Added support for CycloneDX external references to component details - #920
  • Added new VIEW_VULNERABILITY permission that grants read-only access to project vulnerabilities and the audit trail. The permission also grants access to the findings API.
  • Added support for ARM64 (including AArch64) container images - #1213
  • Added Dependency-Track SBOMs for frontend and API Server to /.well-known/sbom - #1363
  • Added API endpoint for teams/self specific to API key principals - #861
  • Added support for Cisco WebEx as a target for alerts and notifications - #1170
  • NVD feed location is now configurable to support mirrors - #1274
  • Added support for OSS Index external references to increase CVE association - #1197
  • Added separate log events for “invalid username/password” and “account locked” - #1189
  • Added i18n support for vulnerability audit states - #946
  • Added policy violations column to projects page - #94

Fixes:

  • Resolved defect where the project a component belongs to may not be returned in API response - #1227
  • Resolved defect where notifications limited to specific projects weren’t properly limited - #1150
  • Resolved NPE in GoModulesMetaAnalyzer when a component without group was analyzed - #1220
  • Add workaround for OSS Index ignoring the component version when prefixed with v - #1220
  • Resolved OIDC post-login redirects for identity providers that do not support custom parameters in the redirect_uri parameter - #113
  • Resolved defect that produced JDOObjectNotFoundException on heavy loads - #1168
  • Optimized performance of VulnerabilityAnalysisTask that previously caused high load - #1212
  • Resolved defect that prevented vulnerability identification for some hardware devices - #1320
  • Updated docker-compose.yml to include correct CORS configuration - #1325
  • Resolved incompatible dependency issue with VulnDB integration - #1349
  • The upload button in the UI is now deactivated until a file is specified - #86
  • Resolved issue where tooltip in UI graphs may not be displayed - #92
  • Resolved issue where v in some ecosystem versions caused issue with analysis - #1243 #1220
  • Resolved issue with BOMs containing UTF-8 byte order markers where rejected as invalid - #1214
  • Resolved issue where consuming a BOM with zero components would not trigger a metric update - #1183

Security:

Upgrade Notes:

  • Users and teams with VULNERABILITY_ANALYSIS permission are automatically granted the VIEW_VULNERABILITY permission during the automatic upgrade.
dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 c81d753ce4376cee1ae4d2a8cf9710a9b8ceee45
SHA-256 31e685e79b658f661ce28f8c5cbc96906d23d408a2ade70ff7e7a8e20f054972
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 2b15b51c64938997ec9fbcf66054436064d9ef23
SHA-256 c45835bc09ffe30c3b8ab675267259120230992bc984348293ae32b28ce1b54c
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.3.6 #

September 20, 2021 patch

Features:

Fixes:

  • Added missing policy violation analysis on projects with empty component list #1183

Security:

  • Added additional audit logging for login attempts where the account has been locked out #1189

Upgrade Notes:

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 d41721f52bfb17c9ba507a1ac01532071643d8ac
SHA-256 83f0bc7199677e3f6f84a76673b936ca73a6b8f54d5cb7cf181f77d548d47a6b
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 31fb39d8fecb6ec1e5c02d0fdede7a3e7e1cd952
SHA-256 3b0d1905291cf74af8f9e3bd81366d2b6c278ffe4b3940c0bb649871f6dfd15d
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.3.5 #

September 20, 2021 patch

No changes in this release.

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 d13ea84585009e70da2745690f4580b8db2a6e75
SHA-256 5334a13a5cc0662986d1643463c22bd6a7f3875165ad89296e2f9704b51acec5
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 2aee316ac07c5941a7ba734c30bec4f517cc2df1
SHA-256 3053e47cee828f459bede221159d68a61294670c3aed0720901273c7f3091256
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.3.4 #

August 31, 2021 patch

Features:

Fixes:

  • Logic issue that causes inconsistent vulnerability findings when uploading the same BOM to different projects - #1176

Security:

Upgrade Notes:

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 813e3a7207e47a7ee6769a1e74b040942f8995b5
SHA-256 1f8bae644dc6982933ec080167d90a66d8090055d75aad7e924a91a9cb8783c8
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 11db7cb3cf83b4e0d6ac121061b42d3f7e3c2c4e
SHA-256 f6a2012a352294371e8396396e4659789c43c40931ada0d89e5c17352de0d1f1
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.3.3 #

August 20, 2021 patch

Features:

Fixes:

  • Persistence issue related to manual server-side pagination that may cause JDOObjectNotFoundException: No such database row - #1059
  • Persistence issue that may result in ‘unknown’ project names for affect projects in the UI - #1154
  • Updated frontend to v4.3.1 which includes minor fixes and dependency updates

Security:

Upgrade Notes:

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 e28bc741856904115e54dd5bf2ef09addde011e8
SHA-256 b748e9b43a25068dc5096f5a68d2e21d5450fca1d3805350042a566c4506d2ba
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 e884e3e32e18ff608837cc2d33b1d1760a00d0c7
SHA-256 05b87a43da078a684126f752d83a8da7488a8c02ef6d9ae9d3f0b347baec1832
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.3.2 #

August 07, 2021 patch

Features:

Fixes:

  • Resoled an issue with portfolio access control where a user belonging to multiple teams will not have access to the aggregate of all projects or components they’re permitted to - #1132

Security:

Upgrade Notes:

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 9746e03d0bd7dc02ca1d94aa29a6445144fb7589
SHA-256 283282536ec276bf048428fc02aee119ff9e42f995c67cf169e2bd2a7a92cd31
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 1cb384c6f5fc457cddbb93c55b7188cf5b446f6f
SHA-256 cbab1409dc262d461db99587bd99fe6b0677fde36414b3c6c965b14640aec29b
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.3.1 #

August 03, 2021 patch

Features:

Fixes:

  • Resolves an issue introduced in Datanucleus 5.2.8 that lead to invalid SQL generation on Postgres databases - #1129

Security:

Upgrade Notes:

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 6c188379b93f2b4052bb73649608db69175b0efc
SHA-256 6008b32cc3cf6b13d0e7efaff335290102580bd6b518f50d630b99280a9b5538
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 9ff235da5d4b6fb9e9fe4b6762c5dfa8d83073e9
SHA-256 a64885b7146e7b74e0099a691781ef6417f094fd7424768cf25a86a7de642b00
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.3.0 #

August 02, 2021 major

Features:

  • Implemented Portfolio Access Control (beta) - #140
  • OpenID Connect: Source user claims from /userinfo and ID token - #1008
    • Resolves an issue where some IdPs would provide specific claims only in one and not the other of the two
  • Added Go Modules repository support
  • Added timeout for idle transactions - #941
  • Components with missing or unknown license are now evaluated against policy condition - #1105

Fixes:

  • Resolved issue where active projects could only be displayed when showing inactive projects - #963
  • Resolved high load issues with Postgres while simultaneously increasing performance for all database platforms - #1026
  • Resolved issue with OSS Index where PURLs without a version will lead to scan failure - #1115

Security:

Portfolio ACL logic has been implemented. In its current form, Portfolio Access Control is a beta feature in v4.3. As a result, the project will not treat bypass or absent ACL logic as a security defect. There are a few known gaps in ACL logic that will exist in v4.3. These gaps are tracked in #1127.

ACL logic covers:

  • /v1/bom/*
    • Uploading SBOMs to projects or exporting SBOMs from projects or components
  • v1/component/*
    • CRUD operations on components
  • /v1/finding/*
    • Security findings for projects and components
  • /v1/metrics/*
    • Project and component metrics
  • /v1/project/*
    • _RUD operations on projects
  • /v1/service/*
    • CRUD operations on components
  • /v1/violation/*
    • Project and component policy violations
  • /v1/vulnerability/*
    • CRUD operations on vulnerable projects or components

The user interface clearly states that Portfolio Access Control is beta. By default, Portfolio Access Control is disabled.

Upgrade Notes:

  • OpenID Connect: The client ID of the frontend has to be passed to the API server via the alpine.oidc.client.id property
    • Required for the API server to be able to validate ID tokens. Refer to the OIDC documentation for details.
  • Removed legacy support for SPDX (RDF and tag/value) - #1053
  • Removed legacy support for the traditional WAR (was previously deprecated and unsupported) - #1070
dependency-track-apiserver.jar #
Algorithm Checksum
SHA-1 1c19a467705631c3c4449fa3f95c9d4a73d26caa
SHA-256 34e0cc69eb6934d9e25573d29870cefce75d07d97fb06d58e8830f566256e1dc
dependency-track-bundled.jar #
Algorithm Checksum
SHA-1 3e3a9edb9a9077fc5e2b2634f5967d1a61b0e1cb
SHA-256 78c5a7acf02d5d5f7231c444fdc58b38f12ebec20453c51106200ca0d644b387
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.2.2 #

May 07, 2021 patch

Features:

Fixes:

  • Resolved issue originating from changes in the NVD JSON feed which prevented the identification of vulnerabilities by a components CPE. (#1018), (#1033)

Security:

Upgrade Notes:

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 60a87ecafd9ba4b0ba119a65e1a041b0c5f576ea
SHA-256 bd20dbee794fa0c37c345526204058dbfbdd734acaf257783f9cb47e2cf17c63
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 748b3fbf89efb61d29a468e3cd1c90bfcaeb3c4e
SHA-256 93948be57b0e7864b872a2869c840c50bf9f2b3d1e9cc75794abea4c53038851
dependency-track.war #
Algorithm Checksum
SHA-1 35b61e4309303a7ad605c21cfa5eddcbabcfa15f
SHA-256 965508b98df6701ffea13ec9bcfb2f3d8a7e14eba95a68f5c266a2b75b1db109
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.2.1 #

March 20, 2021 patch

Features:

Fixes:

  • Resolves an issue in OIDC support where “email” could not be used as the username claim

Security:

Upgrade Notes:

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 92a0e935c7d4309e67fc7eb149191d96a1635c8b
SHA-256 80cc253d05ccb91aa432667bf7d418bc8327f82b1dfe770aec71c434d0ecd308
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 930d89d1a37e85130a6603969f30253fe842a6e0
SHA-256 2b27c6f1918a897f22b48542010611c67fa137f399521a45c900ee59120b81c5
dependency-track.war #
Algorithm Checksum
SHA-1 7a3061da05f67fd4f98b149eeb6d588389d1b202
SHA-256 06da5d59c8404f31d3497d163a2d3fe75f35af50374339315c6161dd0b989637
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.2.0 #

March 17, 2021 major

Features:

  • Added support for capturing dependency graphs from CycloneDX SBOMs
  • Added dynamic visualization of dependency graphs in user interface
  • Added support for services defined in CycloneDX SBOMs
  • Added support for CWE v4
  • Add support for version policy conditions and version comparisons in the coordinates condition (#390)
  • Detail modals for projects, components, services, and vulnerabilities now display the object’s UUID

Fixes:

  • Added support for Fortify SSC 20.1 and higher. This fixes a breaking change introduced in SSC 20.1
  • Added missing database index to increase performance when a large number of components are in the portfolio
  • Fixed multiple issues when cloning projects

Security:

Upgrade Notes:

  • OpenID Connect: To facilitate support for post-login redirects, the valid redirect URIs client setting in IdPs may need to be updated. Refer to the OIDC documentation for details.
  • The internal port the frontend container listens on has changed from port 80 to port 8080. docker-compose files may need to be updated to reflect this change. Updated compose files are available for download.
  • Starting with Dependency-Track v4.2, the API Server and the Frontend now have the same major and minor (semantic) version. Patch versions however, may continue to be unique.
dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 f1776e778405b5f6be2903d317463a74153c5319
SHA-256 a47a3073def269e810d53de781cd7c22620e94ca80df3f781d528a7a5fe4c779
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 c3c2f931cc4f835eddd0013a885e13c16f990ea9
SHA-256 7d61818c281c6540ff4273d4d4c5d9d6e63b86b55f13e92fca7ba2921613800c
dependency-track.war #
Algorithm Checksum
SHA-1 1634d6cf94761d3b0839f4b4a4d9fdd53d314ba6
SHA-256 792dc2adcc33c936629d014dacca8965d001bd1d236893df50dc88dc332d4d21
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.1.0 #

February 09, 2021 major

Features:

  • Added support for vulnerabilities in policy violations
  • Added Packagist (PHP Composer) repository support
  • Added Rust Cargo repository support
  • Added integration support for DefectDojo
  • Added the addition of a notes field for components
  • Updated Java requirements to Java 11

Fixes:

  • Fixed issue that prevented SWID tag ID from being persisted when BOMs were consumed
  • Added prevention that should detect future occurrences pagination of the NPM Advisory API not working

Security:

Upgrade Notes:

  • Support for Java 8 was dropped. API Server now requires Java 11
  • Downloading a CycloneDX BOM for a project now results in the IANA media types in the response header.

    application/vnd.cyclonedx+xml

    application/vnd.cyclonedx+json

dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 ed951e6a1db32b5541b646f7595cce28345c816d
SHA-256 e459525d279abef75f0d6cef756636503b1040939778df14decaaca65d284db1
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 669955757d9f5fe1e145ac61e761358986697b3d
SHA-256 a33f70500087fc6cfa9ffdeba1ac20de474ba28c1572f85337f04765e961f66c
dependency-track.war #
Algorithm Checksum
SHA-1 a2ab12792eebcf420e6f0b07baa4a49bce5e0082
SHA-256 c47fa7e5c2049e1f677b552838b7b5ee6971dfdee942f2e3ce1f0aa708a9dfaa
Software Bill of Materials (SBOM) #

bom.json bom.xml

v4.0.1 #

January 12, 2021 minor

Fixes:

  • Fixes issue that resulted in policy violations being returned for all projects rather than the project for which the query is made for.
dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 5fb224978c700f5c38d49527669da262a324a9be
SHA-256 d46594ec65c0a30b645eb13419bdc36df41cc6d71053b8bb9efdee80d4de7b99
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 d9275f0b660b54205ec811c0d0cab9f584ba2a91
SHA-256 89e155529036c5f8eb977f0c611eac2abc9496c55d2c49dd4dec14dbc5acb431
dependency-track.war #
Algorithm Checksum
SHA-1 59b571d0b1ee97a12342938d0d3b17b287c86ad4
SHA-256 a54b564123873ea3c2378c2dce5a9ecf0000df6ee0721f9d3ddf0349ba4c575f
Software Bill of Materials (SBOM) #

v4.0.0 #

January 03, 2021 major

Features:

  • Flexible, project-centric data model
  • Added policy engine, configurable policies, policy evaluation, and auditing workflow
  • Added default license groups
  • Anonymous access to Sonatype OSS Index is now enabled by default
  • Component vulnerabilities are now attributed to the analyzers responsible for finding them
  • Added support for CycloneDX 1.2 and SPDX 2.2
  • Added component support for Blake2b and Blake3 hash algorithms
  • Added component support for SWID Tag ID
  • Projects now have identity, similar to components, and support coordinates (group, name, version), CPE, Package URL, and SWID Tag ID
  • Added support for firmware and container component types
  • When generating a CycloneDX BOM from a project or component, v1.2 of the spec is now produced
  • Updated SPDX license list to v3.11
  • Dropped support for NVD JSON v1.0 data feeds
  • Optimized NVD mirroring logic
  • Inactive projects are omitted from portfolio metrics
  • Updates to the notification email template for BOM consumed and BOM processed

Fixes:

  • Fixed issue with scoped NPM packages not being identified correctly
  • Fixed issue that failed to report new vulnerabilities on existing components
  • Fixed broken weakness (CWE) link on some vulnerabilities
  • Fixed failure on mail notifications when multiple addresses were configured
  • Fixed container healthcheck to specify use of no-proxy
  • Fixed issue where component descriptions in a BOM were not being saved

Security:

Upgrade Notes:

  • The Dependency-Track v4 data model is incompatible with previous releases. As a result, it is not possible to simply upgrade as with previous versions. A data migration is required to update from 3.8 to 4.0. The migration is a standalone set of scripts that must be executed against the database in order to migrate the data to the new model. Refer to the official v3.8.0 to v4.0.0 Migration Project for more information.
  • Four Dependency-Track distribution variants are provided. Refer to Distributions for details.
  • The traditional WAR distribution is deprecated and no longer supported. It is still being produced as of this release but will be discontinued in a future release.
  • Docker images have been moved from the OWASP organization on Docker Hub to a dedicated Dependency-Track organization.
  • The FrontEnd requires deployment to the root (“/”) context. Deploying to any context other than root is no longer supported.
  • Some APIs have changed as of this release. APIs that were specific to the global component model have been removed. APIs that referenced a ‘dependency’ in the model have changed. Components are now assigned directly to projects themselves, thus eliminating the need for ‘dependency’ objects in v4.
  • The MySQL Connector distributed with the Docker image has been updated to version 8.0.22. When using MySQL, ALPINE_DATABASE_DRIVER_PATH has to be set to /extlib/mysql-connector-java-8.0.22.jar. Note that ALPINE_DATABASE_DRIVER may need to be updated as well. Refer to the official upgrading instructions.
  • The Postgres driver distributed with the Docker image has been updated to version 42.2.18. When using Postgres, ALPINE_DATABASE_DRIVER_PATH has to be set to /extlib/postgresql-42.2.18.jar.
dependency-track-apiserver.war #
Algorithm Checksum
SHA-1 9124352542544c5662d3ebf34d951e61f08ff231
SHA-256 6b6b8d608b467da087fb7ebe12fb6bbb2a418d97168baa186b1320fdb3b49a91
dependency-track-bundled.war #
Algorithm Checksum
SHA-1 9a4f516e5fcd6eae117465732e3dcaa69227d238
SHA-256 2e66976b5f890186e64255484f262564e23e8a3ce482769374959c7ddc55c42c
dependency-track.war #
Algorithm Checksum
SHA-1 a489586be032890ec6cddc5ec839da57026837a7
SHA-256 152819d9b80377f6b672fbdc6448d7ea250f3bba43c479c335404faa700d9b24
Software Bill of Materials (SBOM) #

bom.json bom.xml

v3.8.0 #

March 22, 2020 major

Bundled frontend: v1.0.0

Features:

  • New user interface based on Vue.js and Bootstrap.
  • User interface can optionally be deployed and upgraded independently of the Dependency-Track server.
  • Package repositories are now configurable.
  • Package repositories can now be identified as ‘internal’. Components identified as ‘internal’ will be analyzed using internal repositories.
  • Added additional logging and notifications for OSS Index and NPM Audit analyzers.
  • Added the ability to publish system notifications when vulnerability analyzers encounter communication or other errors.
  • Added several occurrences of counts for various items throughout the UI.

Fixes:

  • Corrected the percentage value of findings audited.
  • Fixed URL to Maven Central which prevented the MavenMetaAnalyzer from retrieving component metadata.
  • Changed logging behavior when internal components are identified.
  • Improved accuracy of internal CPE analyzer which may have lead to false negatives in some situations.
  • Fixed issue where the CPE value defined in a BOM was not being persisted if the component previously existed.
  • Fixed issue which prevented the HexMetaAnalyzer from executing preventing it from retrieving component metadata for Erlang or Elixir components.

Security:

  • All Dependency-Track server releases now include a complete CycloneDX software bill-of-materials.
  • Added missing permission checks to repository API endpoints.

Upgrade Notes:

  • The nist and index directories inside the Dependency-Track data directory will be deleted upon upgrade. This will force the NVD to be downloaded and reprocessed and the indexes to be rebuilt.
  • The internal vulnerable software dictionary, generated automatically from the NVD, will be wiped upon upgrade. This will take several minutes to complete and should not be interrupted.
dependency-track-embedded.war #
Algorithm Checksum
SHA-1 091627dfa144a1313bf9090d8f67b4760e635b23
SHA-256 56674c40da9dc4277b6c8238d0dc6cc28bdf3b4cc51b7b845606b1a2c149070b
dependency-track.war #
Algorithm Checksum
SHA-1 1db04afbc1b66421dd6fe0db816ec14362b895d1
SHA-256 9fd73c4ea24352b6165106c1d5a1b88bd43ea9e6ba0e15a733a217a59d7bd268
Software Bill-of-Materials (SBOM) #

bom.xml

v3.7.1 #

January 07, 2020 minor

Features:

  • Added additional debug logging to metric update tasks

Fixes:

  • Fixed portfolio metrics issue that allowed multiple operations to be executed simultaneously leading to performance degradation
dependency-track-embedded.war #
Algorithm Checksum
SHA-1 5cd02dc5c6ca8aba3cea1ad5ad03d039ecdd757c
SHA-256 f80f527d96692a45f3bba86849551debf4b407bd880f104b890912975cc865ca
dependency-track.war #
Algorithm Checksum
SHA-1 766d5394ce7a5a0e08c96a55930adc3377897d99
SHA-256 4e6233013af574585d93dd99586455a810ea434c3bc5da95e53aad45751f5bc2

v3.7.0 #

December 16, 2019 major

Features:

  • Application context is now configurable in the Docker container
  • SVG badges may now be retrieved via the project name and version
  • Added Hex repository support for Erlang, Elixir, and other BEAM languages
  • Added configurable support for defining components as internal which are not subject to external analysis
  • Increased CPE analysis precision for components with CPEs containing a value in the update field

Fixes:

  • Fixed defect in /api/v1/project that returned a server error if the ‘name’ parameter was specified
  • Fixed defect resulting in invalid gzip response body when Accept-Encoding was not specified
  • Fixed defect resulting in licenses not being loaded if Dependency-Track is deployed to a directory containing a space
  • Changed behavior when parsing an invalid CPE to display a single line warning rather than the full stack trace
  • Fixed defect resulting in a project not being able to be deleted when that project was part of a notification rule
  • Fixed encoding issue affecting project names containing special characters

Security:

Upgrade Notes:

  • Support for consuming Dependency-Check v4.x XML reports has been removed
  • The following can safely be (optionally) dropped upon a successful upgrade (consult log):
    • Tables:
      • SCANS_COMPONENTS
      • SCAN
    • Columns:
      • LAST_SCAN_IMPORTED (in PROJECT table)
dependency-track-embedded.war #
Algorithm Checksum
SHA-1 e946c65ec0ff5ba12e843789b917caab635bfe62
SHA-256 bd02a522a8c9beeb8dd7964f07eb27a7a02ce8bbf6a7c8af3378bb26fc98a087
dependency-track.war #
Algorithm Checksum
SHA-1 22da81fb91b5641fcb805c74063c11e521fe0ad4
SHA-256 9207e25b19d34b57804f25e9881e663ebb56333520b039c5ccfd93209295b0a1

v3.6.1 #

October 01, 2019 minor

Fixes:

  • Fixed issue that prevented upgrades to 3.6.0 when using Microsoft SQL Server
dependency-track-embedded.war #
Algorithm Checksum
SHA-1 f18f248d2601878b3d437e3c6539311dc4a31c47
SHA-256 b24cc49e8483c4841d6bc3efa9c1f944836a9524028960ee463ae4db7dac7c02
dependency-track.war #
Algorithm Checksum
SHA-1 b758993e26f812494ca0191e7ad39037f2cd79ea
SHA-256 da128b3602ea4e0214558074abd3df30201e7d858b79a7abb5065d358db19b40

v3.6.0 #

September 28, 2019 major

Features:

  • Added configurable option to enable/disable BOMs based on format (CycloneDX enabled by default)
  • Added support for the official CPE v2.3 dictionary and vulnerabilities with CPEs of affected products
  • Added ability to identify vulnerabilities in components solely by their CPE
  • Added full support for VulnDB as a source of vulnerability intelligence
  • Added support for SVG badges
  • Added additional logging during metrics updates
  • Docker container now supports Kubernetes and OpenShift
  • Docker container now has configurable support for specifying logging levels
  • Added Inherited Risk Score to project list view with the ability to sort on risk score
  • Added an ‘active’ flag to projects with the default behavior of hiding inactive projects
  • Added BOM_CONSUMED and BOM_PROCESSED notifications which can optionally deliver BOMs via webhooks
  • Added support for last BOM imported including the BOM type and version
  • Added an API to lookup a project by its name and version
  • Added analysis interval throttle to prevent repeated analysis requests for the same components
  • Slack and email alerts now contain links back to Dependency-Track
  • Added support for Java 11

Fixes:

  • Fix for GLOBAL_AUDIT_CHANGE not including affected projects
  • Fixed issue that prevented Dependency-Track for working with non-default URL contexts
  • Fixed intermittent persistence issue resulting in NPE in BomUploadProcessingTask
  • Fixed issue resulting in incorrect percentage audited on project findings
  • Fixed OSS Index analyzer in response to the URL changes from ossindex.net to ossindex.sonatype.org

Upgrade Notes:

  • Support for SPDX BOMs and Dependency-Check XML reports are disabled by default
  • Replaced embedded Dependency-Check library with internal CPE analyzer
  • Dependency-Track no longer mirrors XML data feeds from the NVD
dependency-track-embedded.war #
Algorithm Checksum
SHA-1 6cd17d5a31472f7f60e674e2d7fc2e3050085808
SHA-256 bbb72fa3b6246b7afa7c22b103f0c85daf82565a38ae12973043775e6b27fd6e
dependency-track.war #
Algorithm Checksum
SHA-1 f7b88825dbaf8b837977954f5a7e506952ed8361
SHA-256 a1d0d308a46d30399e9ff9a0334fe3be70345aa12c30c0d1d6bfccdcafe062e2

v3.5.1 #

July 17, 2019 minor

Fixes:

dependency-track-embedded.war #
Algorithm Checksum
SHA-1 aafdfa3142dc478b95f1d6ffc268b2a1832ccb29
SHA-256 73bbe06a22f84ce7b099da3c552e267c980f0f8c58ca6cccdd3eaa210bfe9b6c
dependency-track.war #
Algorithm Checksum
SHA-1 cf71dbf7ae697038d6a42485f14991f343ffdeff
SHA-256 271705e72e94e9f9fb36159ea110a05ff465c4d1f2572a89570774e57c08a247

v3.5.0 #

June 07, 2019 major

Features:

  • Improved performance, reliability, and quality
  • Added support for importing CycloneDX v1.1 BOMs
  • Added additional logging and enhanced logging configuration
  • Added configurable CORS support

Fixes:

  • Numerous. The majority of known defects have been resolved

Upgrade Notes:

Two new LDAP properties were introduced in v3.5.0 that affect LDAP configuration. The properties are:

  • alpine.ldap.groups.search.filter
  • alpine.ldap.users.search.filter

Refer to Configuration and Deploying Docker Container for details.

Additional properties introduced in this release are:

  • alpine.database.pool.enabled
  • alpine.database.pool.max.size
  • alpine.database.pool.idle.timeout
  • alpine.database.pool.max.lifetime

Under most situations, changing these values is not recommended and may introduce unintended consequences. One important change introduced in this release is the default value of alpine.database.pool.max.lifetime has changed from 30 minutes (in previous releases) to 10 minutes.

dependency-track-embedded.war #
Algorithm Checksum
SHA-1 7d66f0530d74ff9bc0de628d5e76b5ee6ed6ead7
SHA-256 8bbf820fde7843a680fd51eed831aeddd61507f5420abb68b46859168cc98919
dependency-track.war #
Algorithm Checksum
SHA-1 0bb9a0737a36ebbcd88fe91ca595f12957e85583
SHA-256 143ed44988419ba84cc3956e602e297f025149f19faa65f32c0e8311b71fed5b

v3.4.1 #

April 16, 2019 minor

Fixes:

  • Fixed defect that caused high CPU consumption (via thread exhaustion) in some cases when NPM Audit was enabled.
dependency-track-embedded.war #
Algorithm Checksum
SHA-1 f8da8e34a3cabcf72b721488f5294710ff632bf6
SHA-256 72391cc636c2159ffc0c516f2001688129a3b6424164c98ce9045c0fd5c3219b
dependency-track.war #
Algorithm Checksum
SHA-1 1cdb5b6c5698229b21acbc610df77ec819ad5180
SHA-256 619e9ae00feb9f9723bef68981d32932d2d5cdf808b192619bf072d525224f5e

v3.4.0 #

December 22, 2018 major

Features:

  • Improvements to Findings API
  • Created Finding Packaging Format for the native exporting of findings
  • Added support for external integrations including:
    • Fortify Software Security Center
    • Kenna Security
  • Added repository (and outdated version detection) support for NuGet and Pypi
  • Updated SPDX license list to v3.3
  • Added support for identifying FSF Libre licenses
  • Updated Java version in Docker container
  • Docker container can now be fully configured with environment variables
  • Added Test Configuration button when configuring SMTP settings
  • Added logfile rotation with default 10MB cap (configurable)

Fixes:

  • Corrected issue that incorrectly returned suppressed vulnerabilities when queried for non-suppressed ones
  • Fixed issue that resulted in server/UI timeouts due to excessive license payload
  • Fixed NPE that occurred when the configured SMTP server didn’t require authentication
  • Added workaround for outstanding OSS Index defect where the service didn’t process PackageURLs containing qualifiers
  • Updated OpenUnirest which addressed configuration issue with library not honoring proxy server settings
dependency-track-embedded.war #
Algorithm Checksum
SHA-1 676e04e0ef002e371da3b5eab239b0ab55dffe57
SHA-256 006801f124d190e929ab7e6352adcc0bf89047259eff5a15cf4d54a01d7b402d
dependency-track.war #
Algorithm Checksum
SHA-1 15309c0818034ac99f603b52f242748b255818b9
SHA-256 624fa3e7f458b163a0bbb8f05ee7cb1cf052d6d4ea53ff2b43686dd55bb83135

v3.3.1 #

November 13, 2018 minor

Features:

  • Improved findings API to support a wider range of use-cases

Fixes:

  • When importing some npm dependencies (via Dependency-Check report), some modules would get misidentified causing an NPE
  • Fixed non-standard Java versioning schemes (such as Debian OpenJDK) that caused version comparison to fail
  • Corrected issue that resulted in suppressed vulnerabilities to be returned from a query as if they were not suppressed
  • Fixed issue preventing saving of SMTP settings with anonymous authentication

Upgrade Notes:

The format of the findings API has changed and will not be versioned. This API is used to present findings from the audit tab in the UI. If this API was being used outside the UI, please note that the response format has changed.

dependency-track-embedded.war #
Algorithm Checksum
SHA-1 f7a0fcf9568a765b9bb3cdf3465f475810c333e8
SHA-256 f5693cab665932c80e7056c37ed93bf61a1638e252e48e9c0717b8d0c4740ea4
dependency-track.war #
Algorithm Checksum
SHA-1 bfcf20a5cb87d562b781419f7b989c35ff67e390
SHA-256 91156bc404ab84a09e912302888ef06c52813764e88ad73039550a9ff2e82b91

v3.3.0 #

October 25, 2018 major

Features:

  • The ability to manually upload a CycloneDX or SPDX BOM from the user interface
  • Optional automated provisioning of LDAP users
  • Optional synchronization of team membership based on a users LDAP group membership
  • Added API that provides component metadata from a project in CycloneDX format
  • Added ability to track the progress of work performed when a BOM is uploaded
  • Added tracking of audited and unaudited metrics
  • Added ability to add new project version and optionally clone source metadata
  • Added ability to search by tag name when displaying projects
  • Added checksum generation when publishing a release (backported to 3.2.2)
  • The NSP Advisory API has been removed and replaced with the NPM Public Advisory API (backported to v3.2.1)

Fixes:

  • Fixed numerous LDAP compatibility issues
  • Added additional logging when BOM upload is not in a supported format

Upgrade Notes:

This release of Dependency-Track supports a wide range of LDAP implementations and has been tested with Active Directory, ApacheDS, Fedora 389 Directory, and NetIQ/Novell eDirectory. In order to ensure compatibility, some existing LDAP configuration properties have been changed.

# This property has been removed
alpine.ldap.domain
# This property now refers to the users DN
alpine.ldap.bind.username
# Format now applies only to the value of alpine.ldap.attribute.name. 
# Examples have been modified. A users DN is no longer a valid format.
alpine.ldap.auth.username.format
# New properties
alpine.ldap.groups.filter
alpine.ldap.user.groups.filter
alpine.ldap.user.provisioning
alpine.ldap.team.synchronization

See Also:

dependency-track-embedded.war #
Algorithm Checksum
SHA-1 413b47068dd1272f0ea6c4af67dc1465fcf10674
SHA-256 5632d6efa8c6ea2633bb767d09c73c4ee68e9319b638ce00da4c422f5123c906
dependency-track.war #
Algorithm Checksum
SHA-1 1a8dc64a7535375fdd4ff789eeb9d3635dcba019
SHA-256 96e20c0b72e3d8c460dfe3ce2b9aca72c6114492747db9afffca9784c64d23b9

v3.2.2 #

October 02, 2018 minor

Fixes:

  • Critical defect which may lead to duplicate or erroneous requests to NPM Audit API

Changes:

  • Added checksums.xml including SHA-1, SHA-256, SHA-512 checksums for traditional and embedded wars to GitHub releases.
dependency-track-embedded.war #
Algorithm Checksum
SHA-1 fead4ed834b4738b8c19c427ae57653f7af4a3b8
SHA-256 ee53ceacb07b0b0b4dfa88e2bdc2e905668f0dd6d42ca1000b3204d0a2ee1842
dependency-track.war #
Algorithm Checksum
SHA-1 defbb7a40bb12c3beacdeb43fb5fd325d226da50
SHA-256 c154f0f07c9875d602d3e1df93d93d617e83f350ef683bdb16eb193d03a86ea5

v3.2.1 #

September 21, 2018 minor

Features:

  • The NSP Advisory API has been removed and replaced with the NPM Public Advisory API

Fixes:

  • Processing and permission corrections to new multi-part BOM upload API
  • UI corrections for vulnerabilities with unassigned severity
  • Fixes for displaying and processing of vulnerabilities without CVSS scores
  • Minor changes to severity colour scheme

Upgrade Notes:

All previous NSP vulnerabilities will automatically be migrated to NPM vulnerabilities. No additional action is required. Unlike NSP vulnerabilities, NPM does not provide CVSS scores or vectors. Therefore all NPM vulnerabilities will no longer display the CVSS vector, or the base, impact, or exploitability scores and corresponding chart data.

v3.2.0 #

September 06, 2018 major

Features:

  • Configurable notifications of new vulnerabilities, vulnerable dependencies, analysis decision changes, and system events
  • Added Slack, Microsoft Teams, Outbound Webhook, Email, and system console notification publishers
  • Replaced NSP Check API with NPM Audit API
  • Added support for Sonatype OSS Index
  • Updated SPDX license IDs to v3.2
  • General improvements in logging when error conditions are encountered
  • Improvements to Dependency-Check XML report parsing
  • Added native CPE 2.2 and 2.3 parsing capability
  • Enhanced administrative interface with options for repositories and general configuration
  • Updated Java version used in Docker container

Fixes:

  • The audit table did not reflect the correct analysis and suppressed data
  • Added validation when processing Dependency-Check XML reports containing invalid Maven GAVs
  • Corrected issue with NVD mirroring affecting Docker containers and case-sensitive filesystems

Upgrade Notes:

  • The PROJECT_CREATION_UPLOAD permission was introduced in this release. Existing API keys that need the ability to dynamically create projects (without providing them full PORTFOLIO_MANAGEMENT permission) will need this permission added to their account or through their team membership.

  • The SYSTEM_CONFIGURATION permission was introduced in this release. Existing administrative users that need the ability to perform more general purpose system configurations need to add this permission to their accounts.

  • Upgrades to v3.2.0 can be successfully performed from systems running v3.1.x. If a previous version is being used, an upgrade to 3.1.x is required prior to upgrading to v3.2.0.

v3.1.1 #

June 20, 2018 minor

Fixes:

  • Fixed issue where new permissions were not being added to database on upgrades

v3.1.0 #

June 19, 2018 major

Features:

  • Support for advanced auditing workflow to easily triage findings
  • Support for external repositories to retrieve additional component metadata from
  • Support for SPDX 3.1 license IDs
  • NVD mirroring support for Dependency-Check (and other) clients
  • Support for out-of-date version detection (rubygems, maven, and npm)
  • Enhanced API to (optionally) autocreate project on bom/scan upload
  • Better support for Dependency-Check “relatedDependencies”
  • Added individual component metrics (independent of dependency metrics)
  • Added per project and per component overview with metrics and refresh support
  • Specific table columns can now be sorted with full pagination support
  • Improved error logging when issues are encountered during BOM and scan processing
  • Enhanced LDAP integration to support strong authentication mechanisms and configurable user formats
  • General performance improvements on multi-core machines
  • Minor enhancements to user interface

Fixes:

  • Fixed defect that prevented paginated results on project tag searches
  • Fixed defect affecting GAV identifiers in Dependency-Check Gradle/CLI reports not being in parenthesis

Upgrade Notes:

  • The VULNERABILITY_ANALYSIS permission was introduced in this release. Existing users that need the ability to audit findings will need this permission added to their account or through their team membership.
  • MySQL now requires ANSI_QUOTES to be added to the SQL mode. Refer to Database Support for details.

v3.0.4 #

May 02, 2018 minor

Fixes:

  • Fixed defect resulting in incorrect results returned when filtering on components in the project view
  • Synced CycloneDX specification to latest v1.0.1 release

v3.0.3 #

April 13, 2018 minor

Fixes:

  • Fixed defect resulting in incorrect vulnerability counts for projects
  • Fixed defect which prevented project metrics from returning results
  • Fixed issue related to the assignment of tags on project creation
  • Added the VIEW_PORTFOLIO permission to the ‘automation’ team on new installs
  • Updated several dependencies
  • Performance improvements in database connection pool
  • Fixed defect where database connections were not being reconnected if the connection was lost
  • Fixed multiple defects related to component reconciliation when processing BOM and scan uploads

v3.0.2 #

March 30, 2018 minor

Fixes:

  • Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring.

v3.0.1 #

March 29, 2018 minor

Fixes:

  • Fixed data model issue which prevented multiple versions of the same project name from being persisted.
  • Fixed issue in admin console which did not properly display the number of team members.

Upgrade Notes:

If v3.0.0 was deployed, shutdown Dependency-Track, execute the following statement against the database, and deploy v3.0.1.

/*
Removes the constraint on having a unique project name thus preventing
multiple versions of the project from existing.
https://github.com/DependencyTrack/dependency-track/issues/118
*/
ALTER TABLE PROJECT DROP CONSTRAINT PROJECT_NAME_IDX;

v3.0.0 #

March 27, 2018 major

Project Reboot Successful! This is the first release after being developed from the ground up.

Features:

  • Dramatically increases visibility into the use of vulnerable components
  • Supports an unlimited number of projects and components
  • Projects can range from applications, operating systems, firmware, to IoT devices
  • Tracks vulnerabilities across entire project portfolio
  • Tracks vulnerabilities by component
  • Easily identify projects that are potentially vulnerable to newly published vulnerabilities
  • Supports standardized SPDX license ID’s and tracks license use by component
  • Supports CycloneDX and SPDX bill-of-material formats
  • Easy to read metrics for components, projects, and portfolio
  • API-first design facilitates easy integration with other systems
  • API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
  • Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes

Fixes: