Dependency-Track

v3.5.0

June 07, 2019 major

Features:

  • Improved performance, reliability, and quality
  • Added support for importing CycloneDX v1.1 BOMs
  • Added additional logging and enhanced logging configuration
  • Added configurable CORS support

Fixes:

  • Numerous. The majority of known defects have been resolved

Upgrade Notes:

Two new LDAP properties were introduced in v3.5.0 that affect LDAP configuration. The properties are:

  • alpine.ldap.groups.search.filter
  • alpine.ldap.users.search.filter

Refer to Configuration and Deploying Docker Container for details.

Additional properties introduced in this release are:

  • alpine.database.pool.enabled
  • alpine.database.pool.max.size
  • alpine.database.pool.idle.timeout
  • alpine.database.pool.max.lifetime

In most situations, changing these values is not recommended and may introduce unintended consequences. One important change in this release: the default value of alpine.database.pool.max.lifetime has changed from 30 minutes (in previous releases) to 10 minutes.

dependency-track-embedded.war
Algorithm  Checksum
SHA-1      7d66f0530d74ff9bc0de628d5e76b5ee6ed6ead7
SHA-256    8bbf820fde7843a680fd51eed831aeddd61507f5420abb68b46859168cc98919

dependency-track.war
Algorithm  Checksum
SHA-1      0bb9a0737a36ebbcd88fe91ca595f12957e85583
SHA-256    143ed44988419ba84cc3956e602e297f025149f19faa65f32c0e8311b71fed5b

v3.4.1

April 16, 2019 minor

Fixes:

  • Fixed defect that caused high CPU consumption (via thread exhaustion) in some cases when NPM Audit was enabled.

dependency-track-embedded.war
Algorithm  Checksum
SHA-1      f8da8e34a3cabcf72b721488f5294710ff632bf6
SHA-256    72391cc636c2159ffc0c516f2001688129a3b6424164c98ce9045c0fd5c3219b

dependency-track.war
Algorithm  Checksum
SHA-1      1cdb5b6c5698229b21acbc610df77ec819ad5180
SHA-256    619e9ae00feb9f9723bef68981d32932d2d5cdf808b192619bf072d525224f5e

v3.4.0

December 22, 2018 major

Features:

  • Improvements to Findings API
  • Created Finding Packaging Format for the native exporting of findings
  • Added support for external integrations including:
    • Fortify Software Security Center
    • Kenna Security
  • Added repository (and outdated version detection) support for NuGet and Pypi
  • Updated SPDX license list to v3.3
  • Added support for identifying FSF Libre licenses
  • Updated Java version in Docker container
  • Docker container can now be fully configured with environment variables
  • Added Test Configuration button when configuring SMTP settings
  • Added logfile rotation with default 10MB cap (configurable)

Fixes:

  • Corrected issue that incorrectly returned suppressed vulnerabilities when queried for non-suppressed ones
  • Fixed issue that resulted in server/UI timeouts due to excessive license payload
  • Fixed NPE that occurred when the configured SMTP server didn’t require authentication
  • Added workaround for outstanding OSS Index defect where the service didn’t process PackageURLs containing qualifiers
  • Updated OpenUnirest, which addressed a configuration issue where the library did not honor proxy server settings

dependency-track-embedded.war
Algorithm  Checksum
SHA-1      676e04e0ef002e371da3b5eab239b0ab55dffe57
SHA-256    006801f124d190e929ab7e6352adcc0bf89047259eff5a15cf4d54a01d7b402d

dependency-track.war
Algorithm  Checksum
SHA-1      15309c0818034ac99f603b52f242748b255818b9
SHA-256    624fa3e7f458b163a0bbb8f05ee7cb1cf052d6d4ea53ff2b43686dd55bb83135

v3.3.1

November 13, 2018 minor

Features:

  • Improved findings API to support a wider range of use-cases

Fixes:

  • When importing some npm dependencies (via Dependency-Check report), some modules would get misidentified, causing an NPE
  • Fixed non-standard Java versioning schemes (such as Debian OpenJDK) that caused version comparison to fail
  • Corrected issue that resulted in suppressed vulnerabilities being returned from a query as if they were not suppressed
  • Fixed issue preventing saving of SMTP settings with anonymous authentication

Upgrade Notes:

The format of the findings API has changed and will not be versioned. This API is used to present findings from the audit tab in the UI. If this API was being used outside the UI, please note that the response format has changed.

dependency-track-embedded.war
Algorithm  Checksum
SHA-1      f7a0fcf9568a765b9bb3cdf3465f475810c333e8
SHA-256    f5693cab665932c80e7056c37ed93bf61a1638e252e48e9c0717b8d0c4740ea4

dependency-track.war
Algorithm  Checksum
SHA-1      bfcf20a5cb87d562b781419f7b989c35ff67e390
SHA-256    91156bc404ab84a09e912302888ef06c52813764e88ad73039550a9ff2e82b91

v3.3.0

October 25, 2018 major

Features:

  • The ability to manually upload a CycloneDX or SPDX BOM from the user interface
  • Optional automated provisioning of LDAP users
  • Optional synchronization of team membership based on a user's LDAP group membership
  • Added API that provides component metadata from a project in CycloneDX format
  • Added ability to track the progress of work performed when a BOM is uploaded
  • Added tracking of audited and unaudited metrics
  • Added ability to add new project version and optionally clone source metadata
  • Added ability to search by tag name when displaying projects
  • Added checksum generation when publishing a release (backported to 3.2.2)
  • The NSP Advisory API has been removed and replaced with the NPM Public Advisory API (backported to v3.2.1)

Fixes:

  • Fixed numerous LDAP compatibility issues
  • Added additional logging when BOM upload is not in a supported format

Upgrade Notes:

This release of Dependency-Track supports a wide range of LDAP implementations and has been tested with Active Directory, ApacheDS, Fedora 389 Directory, and NetIQ/Novell eDirectory. In order to ensure compatibility, some existing LDAP configuration properties have been changed.

# This property has been removed
alpine.ldap.domain
# This property now refers to the user's DN
alpine.ldap.bind.username
# Format now applies only to the value of alpine.ldap.attribute.name.
# Examples have been modified. A user's DN is no longer a valid format.
alpine.ldap.auth.username.format
# New properties
alpine.ldap.groups.filter
alpine.ldap.user.groups.filter
alpine.ldap.user.provisioning
alpine.ldap.team.synchronization

dependency-track-embedded.war
Algorithm  Checksum
SHA-1      413b47068dd1272f0ea6c4af67dc1465fcf10674
SHA-256    5632d6efa8c6ea2633bb767d09c73c4ee68e9319b638ce00da4c422f5123c906

dependency-track.war
Algorithm  Checksum
SHA-1      1a8dc64a7535375fdd4ff789eeb9d3635dcba019
SHA-256    96e20c0b72e3d8c460dfe3ce2b9aca72c6114492747db9afffca9784c64d23b9

v3.2.2

October 02, 2018 minor

Fixes:

  • Critical defect which may lead to duplicate or erroneous requests to the NPM Audit API

Changes:

  • Added checksums.xml, including SHA-1, SHA-256 and SHA-512 checksums for the traditional and embedded wars, to GitHub releases.

dependency-track-embedded.war
Algorithm  Checksum
SHA-1      fead4ed834b4738b8c19c427ae57653f7af4a3b8
SHA-256    ee53ceacb07b0b0b4dfa88e2bdc2e905668f0dd6d42ca1000b3204d0a2ee1842

dependency-track.war
Algorithm  Checksum
SHA-1      defbb7a40bb12c3beacdeb43fb5fd325d226da50
SHA-256    c154f0f07c9875d602d3e1df93d93d617e83f350ef683bdb16eb193d03a86ea5
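Each release above publishes SHA-1 and SHA-256 digests for the two war files, and v3.2.2 added a checksums.xml to the GitHub releases. The following is an added shell example, not code from the Dependency-Track release notes or project, that verifies a downloaded war against an expected SHA-256 before it is deployed. The function names sha256_of and verify_sha256 are my own; the usage line assumes the expected digest was copied from the release table and that the file sits in the current directory.

```shell
#!/bin/sh
# Added example (not part of Dependency-Track): verify a downloaded release
# artifact against a published SHA-256 before deploying it.

# Print the lowercase hex SHA-256 of a file. Works with GNU coreutils
# (sha256sum) and with BSD/macOS (shasum -a 256).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the file's digest matches EXPECTED_HEX (case-insensitive),
# 1 when the file is missing or the digest differs. The mismatch path
# prints both values so an operator can tell corruption from a copy error.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "FAIL $file: file not found" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Usage, with the v3.5.0 digest from the release table (file assumed to be in
# the current directory); a non-zero exit should stop the deployment:
#   verify_sha256 dependency-track.war 143ed44988419ba84cc3956e602e297f025149f19faa65f32c0e8311b71fed5b || exit 1
```

Compare against the SHA-256 rather than the SHA-1 where both are published; SHA-1 is no longer collision-resistant, so it only guards against accidental corruption. Also note that a digest only proves the file matches what the release page lists: fetch the expected value from the official release page over TLS, not from the same mirror that served the war, and treat any mismatch as a reason not to deploy rather than something to retry until it passes.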

v3.2.1

September 21, 2018 minor

Features:

  • The NSP Advisory API has been removed and replaced with the NPM Public Advisory API

Fixes:

  • Processing and permission corrections to new multi-part BOM upload API
  • UI corrections for vulnerabilities with unassigned severity
  • Fixes for displaying and processing of vulnerabilities without CVSS scores
  • Minor changes to severity colour scheme

Upgrade Notes:

All previous NSP vulnerabilities will automatically be migrated to NPM vulnerabilities. No additional action is required. Unlike NSP vulnerabilities, NPM does not provide CVSS scores or vectors. Therefore, NPM vulnerabilities will no longer display the CVSS vector, or the base, impact, and exploitability scores and their corresponding chart data.

v3.2.0

September 06, 2018 major

Features:

  • Configurable notifications of new vulnerabilities, vulnerable dependencies, analysis decision changes, and system events
  • Added Slack, Microsoft Teams, Outbound Webhook, Email, and system console notification publishers
  • Replaced NSP Check API with NPM Audit API
  • Added support for Sonatype OSS Index
  • Updated SPDX license IDs to v3.2
  • General improvements in logging when error conditions are encountered
  • Improvements to Dependency-Check XML report parsing
  • Added native CPE 2.2 and 2.3 parsing capability
  • Enhanced administrative interface with options for repositories and general configuration
  • Updated Java version used in Docker container

Fixes:

  • The audit table did not reflect the correct analysis and suppressed data
  • Added validation when processing Dependency-Check XML reports containing invalid Maven GAVs
  • Corrected issue with NVD mirroring affecting Docker containers and case-sensitive filesystems

Upgrade Notes:

  • The PROJECT_CREATION_UPLOAD permission was introduced in this release. Existing API keys that need the ability to dynamically create projects (without providing them full PORTFOLIO_MANAGEMENT permission) will need this permission added to their account or through their team membership.

  • The SYSTEM_CONFIGURATION permission was introduced in this release. Existing administrative users that need the ability to perform more general purpose system configurations need to add this permission to their accounts.

  • Upgrades to v3.2.0 can be successfully performed from systems running v3.1.x. If a previous version is being used, an upgrade to 3.1.x is required prior to upgrading to v3.2.0.

v3.1.1

June 20, 2018 minor

Fixes:

  • Fixed issue where new permissions were not being added to database on upgrades

v3.1.0

June 19, 2018 major

Features:

  • Support for advanced auditing workflow to easily triage findings
  • Support for retrieving additional component metadata from external repositories
  • Support for SPDX 3.1 license IDs
  • NVD mirroring support for Dependency-Check (and other) clients
  • Support for out-of-date version detection (rubygems, maven, and npm)
  • Enhanced API to (optionally) autocreate project on bom/scan upload
  • Better support for Dependency-Check “relatedDependencies”
  • Added individual component metrics (independent of dependency metrics)
  • Added per project and per component overview with metrics and refresh support
  • Specific table columns can now be sorted with full pagination support
  • Improved error logging when issues are encountered during BOM and scan processing
  • Enhanced LDAP integration to support strong authentication mechanisms and configurable user formats
  • General performance improvements on multi-core machines
  • Minor enhancements to user interface

Fixes:

  • Fixed defect that prevented paginated results on project tag searches
  • Fixed defect affecting GAV identifiers in Dependency-Check Gradle/CLI reports that were not in parentheses

Upgrade Notes:

  • The VULNERABILITY_ANALYSIS permission was introduced in this release. Existing users that need the ability to audit findings will need this permission added to their account or through their team membership.
  • MySQL now requires ANSI_QUOTES to be added to the SQL mode. Refer to Database Support for details.

v3.0.4

May 02, 2018 minor

Fixes:

  • Fixed defect resulting in incorrect results returned when filtering on components in the project view
  • Synced CycloneDX specification to latest v1.0.1 release

v3.0.3

April 13, 2018 minor

Fixes:

  • Fixed defect resulting in incorrect vulnerability counts for projects
  • Fixed defect which prevented project metrics from returning results
  • Fixed issue related to the assignment of tags on project creation
  • Added the VIEW_PORTFOLIO permission to the ‘automation’ team on new installs
  • Updated several dependencies
  • Performance improvements in database connection pool
  • Fixed defect where database connections were not being reconnected if the connection was lost
  • Fixed multiple defects related to component reconciliation when processing BOM and scan uploads

v3.0.2

March 30, 2018 minor

Fixes:

  • Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring.

v3.0.1

March 29, 2018 minor

Fixes:

  • Fixed data model issue which prevented multiple versions of the same project name from being persisted.
  • Fixed issue in admin console which did not properly display the number of team members.

Upgrade Notes:

If v3.0.0 was deployed, shut down Dependency-Track, execute the following statement against the database, and deploy v3.0.1.

/*
Removes the constraint on having a unique project name thus preventing
multiple versions of the project from existing.
https://github.com/DependencyTrack/dependency-track/issues/118
*/
ALTER TABLE PROJECT DROP CONSTRAINT PROJECT_NAME_IDX;

v3.0.0

March 27, 2018 major

Project Reboot Successful! This is the first release after being developed from the ground up.

Features:

  • Dramatically increases visibility into the use of vulnerable components
  • Supports an unlimited number of projects and components
  • Projects can range from applications, operating systems, firmware, to IoT devices
  • Tracks vulnerabilities across entire project portfolio
  • Tracks vulnerabilities by component
  • Easily identify projects that are potentially vulnerable to newly published vulnerabilities
  • Supports standardized SPDX license IDs and tracks license use by component
  • Supports CycloneDX and SPDX bill-of-material formats
  • Easy to read metrics for components, projects, and portfolio
  • API-first design facilitates easy integration with other systems
  • API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
  • Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes

Fixes: