v4.10.1
December 19, 2023 patch
This release fixes various defects in the API server.
There are no changes for the frontend, the latest version of it remains 4.10.0.
NVD Data Feed Retirement Update:
The NVD has announced that retirement of the legacy data feeds has been delayed until further notice. Dependency-Track users who:
- ran into issues with the new NVD REST API integration, or
- did not have the time yet to migrate
can safely continue consuming the legacy feeds, or switch back to them.
Fixes:
- Fix alert rules not working for projects where the `ACTIVE` column is `NULL` - apiserver/#3306
- Fix NPE in version distance policy evaluation when project has no direct dependencies - apiserver/#3308
- Fix `ClassCastException` when updating an existing `ProjectMetadata#authors` field - apiserver/#3312
- Fix NPE in GitHub repository metadata analysis for components without version - apiserver/#3315
- Fix last modified timestamp for NVD mirroring via REST API not taking effect until restart - apiserver/#3323
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@jadyndev
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 1d728ce1788e5db8b3a9308338a9e7e8ab5af12e |
SHA-256 | e30731cd1915d3a1578cf5d8c8596d247fb11a82a3fe4c1ba2fb9fad01667aef |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | be32e1bc64d0b9b8019e340717d4ae3c12442ecd |
SHA-256 | ffa0ab6dc9be894d0887ca3e10c4ffe3a333305d98de940413fcdbb05e2bcebd |
Software Bill of Materials (SBOM) #
- API Server: bom.json
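The checksum tables above are only useful if they are actually compared against what was downloaded. The following script is an added example and not part of the Dependency-Track release notes: it computes the SHA-256 of a local artifact with whichever tool the host provides (`sha256sum`, `shasum` or `openssl`) and compares it, case-insensitively, against an expected digest. The embedded expected value is the SHA-256 published above for the v4.10.1 `dependency-track-apiserver.jar`; the artifact path is supplied on the command line and is assumed to point at that downloaded file.

```shell
#!/bin/sh
# Added example (not part of the Dependency-Track release notes): verify a
# downloaded release artifact against a published SHA-256 digest.

# Published SHA-256 for dependency-track-apiserver.jar v4.10.1 (taken from the table above).
EXPECTED_APISERVER_SHA256="e30731cd1915d3a1578cf5d8c8596d247fb11a82a3fe4c1ba2fb9fad01667aef"

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        echo "no SHA-256 tool found (need sha256sum, shasum or openssl)" >&2
        return 2
    fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 when the digest of FILE equals EXPECTED, 1 on mismatch, 2 when no
# hashing tool is available. Hex digits are compared case-insensitively because
# checksum tables are published in both upper and lower case.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage: ./verify.sh /path/to/dependency-track-apiserver.jar [expected-sha256]
# Runs only when an artifact path is given, so sourcing the file has no side effects.
if [ -n "$1" ]; then
    verify_sha256 "$1" "${2:-$EXPECTED_APISERVER_SHA256}"
fi
```

A mismatch is a stop signal, not an inconvenience: a jar that does not hash to the published value should not be deployed, whatever the cause turns out to be (truncated download, mirror tampering, or a re-published artifact).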
v4.10.0 #
December 08, 2023 major
Dependency-Track has historically relied on file-based data feeds to mirror contents of the National Vulnerability Database (NVD). These feeds are being retired on December 15th 2023, although they may be available up until December 18th.
As a consequence, this release includes support for mirroring the NVD via its REST API instead. This integration will be optional for Dependency-Track v4.10, but mandatory for later releases. Users are encouraged to enable REST API mirroring now, to ensure a smooth transition. Refer to the NVD datasource documentation to learn more.
Features:
- Add support for mirroring the NVD via its REST API - apiserver/#3175
  - Refer to the NVD datasource documentation for details
- Add retries with exponential backoff for NVD feed downloads - apiserver/#3154
- Add support for CycloneDX `metadata.supplier`, `metadata.manufacturer`, `metadata.authors`, and `component.supplier` - apiserver/#3090, apiserver/#3179
- Add support for authenticating with public / non-internal repositories - apiserver/#2876
- Add support for fetching latest versions from GitHub - apiserver/#3112
  - Applicable to components with `pkg:github/<owner>/<repository>@<version>` package URLs
- Improve efficiency of search index operations - apiserver/#3116
- Add option to emit log for successfully published notifications, and improve logging around notifications in general - apiserver/#3211
- Use Java 21 JRE in container images - apiserver/#3089
- Tweak container health check to prevent `wget` zombie processes on slow hosts - apiserver/#3245
- Expose `alpine_event_processing_seconds` metric for monitoring of event processing durations
- Add average event processing duration to Grafana dashboard - apiserver/#3173
- Add guidance for `413 Content Too Large` errors upon BOM upload - apiserver/#3167
- Improve OIDC documentation - apiserver/#3186
- Add “Show in Dependency-Graph” button to component search results - frontend/#572
Fixes:
- Fix false positives in CPE matching due to ambiguous vendor-product relations - apiserver/#3209
- Fix failure to delete policy violations when they have an audit trail - apiserver/#3228
- Fix teams not being assignable to alerts with custom email publishers - apiserver/#3232
- Fix inability to rebuild search indexes for more than one entity type at a time - apiserver/#2987
- Fix trailing comma in default Slack notification template - apiserver/#3172
- Fix NPE when affected node in OSV does not define a package - apiserver/#3194
- Fix NPE for BOM_PROCESSING_FAILED notifications when parsing of the BOM failed - apiserver/#3198
- Fix gradual performance degradation of portfolio vulnerability analysis - apiserver/#3222
- Fix erroneous warning log during VEX import - apiserver/#3233
- Fix `project.active` defaulting to `false` when creating projects via REST API - apiserver/#3244
- Fix OIDC login button moving before it can be clicked - frontend/#616
- Fix input fields losing focus while editing alerts - frontend/#619
- Fix switching between project versions being broken on tabs other than “Overview” - frontend/#659
- Fix notification level not being modifiable for existing alerts - frontend/#661
Upgrade Notes:
- The `CPE` table is no longer needed and will be dropped automatically upon upgrade - apiserver/#3117
- A warning will be logged when mirroring the NVD through its legacy data feeds
  - Refer to the NVD datasource documentation to learn how to switch to API-based mirroring
- As the Grafana dashboard is not managed by Dependency-Track, users wishing to update it will need to re-import it into their Grafana instance.
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@AbdelHajou, @Nikemare, @acdha, @dimitri-rebrikov, @jadyndev, @leec94, @mehab, @melba-lopez, @rbt-mm, @rkg-mm, @willienel, @ybelMekk
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | c308b1f6a2d73fc2bba9da2cc33bf7e3ec49e851 |
SHA-256 | d06f4550e16451ccb7843c36534172744934a7dc69e1d48e970a6eec24e49dc3 |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | b94fb9cbaa91c4e332bcec266e10a0f325f12e22 |
SHA-256 | cf27db44e637b4bc551c16e659e81890f4c5d4f3b4ea9893ebf1717bff98b999 |
frontend-dist.zip #
Algorithm | Checksum |
---|---|
SHA-1 | 217bcaab3a7da2ae2fab3103055f9503aef5db07 |
SHA-256 | 2f6f524c45afcc4a90128cab22a557bf41b88c716aaf0992eb6bb2239ce1469c |
Software Bill of Materials (SBOM) #
v4.9.1 #
October 30, 2023 patch
Fixes:
- Fix failure to import BOMs in XML format when they contain multiple `metadata>tools` nodes - apiserver/#3125
- Fix failure to parse BOMs in XML format when the `metadata>component` node has `properties` - apiserver/#3125
- Fix failure to parse BOMs in XML format when the `component>hashes` node is empty - apiserver/#3141
- Fix impossible SQL query conditions causing DB indexes to be bypassed - apiserver/#3126
- Fix failure to start the application when using a logging config with JSON output - apiserver/#3129
- Fix NGINX failing to start when IPv6 is not available - frontend/#623
- Fix NGINX entrypoint failing to detect mounted `config.json` under containerd - frontend/#624
- Fix external references being cleared when updating a project via UI - frontend/#628
For a complete list of changes, refer to the respective GitHub milestone:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@muellerst-hg
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 99da5f705c3b0048ecf621e8c738a87147c693d9 |
SHA-256 | 5d925f08f85fe7f39231357c4a4c8057fd354e048b7c9407efb20af78033ecec |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 487801d69bffb2e8def5aad9aa55c34be8cddcb2 |
SHA-256 | 19ac4ede2932ff54c42e0466cdf7d5b410f7a44784562f237fc5b4b8891a8dc8 |
frontend-dist.zip #
Algorithm | Checksum |
---|---|
SHA-1 | d45d09a8ffb4c36f2fac78149d5f7cefe31a280b |
SHA-256 | 6bc0bf9ecb8e7dc26eb3bfe9beecc41c5d11e5ccb902f19f0445aaa5860a1980 |
Software Bill of Materials (SBOM) #
v4.9.0 #
October 16, 2023 major
Features:
- Support import of CycloneDX v1.5 BOMs - apiserver/#2850
- Introduce `odt_` prefix for API keys to ease leak detection - apiserver/#3047
- Add support for SPDX license expressions - apiserver/#2400
  - Refer to Policy Compliance for details on how license expressions behave in policies
- Update SPDX license list to v3.21 - apiserver/#3006
- Support resolving of custom licenses by name, instead of only by ID - apiserver/#2769
- Add version distance policy condition - apiserver/#2537
- Separate policy evaluation into its own background task - apiserver/#2523
- Allow policy violation state to be set via API - apiserver/#2997
- Add “Outdated only” and “Direct only” options for viewing components of a project - apiserver/#2568
- Update bundled CWE dictionary to v4.12 - apiserver/#2877
- Reduce number of API requests necessary to populate the dependency graph of a project - apiserver/#2623
- Include JDBC connectors for Google Cloud SQL - apiserver/#2651
- Update default Snyk API version to `2023-06-22` - apiserver/#2911
- Log warnings when analyses from VEX could not be applied - apiserver/#2989
- Update Docker base image to latest Debian stable - apiserver/#2904
- Update temurin base image to `17.0.8.1_1` - apiserver/#3069
- Add extensive test suite for CPE matching logic - apiserver/#2243
- Update documentation for private vulnerability database - apiserver/#2990
- Add docs and example config for logging in JSON format - apiserver/#2933
- Add note about required plan for the Snyk integration to docs - apiserver/#2899
- Update example Grafana dashboard - apiserver/#2788
- Add Docker Compose files for simplified local testing - apiserver/#2675
- Add auto-provisioning of Grafana to Docker Compose development setup - apiserver/#2879
- Hide username and password fields on login view when OIDC is enabled - frontend/#613
- Make NGINX listen on both IPv4 and IPv6 interfaces - frontend/#427
- Display external references and description in project overview - frontend/#485
- Use separate icons for current and out-of-date components to improve accessibility - frontend/#311
- Propagate `searchText` query parameter to list views - frontend/#563
- Raise baseline NodeJS version to 18 - frontend/#470
- Upgrade CoreJS to 3.x - frontend/#548
Fixes:
- Fix memory leak in policy evaluation - apiserver/#2872
- Fix memory leak in VEX upload processing - apiserver/#2873
- Fix VDR export erroneously containing non-vulnerable components - apiserver/#2878
- Fix VEX export erroneously containing dependency graph - apiserver/#3067
- Fix false positives in CPE matching when version attribute of a CVE’s CPE is `NA` - apiserver/#1832
- Fix false negatives in CPE matching when part or vendor attribute of a component’s CPE is `ANY` - apiserver/#2988
- Fix uncaught internal server error when fetching components by hash if Portfolio Access Control is enabled - apiserver/#2953
- Fix Affected Component format for CPEs with version ranges - apiserver/#2967
- Fix missing duplicate check when cloning projects - apiserver/#2966
- Fix `NullPointerException` when checking for existence of projects without version - apiserver/#3068
- Fix module import issues when working on the code base with Eclipse - apiserver/#2971
- Fix version distance policy being evaluated despite not being configured - apiserver/#2980
- Fix `@JsonIgnore` having no effect on `transient` fields - apiserver/#3051
- Fix misleading docs about authentication and authorization enforcement being optional - apiserver/#3047
- Fix default Slack notification template producing invalid JSON for `PROJECT_AUDIT_CHANGE` notifications - apiserver/#2838
- Fix default Mattermost notification template producing invalid JSON for `NEW_VULNERABLE_DEPENDENCY` notifications - apiserver/#3093
- Fix number of project versions displayed in dropdown being limited to 10 - frontend/#397
- Fix unauthenticated users not being redirected to login page - frontend/#502
- Fix no permissions being defined for dashboard route - frontend/#506
- Fix regression in Docker Compose file regarding application directory - frontend/#494
- Fix external references dropdown rendering outside the screen - frontend/#539
- Fix vulnerability aliases not being displayed in expanded rows of findings table - frontend/#559
- Fix type error in external references dropdown - frontend/#565
- Fix license expression input fields - frontend/#580
- Fix wrong message being displayed when creating policies - frontend/#610
- Fix file permissions of NGINX config file - frontend/#611
Upgrade Notes:
- API keys generated after the upgrade will be prefixed with `odt_`. Existing API keys without this prefix will continue to work. The prefix is configurable via `alpine.api.key.prefix`, although customization is not recommended. Refer to Configuration for details.
- Users ingesting SBOMs with CPE data may notice an uptick in vulnerabilities being identified by the internal analyzer. This is expected as a result of apiserver/#2988 being fixed. If newly identified vulnerabilities turn out to be largely false positives, let the project team know by reporting a defect.
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@HagarJNode, @Meroje, @Nikemare, @RingoDev, @Shawyeok, @dustin-decker, @hborchardt, @heubeck,
@mattmatician, @melba-lopez, @muellerst-hg, @nathan-mittelette, @sahibamittal, @sephiroth-j, @syalioune,
@takumakume, @valentijnscholten, @walterdeboer
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | cd4ec4f1ed075f37476f46da11451158d7460502 |
SHA-256 | 281f091107ef79d9b1e9361dc78608260b364eaa7dbbaeb29d4f7aef1a4bf67b |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 6f3a077219fb49a502a88fcbb40e05865a23f5c5 |
SHA-256 | 4ca0b061ed83fa0b34ede8158f3ec0e2a7380c2736731995cf330f809076951f |
frontend-dist.zip #
Algorithm | Checksum |
---|---|
SHA-1 | 151f24f7b92e93dcf6600c4b8ee9e0ebd7b3560b |
SHA-256 | 1ff2ace778d08529b42ee297fb6e3b0bbe8b2593b2b8686e8b3e3c9472663c2a |
Software Bill of Materials (SBOM) #
v4.8.2 #
May 17, 2023 patch
This release fixes a regression in the API server related to fetching of policy violations, which was introduced in 4.8.1.
There are no changes for the frontend, the latest version of it remains 4.8.1.
Fixes:
- Fix policy violations endpoint erroneously returning violations for all projects when no `searchText` parameter is provided - apiserver/#2766
- Fix signals (e.g. `SIGTERM`) not being handled by the JVM process inside the container image, preventing graceful shutdown - apiserver/#2750
For a complete list of changes, refer to the respective GitHub milestone:
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | bfc8758eb30ab90f4280cb37ea959964f74706b9 |
SHA-256 | 2b1d249d98f72b863deb4769665efc119a3ef8db195838decddce9a2a12f36b4 |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 52bd8b0c0646d0759e30f5b1600f5fb17e4ede36 |
SHA-256 | 2f8171cd2a93f060110e0f7f5f1555a17db11de0a3cb0cb5b6068dfe3cd8e5e3 |
Software Bill of Materials (SBOM) #
- API Server: bom.json
v4.8.1 #
May 16, 2023 patch
Fixes:
- Fix unrelated vulnerabilities being correlated during alias synchronization - apiserver/#2194
- Fix `NullPointerException` when email alert is configured with just teams as destination - apiserver/#2698
- Fix broken pagination in DefectDojo integration - apiserver/#2707
- Fix search function in policy violation tab not working - apiserver/#2622
- Fix `PATCH /api/v1/project` endpoint not updating external references - apiserver/#2695
- Fix `NullPointerException` in DefectDojo integration - apiserver/#2628
- Fix retrieval of OIDC JWK sets not respecting HTTP proxy settings - apiserver/#2696
- Lower log level for repository meta analyzer to `WARN` and include exception details - apiserver/#2697
- Add missing config docs for `alpine.oidc.client.id` - apiserver/#2743
- Fix not all vulnerability aliases being displayed in the UI - frontend/#477
- Fix broken vulnerability alias links - frontend/#486
- Fix broken project tag links on tabs other than “Overview” - frontend/#483
- Fix broken project version links on tabs other than “Overview” - frontend/#495
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to fix defects:
@heubeck, @jakubrak, @sahibamittal, @valentijnscholten
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 553d17a940220d79b686ce6b64d65c0854915f1b |
SHA-256 | 56db674f5b467eac0a5b3fde99bc6285fd9135ad84e8fa0328ed6ace64fc723c |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | b2f0e053083ac672a9eaef19f7363ac854bdb91a |
SHA-256 | e1bd03ea89b312c2125791a0d46ca99aa62365140a4f175d2f45cbb1d59a87a6 |
frontend-dist.zip #
Algorithm | Checksum |
---|---|
SHA-1 | 01bc042e1f510e089b9db937852dbcde69eca603 |
SHA-256 | f946994c0f66647bd34c9e10997f2b62c08ab17ebbfe42edf149be12a47b2278 |
Software Bill of Materials (SBOM) #
v4.8.0 #
April 18, 2023 major
Celebrating 10 years of OWASP Dependency-Track
Dependency-Track is celebrating its 10th anniversary this year!
Read the announcement from Steve Springett, creator of Dependency-Track, on the OWASP blog.
Highlights:
- Improved frontend UX.
- Navigating through the UI, switching tabs etc. now properly updates the URL in the browser. This makes it possible to share links to specific pages with others, and not lose context entirely when using the browser’s “go back” functionality.
- Criteria for the component search is now encoded in the URL, which allows “deep-linking” to searches, making it easier to collaborate with colleagues.
- The UI will now remember various user preferences, e.g. selected columns, number of search results per page, whether to show inactive projects, and much more.
- The dependency graph now optionally displays indicator icons for outdated components.
- Polished policy engine. The policy engine received lots of love in this release, ranging from various bugfixes, to newly supported policy conditions.
- Reduced resource footprint for vulnerability database mirroring. Downloading and processing vulnerability data from the NVD, GitHub, and OSV has historically been a heavy task that could cause large spikes in JVM heap usage. Due to various improvements, mirroring will now be faster, and a lot more lightweight (see apiserver/#2575 for comparisons).
Features:
- Reduce log level for some recurring tasks to `debug` - apiserver/#2325
- Reduce log level for Defect Dojo pagination advancement to `info` - apiserver/#2338
- Add User-Agent header to Snyk requests - apiserver/#2396
- Allow updating only the project’s parent via `PATCH`, without having to worry about any other project properties - apiserver/#2401
- Include version of affected projects in Jira notification template - apiserver/#2408
- Add support for regular expressions in policy conditions - apiserver/#2144
- Show version status information on dependency graph nodes - apiserver/#2273
- Add support for component age in policy conditions - apiserver/#772
- Skip superfluous component metrics calculation during OSS Index analysis - apiserver/#2466
- Handle deleted projects gracefully when processing uploaded BOMs - apiserver/#2467
- Include persistence framework in logging configuration - apiserver/#2483
- Drop dependency on Unirest library - apiserver/#2350
- Simplify and speed up vulnerability metrics calculation - apiserver/#2481
- Add developer documentation for skipping NVD mirroring - apiserver/#2547
- Execute NVD and EPSS mirroring on multi-threaded event service - apiserver/#2526
- Reduce memory footprint of vulnerability mirroring tasks - apiserver/#2525
- Allow for prevention of re-opening Defect Dojo findings via “do not reactivate” flag - apiserver/#2424
- Add support for vulnerability ID in policy conditions - apiserver/#2557
- Add support for matching of non-existent CPEs and Package URLs in policy conditions - apiserver/#2587
- Ingest remediation details from Snyk - apiserver/#2571
- Handle errors from repository metadata analyzers more gracefully - apiserver/#2563
- Add support for CPAN repositories - apiserver/#639
- Allow inclusion of H2 web console for local development purposes - apiserver/#2592
- Add `BOM_PROCESSING_FAILED` notification - apiserver/#2264
- Ingest vulnerability publication time from Snyk - apiserver/#2626
- Add health endpoints - apiserver/#1001
- Include dependency graph in CycloneDX exports - apiserver/#2616
- Allow for vulnerability alias synchronization to be disabled for each source that supports it - apiserver/#2670
- Reduce heap usage during NVD mirroring - apiserver/#2575
- Support Jira authentication with personal access token - apiserver/#2641
- Allow parent project to be specified when uploading a BOM - apiserver/#2412
- Update branding - frontend/#387
- Add deep linking capability throughout the entire UI - frontend/#391
- Remember UI user preferences (selected columns, page sizes, etc.) - frontend/#348
- Add deep linking for component search - frontend/#425
- Make removing a project parent relationship more convenient - frontend/#424
- Display multiple aliases in a vertical rather than horizontal list - frontend/#315
- Display aliases column in all vulnerability list views - frontend/#315
- Add optional tags column to projects list view - frontend/#319
Fixes:
- Fix unhandled exceptions when fetching repository metadata for Composer components that no longer exist - apiserver/#2134
- Fix invalid group name of Jira configuration properties - apiserver/#2313
- Fix duplicate policy violations caused by the “Package URL” policy condition - apiserver/#1925
- Fix policies with operator `ALL` behaving as if operator `ANY` was used - apiserver/#2212
- Fix 2023 NVD feeds not being fetched unless DT is restarted in new year - apiserver/#2349
- Fix VulnDB analysis results not being cached properly - apiserver/#2436
- Fix incomplete ingestion of dependency graph from hierarchically merged BOMs - apiserver/#2411
- Remove unnecessary `parentUuid` field from project model - apiserver/#2439
- Fix `AlreadyClosedException` when committing search indexes - apiserver/#2379
- Prevent OSV ecosystems being selected multiple times - apiserver/#2473
- Fix `NullPointerException` when computing enabled OSV ecosystems - apiserver/#2527
- Fix Finding Packaging Format (FPF) export containing internal technical fields - apiserver/#2469
- Fix ACL definitions not being cloned when cloning a project - apiserver/#2493
- Fix email notification for `PROJECT_AUDIT_CHANGE` missing some information - apiserver/#2420
- Fix not all tags being checked when evaluating “limit to” for policies - apiserver/#2586
- Fix internal server error when fetching all projects while ACL is enabled - apiserver/#2583
- Fix failures to import BOMs when component author fields exceed 255 characters - apiserver/#2488
- Fix incomplete implementation of apiserver/#2313 - apiserver/#2610
- Fix dependency graph in UI being deleted after exporting project as CycloneDX - apiserver/#2494
- Fix project URL in email and Cisco WebEx notifications - apiserver/#2631
- Fix OSV overriding CVE data when NVD mirroring is also enabled - apiserver/#2293
- Fix redundant `POLICY_VIOLATION` notifications for existing violations - apiserver/#2655
- Fix email of LDAP users not being persisted - apiserver/#2320
- Fix email of OIDC users not being persisted - apiserver/#2647
- Fix VEX import not working for vulnerabilities from OSV, Snyk, and VulnDB - apiserver/#2538
- Fix missing project and component information in Microsoft Teams notifications - apiserver/#2638
- Fix API server not respecting HTTP proxy settings when communicating with OIDC Identity Provider - apiserver/#1940
- Fix potential `Invalid state. Transaction has already started` error during repository metadata analysis - apiserver/#2678
- Fix broken link to affected projects - frontend/#417
- Fix duplicate PURL version in Affected Components tab of vulnerability details - frontend/#454
Upgrade Notes:
- The `parentUuid` field has been removed from the project model and will thus no longer be returned by the REST API (apiserver/#2439)
- Due to apiserver/#2469, the Finding Packaging Format (FPF) version has been bumped to 1.2; refer to File Formats for details
- Synchronization of vulnerability aliases is now disabled by default for OSV and Snyk (apiserver/#2670)
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@Ehoky, @Gator8, @Hunroll, @StephenKing, @ch8matt, @jkowalleck, @lme-nca, @malice00, @mcombuechen, @msymons, @mvandermade, @rbt-mm, @roadSurfer, @s-spindler, @sahibamittal, @syalioune, @walterdeboer, @zgael
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 883754d3ed227a124976c3f9247345be48cc0561 |
SHA-256 | 0ab7e3a1d0cd308a9193a6bec7b561f3911d19052312a82e4a59607d4ff50fd0 |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 979f02a5bf3ea5d8b0bba7d4e73a725de1920219 |
SHA-256 | af9f6d79e7828b4f744f9f82215486c0b5649abf6544d0374c945b2ab5d8b58a |
frontend-dist.zip #
Algorithm | Checksum |
---|---|
SHA-1 | 852b8a16aa8d07ccd46b4bec38cda736c6271c42 |
SHA-256 | 40cffc6fcaafe4a23d2c347958c2e3f43e3c02afe3def238bfd4615684803537 |
Software Bill of Materials (SBOM) #
v4.7.1 #
January 31, 2023 patch
Fixes:
- Resolved a defect that caused BOM uploads to fail when the BOM file contained a byte order mark - apiserver/#2312
- Resolved a defect that caused updating projects to fail when their `active` status was `null` - apiserver/#2317
- Resolved a defect that prevented teams from being deleted when portfolio access control was enabled - apiserver/#2374
- Move “Use Cases” documentation page to “Community Usage Examples” and clarify its purpose - apiserver/#2403
- Resolved a defect that caused vulnerability alias synchronization to fail for VulnDB - apiserver/#2428
- Fixed typo in monitoring documentation - apiserver/#2430
- Resolved a defect that caused component details to not be displayed in policy violations tab - frontend/#373
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to fix defects:
@JoergBruenner, @mehab, @rbt-mm, @sergioasantiago, @syalioune
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | ef119b6f5fb422687e5152528bdb3e40e89c8733 |
SHA-256 | 7fbccad45c730226ab9df1ff51aaa2dba90b93cf22547bbe395d3f3b849c8371 |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 94ca9179dad020c45adfdf0152b3f20081f7cf8b |
SHA-256 | fe3fad9d43235df30880e547f838f65fe6365919dbc19107e4da349a5dce104f |
frontend-dist.zip #
Algorithm | Checksum |
---|---|
SHA-1 | 1c1412a09a64d08ae44cb3c9c980bfbb2786ff53 |
SHA-256 | 95aed5a69c6e1db5ab05eaa57f511d5e16f92bafd67839be63f136ea78e11252 |
Software Bill of Materials (SBOM) #
v4.7.0 #
December 16, 2022 major
Highlights:
- Hierarchical Project Relationships. Projects can now be organized in hierarchies, using simple parent-child-relationships. Hierarchies are visualized in the UI, and allow projects to inherit various configurations from their parent, including notification rules and applicable policies.
- Improved Dependency Graph. The dependency graph can now be displayed in its entirety. Previously, the depth was limited to only three levels. Additionally, it’s now possible to navigate from a specific component (e.g. from the Audit Vulnerabilities tab) directly to the dependency graph. In doing so, Dependency-Track will show all paths in the graph leading up to this component, making it easy to understand how a given component is introduced to the project.
- Snyk Integration (Beta). Dependency-Track can now make use of Snyk to scan and continuously monitor components for vulnerabilities. This provides access to Snyk’s proprietary vulnerability database, maintained by their dedicated research team. The Snyk integration requires a paid subscription with REST API access.
- Jira Integration. It is now possible to publish notifications to Jira, making it easier to integrate events that require action to be taken into existing Jira workflows.
Features:
- Added support for hierarchical project relationships - apiserver/#84
- Added support for including project children in alert rule limitations - apiserver/#2013
- Added support for including project children in policies - apiserver/#2215
- Added support for vulnerability analysis with Snyk - apiserver/#365
- Added ability to focus on certain components in the dependency graph - frontend/#336
- Added support for OWASP Risk Rating methodology - apiserver/#1493
- Added source attributions for affected component version ranges of mirrored vulnerabilities - apiserver/#1815
- Added support for limiting alerts to selection of teams - apiserver/#1608
- Added support for optional `EXTRA_JAVA_OPTIONS` environment variable in API server container - apiserver/#2040
- Improved component batching behavior and resilience of the OSS Index analyzer - apiserver/#2023
- Added option to include ACLs when cloning a project - apiserver/#1534
- Added Reanalyze button to the Audit Vulnerabilities tab - apiserver/#2128
- Added support for custom licenses - apiserver/#2153
- Added Jira notification publisher - apiserver/#2118
- Added documentation for setting up OIDC with Google - apiserver/#2185
- Added support for license URLs - apiserver/#1977
- Allow bypassing of system requirements check - apiserver/#2197
- Added Swagger types for BOM operations of the REST API - apiserver/#2230
- Include commenter in `PROJECT_AUDIT_CHANGE` email notifications - apiserver/#2227
- Added ability to check for unresolved licenses in policy conditions - apiserver/#1518
- Added proper caching for repository meta analysis - apiserver/#1943
- Added health check, corruption check, and ability to manually trigger rebuilds for search indexes - apiserver/#2200
- Added support for project metadata, including ingestion from uploaded BOMs - apiserver/#1200
- Added use case examples to documentation - apiserver/#2211
- Added Azure DevOps extension to community integrations - apiserver/#2258
- Added total heap size and CPU usage lines to sample Grafana dashboard - apiserver/#2256
- Do not create temporary database connection pools when executing upgrades - apiserver/#2232
- Added persistence metrics to sample Grafana dashboard - apiserver/#2245
- Added ability to search for components by identity within a specific project - apiserver/#2228
- Treat tag names as case-insensitive - apiserver/#1717
- Added notification for newly created projects - apiserver/#2173
- Added ability to configure database connection pools separately - apiserver/#2238
- Added ability to configure the secret key path - apiserver/#2238
- Include services in the BOM distributed for the API server - apiserver/#2175
- Added support for Vulnerability Disclosure Report (VDR) exports - apiserver/#1800
- Make projects clickable in ACL configuration view - frontend/#320
- Display component version status in Audit Vulnerabilities and Exploit Predictions tab - frontend/#356
- Display last BOM import timestamp in project overview - frontend/#147
Fixes:
- Fix dependency graph only showing 3 levels of transitive relationships - frontend/#85
- Fix alert limitations not being applied for `POLICY_VIOLATION` and `PROJECT_AUDIT_CHANGE` notifications - apiserver/#975
- Fix NVD mirroring failing when using CIFS volumes - apiserver/#2048
- When determining the latest version of a Maven component, use the `release` version advertised by the repository, instead of `latest` - apiserver/#2075
- Fix incorrect project URL in email notifications - apiserver/#2172
- Fix missing project information in `NEW_VULNERABLE_DEPENDENCY` notification emails - apiserver/#2139
- Fix search indexes not being (re-) built - apiserver/#2104
- Fix Component in Affected Components tab of vulnerability details showing `undefined` in some cases - apiserver/#2231
- Fix incorrect datasource for `instance` dropdown in sample Grafana dashboard - apiserver/#2068
- Fix broken heap usage gauge in sample Grafana dashboard - apiserver/#2073
- Fix CPEs not matching on identical versions - apiserver/#2240
- Fix inability to delete teams that are part of one or more ACL - apiserver/#1532
Upgrade Notes:
- Creating new or searching for existing tags will now treat tag names as case-insensitive (apiserver/#1717). Users relying on tags being treated as case-sensitive (e.g. `critical` and `CRITICAL` being treated as different) should review their use of tags prior to upgrading.
- Names of the HikariCP connection pools in the exposed Prometheus metrics have changed from `HikariPool-3` and `HikariPool-4` to `transactional` and `non-transactional` (apiserver/#2238). Users monitoring those pools are advised to update their monitoring configuration accordingly (e.g. Grafana dashboards).
- Distribution of the API server SBOM in XML format has been dropped (apiserver/#2175). Users consuming the API server BOM in XML format should migrate to consuming the JSON-formatted BOM instead.
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@AZenker, @JoergBruenner, @KramNamez, @Mvld3r, @Zargath, @awegg, @ch8matt, @japurva1502, @kekkegenkai, @mehab, @nathan-mittelette, @omerlh, @rbt-mm, @ribbybibby, @s-spindler, @sahibamittal, @syalioune, @valentijnscholten
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 99f1a012a983b8256d9346e64d3dd27e92d1c808 |
SHA-256 | 373e8efa1a8995193b7c068ea34974040627553647905d38e1dce053333eeb10 |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | c7faee42162e1712377fbd8a03dfd9e3ef251a23 |
SHA-256 | 631807c24fd76c0f44d4494a44147e0414ab471ac1e12fe4ebff054f363a8f0f |
frontend-dist.zip #
Algorithm | Checksum |
---|---|
SHA-1 | 8696218e07d438896f236f691f2ca658faf0377a |
SHA-256 | 23cc72eea3361edeaff84efe0a1a0327e47367419466307867103bac2b14ad75 |
Software Bill of Materials (SBOM) #
v4.6.3 #
November 18, 2022 patch
This release fixes a defect in the caching of vulnerability analysis results from external sources.
There are no changes for the frontend, the latest version of it remains 4.6.1.
Fixes:
- Resolved a defect that caused the component analysis cache validity period to be too short - #2115
Upgrade Notes:
- The value of the `scanner.analysis.cache.validity.period` configuration property will be reset to 12 hours during the automated upgrade. No manual actions are required.
For a complete list of changes, refer to the respective GitHub milestones:
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 68b806410c2e68fe8c586b93044f29a648f96466 |
SHA-256 | d9b5337419addee26658da8e421f0286aaa92160b8f6f85caca83aa1a328611f |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | ac2a60bc8fedad714fa55c2aaad44533fa2086d7 |
SHA-256 | 1229681b5d1dc399ec662946969f7ef225bc7e6381861d8eb35e31d431b25714 |
Software Bill of Materials (SBOM) #
- API Server: bom.json
v4.6.2 #
October 24, 2022 patch
This release fixes a cross-site scripting (XSS) vulnerability in the frontend. The bundled distribution has been updated to include the fixed frontend version. There are no changes for the API server distribution.
Fixes:
- Resolved a defect that caused HTML tags in vulnerability descriptions to be rendered on the vulnerability details page - #300
Security:
- Fixed a cross-site scripting vulnerability in the vulnerability details page - GHSA-c33w-pm52-mqvf
For a complete list of changes, refer to the respective GitHub milestones:
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 313b2ee9bd957f8bd2b0baba524044197501b2a9 |
SHA-256 | 7ee92f572cebe6d8d8f9e37ab6067e5849c83c56c98b38a21418557260efbfdc |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | e009cc9345ae5bdb321c651df769a6d02dfc5a67 |
SHA-256 | 0e67de28a99aec1d2e3c4592b42f04e86084129f58f3d338b572fdc5b7064899 |
frontend-dist.zip #
Algorithm | Checksum |
---|---|
SHA-1 | 67843f34745d4983da001ca158c0fa6aba814427 |
SHA-256 | f0cb536946117068f26845eee89975e4d7feac0b7c806bae505172e85bfadf76 |
Software Bill of Materials (SBOM) #
v4.6.1 #
October 13, 2022 patch
Fixes:
- Resolved defect that caused policy name and violation state to not be displayed in the violations audit tab - #2043
For a complete list of changes, refer to the respective GitHub milestones:
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | f3c8e2007f2795b12f438b6b9318c4d5c448fa0b |
SHA-256 | e293756b5e27d6c3213dfbeead946bf220d278d418c817c74a81fda395764977 |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | da0d27cd635de292bcae112c816b97c1b1d50107 |
SHA-256 | 0a8530aab97bedbc33575a5ff18677eef1bcc555bb038150229bc5147c7ef522 |
Software Bill of Materials (SBOM) #
- API Server: bom.json
v4.6.0 #
October 11, 2022 major
Highlights:
- Vulnerability Aliases. By ingesting data from multiple sources of vulnerability intelligence, there will be cases where different advisories describe the same vulnerability. For example, CVE-2022-31197 and GHSA-r38f-c4h4-hqq2 describe the same defect, yet their descriptions and risk ratings differ. Dependency-Track 4.6 now recognizes when multiple advisories alias each other, and includes this information in notifications and REST API responses. Aliases will additionally be considered when calculating portfolio metrics, so that duplicate vulnerabilities do not skyrocket the risk scoring. Further improvements to aliases will be coming in future releases.
- OSV Integration (Beta). Dependency-Track now optionally mirrors vulnerability intelligence data from the Open Source Vulnerabilities database (OSV). OSV normalizes and enriches data from multiple other vulnerability databases. Mirroring can be limited to a configurable selection of ecosystems.
- New Policy Conditions.
- Using the tag condition, policies can be restricted to projects with certain properties or priorities (e.g. high-risk, internet-facing, etc.)
- Using the CWE condition, policies can assist in prioritizing findings of certain weaknesses
- Using the component hash condition, policies can be used to flag usage of malicious or tainted packages
- Performance. Various improvements, most prominently regarding metrics updates. Organizations, especially those with large portfolios of multiple thousands of projects, will see a drastic reduction in runtime and resource usage.
- Observability. By exposing system metrics via the Prometheus text-based format, operators can now monitor their instances using Prometheus, Grafana, or other compatible observability stacks. Metrics exposition is optional and must be enabled; refer to the monitoring documentation for details.
- Customization. Users with advanced customization needs can now create and modify notification templates, as well as specify custom intervals for recurring tasks. Refer to the notifications and recurring tasks documentation for details.
- Authentication for Internal Repositories. Dependency-Track can now authenticate with artifact repositories like Nexus Repository Manager or Artifactory to fetch information about internal artifacts.
Features:
- Added support for authentication with internal package repositories - #881
- Added support for configuration of recurring tasks intervals - #1542
- Added support for policy violation badges - #1690
- Added support for disabling alerts - #1173
- Added support for CWEs in policy conditions - #1768
- Added support for component hashes in policy conditions - #1775
- Added support for tags in policy conditions - #1565
- Added support for fuzzy CPE matching - #1799
- Added support for notification publishing via Mattermost - #1702
- Added support for reimporting findings to an existing DefectDojo test instead of creating a new test upon each upload - #1622
- Added support for ingesting and displaying component author information - #1726
- Added support for vulnerability aliases - #1912
- Added support for custom notification templates - #275
- Added experimental OSV integration - #931
- Added support for Prometheus metrics exposition - #1796
- Refactored metrics update functionality to be faster and more efficient - #1704
- Upgraded to Java 17 - #1804
- Removed source maps from frontend production build - #192
- Added name of the authenticated user to the profile menu in the UI - #167
- Added support for performing cross-site frontend requests with cookies - #156
- Added columns for CVSS and EPSS to the component vulnerabilities view - #1948
- Added listing of affected projects to email notification templates - #2005
Fixes:
- Resolved defect that made it impossible to delete a project when assigned to a policy - #1852
- Resolved defect related to non-thread-safe usage of the internal Lucene search index - #1791
- Resolved defect that caused the subject of email notifications to say `null` in certain situations - #1818
- Resolved defect that caused the VulnDB analyzer to fail to mark components as vulnerable - #1780
- Resolved defect where the `affectedComponents` field of vulnerabilities would not be populated - #1766
- Resolved defect that caused vulnerability details to take too long to load - #1765
- Resolved defect that caused an internal server error when uploading a VEX document via HTTP `PUT` - #1836
- Resolved defect that caused an internal server error when creating a vulnerability without CWEs - #1664
- Resolved defect that caused an internal server error when submitting analysis details with more than 255 characters - #1661
- Resolved defect that caused an internal server error when importing a SaaSBOM - #1790
- Resolved defect that caused NVD mirroring notifications not working correctly - #1429
- Resolved defect that caused VEX import not ingesting analyses for internal vulnerabilities - #1692
- Resolved defect that caused excessive memory utilization when identifying internal components - #1947
- Resolved defect that caused wrong project tags to be displayed after switching versions - #188
- Resolved defect that caused component licenses to not be displayed on some occasions - #223
- Resolved defect that caused horizontal scroll bars to be displayed unnecessarily in the UI - #248
- Resolved defect that made it impossible to provide component hashes in uppercase - #1174
- Resolved defect that prevented vulnerabilities in PHP components from being identified based on GitHub Advisories data - #1998
- Resolved defect that caused a `NumberFormatException` to be thrown when resolving CWEs for findings - #2029
- Resolved projects search filter not working when viewing projects by tag - #405
- Resolved notifications with group `NEW_VULNERABLE_DEPENDENCY` not working at all - #1611
- Resolved multiple minor UI defects related to API key management - #240
- Resolved UI defect that caused vulnerability details not being displayed when only the CVSS vector, but not the scores were returned by the API - #239
- Resolved UI defect that caused an incorrect tooltip being displayed for the email field in the email configuration test modal - #161
- Resolved UI defect that caused the policy management view to not be updated when restricting a policy to a project - #169
- Resolved UI defect that caused input fields losing focus after saving - #98
Security:
- Fixed a defect that could cause API keys to be logged in clear text when handling API requests using keys with insufficient permissions - GHSA-gh7v-4hxp-gqp4
Upgrade Notes:
- The new baseline Java version is 17 (#1804)
  - Java versions later than 17 may work as well, but haven’t been tested
  - Users deploying DT via executable WAR will need to upgrade Java accordingly
  - Users deploying DT via containers don’t need to do anything
- The embedded H2 database has been upgraded to major version 2
  - Manual upgrade steps are required, refer to the H2 v2 migration guide
  - Without the manual migration, Dependency-Track 4.6 will not work with H2 databases created by earlier versions
  - Reminder: H2 is not, and never has been, supported for production usage
- With #1429, handling of notification levels has changed
  - Previously, an alert with level `ERROR` would trigger on notifications with levels `ERROR`, `WARNING`, and `INFORMATIONAL`
  - Now, an alert with level `ERROR` will only trigger on notifications with level `ERROR`
  - An alert with level `WARNING` will trigger on notifications with level `WARNING` and `ERROR`, etc.
  - The new behavior is similar to how structured logging libraries work
  - This change primarily affects notifications of the `SYSTEM` scope, which are used to report statuses of various tasks, e.g. `DATASOURCE_MIRRORING`
  - Notifications in the `PORTFOLIO` scope (e.g. `NEW_VULNERABILITY`) all have the `INFORMATIONAL` level
  - Users who configured alerts with scope `PORTFOLIO` and level `ERROR` should change the level to `INFORMATIONAL` after the upgrade
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release.
Special thanks to everyone who contributed code to implement enhancements and fix defects:
@AbdelHajou, @awegg, @dGuerr, @k3rnelpan1c-dev, @maaheeb, @officerNordberg, @rbt-mm, @rkg-mm, @s-spindler, @sahibamittal, @stephan-strate, @syalioune, @tmehnert, @yangsec888
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | e40fb14764fb5eb9fcd654472434c3701c44f208 |
SHA-256 | 29d422816b593ddef89b07e9bc1c72a5cfb141eaea4a1d59615309089bab03ea |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 9e1b283c442e1bfb2c5c4ea23b1a1590cf7afc5d |
SHA-256 | 1e6ba17e6dc1f6422826a020ece5ec6ae2bef1aa9ae563f57653ed6bc0944f14 |
frontend-dist.zip #
Algorithm | Checksum |
---|---|
SHA-1 | 0f8967a4f777d33fd285d7fe8786f08690ffedd9 |
SHA-256 | 14791981d23850b72e39cee8c6378c6e25de0f8f5ee46b5c244c28bd6262db9a |
Software Bill of Materials (SBOM) #
v4.5.0 #
May 18, 2022 major
Features:
- Added support for consuming VEX - #1387
- Added support for management of internal vulnerabilities - #96
  - Added new `VULNERABILITY_MANAGEMENT` permission, which is required to create, edit and delete internal vulnerabilities
- Added support for EPSS - #1178
- Added support for notifications on policy violations - #1396
- Added support for fetching projects by classifier - #1185
- Added support for multiple CWEs being assigned to vulnerabilities - #1467
  - API, FPF and notifications now include an additional JSON array field `cwes`
  - The `cwe` field is still supported, but deprecated, and will be removed in a later release
- Added new `VIEW_POLICY_VIOLATION` permission that grants read-only access to policy violations and the audit trail - #1433
- Added ability to modify specific project fields via `PATCH` requests - #1586
- Grant access to the team that created a project via BOM upload when portfolio ACL is enabled - #1529
- Improved resource efficiency of portfolio metrics updates - #1481
- Reversed order of NVD feed downloads so that latest vulnerabilities are loaded first - #1557
- Included policy violation analysis in daily portfolio analysis - #1492
- Added OIDC setup example for Azure AD - #1564
Fixes:
- Resolved defect where the `VULNERABILITY_ANALYSIS` permission was required to see policy violations - #126
- Resolved defect where audit trail entries were generated for `Justification` and `Response`, even though they didn’t actually change - #1566
- Resolved defect where vulnerabilities from GitHub Advisories could not be matched with Go modules - #1574
- Resolved defect where filtering projects by tag would ignore the active / inactive filter - #1501
- Resolved defect where NVD mirroring could not be enabled - #1576
- Updated URL of the Atlassian package repository - #1568
- Resolved multiple defects in calculation of portfolio metrics - #1530
- Resolved defect where incomplete NVD data could be mirrored - #1480
- Resolved defect where portfolio changes wouldn’t immediately be reflected in results of the search API - #1605
- Resolved defect where policy violations of type Security would not be displayed - #91
- Resolved defect where analysis justification and response would be reset when suppressing a finding - #140
- Resolved defect where the analysis status of policy violations would not be displayed - #130
Security:
Upgrade Notes:
- The `nist` directory inside the Dependency-Track data directory will be deleted upon upgrade. This will force the NVD to be downloaded and reprocessed.
- Users and teams with `POLICY_VIOLATION_ANALYSIS` permission are automatically granted the `VIEW_POLICY_VIOLATION` permission during the automatic upgrade.
- Location of `config.json` in the frontend container changed from `/app/static/config.json` to `/opt/owasp/dependency-track-frontend/static/config.json`
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | 8db4707e3458b122e73cce92e7dc143c115db962 |
SHA-256 | 0c3d75501a0545f90e862aa0e2920f0c6146abcd436983531de7757ff294f568 |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 984aafe85ac2dc361f9b0adf3c26d99decbab641 |
SHA-256 | 360176e810072b9ad393ba4f36e261c333ba45f4a662fe6b180e7481d70a14e1 |
Software Bill of Materials (SBOM) #
v4.4.2 #
March 04, 2022 patch
Features:
- Added advanced configuration options for controlling outbound HTTP connection timeouts - 1431
Fixes:
- Resolved defect that resulted in a server error when suppressing a vulnerability - 1409
Security:
Upgrade Notes:
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | 172f569eb85f1182500571a160b134e8b1005ebf |
SHA-256 | 5869df68cd29d48366d653a697bc198e0f3396c2897cd4a668743fc7157fb8df |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 49e73a820426a39ab83e6ec2a12f1c24e198a144 |
SHA-256 | d1570efdb61f7a2aa264f8103f6285e5330818087d3c54456e1b5335a3ca681f |
Software Bill of Materials (SBOM) #
v4.4.1 #
February 18, 2022 patch
Features:
Fixes:
- Resolved defect where the automatic upgrade failed on Microsoft SQL Server databases
Security:
Upgrade Notes:
- For MSSQL users only: If an upgrade to v4.4.0 was previously attempted and no rollback was performed yet, the following SQL statement must be executed before launching v4.4.1: `DELETE FROM "PERMISSION" WHERE "NAME" = 'VIEW_VULNERABILITY'`
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | 9d6f20709009193540c4c152f0c0757d3b26bd5e |
SHA-256 | c3eaeee440bfd1a734fb009983c97792407b107d64d4e9035a179b9b27c8ca49 |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | ebadb4576ea419eb42807f5ef2bedb572de02df0 |
SHA-256 | e7b5e0ac00bc0e1021dc7a6571e02392c6854b12bba2ceea543c3959b7572524 |
Software Bill of Materials (SBOM) #
v4.4.0 #
February 17, 2022 major
Features:
- Expanded vulnerability auditing and BOM export capabilities to include Vulnerability Exploitability Exchange (VEX) - #1365
- Added Download BOM option to frontend supporting inventory, inventory with vulnerabilities, and vex - #1365
- Added support for GitHub Advisories as a source of vulnerability intelligence - #1225
- Removed legacy support for NPM Advisories and NPM Audit - #1225
- Added support for CycloneDX external references to component details - #920
- Added new `VIEW_VULNERABILITY` permission that grants read-only access to project vulnerabilities and the audit trail. The permission also grants access to the findings API.
- Added support for ARM64 (including AArch64) container images - #1213
- Added Dependency-Track SBOMs for frontend and API Server to `/.well-known/sbom` - #1363
- Added API endpoint for teams/self specific to API key principals - #861
- Added support for Cisco WebEx as a target for alerts and notifications - #1170
- NVD feed location is now configurable to support mirrors - #1274
- Added support for OSS Index external references to increase CVE association - #1197
- Added separate log events for “invalid username/password” and “account locked” - #1189
- Added i18n support for vulnerability audit states - #946
- Added policy violations column to projects page - #94
Fixes:
- Resolved defect where the project a component belongs to may not be returned in API response - #1227
- Resolved defect where notifications limited to specific projects weren’t properly limited - #1150
- Resolved NPE in `GoModulesMetaAnalyzer` when a component without group was analyzed - #1220
- Add workaround for OSS Index ignoring the component version when prefixed with `v` - #1220
- Resolved OIDC post-login redirects for identity providers that do not support custom parameters in the `redirect_uri` parameter - #113
- Resolved defect that produced JDOObjectNotFoundException on heavy loads - #1168
- Optimized performance of VulnerabilityAnalysisTask that previously caused high load - #1212
- Resolved defect that prevented vulnerability identification for some hardware devices - #1320
- Updated docker-compose.yml to include correct CORS configuration - #1325
- Resolved incompatible dependency issue with VulnDB integration - #1349
- The upload button in the UI is now deactivated until a file is specified - #86
- Resolved issue where tooltip in UI graphs may not be displayed - #92
- Resolved issue where `v` in some ecosystem versions caused issues with analysis - #1243 #1220
- Resolved issue where BOMs containing UTF-8 byte order markers were rejected as invalid - #1214
- Resolved issue where consuming a BOM with zero components would not trigger a metric update - #1183
Security:
Upgrade Notes:
- Users and teams with `VULNERABILITY_ANALYSIS` permission are automatically granted the `VIEW_VULNERABILITY` permission during the automatic upgrade.
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | c81d753ce4376cee1ae4d2a8cf9710a9b8ceee45 |
SHA-256 | 31e685e79b658f661ce28f8c5cbc96906d23d408a2ade70ff7e7a8e20f054972 |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 2b15b51c64938997ec9fbcf66054436064d9ef23 |
SHA-256 | c45835bc09ffe30c3b8ab675267259120230992bc984348293ae32b28ce1b54c |
Software Bill of Materials (SBOM) #
v4.3.6 #
September 20, 2021 patch
Features:
Fixes:
- Added missing policy violation analysis on projects with empty component list #1183
Security:
- Added additional audit logging for login attempts where the account has been locked out #1189
Upgrade Notes:
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | d41721f52bfb17c9ba507a1ac01532071643d8ac |
SHA-256 | 83f0bc7199677e3f6f84a76673b936ca73a6b8f54d5cb7cf181f77d548d47a6b |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 31fb39d8fecb6ec1e5c02d0fdede7a3e7e1cd952 |
SHA-256 | 3b0d1905291cf74af8f9e3bd81366d2b6c278ffe4b3940c0bb649871f6dfd15d |
Software Bill of Materials (SBOM) #
v4.3.5 #
September 20, 2021 patch
No changes in this release.
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | d13ea84585009e70da2745690f4580b8db2a6e75 |
SHA-256 | 5334a13a5cc0662986d1643463c22bd6a7f3875165ad89296e2f9704b51acec5 |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 2aee316ac07c5941a7ba734c30bec4f517cc2df1 |
SHA-256 | 3053e47cee828f459bede221159d68a61294670c3aed0720901273c7f3091256 |
Software Bill of Materials (SBOM) #
v4.3.4 #
August 31, 2021 patch
Features:
Fixes:
- Logic issue that causes inconsistent vulnerability findings when uploading the same BOM to different projects - #1176
Security:
Upgrade Notes:
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | 813e3a7207e47a7ee6769a1e74b040942f8995b5 |
SHA-256 | 1f8bae644dc6982933ec080167d90a66d8090055d75aad7e924a91a9cb8783c8 |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 11db7cb3cf83b4e0d6ac121061b42d3f7e3c2c4e |
SHA-256 | f6a2012a352294371e8396396e4659789c43c40931ada0d89e5c17352de0d1f1 |
Software Bill of Materials (SBOM) #
v4.3.3 #
August 20, 2021 patch
Features:
Fixes:
- Persistence issue related to manual server-side pagination that may cause `JDOObjectNotFoundException: No such database row` - #1059
- Persistence issue that may result in ‘unknown’ project names for affected projects in the UI - #1154
- Updated frontend to v4.3.1 which includes minor fixes and dependency updates
Security:
Upgrade Notes:
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | e28bc741856904115e54dd5bf2ef09addde011e8 |
SHA-256 | b748e9b43a25068dc5096f5a68d2e21d5450fca1d3805350042a566c4506d2ba |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | e884e3e32e18ff608837cc2d33b1d1760a00d0c7 |
SHA-256 | 05b87a43da078a684126f752d83a8da7488a8c02ef6d9ae9d3f0b347baec1832 |
Software Bill of Materials (SBOM) #
v4.3.2 #
August 07, 2021 patch
Features:
Fixes:
- Resolved an issue with portfolio access control where a user belonging to multiple teams would not have access to the aggregate of all projects or components they’re permitted to - #1132
Security:
Upgrade Notes:
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | 9746e03d0bd7dc02ca1d94aa29a6445144fb7589 |
SHA-256 | 283282536ec276bf048428fc02aee119ff9e42f995c67cf169e2bd2a7a92cd31 |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 1cb384c6f5fc457cddbb93c55b7188cf5b446f6f |
SHA-256 | cbab1409dc262d461db99587bd99fe6b0677fde36414b3c6c965b14640aec29b |
Software Bill of Materials (SBOM) #
v4.3.1 #
August 03, 2021 patch
Features:
Fixes:
- Resolves an issue introduced in Datanucleus 5.2.8 that led to invalid SQL generation on Postgres databases - #1129
Security:
Upgrade Notes:
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | 6c188379b93f2b4052bb73649608db69175b0efc |
SHA-256 | 6008b32cc3cf6b13d0e7efaff335290102580bd6b518f50d630b99280a9b5538 |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 9ff235da5d4b6fb9e9fe4b6762c5dfa8d83073e9 |
SHA-256 | a64885b7146e7b74e0099a691781ef6417f094fd7424768cf25a86a7de642b00 |
Software Bill of Materials (SBOM) #
v4.3.0 #
August 02, 2021 major
Features:
- Implemented Portfolio Access Control (beta) - #140
- OpenID Connect: Source user claims from `/userinfo` and ID token - #1008
  - Resolves an issue where some IdPs would provide specific claims only in one and not the other of the two
- Added Go Modules repository support
- Added timeout for idle transactions - #941
- Components with missing or unknown license are now evaluated against policy condition - #1105
Fixes:
- Resolved issue where active projects could only be displayed when showing inactive projects - #963
- Resolved high load issues with Postgres while simultaneously increasing performance for all database platforms - #1026
- Resolved issue with OSS Index where PURLs without a version will lead to scan failure - #1115
Security:
Portfolio ACL logic has been implemented. In its current form, Portfolio Access Control is a beta feature in v4.3. As a result, the project will not treat bypass or absent ACL logic as a security defect. There are a few known gaps in ACL logic that will exist in v4.3. These gaps are tracked in #1127.
ACL logic covers:
- `/v1/bom/*`
  - Uploading SBOMs to projects or exporting SBOMs from projects or components
- `/v1/component/*`
  - CRUD operations on components
- `/v1/finding/*`
  - Security findings for projects and components
- `/v1/metrics/*`
  - Project and component metrics
- `/v1/project/*`
  - _RUD operations on projects
- `/v1/service/*`
  - CRUD operations on components
- `/v1/violation/*`
  - Project and component policy violations
- `/v1/vulnerability/*`
  - CRUD operations on vulnerable projects or components
The user interface clearly states that Portfolio Access Control is beta. By default, Portfolio Access Control is disabled.
Upgrade Notes:
- OpenID Connect: The client ID of the frontend has to be passed to the API server via the `alpine.oidc.client.id` property
  - Required for the API server to be able to validate ID tokens. Refer to the OIDC documentation for details.
- Removed legacy support for SPDX (RDF and tag/value) - #1053
- Removed legacy support for the traditional WAR (was previously deprecated and unsupported) - #1070
dependency-track-apiserver.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 1c19a467705631c3c4449fa3f95c9d4a73d26caa |
SHA-256 | 34e0cc69eb6934d9e25573d29870cefce75d07d97fb06d58e8830f566256e1dc |
dependency-track-bundled.jar #
Algorithm | Checksum |
---|---|
SHA-1 | 3e3a9edb9a9077fc5e2b2634f5967d1a61b0e1cb |
SHA-256 | 78c5a7acf02d5d5f7231c444fdc58b38f12ebec20453c51106200ca0d644b387 |
Software Bill of Materials (SBOM) #
v4.2.2 #
May 07, 2021 patch
Features:
Fixes:
- Resolved issue originating from changes in the NVD JSON feed which prevented the identification of vulnerabilities by a component’s CPE. (#1018), (#1033)
Security:
Upgrade Notes:
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | 60a87ecafd9ba4b0ba119a65e1a041b0c5f576ea |
SHA-256 | bd20dbee794fa0c37c345526204058dbfbdd734acaf257783f9cb47e2cf17c63 |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 748b3fbf89efb61d29a468e3cd1c90bfcaeb3c4e |
SHA-256 | 93948be57b0e7864b872a2869c840c50bf9f2b3d1e9cc75794abea4c53038851 |
dependency-track.war #
Algorithm | Checksum |
---|---|
SHA-1 | 35b61e4309303a7ad605c21cfa5eddcbabcfa15f |
SHA-256 | 965508b98df6701ffea13ec9bcfb2f3d8a7e14eba95a68f5c266a2b75b1db109 |
Software Bill of Materials (SBOM) #
v4.2.1 #
March 20, 2021 patch
Features:
Fixes:
- Resolves an issue in OIDC support where “email” could not be used as the username claim
Security:
Upgrade Notes:
dependency-track-apiserver.war #
Algorithm | Checksum |
---|---|
SHA-1 | 92a0e935c7d4309e67fc7eb149191d96a1635c8b |
SHA-256 | 80cc253d05ccb91aa432667bf7d418bc8327f82b1dfe770aec71c434d0ecd308 |
dependency-track-bundled.war #
Algorithm | Checksum |
---|---|
SHA-1 | 930d89d1a37e85130a6603969f30253fe842a6e0 |
SHA-256 | 2b27c6f1918a897f22b48542010611c67fa137f399521a45c900ee59120b81c5 |
dependency-track.war #
Algorithm | Checksum |
---|---|
SHA-1 | 7a3061da05f67fd4f98b149eeb6d588389d1b202 |
SHA-256 | 06da5d59c8404f31d3497d163a2d3fe75f35af50374339315c6161dd0b989637 |
Software Bill of Materials (SBOM) #
v4.2.0 #
March 17, 2021 major
Features:
- Added support for capturing dependency graphs from CycloneDX SBOMs
- Added dynamic visualization of dependency graphs in user interface
- Added support for services defined in CycloneDX SBOMs
- Added support for CWE v4
- Add support for version policy conditions and version comparisons in the coordinates condition (#390)
- Detail modals for projects, components, services, and vulnerabilities now display the object’s UUID
Fixes:
- Added support for Fortify SSC 20.1 and higher. This fixes a breaking change introduced in SSC 20.1
- Added missing database index to increase performance when a large number of components are in the portfolio
- Fixed multiple issues when cloning projects
Security:
Upgrade Notes:
- OpenID Connect: To facilitate support for post-login redirects, the valid redirect URIs client setting in IdPs may need to be updated. Refer to the OIDC documentation for details.
- The internal port the frontend container listens on has changed from port 80 to port 8080. docker-compose files may need to be updated to reflect this change. Updated compose files are available for download.
- Starting with Dependency-Track v4.2, the API Server and the Frontend now share the same major and minor (semantic) version. Patch versions, however, may continue to differ.
dependency-track-apiserver.war #
Algorithm | Checksum |
SHA-1 | f1776e778405b5f6be2903d317463a74153c5319 |
SHA-256 | a47a3073def269e810d53de781cd7c22620e94ca80df3f781d528a7a5fe4c779 |
dependency-track-bundled.war #
Algorithm | Checksum |
SHA-1 | c3c2f931cc4f835eddd0013a885e13c16f990ea9 |
SHA-256 | 7d61818c281c6540ff4273d4d4c5d9d6e63b86b55f13e92fca7ba2921613800c |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | 1634d6cf94761d3b0839f4b4a4d9fdd53d314ba6 |
SHA-256 | 792dc2adcc33c936629d014dacca8965d001bd1d236893df50dc88dc332d4d21 |
Software Bill of Materials (SBOM) #
v4.1.0 #
February 09, 2021 major
Features:
- Added support for vulnerabilities in policy violations
- Added Packagist (PHP Composer) repository support
- Added Rust Cargo repository support
- Added integration support for DefectDojo
- Added a notes field for components
- Updated Java requirements to Java 11
Fixes:
- Fixed issue that prevented SWID tag ID from being persisted when BOMs were consumed
- Added a safeguard that should detect future occurrences of NPM Advisory API pagination not working
Upgrade Notes:
- Support for Java 8 was dropped. API Server now requires Java 11
- Downloading a CycloneDX BOM for a project now results in the IANA media types application/vnd.cyclonedx+xml and application/vnd.cyclonedx+json in the response header.
dependency-track-apiserver.war #
Algorithm | Checksum |
SHA-1 | ed951e6a1db32b5541b646f7595cce28345c816d |
SHA-256 | e459525d279abef75f0d6cef756636503b1040939778df14decaaca65d284db1 |
dependency-track-bundled.war #
Algorithm | Checksum |
SHA-1 | 669955757d9f5fe1e145ac61e761358986697b3d |
SHA-256 | a33f70500087fc6cfa9ffdeba1ac20de474ba28c1572f85337f04765e961f66c |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | a2ab12792eebcf420e6f0b07baa4a49bce5e0082 |
SHA-256 | c47fa7e5c2049e1f677b552838b7b5ee6971dfdee942f2e3ce1f0aa708a9dfaa |
Software Bill of Materials (SBOM) #
v4.0.1 #
January 12, 2021 minor
Fixes:
- Fixes issue that resulted in policy violations being returned for all projects rather than only the project for which the query was made.
dependency-track-apiserver.war #
Algorithm | Checksum |
SHA-1 | 5fb224978c700f5c38d49527669da262a324a9be |
SHA-256 | d46594ec65c0a30b645eb13419bdc36df41cc6d71053b8bb9efdee80d4de7b99 |
dependency-track-bundled.war #
Algorithm | Checksum |
SHA-1 | d9275f0b660b54205ec811c0d0cab9f584ba2a91 |
SHA-256 | 89e155529036c5f8eb977f0c611eac2abc9496c55d2c49dd4dec14dbc5acb431 |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | 59b571d0b1ee97a12342938d0d3b17b287c86ad4 |
SHA-256 | a54b564123873ea3c2378c2dce5a9ecf0000df6ee0721f9d3ddf0349ba4c575f |
Software Bill of Materials (SBOM) #
v4.0.0 #
January 03, 2021 major
Features:
- Flexible, project-centric data model
- Added policy engine, configurable policies, policy evaluation, and auditing workflow
- Added default license groups
- Anonymous access to Sonatype OSS Index is now enabled by default
- Component vulnerabilities are now attributed to the analyzers responsible for finding them
- Added support for CycloneDX 1.2 and SPDX 2.2
- Added component support for Blake2b and Blake3 hash algorithms
- Added component support for SWID Tag ID
- Projects now have identity, similar to components, and support coordinates (group, name, version), CPE, Package URL, and SWID Tag ID
- Added support for firmware and container component types
- When generating a CycloneDX BOM from a project or component, v1.2 of the spec is now produced
- Updated SPDX license list to v3.11
- Dropped support for NVD JSON v1.0 data feeds
- Optimized NVD mirroring logic
- Inactive projects are omitted from portfolio metrics
- Updates to the notification email template for BOM consumed and BOM processed
Fixes:
- Fixed issue with scoped NPM packages not being identified correctly
- Fixed issue that failed to report new vulnerabilities on existing components
- Fixed broken weakness (CWE) link on some vulnerabilities
- Fixed failure on mail notifications when multiple addresses were configured
- Fixed container healthcheck to specify use of no-proxy
- Fixed issue where component descriptions in a BOM were not being saved
Upgrade Notes:
- The Dependency-Track v4 data model is incompatible with previous releases. As a result, it is not possible to simply upgrade as with previous versions. A data migration is required to update from 3.8 to 4.0. The migration is a standalone set of scripts that must be executed against the database in order to migrate the data to the new model. Refer to the official v3.8.0 to v4.0.0 Migration Project for more information.
- Four Dependency-Track distribution variants are provided. Refer to Distributions for details.
- The traditional WAR distribution is deprecated and no longer supported. It is still being produced as of this release but will be discontinued in a future release.
- Docker images have been moved from the OWASP organization on Docker Hub to a dedicated Dependency-Track organization.
- The FrontEnd requires deployment to the root (“/”) context. Deploying to any context other than root is no longer supported.
- Some APIs have changed as of this release. APIs that were specific to the global component model have been removed. APIs that referenced a ‘dependency’ in the model have changed. Components are now assigned directly to projects themselves, thus eliminating the need for ‘dependency’ objects in v4.
- The MySQL Connector distributed with the Docker image has been updated to version 8.0.22. When using MySQL, ALPINE_DATABASE_DRIVER_PATH has to be set to /extlib/mysql-connector-java-8.0.22.jar. Note that ALPINE_DATABASE_DRIVER may need to be updated as well. Refer to the official upgrading instructions.
- The Postgres driver distributed with the Docker image has been updated to version 42.2.18. When using Postgres, ALPINE_DATABASE_DRIVER_PATH has to be set to /extlib/postgresql-42.2.18.jar.
dependency-track-apiserver.war #
Algorithm | Checksum |
SHA-1 | 9124352542544c5662d3ebf34d951e61f08ff231 |
SHA-256 | 6b6b8d608b467da087fb7ebe12fb6bbb2a418d97168baa186b1320fdb3b49a91 |
dependency-track-bundled.war #
Algorithm | Checksum |
SHA-1 | 9a4f516e5fcd6eae117465732e3dcaa69227d238 |
SHA-256 | 2e66976b5f890186e64255484f262564e23e8a3ce482769374959c7ddc55c42c |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | a489586be032890ec6cddc5ec839da57026837a7 |
SHA-256 | 152819d9b80377f6b672fbdc6448d7ea250f3bba43c479c335404faa700d9b24 |
Software Bill of Materials (SBOM) #
v3.8.0 #
March 22, 2020 major
Bundled frontend: v1.0.0
Features:
- New user interface based on Vue.js and Bootstrap.
- User interface can optionally be deployed and upgraded independently of the Dependency-Track server.
- Package repositories are now configurable.
- Package repositories can now be identified as ‘internal’. Components identified as ‘internal’ will be analyzed using internal repositories.
- Added additional logging and notifications for OSS Index and NPM Audit analyzers.
- Added the ability to publish system notifications when vulnerability analyzers encounter communication or other errors.
- Added several occurrences of counts for various items throughout the UI.
Fixes:
- Corrected the percentage value of findings audited.
- Fixed URL to Maven Central which prevented the MavenMetaAnalyzer from retrieving component metadata.
- Changed logging behavior when internal components are identified.
- Improved accuracy of internal CPE analyzer, which may have led to false negatives in some situations.
- Fixed issue where the CPE value defined in a BOM was not being persisted if the component previously existed.
- Fixed issue which prevented the HexMetaAnalyzer from executing, and thus from retrieving component metadata for Erlang or Elixir components.
Security:
- All Dependency-Track server releases now include a complete CycloneDX software bill-of-materials.
- Added missing permission checks to repository API endpoints.
Upgrade Notes:
- The nist and index directories inside the Dependency-Track data directory will be deleted upon upgrade. This will force the NVD to be downloaded and reprocessed and the indexes to be rebuilt.
- The internal vulnerable software dictionary, generated automatically from the NVD, will be wiped upon upgrade. This will take several minutes to complete and should not be interrupted.
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | 091627dfa144a1313bf9090d8f67b4760e635b23 |
SHA-256 | 56674c40da9dc4277b6c8238d0dc6cc28bdf3b4cc51b7b845606b1a2c149070b |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | 1db04afbc1b66421dd6fe0db816ec14362b895d1 |
SHA-256 | 9fd73c4ea24352b6165106c1d5a1b88bd43ea9e6ba0e15a733a217a59d7bd268 |
Software Bill-of-Materials (SBOM) #
v3.7.1 #
January 07, 2020 minor
Features:
- Added additional debug logging to metric update tasks
Fixes:
- Fixed portfolio metrics issue that allowed multiple operations to be executed simultaneously leading to performance degradation
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | 5cd02dc5c6ca8aba3cea1ad5ad03d039ecdd757c |
SHA-256 | f80f527d96692a45f3bba86849551debf4b407bd880f104b890912975cc865ca |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | 766d5394ce7a5a0e08c96a55930adc3377897d99 |
SHA-256 | 4e6233013af574585d93dd99586455a810ea434c3bc5da95e53aad45751f5bc2 |
v3.7.0 #
December 16, 2019 major
Features:
- Application context is now configurable in the Docker container
- SVG badges may now be retrieved via the project name and version
- Added Hex repository support for Erlang, Elixir, and other BEAM languages
- Added configurable support for defining components as internal which are not subject to external analysis
- Increased CPE analysis precision for components with CPEs containing a value in the update field
Fixes:
- Fixed defect in /api/v1/project that returned a server error if the ‘name’ parameter was specified
- Fixed defect resulting in invalid gzip response body when Accept-Encoding was not specified
- Fixed defect resulting in licenses not being loaded if Dependency-Track is deployed to a directory containing a space
- Changed behavior when parsing an invalid CPE to display a single line warning rather than the full stack trace
- Fixed defect resulting in a project not being able to be deleted when that project was part of a notification rule
- Fixed encoding issue affecting project names containing special characters
Security:
- GHSA-4gqv-hcmg-jw33 Cross-Site Scripting (XSS): Persistent
- GHSA-6j82-qv49-r46p Cross-Site Scripting (XSS): Persistent
Upgrade Notes:
- Support for consuming Dependency-Check v4.x XML reports has been removed
- The following can safely be (optionally) dropped upon a successful upgrade (consult log):
  - Tables:
    - SCANS_COMPONENTS
    - SCAN
  - Columns:
    - LAST_SCAN_IMPORTED (in PROJECT table)
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | e946c65ec0ff5ba12e843789b917caab635bfe62 |
SHA-256 | bd02a522a8c9beeb8dd7964f07eb27a7a02ce8bbf6a7c8af3378bb26fc98a087 |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | 22da81fb91b5641fcb805c74063c11e521fe0ad4 |
SHA-256 | 9207e25b19d34b57804f25e9881e663ebb56333520b039c5ccfd93209295b0a1 |
v3.6.1 #
October 01, 2019 minor
Fixes:
- Fixed issue that prevented upgrades to 3.6.0 when using Microsoft SQL Server
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | f18f248d2601878b3d437e3c6539311dc4a31c47 |
SHA-256 | b24cc49e8483c4841d6bc3efa9c1f944836a9524028960ee463ae4db7dac7c02 |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | b758993e26f812494ca0191e7ad39037f2cd79ea |
SHA-256 | da128b3602ea4e0214558074abd3df30201e7d858b79a7abb5065d358db19b40 |
v3.6.0 #
September 28, 2019 major
Features:
- Added configurable option to enable/disable BOMs based on format (CycloneDX enabled by default)
- Added support for the official CPE v2.3 dictionary and vulnerabilities with CPEs of affected products
- Added ability to identify vulnerabilities in components solely by their CPE
- Added full support for VulnDB as a source of vulnerability intelligence
- Added support for SVG badges
- Added additional logging during metrics updates
- Docker container now supports Kubernetes and OpenShift
- Docker container now has configurable support for specifying logging levels
- Added Inherited Risk Score to project list view with the ability to sort on risk score
- Added an ‘active’ flag to projects with the default behavior of hiding inactive projects
- Added BOM_CONSUMED and BOM_PROCESSED notifications which can optionally deliver BOMs via webhooks
- Added support for last BOM imported including the BOM type and version
- Added an API to lookup a project by its name and version
- Added analysis interval throttle to prevent repeated analysis requests for the same components
- Slack and email alerts now contain links back to Dependency-Track
- Added support for Java 11
Fixes:
- Fix for GLOBAL_AUDIT_CHANGE not including affected projects
- Fixed issue that prevented Dependency-Track from working with non-default URL contexts
- Fixed intermittent persistence issue resulting in NPE in BomUploadProcessingTask
- Fixed issue resulting in incorrect percentage audited on project findings
- Fixed OSS Index analyzer in response to the URL changes from ossindex.net to ossindex.sonatype.org
Upgrade Notes:
- Support for SPDX BOMs and Dependency-Check XML reports are disabled by default
- Replaced embedded Dependency-Check library with internal CPE analyzer
- Dependency-Track no longer mirrors XML data feeds from the NVD
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | 6cd17d5a31472f7f60e674e2d7fc2e3050085808 |
SHA-256 | bbb72fa3b6246b7afa7c22b103f0c85daf82565a38ae12973043775e6b27fd6e |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | f7b88825dbaf8b837977954f5a7e506952ed8361 |
SHA-256 | a1d0d308a46d30399e9ff9a0334fe3be70345aa12c30c0d1d6bfccdcafe062e2 |
v3.5.1 #
July 17, 2019 minor
Fixes:
- GHSA-jp9v-w6vw-9m5v Cross-Site Scripting (XSS): Persistent
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | aafdfa3142dc478b95f1d6ffc268b2a1832ccb29 |
SHA-256 | 73bbe06a22f84ce7b099da3c552e267c980f0f8c58ca6cccdd3eaa210bfe9b6c |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | cf71dbf7ae697038d6a42485f14991f343ffdeff |
SHA-256 | 271705e72e94e9f9fb36159ea110a05ff465c4d1f2572a89570774e57c08a247 |
v3.5.0 #
June 07, 2019 major
Features:
- Improved performance, reliability, and quality
- Added support for importing CycloneDX v1.1 BOMs
- Added additional logging and enhanced logging configuration
- Added configurable CORS support
Fixes:
- Numerous. The majority of known defects have been resolved
Upgrade Notes:
Two new LDAP properties were introduced in v3.5.0 that affect LDAP configuration. The properties are:
- alpine.ldap.groups.search.filter
- alpine.ldap.users.search.filter
Refer to Configuration and Deploying Docker Container for details.
Additional properties introduced in this release are:
- alpine.database.pool.enabled
- alpine.database.pool.max.size
- alpine.database.pool.idle.timeout
- alpine.database.pool.max.lifetime
Under most situations, changing these values is not recommended and may introduce unintended consequences.
One important change in this release is that the default value of alpine.database.pool.max.lifetime has changed from 30 minutes (in previous releases) to 10 minutes.
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | 7d66f0530d74ff9bc0de628d5e76b5ee6ed6ead7 |
SHA-256 | 8bbf820fde7843a680fd51eed831aeddd61507f5420abb68b46859168cc98919 |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | 0bb9a0737a36ebbcd88fe91ca595f12957e85583 |
SHA-256 | 143ed44988419ba84cc3956e602e297f025149f19faa65f32c0e8311b71fed5b |
v3.4.1 #
April 16, 2019 minor
Fixes:
- Fixed defect that caused high CPU consumption (via thread exhaustion) in some cases when NPM Audit was enabled.
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | f8da8e34a3cabcf72b721488f5294710ff632bf6 |
SHA-256 | 72391cc636c2159ffc0c516f2001688129a3b6424164c98ce9045c0fd5c3219b |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | 1cdb5b6c5698229b21acbc610df77ec819ad5180 |
SHA-256 | 619e9ae00feb9f9723bef68981d32932d2d5cdf808b192619bf072d525224f5e |
v3.4.0 #
December 22, 2018 major
Features:
- Improvements to Findings API
- Created Finding Packaging Format for the native exporting of findings
- Added support for external integrations including:
- Fortify Software Security Center
- Kenna Security
- Added repository (and outdated version detection) support for NuGet and Pypi
- Updated SPDX license list to v3.3
- Added support for identifying FSF Libre licenses
- Updated Java version in Docker container
- Docker container can now be fully configured with environment variables
- Added Test Configuration button when configuring SMTP settings
- Added logfile rotation with default 10MB cap (configurable)
Fixes:
- Corrected issue that incorrectly returned suppressed vulnerabilities when queried for non-suppressed ones
- Fixed issue that resulted in server/UI timeouts due to excessive license payload
- Fixed NPE that occurred when the configured SMTP server didn’t require authentication
- Added workaround for outstanding OSS Index defect where the service didn’t process PackageURLs containing qualifiers
- Updated OpenUnirest which addressed configuration issue with library not honoring proxy server settings
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | 676e04e0ef002e371da3b5eab239b0ab55dffe57 |
SHA-256 | 006801f124d190e929ab7e6352adcc0bf89047259eff5a15cf4d54a01d7b402d |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | 15309c0818034ac99f603b52f242748b255818b9 |
SHA-256 | 624fa3e7f458b163a0bbb8f05ee7cb1cf052d6d4ea53ff2b43686dd55bb83135 |
v3.3.1 #
November 13, 2018 minor
Features:
- Improved findings API to support a wider range of use-cases
Fixes:
- When importing some npm dependencies (via Dependency-Check report), some modules would get misidentified causing an NPE
- Fixed non-standard Java versioning schemes (such as Debian OpenJDK) that caused version comparison to fail
- Corrected issue that resulted in suppressed vulnerabilities being returned from a query as if they were not suppressed
- Fixed issue preventing saving of SMTP settings with anonymous authentication
Upgrade Notes:
The format of the findings API has changed and will not be versioned. This API is used to present findings from the audit tab in the UI. If this API was being used outside the UI, please note that the response format has changed.
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | f7a0fcf9568a765b9bb3cdf3465f475810c333e8 |
SHA-256 | f5693cab665932c80e7056c37ed93bf61a1638e252e48e9c0717b8d0c4740ea4 |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | bfcf20a5cb87d562b781419f7b989c35ff67e390 |
SHA-256 | 91156bc404ab84a09e912302888ef06c52813764e88ad73039550a9ff2e82b91 |
v3.3.0 #
October 25, 2018 major
Features:
- The ability to manually upload a CycloneDX or SPDX BOM from the user interface
- Optional automated provisioning of LDAP users
- Optional synchronization of team membership based on a user's LDAP group membership
- Added API that provides component metadata from a project in CycloneDX format
- Added ability to track the progress of work performed when a BOM is uploaded
- Added tracking of audited and unaudited metrics
- Added ability to add new project version and optionally clone source metadata
- Added ability to search by tag name when displaying projects
- Added checksum generation when publishing a release (backported to 3.2.2)
- The NSP Advisory API has been removed and replaced with the NPM Public Advisory API (backported to v3.2.1)
Fixes:
- Fixed numerous LDAP compatibility issues
- Added additional logging when BOM upload is not in a supported format
Upgrade Notes:
This release of Dependency-Track supports a wide range of LDAP implementations and has been tested with Active Directory, ApacheDS, Fedora 389 Directory, and NetIQ/Novell eDirectory. In order to ensure compatibility, some existing LDAP configuration properties have been changed.
# This property has been removed
alpine.ldap.domain
# This property now refers to the user's DN
alpine.ldap.bind.username
# Format now applies only to the value of alpine.ldap.attribute.name.
# Examples have been modified. A user's DN is no longer a valid format.
alpine.ldap.auth.username.format
# New properties
alpine.ldap.groups.filter
alpine.ldap.user.groups.filter
alpine.ldap.user.provisioning
alpine.ldap.team.synchronization
See Also:
- Configuration (updated)
- LDAP Configuration (examples)
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | 413b47068dd1272f0ea6c4af67dc1465fcf10674 |
SHA-256 | 5632d6efa8c6ea2633bb767d09c73c4ee68e9319b638ce00da4c422f5123c906 |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | 1a8dc64a7535375fdd4ff789eeb9d3635dcba019 |
SHA-256 | 96e20c0b72e3d8c460dfe3ce2b9aca72c6114492747db9afffca9784c64d23b9 |
v3.2.2 #
October 02, 2018 minor
Fixes:
- Critical defect which may lead to duplicate or erroneous requests to NPM Audit API
Changes:
- Added checksums.xml including SHA-1, SHA-256, SHA-512 checksums for traditional and embedded wars to GitHub releases.
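Every release above publishes a SHA-1 and SHA-256 digest for each WAR, and from this release the same digests ship in checksums.xml. Verifying the downloaded artifact against the published digest before deploying it is the cheap supply-chain check those tables exist for. The script below is an added example and not part of Dependency-Track; it assumes the artifact has already been downloaded and that the expected digest is copied from the table for that release (or from checksums.xml), and it uses sha256sum where available and shasum otherwise.

```shell
#!/bin/sh
# Added example: verify a downloaded release artifact against its published
# SHA-256 digest before deploying it. Not part of Dependency-Track itself.

# sha256_of FILE -> prints the lowercase hex digest using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_SHA256 -> returns 0 on match, 1 otherwise.
# The expected value is lower-cased first so a digest pasted in upper case
# still compares equal; a missing file is treated as a failure, not a skip.
verify_checksum() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Usage, with the SHA-256 of dependency-track.war from the v3.2.2 table:
# verify_checksum dependency-track.war c154f0f07c9875d602d3e1df93d93d617e83f350ef683bdb16eb193d03a86ea5
```

Run it as a gate in the deployment script so a mismatch (a truncated download, a tampered mirror, or simply the wrong release) stops the deploy rather than being discovered after the container is already serving traffic. Prefer the SHA-256 column over SHA-1 when both are listed.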
dependency-track-embedded.war #
Algorithm | Checksum |
SHA-1 | fead4ed834b4738b8c19c427ae57653f7af4a3b8 |
SHA-256 | ee53ceacb07b0b0b4dfa88e2bdc2e905668f0dd6d42ca1000b3204d0a2ee1842 |
dependency-track.war #
Algorithm | Checksum |
SHA-1 | defbb7a40bb12c3beacdeb43fb5fd325d226da50 |
SHA-256 | c154f0f07c9875d602d3e1df93d93d617e83f350ef683bdb16eb193d03a86ea5 |
v3.2.1 #
September 21, 2018 minor
Features:
- The NSP Advisory API has been removed and replaced with the NPM Public Advisory API
Fixes:
- Processing and permission corrections to new multi-part BOM upload API
- UI corrections for vulnerabilities with unassigned severity
- Fixes for displaying and processing of vulnerabilities without CVSS scores
- Minor changes to severity colour scheme
Upgrade Notes:
All previous NSP vulnerabilities will automatically be migrated to NPM vulnerabilities. No additional action is required. Unlike NSP vulnerabilities, NPM does not provide CVSS scores or vectors. Therefore all NPM vulnerabilities will no longer display the CVSS vector, or the base, impact, or exploitability scores and corresponding chart data.
v3.2.0 #
September 06, 2018 major
Features:
- Configurable notifications of new vulnerabilities, vulnerable dependencies, analysis decision changes, and system events
- Added Slack, Microsoft Teams, Outbound Webhook, Email, and system console notification publishers
- Replaced NSP Check API with NPM Audit API
- Added support for Sonatype OSS Index
- Updated SPDX license IDs to v3.2
- General improvements in logging when error conditions are encountered
- Improvements to Dependency-Check XML report parsing
- Added native CPE 2.2 and 2.3 parsing capability
- Enhanced administrative interface with options for repositories and general configuration
- Updated Java version used in Docker container
Fixes:
- The audit table did not reflect the correct analysis and suppressed data
- Added validation when processing Dependency-Check XML reports containing invalid Maven GAVs
- Corrected issue with NVD mirroring affecting Docker containers and case-sensitive filesystems
Upgrade Notes:
- The PROJECT_CREATION_UPLOAD permission was introduced in this release. Existing API keys that need the ability to dynamically create projects (without providing them full PORTFOLIO_MANAGEMENT permission) will need this permission added to their account or through their team membership.
- The SYSTEM_CONFIGURATION permission was introduced in this release. Existing administrative users that need the ability to perform more general purpose system configurations need to add this permission to their accounts.
- Upgrades to v3.2.0 can be successfully performed from systems running v3.1.x. If a previous version is being used, an upgrade to 3.1.x is required prior to upgrading to v3.2.0.
v3.1.1 #
June 20, 2018 minor
Fixes:
- Fixed issue where new permissions were not being added to database on upgrades
v3.1.0 #
June 19, 2018 major
Features:
- Support for advanced auditing workflow to easily triage findings
- Support for external repositories to retrieve additional component metadata from
- Support for SPDX 3.1 license IDs
- NVD mirroring support for Dependency-Check (and other) clients
- Support for out-of-date version detection (rubygems, maven, and npm)
- Enhanced API to (optionally) autocreate project on bom/scan upload
- Better support for Dependency-Check “relatedDependencies”
- Added individual component metrics (independent of dependency metrics)
- Added per project and per component overview with metrics and refresh support
- Specific table columns can now be sorted with full pagination support
- Improved error logging when issues are encountered during BOM and scan processing
- Enhanced LDAP integration to support strong authentication mechanisms and configurable user formats
- General performance improvements on multi-core machines
- Minor enhancements to user interface
Fixes:
- Fixed defect that prevented paginated results on project tag searches
- Fixed defect affecting GAV identifiers in Dependency-Check Gradle/CLI reports not being in parenthesis
Upgrade Notes:
- The VULNERABILITY_ANALYSIS permission was introduced in this release. Existing users that need the ability to audit findings will need this permission added to their account or through their team membership.
- MySQL now requires ANSI_QUOTES to be added to the SQL mode. Refer to Database Support for details.
v3.0.4 #
May 02, 2018 minor
Fixes:
- Fixed defect resulting in incorrect results returned when filtering on components in the project view
- Synced CycloneDX specification to latest v1.0.1 release
v3.0.3 #
April 13, 2018 minor
Fixes:
- Fixed defect resulting in incorrect vulnerability counts for projects
- Fixed defect which prevented project metrics from returning results
- Fixed issue related to the assignment of tags on project creation
- Added the VIEW_PORTFOLIO permission to the ‘automation’ team on new installs
- Updated several dependencies
- Performance improvements in database connection pool
- Fixed defect where database connections were not being reconnected if the connection was lost
- Fixed multiple defects related to component reconciliation when processing BOM and scan uploads
v3.0.2 #
March 30, 2018 minor
Fixes:
- Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring.
v3.0.1 #
March 29, 2018 minor
Fixes:
- Fixed data model issue which prevented multiple versions of the same project name from being persisted.
- Fixed issue in admin console which did not properly display the number of team members.
Upgrade Notes:
If v3.0.0 was deployed, shutdown Dependency-Track, execute the following statement against the database, and deploy v3.0.1.
/*
Removes the constraint on having a unique project name thus preventing
multiple versions of the project from existing.
https://github.com/DependencyTrack/dependency-track/issues/118
*/
ALTER TABLE PROJECT DROP CONSTRAINT PROJECT_NAME_IDX;
v3.0.0 #
March 27, 2018 major
Project Reboot Successful! This is the first release after being developed from the ground up.
Features:
- Dramatically increases visibility into the use of vulnerable components
- Supports an unlimited number of projects and components
- Projects can range from applications, operating systems, firmware, to IoT devices
- Tracks vulnerabilities across entire project portfolio
- Tracks vulnerabilities by component
- Easily identify projects that are potentially vulnerable to newly published vulnerabilities
- Supports standardized SPDX license IDs and tracks license use by component
- Supports CycloneDX and SPDX bill-of-material formats
- Easy to read metrics for components, projects, and portfolio
- API-first design facilitates easy integration with other systems
- API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
- Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys
- Simple to install and configure. Get up and running in just a few minutes
Fixes: