Dependency-Track logo Dependency-Track

Subscribe with RSS to keep up with the latest changes.


November 13, 2018 minor


  • Improved findings API to support a wider range of use-cases


  • When importing some npm dependencies (via Dependency-Check report), some modules would get misidentified causing an NPE
  • Fixed non-standard Java versioning schemes (such as Debian OpenJDK) that caused version comparison to fail
  • Corrected issue that resulted in suppressed vulnerabilities to be returned from a query as if they were not suppressed
  • Fixed issue preventing saving of SMTP settings with anonymous authentication

Upgrade Notes:

The format of the findings API has changed and will not be versioned. This API is used to present findings from the audit tab in the UI. If this API was being used outside the UI, please note that the response format has changed.

Algorithm Checksum
SHA-1 f7a0fcf9568a765b9bb3cdf3465f475810c333e8
SHA-256 f5693cab665932c80e7056c37ed93bf61a1638e252e48e9c0717b8d0c4740ea4
Algorithm Checksum
SHA-1 bfcf20a5cb87d562b781419f7b989c35ff67e390
SHA-256 91156bc404ab84a09e912302888ef06c52813764e88ad73039550a9ff2e82b91


October 25, 2018 major


  • The ability to manually upload a CycloneDX or SPDX BOM from the user interface
  • Optional automated provisioning of LDAP users
  • Optional synchronization of team membership based on a users LDAP group membership
  • Added API that provides component metadata from a project in CycloneDX format
  • Added ability to track the progress of work performed when a BOM is uploaded
  • Added tracking of audited and unaudited metrics
  • Added ability to add new project version and optionally clone source metadata
  • Added ability to search by tag name when displaying projects
  • Added checksum generation when publishing a release (backported to 3.2.2)
  • The NSP Advisory API has been removed and replaced with the NPM Public Advisory API (backported to v3.2.1)


  • Fixed numerous LDAP compatibility issues
  • Added additional logging when BOM upload is not in a supported format

Upgrade Notes:

This release of Dependency-Track supports a wide range of LDAP implementations and has been tested with Active Directory, ApacheDS, Fedora 389 Directory, and NetIQ/Novell eDirectory. In order to ensure compatibility, some existing LDAP configuration properties have been changed.

# This property has been removed
# This property now refers to the users DN
# Format now applies only to the value of 
# Examples have been modified. A users DN is no longer a valid format.
# New properties

See Also:

Algorithm Checksum
SHA-1 413b47068dd1272f0ea6c4af67dc1465fcf10674
SHA-256 5632d6efa8c6ea2633bb767d09c73c4ee68e9319b638ce00da4c422f5123c906
Algorithm Checksum
SHA-1 1a8dc64a7535375fdd4ff789eeb9d3635dcba019
SHA-256 96e20c0b72e3d8c460dfe3ce2b9aca72c6114492747db9afffca9784c64d23b9


October 02, 2018 minor


  • Critical defect which may lead to duplicate or erroneous requests to NPM Audit API


  • Added checksums.xml including SHA-1, SHA-256, SHA-512 checksums for traditional and embedded wars to GitHub releases.
Algorithm Checksum
SHA-1 fead4ed834b4738b8c19c427ae57653f7af4a3b8
SHA-256 ee53ceacb07b0b0b4dfa88e2bdc2e905668f0dd6d42ca1000b3204d0a2ee1842
Algorithm Checksum
SHA-1 defbb7a40bb12c3beacdeb43fb5fd325d226da50
SHA-256 c154f0f07c9875d602d3e1df93d93d617e83f350ef683bdb16eb193d03a86ea5


September 21, 2018 minor


  • The NSP Advisory API has been removed and replaced with the NPM Public Advisory API


  • Processing and permission corrections to new multi-part BOM upload API
  • UI corrections for vulnerabilities with unassigned severity
  • Fixes for displaying and processing of vulnerabilities without CVSS scores
  • Minor changes to severity colour scheme

Upgrade Notes:

All previous NSP vulnerabilities will automatically be migrated to NPM vulnerabilities. No additional action is required. Unlike NSP vulnerabilities, NPM does not provide CVSS scores or vectors. Therefore all NPM vulnerabilities will no longer display the CVSS vector, or the base, impact, or exploitability scores and corresponding chart data.


September 06, 2018 major


  • Configurable notifications of new vulnerabilities, vulnerable dependencies, analysis decision changes, and system events
  • Added Slack, Microsoft Teams, Outbound Webhook, Email, and system console notification publishers
  • Replaced NSP Check API with NPM Audit API
  • Added support for Sonatype OSS Index
  • Updated SPDX license IDs to v3.2
  • General improvements in logging when error conditions are encountered
  • Improvements to Dependency-Check XML report parsing
  • Added native CPE 2.2 and 2.3 parsing capability
  • Enhanced administrative interface with options for repositories and general configuration
  • Updated Java version used in Docker container


  • The audit table did not reflect the correct analysis and suppressed data
  • Added validation when processing Dependency-Check XML reports containing invalid Maven GAVs
  • Corrected issue with NVD mirroring affecting Docker containers and case-sensitive filesystems

Upgrade Notes:

  • The PROJECT_CREATION_UPLOAD permission was introduced in this release. Existing API keys that need the ability to dynamically create projects (without providing them full PORTFOLIO_MANAGEMENT permission) will need this permission added to their account or through their team membership.

  • The SYSTEM_CONFIGURATION permission was introduced in this release. Existing administrative users that need the ability to perform more general purpose system configurations need to add this permission to their accounts.

  • Upgrades to v3.2.0 can be successfully performed from systems running v3.1.x. If a previous version is being used, an upgrade to 3.1.x is required prior to upgrading to v3.2.0.


June 20, 2018 minor


  • Fixed issue where new permissions were not being added to database on upgrades


June 19, 2018 major


  • Support for advanced auditing workflow to easily triage findings
  • Support for external repositories to retrieve additional component metadata from
  • Support for SPDX 3.1 license IDs
  • NVD mirroring support for Dependency-Check (and other) clients
  • Support for out-of-date version detection (rubygems, maven, and npm)
  • Enhanced API to (optionally) autocreate project on bom/scan upload
  • Better support for Dependency-Check “relatedDependencies”
  • Added individual component metrics (independent of dependency metrics)
  • Added per project and per component overview with metrics and refresh support
  • Specific table columns can now be sorted with full pagination support
  • Improved error logging when issues are encountered during BOM and scan processing
  • Enhanced LDAP integration to support strong authentication mechanisms and configurable user formats
  • General performance improvements on multi-core machines
  • Minor enhancements to user interface


  • Fixed defect that prevented paginated results on project tag searches
  • Fixed defect affecting GAV identifiers in Dependency-Check Gradle/CLI reports not being in parenthesis

Upgrade Notes:

  • The VULNERABILITY_ANALYSIS permission was introduced in this release. Existing users that need the ability to audit findings will need this permission added to their account or through their team membership.
  • MySQL now requires ANSI_QUOTES to be added to the SQL mode. Refer to Database Support for details.


May 02, 2018 minor


  • Fixed defect resulting in incorrect results returned when filtering on components in the project view
  • Synced CycloneDX specification to latest v1.0.1 release


April 13, 2018 minor


  • Fixed defect resulting in incorrect vulnerability counts for projects
  • Fixed defect which prevented project metrics from returning results
  • Fixed issue related to the assignment of tags on project creation
  • Added the VIEW_PORTFOLIO permission to the ‘automation’ team on new installs
  • Updated several dependencies
  • Performance improvements in database connection pool
  • Fixed defect where database connections were not being reconnected if the connection was lost
  • Fixed multiple defects related to component reconciliation when processing BOM and scan uploads


March 30, 2018 minor


  • Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring.


March 29, 2018 minor


  • Fixed data model issue which prevented multiple versions of the same project name from being persisted.
  • Fixed issue in admin console which did not properly display the number of team members.

Upgrade Notes:

If v3.0.0 was deployed, shutdown Dependency-Track, execute the following statement against the database, and deploy v3.0.1.

Removes the constraint on having a unique project name thus preventing
multiple versions of the project from existing.


March 27, 2018 major

Project Reboot Successful! This is the first release after being developed from the ground up.


  • Dramatically increases visibility into the use of vulnerable components
  • Supports an unlimited number of projects and components
  • Projects can range from applications, operating systems, firmware, to IoT devices
  • Tracks vulnerabilities across entire project portfolio
  • Tracks vulnerabilities by component
  • Easily identify projects that are potentially vulnerable to newly published vulnerabilities
  • Supports standardized SPDX license ID’s and tracks license use by component
  • Supports CycloneDX and SPDX bill-of-material formats
  • Easy to read metrics for components, projects, and portfolio
  • API-first design facilitates easy integration with other systems
  • API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
  • Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes