Dependency-Track

v3.1.1

June 20, 2018 minor

Fixes:

  • Fixed issue where new permissions were not being added to database on upgrades

v3.1.0

June 19, 2018 major

Features:

  • Support for advanced auditing workflow to easily triage findings
  • Support for retrieving additional component metadata from external repositories
  • Support for SPDX 3.1 license IDs
  • NVD mirroring support for Dependency-Check (and other) clients
  • Support for out-of-date version detection (rubygems, maven, and npm)
  • Enhanced API to (optionally) autocreate project on bom/scan upload
  • Better support for Dependency-Check “relatedDependencies”
  • Added individual component metrics (independent of dependency metrics)
  • Added per project and per component overview with metrics and refresh support
  • Specific table columns can now be sorted with full pagination support
  • Improved error logging when issues are encountered during BoM and scan processing
  • Enhanced LDAP integration to support strong authentication mechanisms and configurable user formats
  • General performance improvements on multi-core machines
  • Minor enhancements to user interface

Fixes:

  • Fixed defect that prevented paginated results on project tag searches
  • Fixed defect where GAV identifiers in Dependency-Check Gradle/CLI reports were not enclosed in parentheses

Upgrade Notes:

  • The VULNERABILITY_ANALYSIS permission was introduced in this release. Existing users who need to audit findings must be granted this permission, either directly on their account or through their team membership.
  • MySQL now requires ANSI_QUOTES to be added to the SQL mode. Refer to Database Support for details.

v3.0.4

May 02, 2018 minor

Fixes:

  • Fixed defect resulting in incorrect results returned when filtering on components in the project view
  • Synced CycloneDX specification to latest v1.0.1 release

v3.0.3

April 13, 2018 minor

Fixes:

  • Fixed defect resulting in incorrect vulnerability counts for projects
  • Fixed defect which prevented project metrics from returning results
  • Fixed issue related to the assignment of tags on project creation
  • Added the VIEW_PORTFOLIO permission to the ‘automation’ team on new installs
  • Updated several dependencies
  • Performance improvements in database connection pool
  • Fixed defect where database connections were not being reconnected if the connection was lost
  • Fixed multiple defects related to component reconciliation when processing BoM and scan uploads

v3.0.2

March 30, 2018 minor

Fixes:

  • Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring.

v3.0.1

March 29, 2018 minor

Fixes:

  • Fixed data model issue which prevented multiple versions of the same project name from being persisted.
  • Fixed issue in admin console which did not properly display the number of team members.

Upgrade Notes:

If v3.0.0 was deployed, shut down Dependency-Track, execute the following statement against the database, and then deploy v3.0.1.

/*
Removes the constraint on having a unique project name thus preventing
multiple versions of the project from existing.
https://github.com/DependencyTrack/dependency-track/issues/118
*/
ALTER TABLE PROJECT DROP CONSTRAINT PROJECT_NAME_IDX;

v3.0.0

March 27, 2018 major

Project Reboot Successful! This is the first release after being developed from the ground up.

Features:

  • Dramatically increases visibility into the use of vulnerable components
  • Supports an unlimited number of projects and components
  • Projects can range from applications and operating systems to firmware and IoT devices
  • Tracks vulnerabilities across entire project portfolio
  • Tracks vulnerabilities by component
  • Easily identify projects that are potentially vulnerable to newly published vulnerabilities
  • Supports standardized SPDX license IDs and tracks license use by component
  • Supports CycloneDX and SPDX bill-of-material formats
  • Easy to read metrics for components, projects, and portfolio
  • API-first design facilitates easy integration with other systems
  • API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
  • Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes

Fixes: