Dependency-Track



June 20, 2018 minor


  • Fixed issue where new permissions were not being added to database on upgrades


June 19, 2018 major


  • Support for advanced auditing workflow to easily triage findings
  • Support for retrieving additional component metadata from external repositories
  • Support for SPDX 3.1 license IDs
  • NVD mirroring support for Dependency-Check (and other) clients
  • Support for out-of-date version detection (rubygems, maven, and npm)
  • Enhanced API to (optionally) autocreate project on bom/scan upload
  • Better support for Dependency-Check “relatedDependencies”
  • Added individual component metrics (independent of dependency metrics)
  • Added per project and per component overview with metrics and refresh support
  • Specific table columns can now be sorted with full pagination support
  • Improved error logging when issues are encountered during BoM and scan processing
  • Enhanced LDAP integration to support strong authentication mechanisms and configurable user formats
  • General performance improvements on multi-core machines
  • Minor enhancements to user interface


  • Fixed defect that prevented paginated results on project tag searches
  • Fixed defect affecting GAV identifiers in Dependency-Check Gradle/CLI reports not being in parentheses

Upgrade Notes:

  • The VULNERABILITY_ANALYSIS permission was introduced in this release. Existing users that need the ability to audit findings will need this permission added to their account or through their team membership.
  • MySQL now requires ANSI_QUOTES to be added to the SQL mode. Refer to Database Support for details.


May 02, 2018 minor


  • Fixed defect resulting in incorrect results returned when filtering on components in the project view
  • Synced CycloneDX specification to latest v1.0.1 release


April 13, 2018 minor


  • Fixed defect resulting in incorrect vulnerability counts for projects
  • Fixed defect which prevented project metrics from returning results
  • Fixed issue related to the assignment of tags on project creation
  • Added the VIEW_PORTFOLIO permission to the ‘automation’ team on new installs
  • Updated several dependencies
  • Performance improvements in database connection pool
  • Fixed defect where database connections were not being reconnected if the connection was lost
  • Fixed multiple defects related to component reconciliation when processing BoM and scan uploads


March 30, 2018 minor


  • Responded to changes in NVD data feed URLs by correcting the XML 1.2 and 2.0 URLs used for mirroring.


March 29, 2018 minor


  • Fixed data model issue which prevented multiple versions of the same project name from being persisted.
  • Fixed issue in admin console which did not properly display the number of team members.

Upgrade Notes:

If v3.0.0 was deployed, shut down Dependency-Track, execute the following statement against the database, and deploy v3.0.1.

This removes the constraint requiring a unique project name, which prevented
multiple versions of the project from existing.


March 27, 2018 major

Project Reboot Successful! This is the first release after being developed from the ground up.


  • Dramatically increases visibility into the use of vulnerable components
  • Supports an unlimited number of projects and components
  • Projects can range from applications, operating systems, firmware, to IoT devices
  • Tracks vulnerabilities across entire project portfolio
  • Tracks vulnerabilities by component
  • Easily identify projects that are potentially vulnerable to newly published vulnerabilities
  • Supports standardized SPDX license IDs and tracks license use by component
  • Supports CycloneDX and SPDX bill-of-material formats
  • Easy-to-read metrics for components, projects, and portfolio
  • API-first design facilitates easy integration with other systems
  • API documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)
  • Flexible authentication supports internally managed users, Active Directory/LDAP, and API Keys
  • Simple to install and configure. Get up and running in just a few minutes