Releases: DependencyTrack/dependency-track

4.11.1

19 May 16:40

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.

# SHA1
aa3d8ffc6b8f9d15a801148a93275ebeba922010  dependency-track-apiserver.jar
c57f1b8c003d95daa871096cbc37a6c03cd08907  dependency-track-bundled.jar
# SHA256
ed08e60e0761ced93454c14194da02be5950805911dbc7f7c611bdf0e753b437  dependency-track-apiserver.jar
e7613d6654083ab6e2c4ae24459444efe4d83df5d2c4d27e58a94bc809e2627a  dependency-track-bundled.jar
# SHA512
75f4fcd203ccbbf494047b5866942b7a08fd1f97e98f40cd5aac57dd3401fcb2dc0e2e8953d54035dd3dd96e28c4df563ecee52df05769e8e530dc27e3e72f9b  dependency-track-apiserver.jar
10e590eb849e1179688c787c3f52a5e333f20962c8f2ab4cec0b6a3f872991ff7d9f80748439bb33281e615c0bcd8ed65530abcc34f018f8b7f171c104e5caf5  dependency-track-bundled.jar

What's Changed

Bug Fixes 🐛

  • Backport: Fix failing JSON BOM validation when specVersion is not one of the first fields by @nscuro in #3698
  • Backport: Fix broken global vuln audit view for MSSQL by @nscuro in #3701
  • Backport: fix os handling when trivy sets pkgType on properties by @nscuro (original change by @fnxpt) in #3729

Other Changes

  • Add changelog for v4.11.1 and bump bundled frontend by @nscuro in #3733

Full Changelog: 4.11.0...4.11.1

4.11.0

07 May 14:15

# SHA1
a9dae58a25c8aeeb54134ff054214505eb170db9  dependency-track-apiserver.jar
59b78c3f6b1979ba29c1bd754b7dc1005101fc49  dependency-track-bundled.jar
# SHA256
03160957fced99c3d923bbb5c6cb352740da1970bd4775b52bb451b95c4cefaf  dependency-track-apiserver.jar
1a34808cd6c7a9bf7b181e4f175c077f1ee5d5a9daf327b330db9b1c63aac2d3  dependency-track-bundled.jar
# SHA512
79a34a20a93f57a1bde94fa876c03141c7696f177c560397ecf4fdd68da168419f3703eb0a4c7e40cb677536b15640f89dddb8f5e8cf32dda3115b8f6d5cf6b3  dependency-track-apiserver.jar
af25807596c617d2bdff437ba9fd4d2e8cdf28f220b8844d8ab3a53fe0510d65ac30167dbb752c22e5f96536362389099e5c4b25302e4adec84d48d6c4d15198  dependency-track-bundled.jar

What's Changed

Enhancements 🚀

  • Return processing token when cloning project #2842 by @rkg-mm in #3260
  • Hyades backport: Preprocess CWE dictionary by @nscuro in #3284
  • Add "Show in Dependency-Graph" Button in "Affected Projects" List [improved version] by @rkg-mm in #3285
  • Add "Show in Dependency-Graph" Button in "Affected Projects" List by @rbt-mm in #2942
  • Update SPDX license list to v3.22 by @nscuro in #3368
  • Store computed severities in the database by @nscuro in #3408
  • feat(vulnerabilities): enhance API to support frontend changes for active/inactive affected projects by @setchy in #3425
  • Subject prefix by @LaVibeX in #3422
  • Trivy by @fnxpt in #3259
  • Webhook alert token and new user alerts by @fnxpt in #3275
  • Global Audit View: Vulnerabilities by @rbt-mm in #2472
  • Refactor BOM upload processing for better efficiency, correctness, and consistency by @nscuro in #3357
  • Bump CWE dictionary to v4.13 by @nscuro in #3491
  • Apply consistent formatting to SQL queries; Use text blocks instead of string concatenation by @nscuro in #3492
  • Align retry configuration and behavior across analyzers by @nscuro in #3494
  • Add auto-generated changelog to GitHub releases by @nscuro in #3502
  • Bump SPDX license list to v3.23 by @nscuro in #3508
  • Validate uploaded BOMs against CycloneDX schema by @nscuro in #3522
  • Add endpoint for updating API key comment by @nscuro in #3537
  • OpenAPI spec fixes and improvements by @nscuro in #3557
  • Disable automatic API key generation for teams. Fixes part of issue #2552. by @mprencipe in #3574
  • Generate SARIF File Of Project Vulnerability Findings by @aravindparappil46 in #3561
  • New feature: VulnDB Aliases! by @LaVibeX in #3588
  • Implement the hackage and nixpkgs meta analyzers by @MangoIV in #3549
  • Add support for component properties by @nscuro in #3499
  • Leverage component properties for Trivy scans by @fnxpt in #3620
  • Improve Lucene observability by @nscuro in #3535
  • Include pagination parameters in OpenAPI spec by @nscuro in #3625
  • Include sorting query parameters in OpenAPI spec by @nscuro in #3631
  • support for experimental configurations by @fnxpt in #3621
  • Gracefully handle unique constraint violations by @nscuro in #3648
  • Add support for worker pool drain timeout by @nscuro in #3657
  • Fall back to no authentication when OSS Index API token decryption fails by @nscuro in #3661
  • Truncate ComponentProperty value at 1024 characters by @nscuro in #3662
  • Add the project name and project URL to bom processing notifications by @2000rosser in #3666
  • Bump bundled frontend to v4.11.0 by @nscuro in #3681

Bug Fixes 🐛

  • Fix dropping of CWE table failing due to FK constraint by @nscuro in #3304
  • Fix notifications not being sent for child projects where active is null by @nscuro in #3305
  • Fix NPE in VersionDistancePolicyEvaluator when project has no direct dependencies by @nscuro in #3307
  • Fix ClassCastException when updating an existing ProjectMetadata#authors field by @nscuro in #3311
  • feat: Improve Error handling and add default version type by @jadyndev in #3313
  • Fix NVD API's last modified timestamp requiring restart to be applied by @nscuro in #3322
  • Project cloning logic for cloning policy violations and Violationanalysis by @mge-mm in #3248
  • Ignore withdrawn Github advisories by @kepten in #3394
  • Fix VulnDB parser being unable to import vulnerability records when 'nvd_additional_information' is empty by @lukas-braune in #3437
  • Fix URISyntaxException when NPM PURL contains special characters by @nscuro in #3456
  • Finding Attributed On date is not retained when cloning projects by @sebD in #3488
  • adding cargo to IMetaAnalyzer by @leec94 in #3511
  • Fix type of purl fields in Swagger docs by @sebD in #3512
  • Perform License Resolution On Name Field During SBOM Import by @aravindparappil46 in #3555
  • Update License Of Existing Components On BOM Upload by @aravindparappil46 in #3556
  • Provide meaningful error message for bom and vex exceeding Jackson's character limit by @nscuro in #3558
  • Fix unhandled NotFoundExceptions causing a HTTP 500 response by @nscuro in #3559
  • Extend length of PURL and PURLCOORDINATES columns from 255 to 786 by @nscuro in #3560
  • Validate UUID request parameters by @nscuro in #3590
  • Vuln db severity by @LaVibeX in #3595
  • Fix JDOFatalUserException for long reference URLs from OSS Index by @nscuro in #3650
  • Catch all unhandled ClientErrorExceptions by @nscuro in #3659
  • Fix unique constraint violation during NVD mirroring via feed files by @nscuro in #3664
  • De-duplicate CPEs in NVD feed file parsing by @nscuro in #3667
  • Fix missing default repos for Hackage and Nixpkgs by @nscuro in #3678

Dependency Updates 🤖

  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.2.1 to 5.3 by @dependabot in #3282
  • Bump github/codeql-action from 2.22.8 to 2.22.9 by @dependabot in #3289
  • Bump aquasecurity/trivy-action from 0.14.0 to 0.16.0 by @dependabot in #3288
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.15.0 to 1.15.1 by @dependabot in #3298
  • Bump io.github.jeremylong:open-vulnerability-clients from 5.1.0 to 5.1.1 by @dependabot in #3320
  • Bump eclipse-temurin from 5f85d29 to e96937d in /src/main/docker by @depen...

4.10.1

19 Dec 10:55

# SHA1
1d728ce1788e5db8b3a9308338a9e7e8ab5af12e  dependency-track-apiserver.jar
be32e1bc64d0b9b8019e340717d4ae3c12442ecd  dependency-track-bundled.jar
# SHA256
e30731cd1915d3a1578cf5d8c8596d247fb11a82a3fe4c1ba2fb9fad01667aef  dependency-track-apiserver.jar
ffa0ab6dc9be894d0887ca3e10c4ffe3a333305d98de940413fcdbb05e2bcebd  dependency-track-bundled.jar
# SHA512
6c6d31ff9c7545225932af0f7315a37e657833717fb10be5402dc5f7c8db160d3c6482b290197238731d845d8e4ee8e4f215f5266314dd761d64396f7d6c42c7  dependency-track-apiserver.jar
00078670bd970beca99a7711a2afa7858ba9d4ee5c51adf4af0a9f5a025f16ac99ec8138f9fc9fd139caf428f6084a8107281f620a5f4a21161a5c1538b91fe7  dependency-track-bundled.jar

4.10.0

08 Dec 15:13

# SHA1
c308b1f6a2d73fc2bba9da2cc33bf7e3ec49e851  dependency-track-apiserver.jar
b94fb9cbaa91c4e332bcec266e10a0f325f12e22  dependency-track-bundled.jar
# SHA256
d06f4550e16451ccb7843c36534172744934a7dc69e1d48e970a6eec24e49dc3  dependency-track-apiserver.jar
cf27db44e637b4bc551c16e659e81890f4c5d4f3b4ea9893ebf1717bff98b999  dependency-track-bundled.jar
# SHA512
4f190398de8084b1d481dc2e6ca3bb80afc675c96bba3dda1eaf1dc4faf8382c7a22f8be5953ed170dfc6765bd8a2efd67aa7d98826ce72c88e35cd16821f0f0  dependency-track-apiserver.jar
292f8af307adb3f52197ff1722e9565590f75a06a541fab2a54256dd2880a4abbf021cafdc43a112e7bf11364461bc5a26f90597b97d0190daf7365fcfd4efc5  dependency-track-bundled.jar

4.9.1

30 Oct 12:03

# SHA1
99da5f705c3b0048ecf621e8c738a87147c693d9  dependency-track-apiserver.jar
487801d69bffb2e8def5aad9aa55c34be8cddcb2  dependency-track-bundled.jar
# SHA256
5d925f08f85fe7f39231357c4a4c8057fd354e048b7c9407efb20af78033ecec  dependency-track-apiserver.jar
19ac4ede2932ff54c42e0466cdf7d5b410f7a44784562f237fc5b4b8891a8dc8  dependency-track-bundled.jar
# SHA512
59d37703aeef5376638d07ff544454c8660e0ba0c910bafac6998fb358a8b076063faacb4c4580617988b92a02872d409a3ccf3b2a89541cea2b452cda8f7ab1  dependency-track-apiserver.jar
c7c2c0cbcf3dd3d0fd94f7ca815f342d42818bed610217c7a6e4071b945340da393ed02b80ea6d58bb5da79a058f809b89820248a77b130750c64b3da0d09733  dependency-track-bundled.jar

4.9.0

16 Oct 18:59

# SHA1
cd4ec4f1ed075f37476f46da11451158d7460502  dependency-track-apiserver.jar
6f3a077219fb49a502a88fcbb40e05865a23f5c5  dependency-track-bundled.jar
# SHA256
281f091107ef79d9b1e9361dc78608260b364eaa7dbbaeb29d4f7aef1a4bf67b  dependency-track-apiserver.jar
4ca0b061ed83fa0b34ede8158f3ec0e2a7380c2736731995cf330f809076951f  dependency-track-bundled.jar
# SHA512
b4368b1373438c0063b779631a40ec78e58ce0b82df4ca9e028a85c89777dd1b8fabbdf05d904552a45a70e79f6fff33bba1538f28529a07be556829c27ddea7  dependency-track-apiserver.jar
54e0d025744520b49b260b7dc37b7b4ad59771e24a7bed764ea2379063408326ef1fe42e67a22d3194d54fbf286f5eebfd69675463227ffc155e421955d5bb48  dependency-track-bundled.jar

4.8.2

16 May 22:09

# SHA1
bfc8758eb30ab90f4280cb37ea959964f74706b9  dependency-track-apiserver.jar
52bd8b0c0646d0759e30f5b1600f5fb17e4ede36  dependency-track-bundled.jar
# SHA256
2b1d249d98f72b863deb4769665efc119a3ef8db195838decddce9a2a12f36b4  dependency-track-apiserver.jar
2f8171cd2a93f060110e0f7f5f1555a17db11de0a3cb0cb5b6068dfe3cd8e5e3  dependency-track-bundled.jar
# SHA512
d8750ed0b25346f7e4e0f4212646fee9fce795325220023bc594d40af64aff3379d5e70d41839549ff38cb0dedbe627b4ec15eb336fb45de8bb33c9f398cb4fe  dependency-track-apiserver.jar
ab7be72fd28d0ccf8a64fc660e473566ac9591513b666d484f9b2632545c3384a47b677eccf6a326ec9b9ad2e990a6708ade4dc107da3f67a753a14ea925d449  dependency-track-bundled.jar

4.8.1

16 May 11:18

# SHA1
553d17a940220d79b686ce6b64d65c0854915f1b  dependency-track-apiserver.jar
b2f0e053083ac672a9eaef19f7363ac854bdb91a  dependency-track-bundled.jar
# SHA256
56db674f5b467eac0a5b3fde99bc6285fd9135ad84e8fa0328ed6ace64fc723c  dependency-track-apiserver.jar
e1bd03ea89b312c2125791a0d46ca99aa62365140a4f175d2f45cbb1d59a87a6  dependency-track-bundled.jar
# SHA512
55cdc0a5ba08c2ad10eb18cc5a6e1c41843dcae5d8aa64dae62ae6163fb720fb3eb08640cb93bc104307ae385afcb11c70d531bf7b0abd8dee61fd0fe71db5f4  dependency-track-apiserver.jar
1fddddf849ffc44cfc15ce9abbc01b4a4ddecdfe3b3e408fc9fc1b45ca8d37ef370288f6c204fa1cf2bb9460f61d4721e97ddb808997b92ae2b90d7b8cb14191  dependency-track-bundled.jar

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to fix defects:
@heubeck, @jakubrak, @sahibamittal, @valentijnscholten

4.8.0

18 Apr 19:32

# SHA1
883754d3ed227a124976c3f9247345be48cc0561  dependency-track-apiserver.jar
979f02a5bf3ea5d8b0bba7d4e73a725de1920219  dependency-track-bundled.jar
# SHA256
0ab7e3a1d0cd308a9193a6bec7b561f3911d19052312a82e4a59607d4ff50fd0  dependency-track-apiserver.jar
af9f6d79e7828b4f744f9f82215486c0b5649abf6544d0374c945b2ab5d8b58a  dependency-track-bundled.jar
# SHA512
36beb0aa1658c784ff580989a76bfca45cb58d8fcf4f1067aa38adddcbdd725f353b55f6e49cc0182e4db6c71240052002ce790bbbcef189ccefc8cd8e85d8b8  dependency-track-apiserver.jar
0050ecf12c2c93d9ffd0e210b9aed3592fac74816ade3c17344500aafded9a7bda37d634f64dcd3180aec6bebf3eac73a6331fbdbaaabf58732dde38a6d2dc43  dependency-track-bundled.jar

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@Ehoky, @Gator8, @Hunroll, @StephenKing, @ch8matt, @jkowalleck, @lme-nca, @malice00, @mcombuechen
@mehab, @msymons, @mvandermade, @rbt-mm, @roadSurfer, @s-spindler, @sahibamittal, @syalioune
@valentijnscholten, @walterdeboer, @zgael

4.7.1

31 Jan 21:45

# SHA1
ef119b6f5fb422687e5152528bdb3e40e89c8733  dependency-track-apiserver.jar
94ca9179dad020c45adfdf0152b3f20081f7cf8b  dependency-track-bundled.jar
# SHA256
7fbccad45c730226ab9df1ff51aaa2dba90b93cf22547bbe395d3f3b849c8371  dependency-track-apiserver.jar
fe3fad9d43235df30880e547f838f65fe6365919dbc19107e4da349a5dce104f  dependency-track-bundled.jar
# SHA512
b201ff7e071d34f909ae7e9f9eea28cfa2f1995d6c547d82fe30ddaa421ae6560b316872d6e65b4d1aaee1375197ec369e18371fab9662fbdc8f900d30ce1d55  dependency-track-apiserver.jar
9661c1573a63b82108f9483ebd9e169489baf49f39755ad4ded7f527229e87781018d5e59025f11ec8760cb6af40d2d39e00cb969771d1e4776e5bba377a41b8  dependency-track-bundled.jar

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to fix defects:
@JoergBruenner, @mehab, @rbt-mm, @sergioasantiago, @syalioune