Releases: DependencyTrack/dependency-track
4.14.0
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
a06d7f57876befc80b6653fcc44b321958388f12 dependency-track-apiserver.jar
6573a4522dd84520859ab951d86d8a9e4dd43fb2 dependency-track-bundled.jar
# SHA256
2e3d5bcfb7b5d4ad4daf789bc5ca3802ef05d012c516090e8bc5323f46585f53 dependency-track-apiserver.jar
a8edd7c94ba811bae73d9213d769687c493e1bd95435dbe39dfeee28ff1f8008 dependency-track-bundled.jar
# SHA512
67c4c949d33cc9f8a421063cba03c6c437598fbca187963c168bba7db9cb8944b58d622c0430baa81cbdff127ec7611e2d9ddb97683efcfd5b617301c8b912a4 dependency-track-apiserver.jar
c877cab44769763a8a3db85abe47a6bd297b17e756d81971dc72a58bdf53d58eb0e1514683cf894f13e2d9e4fa230ccf773bc5f379a0c5e6ddc6195ef317ecf3 dependency-track-bundled.jar
What's Changed
Enhancements 🚀
- Convert tests to JUnit 5 by @stohrendorf in #4832
- Make POLICY_VIOLATION emails more informative by @kacper-uminski in #4935
- handleRequestException: add baseUrl to log by @rseleven in #4857
- Classify GPL with CPE as weak copyleft by @marschall in #4942
- switch cvss handling to metaeffekt by @stohrendorf in #4968
- docs: More specific description of BOM upload by @jakub-bochenski in #4876
- Add Alpine-based container image variants by @nscuro in #5051
- Various Maven build tweaks by @nscuro in #5052
- Create pr-detect-merge-conflicts GitHub workflow by @valentijnscholten in #4516
- Remove system requirements check; Lower resource requirements by @nscuro in #5058
- Extract JRE creation with jlink into separate script by @nscuro in #5059
- Implement Version Parameter when exporting BOM's by @noevembr in #5073
- feat: support configurable match mode for internal component regex (AND/OR) by @ch8matt in #5066
- feat(findings): Add EPSS filtering support to findings API by @marineotter in #5094
- Migrate to NVD 2.0 data feeds by @nscuro in #5226
- Test performance improvements by @stohrendorf in #4901
- Make OSS Index credentials required by @framayo in #5287
- Add Support for CycloneDX Scope Data by @anantk24 in #5224
- Bump SPDX license list to 3.27.0 by @nscuro in #5338
- Run Dependabot on latest release branch by @nscuro in #5465
- Include project UUID in log messages. by @ElenaStroebele in #5500
- Added projectUuid via MDC to logger statements within VEX upload. by @ElenaStroebele in #5615
- Implemented VERS approach for PURL version matching with VERSATILE. by @ElenaStroebele in #5591
- Incremental updates for OsvDownloadTask by @jonbally in #5537
- Add Repository Bearer Authentication by @valentijnscholten in #4483
- Dockerfile tweaks by @nscuro in #5657
- Add configurable base URL for OSS Index API by @brianf in #5736
- feat(policy): add Internal Status policy condition support by @ch8matt in #5570
- Various tweaks for OSS Index analyzer by @nscuro in #5793
- Switch to G1GC and limit default Docker Compose memory to 4GB by @nscuro in #5794
- Update Trivy protos by @nscuro in #5861
- Tweak vulnerability persistence logic by @nscuro in #5862
- Add CVSSv4 support by @nscuro in #5863
- feat: add EPSS score support for GitHub Advisory (GHSA) vulnerabilities by @valentijnscholten in #5829
- Include CVSS vectors and metadata in Finding model by @AndreVirtimo in #5844
- Bump SPDX license list to v3.28.0 by @nscuro in #5888
- Bump CWE dictionary to v4.19.1 by @nscuro in #5889
Bug Fixes 🐛
- Fix `NEW_VULNERABILITIES_SUMMARY` notification dispatch failing for PostgreSQL by @nscuro in #4829
- Fix team email addresses not being available when publishing scheduled notification emails by @nscuro in #4845
- Prevent duplicate tag names and relationships by @nscuro in #4837
- Fix missing `NONE` value in classifier check constraint by @nscuro in #4884
- Fix tag deletion failing when tag is used by project collection logic by @nscuro in #4858
- Fix failing v4.13.1 migration for MSSQL deployments that pre-date v4.11.0 by @nscuro in #4907
- Fix summary notifications not sent when "skip if unchanged" is enabled by @nscuro in #4910
- Align naming of isLatest parameter between PUT and POST endpoints for BOM upload by @snieguu in #4905
- Add Metrics update trigger after cloning a project by @joshcrispo in #4806
- Enable source filtering in SARIF format for /finding/project/{UUID} by @snieguu in #4949
- Add apiserver health check to Compose files by @nscuro in #5034
- Handle dangling SPDX expression operators by @nscuro in #5033
- Improve Composer meta analyzer's ability to deal with minified metadata by @ch8matt in #5019
- Add whitespace sanitization in fuzzySearch CPE to fix CPE validation errors by @jonbally in #5061
- Fix too many query parameters when retrieving vuln aliases by @nscuro in #5101
- Fix failing v4.13.1 migration for H2 deployments that pre-date v4.11.0 by @nscuro in #5100
- Fix Issue#5105: OSV Ubuntu advisory contains severity without type (ubuntu priority) by @jonbally in #5106
- Ensure VulnerableSoftware query is able to leverage indexes by @nscuro in #5134
- Fix BOM export failing for projects of type NONE by @nscuro in #5148
- Bulk load component relationships for BOM export by @nscuro in #5147
- Fix inverted component matching by @stohrendorf in #5160
- Fix failing TrivyAnalysisTaskIntegrationTest by @nscuro in #5231
- Handle URLs in composer package metadata pattern by @nscuro in #5233
- Fix inconsistent ordering in findings endpoints by @nscuro in #5245
- Fix failing Trivy OS matching for distro versions with special characters by @nscuro in #5248
- fix null when NuGet package has only pre-released versions by @snieguu in #5264
- improve detection if version is commit sha or release tag for github purl by @snieguu in #5265
- Fix NullPointerException in GithubMetaAnalyzer when analyzing GitHub Actions by @emil-wire in #5275
- Make CPE matching case-insensitive by @stohrendorf in #5280
- fix #5291: v4135Updater SQL query by @muellerst-hg in #5292
- return only tags of the policy itself by @stohrendorf in #531...
4.13.6
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
3964cf821761609912487077fa41d513dad37d1a dependency-track-apiserver.jar
8f2aa10424403b2b201d0c48b243ea3bbe458761 dependency-track-bundled.jar
# SHA256
1048a039391992fc36b23433d8987689baca33e68cc2130254787d1a3d1c66cc dependency-track-apiserver.jar
ab47deb0c5be2d947d57cf5862fef714023b4ce4d794ac00a855cf7590eb111e dependency-track-bundled.jar
# SHA512
ded2d415406d082682cf42b4d22da6ead30623a6a9b8c751cd135ba5530367ea3e17b670243c714d972e6a14be8ec5b9a3eeb51c0ea7b46c6332af1a663de08d dependency-track-apiserver.jar
c434e3e29daf6a8d2e8d8a5cb496ebc5e4d3969d0944436d01503fb185d2f1f4f0c49ddc9cdafe832749608262ede7ee946de638e615460454580ed70837707e dependency-track-bundled.jar
What's Changed
Enhancements 🚀
Bug Fixes 🐛
- Backport: Improve vulnerablesoftware cpe normalization performance by @stohrendorf in #5419
- Backport: drop missing entities in case of stale lucene data by @stohrendorf in #5428
- Backport: Fix referential integrity violation in team deletion by @stohrendorf in #5447
- Backport: Fix referential integrity violation in project batch delete by @stohrendorf in #5446
- Backport: Corrected typo in e-mail template method and corrected test. by @stohrendorf in #5434
- Backport: avoid NPEs in ComposerMetaAnalyzer by @stohrendorf in #5519
- Backport: Change toString() of Project to use name and version instead of PURL by @nscuro in #5532
- Backport: Validate description length for PUT /api/v1/project by @nscuro in #5538
Dependency Updates 🤖
- build(deps): bump org.apache.httpcomponents.client5:httpclient5 from 5.4.3 to 5.5.1 by @dependabot[bot] in #5475
- build(deps): bump org.postgresql:postgresql from 42.7.7 to 42.7.8 by @dependabot[bot] in #5469
- build(deps): bump lib.protobuf-java.version from 4.30.2 to 4.33.0 by @dependabot[bot] in #5472
- build(deps): bump eclipse-temurin from `8234720` to `db16895` in /src/main/docker by @dependabot[bot] in #5466
- build(deps): bump debian from `8810492` to `a771c85` in /src/main/docker by @dependabot[bot] in #5467
- build(deps): bump org.apache.commons:commons-text from 1.13.0 to 1.14.0 by @dependabot[bot] in #5479
- build(deps): bump org.apache.maven:maven-artifact from 3.9.9 to 3.9.11 by @dependabot[bot] in #5480
- build(deps): bump com.microsoft.sqlserver:mssql-jdbc from 12.10.0.jre11 to 12.10.2.jre11 by @dependabot[bot] in #5478
- build(deps-dev): bump net.javacrumbs.json-unit:json-unit-assertj from 4.1.0 to 4.1.1 by @dependabot[bot] in #5485
- build(deps): bump org.codehaus.mojo:exec-maven-plugin from 3.5.0 to 3.6.2 by @dependabot[bot] in #5487
- build(deps): bump debian from `a771c85` to `17a6a8a` in /src/main/docker by @dependabot[bot] in #5484
- build(deps): bump eclipse-temurin from 21.0.8_9-jre-jammy to 21.0.9_10-jre-jammy in /src/main/docker by @dependabot[bot] in #5508
- build(deps): bump debian from `17a6a8a` to `e024987` in /src/main/docker by @dependabot[bot] in #5492
- build(deps-dev): bump com.icegreen:greenmail-junit4 from 2.1.3 to 2.1.7 by @dependabot[bot] in #5493
- build(deps): bump org.apache.maven.plugins:maven-antrun-plugin from 3.1.0 to 3.2.0 by @dependabot[bot] in #5494
- build(deps): bump org.apache.maven.plugins:maven-clean-plugin from 3.4.1 to 3.5.0 by @dependabot[bot] in #5529
- build(deps): bump org.cyclonedx:cyclonedx-core-java from 11.0.0 to 11.0.1 by @dependabot[bot] in #5528
- build(deps): bump eclipse-temurin from `8c18c36` to `2843f15` in /src/main/docker by @dependabot[bot] in #5527
- build(deps): bump com.google.cloud.sql:postgres-socket-factory from 1.24.1 to 1.27.0 by @dependabot[bot] in #5470
- Backport: Bump bundled frontend to 4.13.6 by @nscuro in #5545
- Backport: Bump Alpine to 3.4.0 by @nscuro in #5547
Other Changes
- Backport: Fix link for Sonatype OSS Index Analyzer by @nscuro in #5531
- Backport: Add sbomify to list of community integrations by @nscuro in #5536
- Add changelog for v4.13.6 by @nscuro in #5546
Full Changelog: 4.13.5...4.13.6
4.13.5
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
f38abe7b93f7cb88f3bba4c78c30a9ce7dc45c0d dependency-track-apiserver.jar
5aea8e0662f8aa4d9e53b52c14367c5345602e34 dependency-track-bundled.jar
# SHA256
bf55097e63b46ed16042024636b855f676ba67e6e5824e7da80f3cec863a3f77 dependency-track-apiserver.jar
4a373de4d5aca924fb533ebfc7e1eb4fb5a249d81c948bd367a52fa53125a610 dependency-track-bundled.jar
# SHA512
ac6f680fb0db71621ad3a3aa8a7ea4bbab54feadc376fc86e236474cc9aa3457f021ea8005044b064f0d616c060ed89f51d8f84c0710805e2db9146f1f32b492 dependency-track-apiserver.jar
d93e02459d3d7026356424a903c226408ca1397844db8fa9786f18375f9f00af6e148800dd96b8405330d6cd455c1b55d43eaf311a97511d8bf9db64dc8e99dc dependency-track-bundled.jar
What's Changed
Enhancements 🚀
- Backport: Make OSS Index credentials required by @nscuro in #5351
- Backport: Bump SPDX license list to 3.27.0 by @nscuro in #5356
Bug Fixes 🐛
- Backport: Make CPE matching case-insensitive by @stohrendorf in #5299
- Backport: improve detection if version is commit sha or release tag for github purl by @nscuro in #5350
- Backport: only return tags directly associated with a policy by @nscuro in #5353
- Backport: Check for non-empty timestamp files in doDownload of NistMirrorTask by @nscuro in #5354
- Backport: Fix NullPointerException in GithubMetaAnalyzer when analyzing GitHub Actions by @nscuro in #5359
- Backport: download OSV mirror files to temp files to keep connection lifetime short by @nscuro in #5360
- Backport: NuGet Analyzer Improvements by @nscuro in #5381
Dependency Updates 🤖
- Backport: Bump open-vulnerability-clients to 9.0.1 by @nscuro in #5352
- Backport: Bump cyclonedx-core-java to 11.0.0 by @nscuro in #5355
- Backport: Bump Alpine to 3.3.0 by @nscuro in #5357
- Backport: Bump bundled frontend to 4.13.5 by @nscuro in #5384
Other Changes
Full Changelog: 4.13.4...4.13.5
4.13.4
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
048b46829358cfde1f4d90b9298984224c75f6ae dependency-track-apiserver.jar
b3eb198254783462dc7d147791537fa50b11483e dependency-track-bundled.jar
# SHA256
2ca674108a08bf71642ddec6704125fae720161c4c40268fd19557e8b116d9d0 dependency-track-apiserver.jar
a8252f66f9b3c9253553e1d2a40fb0169f90c31895e36f57bc5992068ff473f5 dependency-track-bundled.jar
# SHA512
25d697390a5a0316b85b67e01f29caaeba8cec955318a7ecd762189aefad0175bf338228361790796b153e53953c663cd05dca940d51dc4a30d015fb897a1c47 dependency-track-apiserver.jar
698f3f8ddc9958c7bd17f17e66c3b79d04181b509bd8fd42f01ee58aeb23cf5a88b208bcc13b6815c7d5396b049881c830aee1810420ae09923fbef766cf33ea dependency-track-bundled.jar
What's Changed
Enhancements 🚀
Bug Fixes 🐛
- Backport: Handle URLs in composer package metadata pattern by @nscuro in #5234
- Backport: Fix failing TrivyAnalysisTaskIntegrationTest by @nscuro in #5241
- Backport: Fix inconsistent ordering in findings endpoints by @nscuro in #5247
- Handle `adduser`/`addgroup` removal in Debian base image by @nscuro in #5246
- Backport: Fix failing Trivy OS matching for distro versions with special characters by @nscuro in #5249
Dependency Updates 🤖
- Bump Debian base image to latest digest by @nscuro in #5240
- Backport: Bump angus-mail to 2.0.4 by @nscuro in #5242
- Backport: Bump Temurin base image to 21.0.8_9 by @nscuro in #5243
- Backport: Bump commons-lang3 to 3.18.0 by @nscuro in #5244
- Bump bundled frontend to 4.13.4 by @nscuro in #5253
Other Changes
Full Changelog: 4.13.3...4.13.4
4.13.3
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
ba7866fa7b8be30f2058606ee77539b126ab61f1 dependency-track-apiserver.jar
70ac64f18c4b219d283df0c056e74f001287159b dependency-track-bundled.jar
# SHA256
8b6b2f29bdfd6f3e81ed2c9754a3ab2b4e27bbb9c33e52f720700d7e73558adb dependency-track-apiserver.jar
1ae9984304854845cc5741d1dd1288e7b0a748539f448e0d0899ef635bb33c28 dependency-track-bundled.jar
# SHA512
706389f889eb177701d65e1ffefb30540f0ac9761128554f37e1edb637d73a58c981c87ca783e4b4eed982b813f4d359d590ca6ccd7132c10da83056935d2328 dependency-track-apiserver.jar
09e1ce042f64bd2ea5214fab3ebf2d2c86255b7c781490c14f2afcb517c056ef791713ba939e5de20b2b32a21949e5ac8a70ae3610432da1fa42681feceff626 dependency-track-bundled.jar
What's Changed
Bug Fixes 🐛
- Backport: Fix OSV ubuntu advisory containing severity without type by @nscuro in #5168
- Backport: Fix too many query parameters when retrieving vuln aliases by @nscuro in #5167
- Backport: Add apiserver health check to Compose files by @nscuro in #5171
- Backport: Handle dangling SPDX expression operators by @nscuro in #5173
- Backport: Fix BOM export failing for projects of type NONE by @nscuro in #5178
- Backport: Ensure VulnerableSoftware query is able to leverage indexes by @nscuro in #5177
- Backport: Add whitespace sanitization in fuzzySearch CPE to fix CPE validation errors by @nscuro in #5176
- Backport: Bulk load component relationships for BOM export by @nscuro in #5179
- Backport: Improve Composer meta analyzer's ability to deal with minified metadata by @nscuro in #5175
- Backport: Fix failing v4.13.1 migration for H2 deployments that pre-date v4.11.0 by @nscuro in #5180
Dependency Updates 🤖
- Backport: bump org.apache.commons:commons-compress by @nscuro in #5169
- Backport: Bump PostgreSQL JDBC driver to 42.7.7 by @nscuro in #5174
- Bump Docker base images to latest digests by @nscuro in #5181
- Backport: Bump bundled frontend to 4.13.3 by @nscuro in #5184
Other Changes
- Backport: Add AWS Cognito configuration example by @nscuro in #5172
- Add changelog for v4.13.3 by @nscuro in #5182
Full Changelog: 4.13.2...4.13.3
4.13.2
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
845f970ba9c00a26d6d0b5a77c24cd12ee5feeea dependency-track-apiserver.jar
61d5c535ab19a6f67e48ee8efa20bf9656d084f7 dependency-track-bundled.jar
# SHA256
f1d66b81a44d7d3528fad42d1e1fb498e2151c2c5e78c1070942be54456bf7d1 dependency-track-apiserver.jar
4494b0090cd699db2099248c0fdd67a07d130731bbc476287251aa84d008bfa4 dependency-track-bundled.jar
# SHA512
988cdaf174c32381c1ec2803439e951b48a942a8702d29743e009d3dff42129489c6e249273516bb3e084f836568caf5cd34ece6ec972145da7337c325a48201 dependency-track-apiserver.jar
f86e6a0b62be8620d581c19759b319d7902075877322c62b7c26fd9e311ed4f283e94304f3644603ad33c0798f869921bb1b574967e0fca894c6f0cf85fbe8fe dependency-track-bundled.jar
What's Changed
Bug Fixes 🐛
- Backport: Fix failing v4.13.1 migration for MSSQL deployments that pre-date v4.11.0 by @nscuro in #4911
- Backport: Fix summary notifications not sent when "skip if unchanged" is enabled by @nscuro in #4913
Dependency Updates 🤖
Other Changes
Full Changelog: 4.13.1...4.13.2
4.13.1
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
b5e613f1f484179e770333828ef25c020ed9f03a dependency-track-apiserver.jar
173511869286b1335950bd07477421d684c96251 dependency-track-bundled.jar
# SHA256
c88b2e7879b1d534741ce5483f96621b650d6a4dcacabb470eeeeb43e7c7c627 dependency-track-apiserver.jar
53c7fca478125fad1c35d6732815a6c09e120abc6ea57a8a88eb2af3ed2efab2 dependency-track-bundled.jar
# SHA512
b5c30fd2aaac36b5437da0802bf60f3b1740d64b413c16c6a5f6eb2bc8b44c62ff5e4d8c8789b8380e76692fbbb410b043d919c0952a3b1e166bc4d9a0683a44 dependency-track-apiserver.jar
d8cb6f7318da182f4a1ad4a94995c79211282c2d68ddf8d4cad93f5003311f79cebbe39f51b880320c01c6fe757b3334a87747cbee9940d8d70d26fd636609fd dependency-track-bundled.jar
What's Changed
Bug Fixes 🐛
- Backport: Fix `NEW_VULNERABILITIES_SUMMARY` notification dispatch failing for PostgreSQL by @nscuro in #4859
- Backport: Fix team email addresses not being available when publishing scheduled notification emails by @nscuro in #4860
- Backport: Prevent duplicate tag names and relationships by @nscuro in #4861
- Backport: Fix missing `NONE` value in classifier check constraint by @nscuro in #4887
- Backport: Fix tag deletion failing when tag is used by project collection logic by @nscuro in #4888
Dependency Updates 🤖
- Backport: Bump Temurin base image to 21.0.7 by @nscuro in #4886
- Bump bundled frontend to 4.13.1 by @nscuro in #4903
Other Changes
- Backport: Improve the stability of tag binding by @nscuro in #4885
- Add changelog for v4.13.1 by @nscuro in #4889
Full Changelog: 4.13.0...4.13.1
4.13.0
Warning
Please consult the upgrade notes in the changelog before upgrading! Some changes in this release are irreversible,
and you won't be able to roll back simply by downgrading the application version!
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
c5ef70f1e8df186a929a7c2ad24962a3b97af379 dependency-track-apiserver.jar
feeac3362ae6ea5d42cf6dde7e5e079599372eaa dependency-track-bundled.jar
# SHA256
0f2af7a93a21850da62c2b2e86babfb0b0f18abd80f380dfb80bf84c59f605e4 dependency-track-apiserver.jar
a81e61f1e21a732474a11345d71e7853d50ec2faea1f7d44bacfb29902673ebd dependency-track-bundled.jar
# SHA512
436330854efc77e4c3b1c0484ec0e61b80fdde07445f3a31cb35ac195e0db2e2268cf11e6b71b72d58a1b90d2ca77d0fdf0d62fdbcae4045d94346b607f21a7c dependency-track-apiserver.jar
a26173afcfd4416ef9b15e9d99d53cccff0b60510b2399c29b190a7123d200afe73c5d5d4b3d0ff7ad171bd87abfc15ddb211f3afb4627e598f8ed04271ce00e dependency-track-bundled.jar
What's Changed
Enhancements 🚀
- Provide support for AWS JDBC Driver by @VinodAnandan in #4304
- Add property to control `verified` flag in DefectDojo integration by @Malaydewangan09 in #4273
- Reduce memory usage of metrics update tasks by @nscuro in #4325
- Optimize vulnerability synchronization logic to not perform redundant writes by @LaVibeX in #4359
- Introduce "collection" projects for better usage of hierarchical view #2041 by @rkg-mm in #3258
- Add /v1/project/batchDelete API method that deletes with SQL by @mikael-carneholm-2-wcar in #4383
- Reduce database round-trips during BOM processing by @nscuro in #4486
- Compose Metadata Analyzer: Refactor to support V2 and V1 repositories by @valentijnscholten in #4470
- composer meta analyzer: add DEBUG logging by @valentijnscholten in #4546
- Update quickstart Compose file to use Postgres instead of H2 by @nscuro in #4576
- Bump Alpine to 3.2.0 and handle API key migration by @Gepardgame in #4566
- Prevent application startup when migrations fail by @nscuro in #4681
- Implement basic telemetry collection by @nscuro in #4651
- Add support for Snyk API version 2024-10-15 by @ad8-adriant in #4715
- #4620 add "lastVulnerabilityAnalysis" to project by @stohrendorf in #4642
- add endpoint to mass-create tags by @stohrendorf in #4766
- Add feature to define the test title for DefectDojo integration by @AndreVirtimo in #4796
- Add trivy scanning options by @mjwrona in #4782
- Bump SPDX license list to v3.26.0 by @nscuro in #4800
- Bump CWE dictionary to v4.16 by @nscuro in #4801
- Add support for scheduled summary notifications by @nscuro in #4783
Bug Fixes 🐛
- Prevent duplicate policy violations by @nscuro in #4216
- Log contains now username when user gets deleted by @Gepardgame in #4222
- Fix unintended manual flushing mode due to DataNucleus `ExecutionContext` pooling by @nscuro in #4221
- Enhance policy violation de-duplication logic by @nscuro in #4231
- Fix inaccuracies of Trivy analyzer by @nscuro in #4245
- Fix redundant query for "ignore unfixed" config during Trivy analysis by @nscuro in #4246
- Fix excessive memory usage of portfolio repository meta analysis by @nscuro in #4311
- Fix nullable metrics fields having getters of primitive type by @nscuro in #4326
- Fix CPE matching logic for NVD Rest by @calderonth in #4339
- Fix update component to allow empty values by @immalla in #4229
- Fix incorrect CWE schema in OpenAPI spec by @fupgang in #4350
- Fix component hash policy evaluator by @francislance in #4306
- Fix NullPointerException when fetching findings by @nscuro in #4369
- Fix policy evaluation not happening upon creation or update of individual components by @fupgang in #4374
- Fix Trivy analyzer vulnerability matching for Go packages by @nscuro in #4394
- Add cyclonedx json media type when exporting components by @wratner in #4409
- Fix NPE when cloning projects with broken dependency graph by @nscuro in #4414
- Fix `project.active` being nullable by @nscuro in #4415
- Move GHSA notification logic outside recursion by @antoinbo in #4401
- Fix broken pagination in `/api/v1/cwe` endpoint by @nscuro in #4421
- Fix notification tests not working for Jira by @nscuro in #4456
- Fix component de-duplication potentially causing duplicate dependency graph entries by @nscuro in #4458
- Fix component SWID tag ID not being considered in project cloning by @nscuro in #4480
- Fix onlyOutdated ungrouped component filtering by @sedan07 in #4511
- Fix REST endpoints for adding tags by @nscuro in #4541
- Recreate outdated check constraints for `CLASSIFIER` columns by @nscuro in #4544
- Handle GitHub GraphQL API rate limiting by @nscuro in #4578
- Fix possible NPEs during tag binding by @nscuro in #4594
- Fix erroneous URL-encoding of the Maven groupId by @nscuro in #4602
- Fix false negatives in CPE matching for ANY and NA versions by @nscuro in #4610
- Refactor `VulnerabilityAnalysisTask` to be more efficient by @nscuro in #4623
- Refactor `VulnerabilityManagementUploadTask` to be more efficient by @nscuro in #4624
- Handle invalid CVSS vectors and processing failures for OSV by @nscuro in #4636
- Fix possible NPEs in TrivyAnalysisTask by @nscuro in #4668
- Analyze all components of a project at once instead of in batches by @nscuro in #4670
- Fix notification webhook sending blank headers by @LennartC in #4679
- Fix incomplete API key migration by @nscuro in #4682
- Disable `include` tag for Pebble templates by @nscuro in #4684
- Fix NPE during NVD mirroring via REST API when encountering invalid CPEs by @nscuro in #4732
- Remove erroneous client-side caching in Trivy analyzer by @nscuro in #4735
- Fix notification limiting to tags not working reliably by @nscuro in #4733
- Fix tags from BOM upload request not being applied for existing projects by @nscuro in #4738
- Fix component properties not being cloned by @nscuro in #4745
- handle corner case if no vulnerabilities have compatible aliases by @stohrendorf in https://github.com/DependencyTrack/dependency-tra...
4.12.7
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
a3a30181b15a14bcd3ea3ef7ed338d2ce5e86bb5 dependency-track-apiserver.jar
2c416320eda0aee60a268047643da006ad7edf24 dependency-track-bundled.jar
# SHA256
cc271be5577eee0a562c19acd60a693accbe6b8b1a24294472a43462f6aa94fd dependency-track-apiserver.jar
48defc20ebe19214bb7cf73bf61f8c09f467d0c8585a5e6c0671ad563bbd4884 dependency-track-bundled.jar
# SHA512
29561b22a734a6d8fb33cb48c51d081dbece71a4530ec0296a1d8d3e8ae16027245b62387aa7057b916db891093824df04dd265550cfd0f4dc181ceff4f64ea5 dependency-track-apiserver.jar
c86816d53570e459a57d54254192aa26c5132c0e4b9662bdb347bbe3fc9e500d3dd2b4359679bce984d5ba124c68926d5cc0079e634908c975cc3c8ee8dd3e24 dependency-track-bundled.jar
What's Changed
Bug Fixes 🐛
- Backport: Fix NPE during NVD mirroring via REST API when encountering invalid CPEs by @nscuro in #4734
- Backport: Remove erroneous client-side caching in Trivy analyzer by @nscuro in #4736
- Backport: Fix notification limiting to tags not working reliably by @nscuro in #4737
- Backport: Fix tags from BOM upload request not being applied for existing projects by @nscuro in #4740
- Backport: Fix component properties not being cloned by @nscuro in #4746
Dependency Updates 🤖
Other Changes
Full Changelog: 4.12.6...4.12.7
4.12.6
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
f59a0777e631a6bd4e4dc7b42c3df2ac9e8ce4d8 dependency-track-apiserver.jar
be4ed743244851cd47873cbbb6c065f0c2eace9d dependency-track-bundled.jar
# SHA256
4196b1eb91cb27304a53a0b897f0ffb766e3f49607094880618b480ce9ee3124 dependency-track-apiserver.jar
e036fc1bd0d0914f421307a59911cb7cab1ba158599b125e404a4a3079e6ea26 dependency-track-bundled.jar
# SHA512
3ffe4f6e7139e2a562c94edeb0f8197816ed468ccfc30baf3cfd2faeacda00ddea4c2b8a4b82f99a47ec34b52008d155e9f5d7b1cecc25f93542bcd29395565f dependency-track-apiserver.jar
a9dec98602080cba59f3c7e01ece4e090cc9b695e55fabbc0ce9eee042121964a340dcec8844d438dc37ed26b62219234b71278b42e102c253b815ad6f8b9d5d dependency-track-bundled.jar
What's Changed
Bug Fixes 🐛
- Backport: Fix possible NPEs in TrivyAnalysisTask by @nscuro in #4671
- Backport: Analyze all components of a project at once instead of in batches by @nscuro in #4673
- Backport: Fix notification webhook sending blank header by @nscuro (original change by @LennartC) in #4680
- Backport: Disable `include` tag for Pebble templates by @nscuro in #4685
Dependency Updates 🤖
- Backport: Bump net.minidev:json-smart to 2.5.2 by @nscuro in #4672
- Backport: Bump bundled frontend to 4.12.6 by @nscuro in #4690
Other Changes
Full Changelog: 4.12.5...4.12.6