2021-08-02-v4.3.0.md

File metadata and controls

65 lines (51 loc) · 3.7 KB
---
title: v4.3.0
type: major
---

Features:

  • Implemented Portfolio Access Control (beta) - #140
  • OpenID Connect: Source user claims from /userinfo and ID token - #1008
    • Resolves an issue where some IdPs would provide specific claims only in one and not the other of the two
  • Added Go Modules repository support
  • Added timeout for idle transactions - #941
  • Components with missing or unknown license are now evaluated against policy condition - #1105
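The OpenID Connect item above describes sourcing user claims from both the ID token and the `/userinfo` endpoint because some IdPs deliver a given claim (for example group membership) in only one of the two. The following is an added example, not Dependency-Track's own code, of how a relying party can combine the two sources safely: OIDC Core 1.0 section 5.3.2 requires that the `sub` claim of the UserInfo response exactly match the `sub` of the ID token, and that UserInfo values be discarded otherwise. The sample claims, the precedence rule (signed ID token wins on conflict) and the function names are assumptions made for this example.

```python
"""Combine OIDC claims from the ID token and the /userinfo response.

Added example (not Dependency-Track code). The ID token is signed by the IdP
and already verified before this step; the /userinfo JSON was fetched with
the access token. Before any UserInfo claim is used, its `sub` must match the
ID token's `sub` (OIDC Core 1.0, section 5.3.2).
"""
from typing import Any, Mapping


class SubjectMismatch(ValueError):
    """/userinfo and the ID token do not describe the same subject."""


def merge_claims(id_token_claims: Mapping[str, Any],
                 userinfo_claims: Mapping[str, Any]) -> dict:
    """Return one claim set built from both sources.

    Precedence (an assumption of this example): claims from the signed ID
    token override /userinfo values with the same name; /userinfo only fills
    in claims the ID token lacks.
    """
    id_sub = id_token_claims.get("sub")
    if not id_sub:
        raise ValueError("ID token carries no sub claim")
    # Spec rule: UserInfo MUST NOT be used unless its sub matches exactly.
    if userinfo_claims.get("sub") != id_sub:
        raise SubjectMismatch(
            f"userinfo sub {userinfo_claims.get('sub')!r} != id_token sub {id_sub!r}")
    merged = dict(userinfo_claims)
    merged.update(id_token_claims)
    return merged


def resolve_claim(name: str, id_token_claims: Mapping[str, Any],
                  userinfo_claims: Mapping[str, Any]) -> Any:
    """Look up a single claim, consulting the ID token first, then /userinfo.

    This is the case from the release note: an IdP that emits `groups` only in
    /userinfo still yields a value here, provided the subjects match.
    """
    return merge_claims(id_token_claims, userinfo_claims).get(name)


# Constructed sample data: the IdP put `email` only in the ID token and
# `groups` only in /userinfo.
SAMPLE_ID_TOKEN = {"sub": "user-123", "email": "alice@example.test",
                   "name": "Alice (id token)"}
SAMPLE_USERINFO = {"sub": "user-123", "groups": ["developers"],
                   "name": "Alice (userinfo)"}
# A forged or mis-routed /userinfo answer for a different subject.
SAMPLE_USERINFO_OTHER = {"sub": "user-999", "groups": ["admins"]}


if __name__ == "__main__":
    print(merge_claims(SAMPLE_ID_TOKEN, SAMPLE_USERINFO))
    try:
        merge_claims(SAMPLE_ID_TOKEN, SAMPLE_USERINFO_OTHER)
    except SubjectMismatch as exc:
        print("rejected:", exc)
```

The mismatch check is the part worth keeping even if the precedence rule is changed: without it, a UserInfo response for some other subject would silently contribute group claims to the logged-in user's session.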

Fixes:

  • Resolved issue where active projects could only be displayed when showing inactive projects - #963
  • Resolved high load issues with Postgres while simultaneously increasing performance for all database platforms - #1026
  • Resolved issue with OSS Index where PURLs without a version will lead to scan failure - #1115

Security:

Portfolio ACL logic has been implemented. In its current form, Portfolio Access Control is a beta feature in v4.3. As a result, the project will not treat bypass or absent ACL logic as a security defect. There are a few known gaps in ACL logic that will exist in v4.3. These gaps are tracked in #1127.

ACL logic covers:

  • /v1/bom/*
    • Uploading SBOMs to projects or exporting SBOMs from projects or components
  • /v1/component/*
    • CRUD operations on components
  • /v1/finding/*
    • Security findings for projects and components
  • /v1/metrics/*
    • Project and component metrics
  • /v1/project/*
    • _RUD operations on projects
  • /v1/service/*
    • CRUD operations on components
  • /v1/violation/*
    • Project and component policy violations
  • /v1/vulnerability/*
    • CRUD operations on vulnerable projects or components

The user interface clearly states that Portfolio Access Control is beta. By default, Portfolio Access Control is disabled.

Upgrade Notes:

  • OpenID Connect: The client ID of the frontend has to be passed to the API server via the alpine.oidc.client.id property
    • Required for the API server to be able to validate ID tokens. Refer to the [OIDC documentation]({{ site.baseurl }}{% link _docs/getting-started/openidconnect-configuration.md %}) for details.
  • Removed legacy support for SPDX (RDF and tag/value) - #1053
  • Removed legacy support for the traditional WAR (was previously deprecated and unsupported) - #1070

| Algorithm | Checksum |
|-----------|----------|
| SHA-1 | 1c19a467705631c3c4449fa3f95c9d4a73d26caa |
| SHA-256 | 34e0cc69eb6934d9e25573d29870cefce75d07d97fb06d58e8830f566256e1dc |

| Algorithm | Checksum |
|-----------|----------|
| SHA-1 | 3e3a9edb9a9077fc5e2b2634f5967d1a61b0e1cb |
| SHA-256 | 78c5a7acf02d5d5f7231c444fdc58b38f12ebec20453c51106200ca0d644b387 |
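The two tables above publish SHA-1 and SHA-256 checksums for the release artifacts. The following is an added example, not part of the release notes or of the Dependency-Track project, of a small verifier that hashes a downloaded file in chunks and compares both digests against the published values with a constant-time comparison. The page does not name which artifact each table belongs to, so the `RELEASE_CHECKSUMS` keys are placeholders; the file path handling and function names are assumptions of this example.

```python
"""Verify a downloaded release artifact against published checksums.

Added example (not project code). Usage:
    python verify_release.py <downloaded-file> <artifact-1|artifact-2>
"""
import hashlib
import hmac
import io
import sys
from typing import BinaryIO, Dict, Iterable

ALGORITHMS = ("sha1", "sha256")

# Values copied from the release-notes tables above. The page does not say
# which artifact each table describes, so the keys are placeholders.
RELEASE_CHECKSUMS: Dict[str, Dict[str, str]] = {
    "<artifact-1>": {
        "sha1": "1c19a467705631c3c4449fa3f95c9d4a73d26caa",
        "sha256": "34e0cc69eb6934d9e25573d29870cefce75d07d97fb06d58e8830f566256e1dc",
    },
    "<artifact-2>": {
        "sha1": "3e3a9edb9a9077fc5e2b2634f5967d1a61b0e1cb",
        "sha256": "78c5a7acf02d5d5f7231c444fdc58b38f12ebec20453c51106200ca0d644b387",
    },
}


def compute_digests(stream: BinaryIO, algorithms: Iterable[str] = ALGORITHMS,
                    chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a stream once, feeding every requested algorithm per chunk."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (used by the self-test)."""
    return compute_digests(io.BytesIO(data))


def verify_digests(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Compare each published digest; hex is case-normalised, compare is constant-time.

    Every algorithm listed in `expected` must be present in `actual`; a missing
    one counts as a failure rather than being skipped.
    """
    results = {}
    for name, want in expected.items():
        got = actual.get(name, "")
        results[name] = hmac.compare_digest(got.lower().encode(), want.lower().encode())
    return results


def verify_file(path: str, expected: Dict[str, str]) -> bool:
    """Return True only if every published digest matches the file."""
    with open(path, "rb") as fh:
        actual = compute_digests(fh, expected.keys())
    return all(verify_digests(actual, expected).values())


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[2] not in RELEASE_CHECKSUMS:
        sys.exit(f"usage: {sys.argv[0]} <file> <{'|'.join(RELEASE_CHECKSUMS)}>")
    ok = verify_file(sys.argv[1], RELEASE_CHECKSUMS[sys.argv[2]])
    print("OK" if ok else "MISMATCH", sys.argv[1])
    sys.exit(0 if ok else 1)
```

Requiring every published algorithm to match, rather than any one of them, means the SHA-1 value is treated as a second, independent check rather than as an acceptable substitute for SHA-256.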

Software Bill of Materials (SBOM)

bom.json bom.xml