Skip to content

Latest commit

 

History

History
205 lines (181 loc) · 14.5 KB

2022-10-11-v4.6.0.md

File metadata and controls

205 lines (181 loc) · 14.5 KB
title type
v4.6.0
major

Highlights:

  • Vulnerability Aliases. By ingesting data from multiple sources of vulnerability intelligence, there will be cases where different advisories describe the same vulnerability. For example, CVE-2022-31197 and GHSA-r38f-c4h4-hqq2 describe the same defect, yet their descriptions and risk ratings differ. Dependency-Track 4.6 now recognizes when multiple advisories alias each other, and includes this information in notifications and REST API responses. Aliases will additionally be considered when calculating portfolio metrics, so that duplicate vulnerabilities do not skyrocket the risk scoring. Further improvements to aliases will be coming in future releases.
  • OSV Integration (Beta). Dependency-Track now optionally mirrors vulnerability intelligence data from the Open Source Vulnerabilities database (OSV). OSV normalizes and enriches data from multiple other vulnerability databases. Mirroring can be limited to a configurable selection of ecosystems.
  • New Policy Conditions.
    • Using the tag condition, policies can be restricted to projects with certain properties or priorities (e.g. high-risk, internet-facing, etc.)
    • Using the CWE condition, policies can assist in prioritizing findings of certain weaknesses
    • Using the component hash condition, policies can be used to flag usage of malicious or tainted packages
  • Performance. Various improvements, most prominently regarding metrics updates. Organizations, especially those with large portfolios of multiple thousands of projects, will see a drastic reduction in runtime and resource usage.
  • Observability. By exposition of system metrics via the Prometheus text-based format, operators can now monitor their instances using Prometheus, Grafana, or other compatible observability stacks. Metrics exposition is optional and must be enabled, refer to the [monitoring] documentation for details.
  • Customization. Users with advanced customization needs can now create and modify notification templates, as well as specify custom intervals for recurring tasks. Refer to the [notifications] and [recurring tasks] documentation for details.
  • Authentication for Internal Repositories. Dependency-Track can now authenticate with artifact repositories like Nexus Repository Manager or Artifactory to fetch information about internal artifacts.

Features:

  • Added support for authentication with internal package repositories - #881
  • Added support for configuration of [recurring tasks] intervals - #1542
  • Added support for policy violation badges - #1690
  • Added support for disabling alerts - #1173
  • Added support for CWEs in policy conditions - #1768
  • Added support for component hashes in policy conditions - #1775
  • Added support for tags in policy conditions - #1565
  • Added support for fuzzy CPE matching - #1799
  • Added support for notification publishing via Mattermost - #1702
  • Added support for reimporting findings to an existing DefectDojo test instead of creating a new test upon each upload - #1622
  • Added support for ingesting and displaying component author information - #1726
  • Added support for vulnerability aliases - #1912
  • Added support for custom notification templates - #275
  • Added experimental [OSV integration] - #931
  • Added support for Prometheus [metrics exposition] - #1796
  • Refactored metrics update functionality to be faster and more efficient - #1704
  • Upgraded to Java 17 - #1804
  • Removed source maps from frontend production build - #192
  • Added name of the authenticated user to the profile menu in the UI - #167
  • Added support for performing cross-site frontend requests with cookies - #156
  • Added columns for CVSS and EPSS to the component vulnerabilities view - #1948
  • Added listing of affected projects to email notification templates - #2005

Fixes:

  • Resolved defect that made it impossible to delete a project when assigned to a policy - #1852
  • Resolved defect related non-thread-safe usage of the internal Lucene search index - #1791
  • Resolved defect that caused the subject of email notifications saying null in certain situations - #1818
  • Resolved defect that caused the VulnDB analyzer failing to mark components as vulnerable - #1780
  • Resolved defect where the affectedComponents field of vulnerabilities would not be populated - #1766
  • Resolved defect that caused vulnerability details taking too long to load - #1765
  • Resolved defect that caused an internal server error when uploading a VEX document via HTTP PUT - #1836
  • Resolved defect that caused an internal server error when creating a vulnerability without CWEs - #1664
  • Resolved defect that caused an internal server error when submitting analysis details with more than 255 characters - #1661
  • Resolved defect that caused an internal server error when importing a SaaSBOM - #1790
  • Resolved defect that caused NVD mirroring notifications not working correctly - #1429
  • Resolved defect that caused VEX import not ingesting analyses for internal vulnerabilities - #1692
  • Resolved defect that caused excessive memory utilization when identifying internal components - #1947
  • Resolved defect that caused wrong project tags to be displayed after switching versions - #188
  • Resolved defect that caused component licenses to not be displayed on some occasions - #223
  • Resolved defect that caused horizontal scroll bars to be displayed unnecessarily in the UI - #248
  • Resolved defect that made it impossible to provide component hashes in uppercase - #1174
  • Resolved defect that prevented vulnerabilities in PHP components to be identified based on GitHub Advisories data - #1998
  • Resolved defect that caused a NumberFormatException to be thrown when resolving CWEs for findings - #2029
  • Resolved projects search filter not working when viewing projects by tag - #405
  • Resolved notifications with group NEW_VULNERABLE_DEPENDENCY not working at all - #1611
  • Resolved multiple minor UI defects related to API key management - #240
  • Resolved UI defect that caused vulnerability details not being displayed when only the CVSS vector, but not the scores were returned by the API - #239
  • Resolved UI defect that caused an incorrect tooltip being displayed for the email field in the email configuration test modal - #161
  • Resolved UI defect that caused the policy management view to not be updated when restricting a policy to a project - #169
  • Resolved UI defect that caused input fields losing focus after saving - #98

Security:

  • Fixed a defect that could cause API keys to be logged in clear text when handling API requests using keys with insufficient permissions - GHSA-gh7v-4hxp-gqp4

Upgrade Notes:

  • The new baseline Java version is 17 (#1804)
    • Java versions later than 17 may work as well, but haven't been tested
    • Users deploying DT via [executable WAR] will need to upgrade Java accordingly
    • Users deploying DT via [containers] don't need to do anything
  • The embedded H2 database has been upgraded to major version 2
    • Manual upgrade steps are required, refer to the [H2 v2 migration guide]
    • Without the manual migration, Dependency-Track 4.6 will not work with H2 databases created by earlier versions
    • Reminder: H2 is not, and never has been, supported for production usage
  • With #1429, handling of notification levels has changed
    • Previously, an alert with level ERROR would trigger on notifications with levels ERROR, WARNING, and INFORMATIONAL
    • Now, an alert with level ERROR will only trigger on notifications with level ERROR
    • An alert with level WARNING will trigger on notifications with level WARNING and ERROR etc.
    • The new behavior is similar to how structured logging libraries work
    • This change primarily affects notifications of the SYSTEM scope, which are used to report statuses of various tasks, e.g. DATASOURCE_MIRRORING
    • Notifications in the PORTFOLIO scope (e.g. NEW_VULNERABILITY) all have the INFORMATIONAL level
    • Users who configured alerts with scope PORTFOLIO and level ERROR should change the level to INFORMATIONAL after the upgrade

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release.
Special thanks to everyone who contributed code to implement enhancements and fix defects:

@AbdelHajou, @awegg, @dGuerr, @k3rnelpan1c-dev, @maaheeb, @officerNordberg, @rbt-mm, @rkg-mm, @s-spindler, @sahibamittal, @stephan-strate, @syalioune, @tmehnert, @yangsec888

Algorithm Checksum
SHA-1 e40fb14764fb5eb9fcd654472434c3701c44f208
SHA-256 29d422816b593ddef89b07e9bc1c72a5cfb141eaea4a1d59615309089bab03ea
Algorithm Checksum
SHA-1 9e1b283c442e1bfb2c5c4ea23b1a1590cf7afc5d
SHA-256 1e6ba17e6dc1f6422826a020ece5ec6ae2bef1aa9ae563f57653ed6bc0944f14
Algorithm Checksum
SHA-1 0f8967a4f777d33fd285d7fe8786f08690ffedd9
SHA-256 14791981d23850b72e39cee8c6378c6e25de0f8f5ee46b5c244c28bd6262db9a
Software Bill of Materials (SBOM)

[containers]: {{ site.baseurl }}{% link _docs/getting-started/deploy-docker.md %} [executable WAR]: {{ site.baseurl }}{% link _docs/getting-started/deploy-exewar.md %} [H2 v2 migration guide]: {{ site.baseurl }}{% link _docs/getting-started/database-support.md %}#migrating-to-h2-v2 [metrics exposition]: {{ site.baseurl }}{% link _docs/getting-started/monitoring.md %} [monitoring]: {{ site.baseurl }}{% link _docs/getting-started/monitoring.md %} [notifications]: {{ site.baseurl }}{% link _docs/integrations/notifications.md %} [recurring tasks]: {{ site.baseurl }}{% link _docs/getting-started/recurring-tasks.md %} [OSV integration]: {{ site.baseurl }}{% link _docs/datasources/osv.md %}