| title | type |
|---|---|
v4.12.0 |
major |
Highlights:
- Tags, Tags, Tags. This release contains a breadth of tag-related features:
- Alerts can be limited to projects with specific tags
- Projects can be included or excluded from BOM validation using tags
- Projects can be tagged as part of a BOM upload request
- Tag input fields of the frontend now offer auto-complete
- Tag Management. It is now possible to view and manage tags in the system through the new
tag management view, and associated REST API endpoints. This makes it possible to see how many,
and which projects, policies, and alerts are associated with a given tag. Projects, policies,
and alerts can be un-tagged, and tags can be deleted altogether.
- This feature was discussed and demoed in our July community meeting! Watch it here
- Global Policy Violation Audit View. Analog to the Global Vulnerability Audit View shipped in version 4.11.0, this release includes a new interface to discover and filter policy violations across all projects in the portfolio.
- Authorization for Badges. Badges were previously not protected by authentication and authorization, and thus
were disabled by default. With this release, unauthenticated access is deprecated. Instead, authenticating
as a team with
VIEW_BADGESpermission is required. This can be combined with portfolio access control, such that a key can only access the badges of a subset of projects. Refer to the [badges documentation] for details. - Modernization. Behind the scenes, the tech stack that Dependency-Track is built on was upgraded to the latest and greatest. We moved from Java 17 to Java 21, from Java EE to Jakarta EE 10, from Jetty 10 to Jetty 12, and from Swagger v2 to OpenAPI v3.
Features:
- Exclude pre-releases from NuGet latest version check - apiserver/#3468
- Add global audit view for policy violations - apiserver/#3544
- Raise baseline Java version to 21 - apiserver/#3682
- Include whether a project's version is active in the
/api/v1/project/{uuid}response - apiserver/#3691 - Remove legacy
BomUploadProcessingTask- apiserver/#3722 - Gracefully handle
NotSortableExceptions in the REST API - apiserver/#3724 - Migrate REST API docs from Swagger v2 to OpenAPI v3 - apiserver/#3726
- Migrate to Jakarta EE 10 and Jetty 12 - apiserver/#3730
- Add support for EPSS policy conditions - apiserver/#3746
- Consider the group/namespace when searching components - apiserver/#3761
- Add notification for BOM validation failures - apiserver/#3796
- Bump CWE dictionary to v4.14 - apiserver/#3819
- Add ability to tag project upon BOM upload - apiserver/#3843
- Improve performance of finding retrieval via REST API - apiserver/#3869
- Add REST endpoints for tag retrieval - apiserver/#3881
- Deprecate
/api/v1/tag/{policyUuid}in favor of/api/v1/tag/policy/{uuid}- apiserver/#3887 - Enable string de-duplication JVM option per default - apiserver/#3893
- Add REST endpoints for bulk tagging & un-tagging of projects - apiserver/#3894
- Add REST endpoint for tag deletion - apiserver/#3896
- Add OIDC Documentation for OneLogin - apiserver/#3921
- Add REST endpoints to tag and untag policies in bulk - apiserver/#3924
- Support the
component.authorsfield of CycloneDX v1.6 - apiserver/#3969 - Make project cloning an atomic operation - apiserver/#3982
- Add option to test notifications - apiserver/#3983
- This feature was demoed in our September community meeting! Watch it here
- Log warning when dependency graph is missing the root node - apiserver/#3990
- Add ability to limit notifications to projects with specific tags - apiserver/#4031
- This feature was demoed in our September community meeting! Watch it here
- Enhance badge API to require authorization - apiserver/#4059
- Support assigning of teams for portfolio ACL when creating a project - apiserver/#4093
- Disable redundant shutdown hook of the embedded H2 database - apiserver/#4106
- Support inclusion and exclusion of projects from BOM validation with tags - apiserver/#4109
- This feature was demoed in our September community meeting! Watch it here
- Update Dependency-Track's own BOM to CycloneDX v1.5 - apiserver/#4110
- Migrate Trivy integration to use Protobuf instead of JSON - apiserver/#4116
- Support customizable welcome message to display on login page - apiserver/#4131
- Raise maximum length of team names from 50 to 255 characters - apiserver/#4134
- Improve Jetty startup time - apiserver/#4134
- Support configuration of system-wide default locale - apiserver/#4136
- Bump SPDX license list to v3.25.0, bringing in 34 new licenses - apiserver/#4145
- Include team name in audit trail when auditing vulnerabilities with API key - apiserver/#4154
- Introduce
isLatestflag for projects, and allow policies to be limited to latest version - apiserver/#4184 - Ensure modifying project endpoints are transactional - apiserver/#4194
- Support for serving the frontend from a custom path - frontend/#801
- Add dynamic policy violation badges - frontend/#810
- Add quick search for projects also using a component - frontend/#848
- Add database name and version to About dialog - frontend/#870
- Make Severity and CWE columns of findings table sortable - frontend/#907
- Raise baseline Node version to 20 - frontend/#927
- Add autocomplete support for tag inputs - frontend/#936
- Save user preference for expanded navigation sidebar - frontend/#988
- Add ability to download component table as CSV - frontend/#993
- Add confirmation prompt for project deletion - frontend/#996
Fixes:
- Fix wrong types in OpenAPI spec for UNIX timestamp fields - apiserver/#3731
- Fix
JDOUserExceptionwhen multiple licenses match a component's license name - apiserver/#3958 - Fix broken anchors in documentation - apiserver/#3965
- Fix BOM validation failing for XML with multiple namespaces - apiserver/#4020
- Handle breaking change in Trivy 0.54.0 server API - apiserver/#4023
- Fix project link for new vulnerable dependency for email - apiserver/#4026
- Fix occasional
column list index is out of rangeexceptions - apiserver/#4104 - Fix missing URL encoding for repository metadata analyzers - apiserver/#4107
- Fix project being rendered as PURL in email notifications - apiserver/#4108
- Fix incorrect rendering of special characters in email notifications - apiserver/#4141
- Use empty string instead of SNAPSHOT as version in BOM download if project doesn't have a version - apiserver/#4142
- Handle empty component and service names in uploaded BOMs - apiserver/#4146
- Handle existing duplicate component properties - apiserver/#4147
- Fix infinite recursion during policy condition serialization - apiserver/#4165
- Fix
directDependenciesof cloned projects referring to original component UUIDs - apiserver/#4153 - Fix CPE not being imported from CycloneDX
metadata.component- apiserver/#4174 - Fix update of an internal vulnerability clearing associated Affected Components - apiserver/#4208
- Fix metrics endpoint API docs erroneously claiming to return project and component data - apiserver/#4195
- Fix
IndexOutOfBoundsExceptionwhen mirroring OSV vulnerability without severity - apiserver/#4196 - Fix vulnerability endpoints returning projects and components that the principal shouldn't have access to when portfolio ACL is enabled - apiserver/#4201
- Fix links with
href="#"being pushed to Vue router - frontend/#1012
Upgrade Notes:
- The API server now requires Java 21 or newer. Users deploying Dependency-Track via containers don't have to do anything, since those have been shipped with Java 21 since version 4.10.0. Users deploying Dependency-Track as JAR will need to upgrade their Java installation accordingly.
- The
/api/swagger.jsonendpoint no longer exists. The REST API documentation is now available at/api/openapi.jsonand/api/openapi.yamlrespectively. The documentation format follows the OpenAPI v3 specification, the Swagger v2 format is no longer provided. - The
/api/v1/tag/{policyUuid}REST API endpoint has been deprecated in favor of/api/v1/tag/policy/{uuid}. Users relying on the outdated endpoint for their custom integrations are encouraged to migrate to the new endpoint. - The legacy BOM processing logic was removed. The BOM Processing V2 option introduced in v4.11 is now the default and the only available option. To gauge the impact of this change, consider enabling the experimental option in an existing v4.11 deployment first.
- Deletion of tags requires the new
TAG_MANAGEMENTpermission. The permission is not added to existing users or teams automatically. Administrators should assign it to users and teams as needed. - Accessing badges requires the new
VIEW_BADGESpermission. The permission is not added to existing users or teams automatically. Administrators should assign it to users and teams as needed. - Unauthenticated access to badges is deprecated and will be fully removed in v4.13.
- To support serving of the frontend from custom paths (frontend/#801), frontend containers can currently not function with a read-only filesystem (as commonly used in Kubernetes environments). Refer to frontend/#940 for details.
For a complete list of changes, refer to the respective GitHub milestones:
We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
Special thanks to everyone who contributed code to implement enhancements and fix defects: @2000rosser, @Gepardgame, @JCHacking, @SaberStrat, @Squixx, @aravindparappil46, @brentos99 @fupgang, @gbonnefille, @mehab, @nvcastelli, @peterakimball, @rbt-mm, @rcsilva83, @rh0dy, @rkg-mm, @setchy
| Algorithm | Checksum |
|---|---|
| SHA-1 | 0cfe5d6cd014a0a25cdb0379e5a75596adc3d448 |
| SHA-256 | 83d31e132643249f7752154adc49690353484a66de6e77db7e25f0c1309528eb |
| Algorithm | Checksum |
|---|---|
| SHA-1 | f7a1af3a5bf5f5b864d0db519fe2944391496f32 |
| SHA-256 | 3b4e27b29fd8a19cc5a250d394df43e0b046781f4d37c11720f8db8b9714d669 |
| Algorithm | Checksum |
|---|---|
| SHA-1 | 312dd2186deb81e50da00f2d42888711352f7853 |
| SHA-256 | 589eb0aae9a3fbdfde4bdd4dda000a2fb6e08a27e66a52ef9b17c1eaa022d46e |
[badges documentation]: {{ site.baseurl }}{% link _docs/integrations/badges.md %}