Skip to content

Releases: DependencyTrack/dependency-track

5.0.2

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 18 Jun 13:11
Immutable release. Only release title and notes can be modified.

What's Changed

Bug Fixes 🐛

  • Backport: Fix bad CPE query performance for internal vuln analyzer by @nscuro in #6441
  • Backport: Fix admin re-seeding when USER table is populated by @nscuro in #6442
  • Backport: v4-migrator: Don't migrate obsolete notification groups for notification rules by @nscuro in #6444
  • Backport: dex: Fix over-reporting of activity task queue depth metric by @nscuro in #6447
  • Backport: Fix duplicate project name/version handling for /v1/project POST and PATCH endpoints by @nscuro in #6448
  • Backport: Fix MIME type of email notification templates not being set correctly by @nscuro in #6455

Dependency Updates 🤖

  • Backport: Bump Alpine base image to 3.24.1 by @nscuro in #6451

Full Changelog: 5.0.1...5.0.2

5.0.1

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 12 Jun 12:39
Immutable release. Only release title and notes can be modified.

What's Changed

Enhancements 🚀

  • Backport: v4-migrator: Add TCP keepalive and optional socket timeout by @nscuro in #6348
  • Backport: v4-migrator: Fail fast when detecting bootstrap being pointed at v4 database by @nscuro in #6361
  • Backport: Allow out-of-order execution of Flyway migrations by @nscuro in #6366

Bug Fixes 🐛

  • Backport: Make REPOSITORY.AUTHENTICATIONREQUIRED non-nullable by @nscuro in #6349
  • Backport: Apply stricter PURL normalization for NPM package metadata resolution by @nscuro in #6350
  • Backport: Bypass outbox for notification rule tests by @nscuro in #6351
  • Backport: Fix NO_PROXY being rejected as legacy Alpine property by @nscuro in #6352
  • Backport: Reject parent objects with null UUID when creating/updating/patching projects by @nscuro in #6354
  • Backport: v4-migrator: only run post-load actions when load phase completes successfully by @nscuro in #6353
  • Backport: Fix NPE during LDAP auth when bind credentials are not configured by @nscuro in #6356
  • Backport: Fix suppressed vulns being considered for policy evaluation by @nscuro in #6357
  • Backport: Fix incomplete field coverage of /v1/finding/project/{uuid}'s searchText filter by @nscuro in #6358
  • Backport: Fix OIDC UserInfo endpoint not being invoked when team sync is enabled and ID token contains no teams claim by @nscuro in #6359
  • Backport: Fix URL-encoding of OSV ecosystem names by @nscuro in #6360
  • Backport: Support non-UTC timezones for metrics operations by @nscuro in #6363
  • Backport: Fix email notification publisher not populating the "From" header by @nscuro in #6362
  • Backport: v4-migrator: Fix confusing debug log for missing tgt_permission table by @nscuro in #6364
  • Backport: Fix URL-encoding of OSV ecosystem names when retrieving incremental advisories by @nscuro in #6375
  • Backport: Handle PAC-inaccessible target projects more gracefully for BOM uploads with autoCreate=true by @nscuro in #6377
  • Backport: Fix broken HTTP proxy basic auth by @nscuro in #6381
  • Backport: Fix team of API key not being auto-assigned project access after project creation by @nscuro in #6389

Full Changelog: 5.0.0...5.0.1

5.0.0

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 07 Jun 15:32
Immutable release. Only release title and notes can be modified.

Warning

Upgrading from v4 requires manual action.

  • Migration is manual. See the migration guide. v4 must be ≥ 4.14.2 and offline during the upgrade. v5 requires PostgreSQL 14+ (H2, MySQL, SQL Server dropped).
  • See Changes in v5 for what's new and what changed, including container-only distribution (no more WAR), REST API v1 changes, and new notification schemas.
  • The official Helm chart is not yet compatible and fails rendering on v5 tags. Hold off if you deploy via Helm. See the Kubernetes deployment guide.

What's Changed

Enhancements 🚀

  • Add problem type for invalid sort field errors by @nscuro in #6281
  • Change tie-breaker sort columns for finding queries to allow more efficient sorting by @nscuro in #6289

Bug Fixes 🐛

  • Fix LocalFileStorageTest flakiness by @nscuro in #6282
  • v4-migrator: Grant SECRET_MANAGEMENT to principals with SYSTEM_CONFIGURATION permission by @nscuro in #6283
  • Do not suggest internal sort tie-breaker columns as sortable via API by @nscuro in #6286
  • Fix AuthZ being enforced on CORS preflight requests by @nscuro in #6288

Documentation 📃

Other Changes

  • Remove unused code and unnecessary indirections by @nscuro in #6284

Full Changelog: 5.0.0-rc.5...5.0.0

5.0.0-rc.5

5.0.0-rc.5 Pre-release
Pre-release

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 05 Jun 22:54
Immutable release. Only release title and notes can be modified.

What's Changed

Enhancements 🚀

  • v4-migrator: Add completion logs and annotate row-count diffs in verify phase by @nscuro in #6261
  • Include isLatest flag in nested versions object of /api/v1/project responses by @nscuro in #6263
  • Support component hash mismatch policy conditions by @nscuro in #6266
  • Make latest version publish timestamp available to CEL policy engine by @nscuro in #6267

Bug Fixes 🐛

  • v4-migrator: Explicitly cast ID columns to BIGINT during extract phase by @nscuro in #6253
  • Fix missing allowed permission for /api/v2/projects/{uuid}/clone by @nscuro in #6262
  • Fix missing fields from GET /api/v1/project response by @nscuro in #6275
  • Fix EPSS < and <= policy conditions matching when vuln has no EPSS score by @nscuro in #6274
  • Improve escaping of quoted strings for CEL policy inputs by @nscuro in #6276
  • Restore legacy behavior of LICENSE and LICENSE_GROUP policy conditions by @nscuro in #6273
  • v4-migrator: Fix scheduled notification rules not being migrated by @nscuro in #6277

Dependency Updates 🤖

  • chore(deps-dev): Bump io.swagger.parser.v3:swagger-parser from 2.1.42 to 2.1.43 by @dependabot[bot] in #6254
  • chore(deps): Bump lib.logback.version from 1.5.32 to 1.5.33 by @dependabot[bot] in #6255
  • chore(deps): Bump net.javacrumbs.json-unit:json-unit-assertj from 5.1.1 to 5.1.2 by @dependabot[bot] in #6270
  • chore(deps): Bump com.github.kagkarlsson:db-scheduler from 16.10.0 to 16.11.0 by @dependabot[bot] in #6269

Documentation 📃

  • Add community meeting reference to README by @nscuro in #6265
  • Update ADR-011 with follow-up about Kafka removal by @nscuro in #6278
  • Document expected ADR format and writing style by @nscuro in #6279

Other Changes

  • Always run manifest generation for DN plugin, even when restoring from cache by @nscuro in #6264
  • Streamline responses of API v1 project list endpoints by @nscuro in #6280

Full Changelog: 5.0.0-rc.4...5.0.0-rc.5

5.0.0-rc.4

5.0.0-rc.4 Pre-release
Pre-release

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 03 Jun 14:51
Immutable release. Only release title and notes can be modified.

What's Changed

Enhancements 🚀

  • Improve latest version detection for Cargo and Ruby Gems by @nscuro in #6245
  • Try to only report stable versions as latest for Maven by @nscuro in #6244

Bug Fixes 🐛

  • Enforce separate limits for compressed and uncompressed repository responses by @nscuro in #6239
  • Fix ineffective assignment of random BOM refs during import by @nscuro in #6241
  • Fix latent minor BOM import bugs by @nscuro in #6242
  • v4-migrator: Run ANALYZE on staging src tables before transform by @nscuro in #6247
  • v4-migrator: Dedupe components before join with repo meta component table by @nscuro in #6248
  • dex: Prevent possible deadlock when creating task queues by @nscuro in #6249

Full Changelog: 5.0.0-rc.3...5.0.0-rc.4

5.0.0-rc.3

5.0.0-rc.3 Pre-release
Pre-release

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 02 Jun 11:26
Immutable release. Only release title and notes can be modified.

What's Changed

Enhancements 🚀

Bug Fixes 🐛

  • v4-migrator: Fix overly paranoid schema name validation by @nscuro in #6219
  • v4-migrator: Fix trigger deactivation for PROJECT_ACCESS_USERS by @nscuro in #6220
  • v4-migrator: Populate PERMISSION table in bootstrap phase by @nscuro in #6221
  • Fix e2e tests for Linux by @nscuro in #6222
  • v4-migrator: Fix cross-schema type dependencies by @nscuro in #6226
  • Fix lastRiskScore of collection projects missing from project list API endpoints by @nscuro in #6228
  • Fix wait condition for apiserver container in e2e tests by @nscuro in #6238

Dependency Updates 🤖

  • chore(deps-dev): Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.5.5 to 3.5.6 by @dependabot[bot] in #6233
  • chore(deps): Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.5 to 3.5.6 by @dependabot[bot] in #6232
  • chore(deps): Bump oasdiff/oasdiff-action from 0.0.47 to 0.0.48 by @dependabot[bot] in #6231
  • chore(deps): Bump docker/setup-buildx-action from 4.0.0 to 4.1.0 by @dependabot[bot] in #6230
  • chore(deps): Bump docker/login-action from 4.1.0 to 4.2.0 by @dependabot[bot] in #6229

Other Changes

Full Changelog: 5.0.0-rc.2...5.0.0-rc.3

5.0.0-rc.2

5.0.0-rc.2 Pre-release
Pre-release

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 31 May 23:24
Immutable release. Only release title and notes can be modified.

Warning

This release drops the compatibility shim that translated v4-era alpine.* and unprefixed property names (for example alpine.ldap.enabled, database.url, bcrypt.rounds) into their dt.* equivalents. Migrate any configuration still using those names to the current dt.* properties. The API server refuses to start when it encounters a legacy key to prevent silent misconfiguration.

The original alpine.* to dt.* migration is documented in the v0.7.0-alpha.3 upgrade notes. See Configuration Properties for the authoritative list of supported properties and their corresponding environment variable spellings.

Apologies for introducing breaking changes in an RC build.

Find the full upgrade guide here: https://dependencytrack.github.io/docs/next/guides/upgrading/v5.0.0-rc.2/

What's Changed

Breaking Changes 🚨

  • Standardize config property names and remove legacy shims by @nscuro in #6215

Enhancements 🚀

  • Migrate vulnerability metrics to materialized view by @nscuro in #6213

Bug Fixes 🐛

  • Raise max response body size for Cargo by @nscuro in #6214

Documentation 📃

Other Changes

  • Update GHA job names to be more practical for status check enforcement by @nscuro in #6208
  • Add GHA workflow for nightly e2e tests by @nscuro in #6209
  • Remove unused code and drop unnecessary dependencies by @nscuro in #6211

Full Changelog: 5.0.0-rc.1...5.0.0-rc.2

5.0.0-rc.1

5.0.0-rc.1 Pre-release
Pre-release

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 28 May 19:05
Immutable release. Only release title and notes can be modified.

What's Changed

Enhancements 🚀

4.14.2

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 07 May 16:45
Immutable release. Only release title and notes can be modified.

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.

# SHA1
953074d95757bea162931b7811885945bbe992aa  dependency-track-apiserver.jar
53f3198f5422e1117f53859c5f42403f48a4a4e3  dependency-track-bundled.jar
# SHA256
3ff379380d35b9ff924014b680e7f3718c119f59b2cc4ee6ece4345a3ca1c110  dependency-track-apiserver.jar
fca1c0c69d543f4be3501f04d3293beef5b5db9fbad24d55cfc70ea2cc8e2b4f  dependency-track-bundled.jar
# SHA512
4e6119cfc05ed8767cdf1302b31c47814a025d854fa5f793a6b1bb0341732762a40cc5f3b93f59e7432e75d3cf7f2aa44320df129b85cea9e1de8fb81a053fc5  dependency-track-apiserver.jar
a047cd00ebdc59074c096c7ab6b095e0367e563f07c6565ab33413d6b9c5dbcb42a89cc71136dbe04b9ef48697f00673a15c0e18313dcde6c9c04a069c901b33  dependency-track-bundled.jar

What's Changed

Enhancements 🚀

  • Backport: Improve performance of vuln data source mirroring by @nscuro in #6040
  • Backport: Handle epoch PURL qualifier for version comparison by @nscuro in #6083
  • Backport: Add project filters to component identity search by @nscuro in #6087

Bug Fixes 🐛

  • Backport: Send composer package names with "/" separator to Trivy by @nscuro in #6117

Dependency Updates 🤖

  • build(deps): bump io.github.jeremylong:open-vulnerability-clients from 9.0.3 to 9.0.4 by @dependabot[bot] in #6021
  • build(deps-dev): bump io.github.ascopes:protobuf-maven-plugin from 5.1.0 to 5.1.2 by @dependabot[bot] in #6015
  • build(deps): bump debian from 99fc6d2 to e51bfcd in /src/main/docker by @dependabot[bot] in #6014
  • build(deps-dev): bump io.github.ascopes:protobuf-maven-plugin from 5.1.2 to 5.1.3 by @dependabot[bot] in #6037
  • build(deps): bump alpine from 2510918 to 5b10f43 in /src/main/docker by @dependabot[bot] in #6030
  • build(deps): bump eclipse-temurin from 305fb0c to d36843a in /src/main/docker by @dependabot[bot] in #6029
  • build(deps): bump org.metaeffekt.core:ae-security from 0.153.2 to 0.153.3 by @dependabot[bot] in #6047
  • build(deps-dev): bump io.swagger.parser.v3:swagger-parser from 2.1.39 to 2.1.40 by @dependabot[bot] in #6046
  • Backport: Bump maven-artifact to 3.9.15 by @nscuro in #6048
  • build(deps): bump org.apache.httpcomponents.client5:httpclient5 from 5.6 to 5.6.1 by @dependabot[bot] in #6060
  • build(deps): bump io.github.jeremylong:open-vulnerability-clients from 9.0.4 to 9.0.5 by @dependabot[bot] in #6066
  • build(deps): bump debian from e51bfcd to 8f0c555 in /src/main/docker by @dependabot[bot] in #6052
  • build(deps): bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.28.2 to 1.28.3 by @dependabot[bot] in #6071
  • build(deps-dev): bump org.testcontainers:testcontainers from 2.0.4 to 2.0.5 by @dependabot[bot] in #6076
  • build(deps): bump com.google.cloud.sql:postgres-socket-factory from 1.28.2 to 1.28.3 by @dependabot[bot] in #6073
  • build(deps): bump com.google.cloud.sql:mysql-socket-factory-connector-j-8 from 1.28.2 to 1.28.3 by @dependabot[bot] in #6072
  • build(deps): bump org.metaeffekt.core:ae-security from 0.153.3 to 0.154.0 by @dependabot[bot] in #6080
  • build(deps): bump org.apache.maven:maven-artifact from 3.9.14 to 3.9.15 by @dependabot[bot] in #6045
  • build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 by @dependabot[bot] in #6101
  • build(deps-dev): bump io.swagger.parser.v3:swagger-parser from 2.1.40 to 2.1.41 by @dependabot[bot] in #6100
  • Backport: Bump versatile to 0.18.1 by @nscuro in #6116
  • Backport: Bump bundled frontend to 4.14.2 by @nscuro in #6122

Other Changes

Full Changelog: 4.14.1...4.14.2

4.14.1

Choose a tag to compare

@dependencytrack-bot dependencytrack-bot released this 03 Apr 17:43
Immutable release. Only release title and notes can be modified.

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.

# SHA1
750b0c768208d7c6b7e32e8f1a7500eb94788069  dependency-track-apiserver.jar
61eac5828458dfea46507c26f3384bb452ebeefe  dependency-track-bundled.jar
# SHA256
142bdfa36defffc2304d03f9ef7ecd162f1185dcbc00933a73529cac7f12980c  dependency-track-apiserver.jar
6cedc727a3f8eb2343397e50a1b5515a99c2a361b7c55aa60dbeff85c1f4af2d  dependency-track-bundled.jar
# SHA512
b2e37486f0775793c0d2dfc6a0adfae96e8bdc6b09d4708902ad504ea9e6b24505753319c183b4549d080cd4e71c8e1efa13cd916cc67434603d9d0b28aeb274  dependency-track-apiserver.jar
f0bc70a0d5e6bce155dca1ec051e7a333c8c4ff836e002a6acabacf5a8a4e8298c7a223e8cd1a86f4a5bca5fb7c0c5f99bf6aea7cc602e9c51bc3cfab1100aa2  dependency-track-bundled.jar

What's Changed

Enhancements 🚀

  • Backport: Add support for NuGet versioning scheme by @nscuro in #5958
  • Backport: Fix wasteful existence queries by @nscuro in #5960
  • Backport: Add support for Composer versioning scheme by @nscuro in #5963
  • Backport: Support Sonatype Guide tokens for OSS Index analyzer by @nscuro in #5996

Bug Fixes 🐛

  • Backport: Fix PURL-specific version matching being bypassed for components with CPE by @nscuro in #5959
  • Backport: Fix potentially wrong version being used for CPE comparison by @nscuro in #5962
  • Backport: Fix scheduled notification query failing when ID columns are not of type BIGINT by @nscuro in #5979
  • Backport: Avoid NPE when computing Trivy pkgType (#5982) by @stohrendorf in #5987
  • Backport: Use ecosystem-aware version comparison for latest version detection by @nscuro in #5995
  • Backport: Remove leading whitespace from vulnerability badge SVG template by @nscuro in #6000

Dependency Updates 🤖

  • build(deps): bump eclipse-temurin from 2866f12 to a6884e6 in /src/main/docker by @dependabot[bot] in #5921
  • build(deps): bump debian from 85dfcff to 99fc6d2 in /src/main/docker by @dependabot[bot] in #5920
  • build(deps): bump com.microsoft.sqlserver:mssql-jdbc from 13.2.1.jre11 to 13.4.0.jre11 by @dependabot[bot] in #5916
  • build(deps): bump lib.resilience4j.version from 2.3.0 to 2.4.0 by @dependabot[bot] in #5915
  • build(deps): bump org.apache.maven:maven-artifact from 3.9.13 to 3.9.14 by @dependabot[bot] in #5905
  • build(deps-dev): bump io.swagger.parser.v3:swagger-parser from 2.1.38 to 2.1.39 by @dependabot[bot] in #5896
  • build(deps): bump io.github.nscuro:versatile-core from 0.16.1 to 0.17.0 by @dependabot[bot] in #5930
  • build(deps): bump eclipse-temurin from a6884e6 to d556bfd in /src/main/docker by @dependabot[bot] in #5928
  • build(deps): bump org.metaeffekt.core:ae-security from 0.153.1 to 0.153.2 by @dependabot[bot] in #5929
  • build(deps-dev): bump org.testcontainers:testcontainers from 2.0.3 to 2.0.4 by @dependabot[bot] in #5939
  • build(deps): bump com.google.cloud.sql:postgres-socket-factory from 1.28.1 to 1.28.2 by @dependabot[bot] in #5940
  • build(deps): bump com.google.cloud.sql:mysql-socket-factory-connector-j-8 from 1.28.1 to 1.28.2 by @dependabot[bot] in #5941
  • build(deps): bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.28.1 to 1.28.2 by @dependabot[bot] in #5942
  • build(deps): bump io.github.nscuro:versatile-core from 0.17.0 to 0.18.0 by @dependabot[bot] in #5947
  • build(deps): bump lib.protobuf-java.version from 4.34.0 to 4.34.1 by @dependabot[bot] in #5954
  • build(deps-dev): bump io.github.ascopes:protobuf-maven-plugin from 5.0.2 to 5.1.0 by @dependabot[bot] in #5983
  • build(deps): bump eclipse-temurin from d556bfd to 305fb0c in /src/main/docker by @dependabot[bot] in #5990
  • Backport: Bump bundled frontend to 4.14.1 by @nscuro in #6004

Other Changes

  • Backport: Disable Trivy integration tests by @nscuro in #5961
  • Backport: Add age and version distance to operational policy criteria by @nscuro in #5964
  • Backport: Harden GitHub Actions workflows by @nscuro in #5980
  • Backport: Address zizmor GitHub Actions findings by @nscuro in #5981
  • Backport: Fix version in docs by @nscuro in #6005
  • Backport: Fix release workflow by @nscuro in #6006
  • Add changelog for v4.14.1 by @nscuro in #5999

Full Changelog: 4.14.0...4.14.1