Skip to content

4.11.0
Compare
Choose a tag to compare
@dependencytrack-bot dependencytrack-bot released this 07 May 14:15
· 32 commits to 4.11.x since this release
4.11.0
d0c0e23

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.

# SHA1
a9dae58a25c8aeeb54134ff054214505eb170db9  dependency-track-apiserver.jar
59b78c3f6b1979ba29c1bd754b7dc1005101fc49  dependency-track-bundled.jar
# SHA256
03160957fced99c3d923bbb5c6cb352740da1970bd4775b52bb451b95c4cefaf  dependency-track-apiserver.jar
1a34808cd6c7a9bf7b181e4f175c077f1ee5d5a9daf327b330db9b1c63aac2d3  dependency-track-bundled.jar
# SHA512
79a34a20a93f57a1bde94fa876c03141c7696f177c560397ecf4fdd68da168419f3703eb0a4c7e40cb677536b15640f89dddb8f5e8cf32dda3115b8f6d5cf6b3  dependency-track-apiserver.jar
af25807596c617d2bdff437ba9fd4d2e8cdf28f220b8844d8ab3a53fe0510d65ac30167dbb752c22e5f96536362389099e5c4b25302e4adec84d48d6c4d15198  dependency-track-bundled.jar

What's Changed

Enhancements 🚀

  • Return processing token when cloning project #2842 by @rkg-mm in #3260
  • Hyades backport: Preprocess CWE dictionary by @nscuro in #3284
  • Add "Show in Dependency-Graph" Button in "Affected Projects" List [improved version] by @rkg-mm in #3285
  • Add "Show in Dependency-Graph" Button in "Affected Projects" List by @rbt-mm in #2942
  • Update SPDX license list to v3.22 by @nscuro in #3368
  • Store computed severities in the database by @nscuro in #3408
  • feat(vulnerabilities): enhance API to support frontend changes for active/inactive affected projects by @setchy in #3425
  • Subject prefix by @LaVibeX in #3422
  • Trivy by @fnxpt in #3259
  • Webhook alert token and new user alerts by @fnxpt in #3275
  • Global Audit View: Vulnerabilities by @rbt-mm in #2472
  • Refactor BOM upload processing for better efficiency, correctness, and consistency by @nscuro in #3357
  • Bump CWE dictionary to v4.13 by @nscuro in #3491
  • Apply consistent formatting to SQL queries; Use text blocks instead of string concatenation by @nscuro in #3492
  • Align retry configuration and behavior across analyzers by @nscuro in #3494
  • Add auto-generated changelog to GitHub releases by @nscuro in #3502
  • Bump SPDX license list to v3.23 by @nscuro in #3508
  • Validate uploaded BOMs against CycloneDX schema by @nscuro in #3522
  • Add endpoint for updating API key comment by @nscuro in #3537
  • OpenAPI spec fixes and improvements by @nscuro in #3557
  • Disable automatic API key generation for teams. Fixes part of issue #2552. by @mprencipe in #3574
  • Generate SARIF File Of Project Vulnerability Findings by @aravindparappil46 in #3561
  • New feature: VulnDB Aliases! by @LaVibeX in #3588
  • Implement the hackage and nixpkgs meta analyzers by @MangoIV in #3549
  • Add support for component properties by @nscuro in #3499
  • Leverage component properties for Trivy scans by @fnxpt in #3620
  • Improve Lucene observability by @nscuro in #3535
  • Include pagination parameters in OpenAPI spec by @nscuro in #3625
  • Include sorting query parameters in OpenAPI spec by @nscuro in #3631
  • support for experimental configurations by @fnxpt in #3621
  • Gracefully handle unique constraint violations by @nscuro in #3648
  • Add support for worker pool drain timeout by @nscuro in #3657
  • Fall back to no authentication when OSS Index API token decryption fails by @nscuro in #3661
  • Truncate ComponentProperty value at 1024 characters by @nscuro in #3662
  • Add the project name and project URL to bom processing notifications by @2000rosser in #3666
  • Bump bundled frontend to v4.11.0 by @nscuro in #3681

Bug Fixes 🐛

  • Fix dropping of CWE table failing due to FK constraint by @nscuro in #3304
  • Fix notifications not being sent for child projects where active is null by @nscuro in #3305
  • Fix NPE in VersionDistancePolicyEvaluator when project has no direct dependencies by @nscuro in #3307
  • Fix ClassCastException when updating an existing ProjectMetadata#authors field by @nscuro in #3311
  • feat: Improve Error handling and add default version type by @jadyndev in #3313
  • Fix NVD API's last modified timestamp requiring restart to be applied by @nscuro in #3322
  • Project cloning logic for cloning policy violations and Violationanalysis by @mge-mm in #3248
  • Ignore withdrawn Github advisories by @kepten in #3394
  • Fix VulnDB parser being unable to import vulnerability records when 'nvd_additional_information' is empty by @lukas-braune in #3437
  • Fix URISyntaxException when NPM PURL contains special characters by @nscuro in #3456
  • Finding Attributed On date is not retained when cloning projects by @sebD in #3488
  • adding cargo to IMetaAnalyzer by @leec94 in #3511
  • Fix type of purl fields in Swagger docs by @sebD in #3512
  • Perform License Resolution On Name Field During SBOM Import by @aravindparappil46 in #3555
  • Update License Of Existing Components On BOM Upload by @aravindparappil46 in #3556
  • Provide meaningful error message for bom and vex exceeding Jackson's character limit by @nscuro in #3558
  • Fix unhandled NotFoundExceptions causing a HTTP 500 response by @nscuro in #3559
  • Extend length of PURL and PURLCOORDINATES columns from 255 to 786 by @nscuro in #3560
  • Validate UUID request parameters by @nscuro in #3590
  • Vuln db severity by @LaVibeX in #3595
  • Fix JDOFatalUserException for long reference URLs from OSS Index by @nscuro in #3650
  • Catch all unhandled ClientErrorExceptions by @nscuro in #3659
  • Fix unique constraint violation during NVD mirroring via feed files by @nscuro in #3664
  • De-duplicate CPEs in NVD feed file parsing by @nscuro in #3667
  • Fix missing default repos for Hackage and Nixpkgs by @nscuro in #3678

Dependency Updates 🤖

  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.2.1 to 5.3 by @dependabot in #3282
  • Bump github/codeql-action from 2.22.8 to 2.22.9 by @dependabot in #3289
  • Bump aquasecurity/trivy-action from 0.14.0 to 0.16.0 by @dependabot in #3288
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.15.0 to 1.15.1 by @dependabot in #3298
  • Bump io.github.jeremylong:open-vulnerability-clients from 5.1.0 to 5.1.1 by @dependabot in #3320
  • Bump eclipse-temurin from 5f85d29 to e96937d in /src/main/docker by @dependabot in #3319
  • Bump github/codeql-action from 2.22.9 to 3.22.11 by @dependabot in #3318
  • Bump debian from 375fb84 to d4494b6 in /src/main/docker by @dependabot in #3325
  • Bump org.eclipse.jetty:jetty-maven-plugin from 10.0.18 to 10.0.19 by @dependabot in #3331
  • Bump org.slf4j:log4j-over-slf4j from 2.0.9 to 2.0.10 by @dependabot in #3345
  • Bump github/codeql-action from 3.22.11 to 3.22.12 by @dependabot in #3340
  • Bump org.slf4j:log4j-over-slf4j from 2.0.10 to 2.0.11 by @dependabot in #3362
  • Bump actions/dependency-review-action from 3.1.4 to 3.1.5 by @dependabot in #3359
  • Bump aquasecurity/trivy-action from 0.16.0 to 0.16.1 by @dependabot in #3358
  • Bump actions/download-artifact from 3.0.2 to 4.1.0 by @dependabot in #3341
  • Bump actions/upload-artifact from 3.1.3 to 4.0.0 by @dependabot in #3317
  • Bump debian from d4494b6 to f7235f3 in /src/main/docker by @dependabot in #3370
  • Bump actions/download-artifact from 4.1.0 to 4.1.1 by @dependabot in #3378
  • Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #3377
  • Bump github/codeql-action from 3.22.12 to 3.23.0 by @dependabot in #3376
  • Bump eclipse-temurin from e96937d to 6b234f2 in /src/main/docker by @dependabot in #3387
  • Bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #3400
  • Bump actions/dependency-review-action from 3.1.5 to 4.0.0 by @dependabot in #3401
  • Bump github/codeql-action from 3.23.0 to 3.23.1 by @dependabot in #3399
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.15.1 to 1.15.2 by @dependabot in #3391
  • Bump eclipse-temurin from 21.0.1_12-jre-jammy to 21.0.2_13-jre-jammy in /src/main/docker by @dependabot in #3410
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.3 to 5.3.1 by @dependabot in #3409
  • Bump eclipse-temurin from 651d253 to 24d6ced in /src/main/docker by @dependabot in #3413
  • Bump Alpine to 2.2.5-SNAPSHOT by @nscuro in #3417
  • Bump github/codeql-action from 3.23.1 to 3.23.2 by @dependabot in #3418
  • Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #3419
  • Bump org.eclipse.jetty:jetty-maven-plugin from 10.0.19 to 10.0.20 by @dependabot in #3428
  • Bump debian from f7235f3 to 4255c9f in /src/main/docker by @dependabot in #3427
  • Bump eclipse-temurin from 24d6ced to 91e50ea in /src/main/docker by @dependabot in #3432
  • Bump com.microsoft.sqlserver:mssql-jdbc from 12.4.2.jre11 to 12.6.0.jre11 by @dependabot in #3431
  • Bump github/codeql-action from 3.23.2 to 3.24.0 by @dependabot in #3435
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.2.2 to 3.2.4 by @dependabot in #3440
  • Bump org.json:json from 20231013 to 20240205 by @dependabot in #3441
  • Bump org.slf4j:log4j-over-slf4j from 2.0.11 to 2.0.12 by @dependabot in #3439
  • Bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #3460
  • Bump actions/download-artifact from 4.1.1 to 4.1.2 by @dependabot in #3459
  • Bump aquasecurity/trivy-action from 0.16.1 to 0.17.0 by @dependabot in #3458
  • Bump lib.lucene.version from 8.11.2 to 8.11.3 by @dependabot in #3457
  • Bump debian from 4255c9f to 435ba09 in /src/main/docker by @dependabot in #3462
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.15.2 to 1.16.0 by @dependabot in #3466
  • Bump eclipse-temurin from 91e50ea to 0672ad3 in /src/main/docker by @dependabot in #3471
  • Bump github/codeql-action from 3.24.0 to 3.24.3 by @dependabot in #3473
  • Bump eclipse-temurin from 0672ad3 to 636b9a7 in /src/main/docker by @dependabot in #3476
  • Bump org.apache.commons:commons-compress from 1.25.0 to 1.26.0 by @dependabot in #3475
  • Bump actions/dependency-review-action from 4.0.0 to 4.1.0 by @dependabot in #3474
  • Bump io.github.jeremylong:open-vulnerability-clients from 5.1.1 to 5.1.2 by @dependabot in #3481
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.2.4 to 3.2.5 by @dependabot in #3480
  • Bump com.github.tomakehurst:wiremock-jre8 from 2.35.1 to 2.35.2 by @dependabot in #3479
  • Bump com.microsoft.sqlserver:mssql-jdbc from 12.6.0.jre11 to 12.6.1.jre11 by @dependabot in #3478
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.2.5 to 3.2.7 by @dependabot in #3486
  • Bump various dependencies by @nscuro in #3487
  • Bump actions/dependency-review-action from 4.1.0 to 4.1.3 by @dependabot in #3497
  • Bump github/codeql-action from 3.24.3 to 3.24.5 by @dependabot in #3496
  • Bump Alpine to 2.2.5 by @nscuro in #3515
  • Bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 by @dependabot in #3525
  • Bump github/codeql-action from 3.24.5 to 3.24.6 by @dependabot in #3524
  • Bump actions/download-artifact from 4.1.2 to 4.1.4 by @dependabot in #3523
  • Bump org.json:json from 20240205 to 20240303 by @dependabot in #3527
  • Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in #3526
  • Bump eclipse-temurin from 636b9a7 to d9f7b83 in /src/main/docker by @dependabot in #3532
  • Bump org.testcontainers:testcontainers from 1.19.6 to 1.19.7 by @dependabot in #3533
  • Bump io.github.jeremylong:open-vulnerability-clients from 5.1.2 to 6.0.0 by @dependabot in #3542
  • Bump org.apache.commons:commons-compress from 1.26.0 to 1.26.1 by @dependabot in #3541
  • Bump docker/build-push-action from 5.1.0 to 5.2.0 by @dependabot in #3539
  • Bump actions/setup-java from 4.0.0 to 4.1.0 by @dependabot in #3540
  • Bump debian from 435ba09 to d10f054 in /src/main/docker by @dependabot in #3543
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.16.0 to 1.17.0 by @dependabot in #3547
  • Bump docker/build-push-action from 5.2.0 to 5.3.0 by @dependabot in #3564
  • Bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in #3563
  • Bump docker/setup-buildx-action from 3.1.0 to 3.2.0 by @dependabot in #3562
  • Bump actions/setup-java from 4.1.0 to 4.2.1 by @dependabot in #3565
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.17.0 to 1.17.1 by @dependabot in #3567
  • Bump github/codeql-action from 3.24.6 to 3.24.9 by @dependabot in #3578
  • Bump actions/dependency-review-action from 4.1.3 to 4.2.4 by @dependabot in #3577
  • Bump docker/login-action from 3.0.0 to 3.1.0 by @dependabot in #3576
  • Bump io.github.jeremylong:open-vulnerability-clients from 6.0.0 to 6.0.1 by @dependabot in #3586
  • Bump aquasecurity/trivy-action from 0.18.0 to 0.19.0 by @dependabot in #3592
  • Bump actions/dependency-review-action from 4.2.4 to 4.2.5 by @dependabot in #3593
  • Bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #3606
  • Bump docker/setup-buildx-action from 3.2.0 to 3.3.0 by @dependabot in #3605
  • Bump debian from d10f054 to 2c96e00 in /src/main/docker by @dependabot in #3610
  • Bump org.slf4j:log4j-over-slf4j from 2.0.12 to 2.0.13 by @dependabot in #3619
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.17.1 to 1.18.0 by @dependabot in #3623
  • Bump actions/checkout from 4.1.2 to 4.1.3 by @dependabot in #3636
  • Bump github/codeql-action from 3.24.10 to 3.25.1 by @dependabot in #3635
  • Bump actions/upload-artifact from 4.3.1 to 4.3.2 by @dependabot in #3634
  • Bump actions/download-artifact from 4.1.4 to 4.1.5 by @dependabot in #3633
  • Bump debian from 2c96e00 to ff39497 in /src/main/docker by @dependabot in #3640
  • Bump Temurin base image to 21.0.3_9 by @nscuro in #3652
  • Bump github/codeql-action from 3.25.1 to 3.25.3 by @dependabot in #3656
  • Bump actions/upload-artifact from 4.3.2 to 4.3.3 by @dependabot in #3653
  • Bump actions/checkout from 4.1.3 to 4.1.4 by @dependabot in #3654
  • Bump actions/download-artifact from 4.1.5 to 4.1.7 by @dependabot in #3655
  • Bump actions/dependency-review-action from 4.2.5 to 4.3.2 by @dependabot in #3671
  • Bump dependencies to their latest version by @nscuro in #3674

Other Changes

  • Fix GitHub purl example in v4.10.0 changelog by @lnksz in #3300
  • Updated terminology.md to describe the Risk Score calculation by @AnthonyMastrean in #3347
  • ACL: Add projects to team should only show not yet added projects by @rkg-mm in #3261
  • docs: fix build status badge by @setchy in #3386
  • docs(azure-ad): large enterprise group configuration by @setchy in #3414
  • Fix image link on openidconnect-configuration.md by @mikkeschiren in #3411
  • Improve test coverage of Trivy integration by @nscuro in #3493
  • Adds NVD disclaimer at the top of the documentation page for NVD. by @sebD in #3490
  • Report test coverage for all branches, not just master by @nscuro in #3514
  • Fix CI Build status badge by @baburkin in #3513
  • Upload test coverage for PRs via separate workflow by @nscuro in #3517
  • Update changelog for v4.11.0 by @nscuro in #3531
  • Clarify OpenID Connect group mapping to teams by @nscuro in #3536
  • Transfer copyright from Steve Springett to OWASP Foundation by @nscuro in #3573
  • Normalize capitalization of PyPI by @gtback in #3597
  • Advertise official Helm chart in docs by @nscuro in #3604
  • Update changelog for v4.11 with recent changes by @nscuro in #3618
  • Trivy tweaks by @nscuro in #3630
  • Log debug information upon possible secret key corruption by @nscuro in #3651
  • Update v4.11 changelog with recent changes by @nscuro in #3658
  • Start Jersey TestContainer once per class vs. once per test method by @nscuro in #3668
  • Run builds and CI on feature-* branches by @nscuro in #3672
  • Update v4.11 changelog with recent changes by @nscuro in #3673
  • Simplify BomUploadProcessingTaskTest by @nscuro in #3676
  • Disable Maven transfer progress in CI by @nscuro in #3677
  • Fix changelog typo; Set release date; Bump docs version by @nscuro in #3679
  • Reduce verbosity of ResourceTests by @nscuro in #3680

New Contributors

Full Changelog: 4.10.1...4.11.0

Contributors

AnthonyMastrean, setchy, and 20 other contributors
Assets 6