Skip to content

Latest commit

 

History

History
193 lines (172 loc) · 12.6 KB

2023-10-16-v4.9.0.md

File metadata and controls

193 lines (172 loc) · 12.6 KB
Raw
title type
v4.9.0
major

Features:

  • Support import of CycloneDX v1.5 BOMs - apiserver/#2850
  • Introduce odt_ prefix for API keys to ease leak detection - apiserver/#3047
  • Add support for SPDX license expressions - apiserver/#2400
    • Refer to [Policy Compliance] for details on how license expressions behave in policies
  • Update SPDX license list to v3.21 - apiserver/#3006
  • Support resolving of custom licenses by name, instead of only by ID - apiserver/#2769
  • Add version distance policy condition - apiserver/#2537
  • Separate policy evaluation into its own background task - apiserver/#2523
  • Allow policy violation state to be set via API - apiserver/#2997
  • Add "Outdated only" and "Direct only" options for viewing components of a project - apiserver/#2568
  • Update bundled CWE dictionary to v4.12 - apiserver/#2877
  • Reduce number of API requests necessary to populate the dependency graph of a project - apiserver/#2623
  • Include JDBC connectors for Google Cloud SQL - apiserver/#2651
  • Update default Snyk API version to 2023-06-22 - apiserver/#2911
  • Log warnings when analyses from VEX could not be applied - apiserver/#2989
  • Update Docker base image latest Debian stable - apiserver/#2904
  • Update temurin base image to 17.0.8.1_1 - apiserver/#3069
  • Add extensive test suite for CPE matching logic - apiserver/#2243
  • Update documentation for private vulnerability database - apiserver/#2990
  • Add docs and example config for logging in JSON format - apiserver/#2933
  • Add note about required plan for the Snyk integration to docs - apiserver/#2899
  • Update example Grafana dashboard - apiserver/#2788
  • Add Docker Compose files for simplified local testing - apiserver/#2675
  • Add auto-provisioning of Grafana to Docker Compose development setup - apiserver/#2879
  • Hide username and password fields on login view when OIDC is enabled - frontend/#613
  • Make NGINX listen on both IPv4 and IPv6 interfaces - frontend/#427
  • Display external references and description in project overview - frontend/#485
  • Use separate icons for current and out-of-date components to improve accessibility - frontend/#311
  • Propagate searchText query parameter to list views - frontend/#563
  • Raise baseline NodeJS version to 18 - frontend/#470
  • Upgrade CoreJS to 3.x - frontend/#548

Fixes:

  • Fix memory leak in policy evaluation - apiserver/#2872
  • Fix memory leak in VEX upload processing - apiserver/#2873
  • Fix VDR export erroneously containing non-vulnerable components - apiserver/#2878
  • Fix VEX export erroneously containing dependency graph - apiserver/#3067
  • Fix false positives in CPE matching when version attribute of a CVE's CPE is NA - apiserver/#1832
  • Fix false negatives in CPE matching when part or vendor attribute of a component's CPE is ANY - apiserver/#2988
  • Fix Uncaught internal server error when fetching components by hash if Portfolio Access Control is enabled - apiserver/#2953
  • Fix Affected Component format for CPEs with version ranges - apiserver/#2967
  • Fix missing duplicate check when cloning projects - apiserver/#2966
  • Fix NullPointerException when checking for existence of projects without version - apiserver/#3068
  • Fix module import issues when working on the code base with Eclipse - apiserver/#2971
  • Fix version distance policy being evaluated despite not being configured - apiserver/#2980
  • Fix @JsonIgnore having no effect on transient fields - apiserver/#3051
  • Fix misleading docs about authentication and authorization enforcement being optional - apiserver/#3047
  • Fix default Slack notification template producing invalid JSON for PROJECT_AUDIT_CHANGE notifications - apiserver/#2838
  • Fix default Mattermost notification template producing invalid JSON for NEW_VULNERABLE_DEPENDENCY notifications - apiserver/#3093
  • Fix number of project versions displayed in dropdown being limited to 10 - frontend/#397
  • Fix unauthenticated users not being redirected to login page - frontend/#502
  • Fix no permissions being defined for dashboard route - frontend/#506
  • Fix regression in Docker Compose file regarding application directory - frontend/#494
  • Fix external references dropdown rendering outside the screen - frontend/#539
  • Fix vulnerability aliases not being displayed in expanded rows of findings table - frontend/#559
  • Fix type error in external references dropdown - frontend/#565
  • Fix license expression input fields - frontend/#580
  • Fix wrong message being displayed when creating policies - frontend/#610
  • Fix file permissions of NGINX config file - frontend/#611

Upgrade Notes:

  • API keys generated after the upgrade will be prefixed with odt_. Existing API keys without this prefix will continue to work. The prefix is configurable via alpine.api.key.prefix, although customization is not recommended. Refer to [Configuration] for details.
  • Users ingesting SBOMs with CPE data may notice an uptick in vulnerabilities being identified by the internal analyzer. This is expected as a result of apiserver/#2988 being fixed. If newly identified vulnerabilities turn out to be largely false positives, let the project team know by [reporting a defect].

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
@HagarJNode, @Meroje, @Nikemare, @RingoDev, @Shawyeok, @dustin-decker, @hborchardt, @heubeck, @mattmatician, @melba-lopez, @muellerst-hg, @nathan-mittelette, @sahibamittal, @sephiroth-j, @syalioune, @takumakume, @valentijnscholten, @walterdeboer

dependency-track-apiserver.jar
Algorithm Checksum
SHA-1 cd4ec4f1ed075f37476f46da11451158d7460502
SHA-256 281f091107ef79d9b1e9361dc78608260b364eaa7dbbaeb29d4f7aef1a4bf67b
dependency-track-bundled.jar
Algorithm Checksum
SHA-1 6f3a077219fb49a502a88fcbb40e05865a23f5c5
SHA-256 4ca0b061ed83fa0b34ede8158f3ec0e2a7380c2736731995cf330f809076951f
frontend-dist.zip
Algorithm Checksum
SHA-1 151f24f7b92e93dcf6600c4b8ee9e0ebd7b3560b
SHA-256 1ff2ace778d08529b42ee297fb6e3b0bbe8b2593b2b8686e8b3e3c9472663c2a
Software Bill of Materials (SBOM)

[Configuration]: {{ site.baseurl }}{% link _docs/getting-started/configuration.md %} [Policy Compliance]: {{ site.baseurl }}{% link _docs/usage/policy-compliance.md %}#license-violation [reporting a defect]: https://github.com/DependencyTrack/dependency-track/issues/new?assignees=&labels=defect%2Cin+triage&projects=&template=defect-report.yml