github DependencyTrack/dependency-track 4.12.0

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.

# SHA1
0cfe5d6cd014a0a25cdb0379e5a75596adc3d448  dependency-track-apiserver.jar
f7a1af3a5bf5f5b864d0db519fe2944391496f32  dependency-track-bundled.jar
# SHA256
83d31e132643249f7752154adc49690353484a66de6e77db7e25f0c1309528eb  dependency-track-apiserver.jar
3b4e27b29fd8a19cc5a250d394df43e0b046781f4d37c11720f8db8b9714d669  dependency-track-bundled.jar
# SHA512
44b47c7f864a09733b45fce747c3f6a115a0ba4d753d179b78a613404ab7bdd9008cef3539f5af72193506a7cd1b88fca5041a858a0f287612f2ac5572650fae  dependency-track-apiserver.jar
6e6b1210749d89b1ccc29ddc4dcbf2e38c926663f888f644488e63ffda00eb29c79eff1b180941dc798210f5ecf7c2a0e4175e03130f69a08beee36d66aef9fa  dependency-track-bundled.jar

What's Changed

Enhancements 🚀

  • Raise baseline Java version to 21 by @nscuro in #3682
  • Add active Field To Project Versions by @aravindparappil46 in #3691
  • Support ingestion of CycloneDX v1.6 BOMs by @nscuro in #3710
  • Gracefully handle NotSortableExceptions by @nscuro in #3724
  • Migrate from Swagger v2 to OpenAPI v3 by @nscuro in #3726
  • Improve OpenAPI v3 integration by @nscuro in #3728
  • Add EPSS conditions to policies by @2000rosser in #3746
  • Search component by group by @rcsilva83 in #3761
  • Add Notification For BOM_VALIDATION_FAILED by @aravindparappil46 in #3796
  • Bump CWE dictionary to v4.14 by @nscuro in #3819
  • Bump SPDX license list to v3.24.0 by @nscuro in #3846
  • feat: autocreate project with tags by @JCHacking in #3843
  • Improve performance of findings retrieval by @nscuro in #3869
  • Add REST endpoints for tag retrieval by @nscuro in #3881
  • Deprecate /api/v1/tag/{policyUuid} in favor of /api/v1/tag/policy/{uuid} by @nscuro in #3887
  • Enable string de-duplication JVM option per default by @nscuro in #3893
  • Add REST endpoints for bulk tagging & un-tagging of projects by @nscuro in #3894
  • Add REST endpoint for tag deletion by @nscuro in #3896
  • Add REST endpoints to tag and untag policies in bulk by @nscuro in #3924
  • Log warning when dependency graph is missing the root node by @nscuro in #3990
  • Add option to test notification publisher by @2000rosser in #3983
  • Add support for authors field by @2000rosser in #3969
  • Add tag support for notifications, and REST endpoints for tagging & untagging notifications in bulk by @nscuro in #4031
  • Disable H2 shutdown hook by @nscuro in #4106
  • Support inclusion/exclusion of projects from BOM validation with tags by @nscuro in #4109
  • Migrate Trivy integration to use Protobuf instead of JSON by @nscuro in #4116
  • Bump generated BOM to CycloneDX v1.5; Add external references by @nscuro in #4110
  • Bump Alpine to 3.1.0 and adopt new framework features by @nscuro in #4134
  • Support customizable welcome message to display on login page by @Gepardgame in #4131
  • Add AUTHOR -> AUTHORS migration by @nscuro in #4143
  • Bump SPDX license list to v3.25.0 by @2000rosser in #4145
  • Support configuration of system-wide default locale by @Gepardgame in #4136
  • Include team name in audit trail for API-submitted audit changes by @Gepardgame in #4154
  • Global Audit View: Policy Violations by @rbt-mm in #3544
  • Support assigning of teams for portfolio ACL when creating a project by @Gepardgame in #4093
  • Introduce isLatest project flag & allow policies to be limited to latest version by @rkg-mm in #4184
  • Enhance badge API to require authorization by @SaberStrat in #4059
  • Exclude pre-releases from NuGet latest version check by @brentos99 in #3468
  • Ensure modifying project endpoints are transactional by @nscuro in #4194
  • Fix redundant ConfigProperty queries in BadgeResource by @nscuro in #4202

Bug Fixes 🐛

  • Fix failing JSON BOM validation when specVersion is not one of the first fields by @nscuro in #3697
  • Fix broken global vuln audit view for MSSQL by @nscuro in #3700
  • fix os handling when trivy sets pkgType on properties by @fnxpt in #3727
  • Fix OpenAPI types of UNIX timestamp fields by @nscuro in #3731
  • Handle breaking change in Trivy server API by @nscuro in #3738
  • Add date format to support offset in nuget analyser by @sahibamittal in #3736
  • Fix project name not showing in Jira tickets by @lgrguricmileusnic in #3745
  • Fix jakarta.servlet-api not being inherited from alpine-server by @nscuro in #3770
  • Fix licenses not being resolved by name by @nscuro in #3782
  • Fix Slack notifications failing when no base URL is configured by @nscuro in #3791
  • Issue-3769 : fix update component external references by @sahibamittal in #3805
  • vulnerabilityAudit incorrectly displaying non-active projects by @2000rosser in #3839
  • Fix BOM validation failing when URL contains encoded [ and ] characters by @nscuro in #3865
  • Prevent XXE injection during CycloneDX validation and parsing by @nscuro in #3870
  • Fix BOM_CONSUMED and BOM_PROCESSED notifications being dispatched with wrong scope by @nscuro in #3877
  • Relax lowercase requirement for /api/v1/tag/{name}/project and /api/v1/tag/{name}/policy by @nscuro in #3888
  • Fix NPE when querying component metadata for projects without findings by @nscuro in #3889
  • Set license name instead of ID when using custom license by @2000rosser in #3915
  • Fix JDOUserException when multiple licenses match a component's license name by @nscuro in #3958
  • Add regression test for missing parent property in /v1/project/{uuid} response by @nscuro in #3959
  • Fix missing projectTags parameter for POST /v1/bom endpoint by @nscuro in #3960
  • Ensure no unique constraint violation for ProjectMetadata by @nscuro in #3982
  • Fix validation error when XML BOM declares multiple namespaces by @philippn in #4020
  • added missing endpoints in index html for open api upgrade by @mehab in #4022
  • Handle breaking change in Trivy v0.54.0 server API by @nscuro in #4023
  • Fix project link for new vulnerable dependency for email by @2000rosser in #4026
  • Fix vex export returning invalid CycloneDX by @SaberStrat in #3948
  • Ensure URL-encoding of repository URL path segments by @nscuro in #4107
  • Fix project being rendered as PURL in email notifications by @nscuro in #4108
  • Use empty string instead of SNAPSHOT as version in BOM download if project doesn't have a version by @Gepardgame in #4142
  • Handle empty component and service names by @nscuro in #4146
  • Handle existing duplicate component properties by @nscuro in #4147
  • Fix infinite recursion during policy condition serialization by @nscuro in #4165
  • Feat: Fix that Emails render all symbols right by @Gepardgame in #4141
  • Fix directDependencies of cloned projects referring to original component UUIDs by @nscuro in #4171
  • Fix CPE not being imported from CycloneDX metadata.component by @nscuro in #4174
  • Visible Endpoint returns only Visible Teams(name, uuid) by @Gepardgame in #4177
  • Cache Trivy DB for integration tests by @nscuro in #4181
  • Fix breaking change in PUT /api/v1/project endpoint by @nscuro in #4185
  • Fix metrics endpoint API docs erroneously claiming to return project and component data by @nscuro in #4195
  • Fix OSV severity level calculation by @peterakimball in #4196
  • Fix: Unauthorized access to projects over /vulnerability/{source}/vuln/{vuln}(/projects) when ACL is enabled by @Gepardgame in #4201
  • Fix affectedComponents getting removed when updating an internal vulnerability by @nscuro in #4208

Dependency Updates 🤖

  • Bump org.testcontainers:testcontainers from 1.19.7 to 1.19.8 by @dependabot in #3687
  • Bump Alpine to 2.2.6-SNAPSHOT by @nscuro in #3675
  • Bump actions/checkout from 4.1.4 to 4.1.5 by @dependabot in #3693
  • Bump github/codeql-action from 3.25.3 to 3.25.4 by @dependabot in #3694
  • Bump aquasecurity/trivy-action from 0.19.0 to 0.20.0 by @dependabot in #3695
  • Bump debian from ff39497 to 2b2e35d in /src/main/docker by @dependabot in #3708
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.18.0 to 1.18.1 by @dependabot in #3707
  • Bump Alpine to 2.2.6-SNAPSHOT by @nscuro in #3711
  • Bump org.eclipse.jetty:jetty-maven-plugin from 10.0.20 to 10.0.21 by @dependabot in #3725
  • Bump github/codeql-action from 3.25.4 to 3.25.6 by @dependabot in #3739
  • Bump actions/checkout from 4.1.5 to 4.1.6 by @dependabot in #3734
  • Bump org.codehaus.mojo:exec-maven-plugin from 3.2.0 to 3.3.0 by @dependabot in #3743
  • Bump org.apache.commons:commons-compress from 1.26.1 to 1.26.2 by @dependabot in #3748
  • Bump aquasecurity/trivy-action from 0.20.0 to 0.21.0 by @dependabot in #3753
  • Bump org.apache.maven:maven-artifact from 3.9.6 to 3.9.7 by @dependabot in #3754
  • Bump bundled frontend to 4.11.2 by @nscuro in #3793
  • Bump docker/login-action from 3.1.0 to 3.2.0 by @dependabot in #3799
  • Bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #3800
  • Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.9 to 12.0.10 by @dependabot in #3804
  • Bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 by @dependabot in #3813
  • Bump github/codeql-action from 3.25.7 to 3.25.8 by @dependabot in #3829
  • Bump aquasecurity/trivy-action from 0.21.0 to 0.22.0 by @dependabot in #3828
  • Bump actions/dependency-review-action from 4.3.2 to 4.3.3 by @dependabot in #3827
  • Bump debian from 2b2e35d to 0200978 in /src/main/docker by @dependabot in #3842
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.18.1 to 1.19.0 by @dependabot in #3837
  • Bump cyclonedx-core-java to 9.0.2 by @nscuro in #3847
  • Bump actions/checkout from 4.1.6 to 4.1.7 by @dependabot in #3852
  • Bump docker/build-push-action from 5.3.0 to 5.4.0 by @dependabot in #3853
  • Bump github/codeql-action from 3.25.8 to 3.25.10 by @dependabot in #3854
  • Bump org.apache.maven:maven-artifact from 3.9.7 to 3.9.8 by @dependabot in #3851
  • Bump org.apache.maven.plugins:maven-clean-plugin from 3.3.2 to 3.4.0 by @dependabot in #3859
  • Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 by @dependabot in #3872
  • Bump docker/build-push-action from 5.4.0 to 6.1.0 by @dependabot in #3873
  • Bump bundled frontend to 4.11.4 by @nscuro in #3874
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.2.7 to 3.3.0 by @dependabot in #3890
  • Bump io.github.jeremylong:open-vulnerability-clients from 6.0.1 to 6.1.0 by @dependabot in #3901
  • Bump docker/build-push-action from 6.1.0 to 6.2.0 by @dependabot in #3902
  • Bump github/codeql-action from 3.25.10 to 3.25.11 by @dependabot in #3903
  • Bump debian from 0200978 to f8bbfa0 in /src/main/docker by @dependabot in #3912
  • Bump io.github.jeremylong:open-vulnerability-clients from 6.1.0 to 6.1.1 by @dependabot in #3914
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.3.0 to 3.4.0 by @dependabot in #3916
  • Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.10 to 12.0.11 by @dependabot in #3917
  • Bump io.github.jeremylong:open-vulnerability-clients from 6.1.1 to 6.1.2 by @dependabot in #3926
  • Bump docker/build-push-action from 6.2.0 to 6.3.0 by @dependabot in #3928
  • Bump actions/upload-artifact from 4.3.3 to 4.3.4 by @dependabot in #3931
  • Bump docker/setup-qemu-action from 3.0.0 to 3.1.0 by @dependabot in #3929
  • Bump docker/setup-buildx-action from 3.3.0 to 3.4.0 by @dependabot in #3930
  • Bump io.github.jeremylong:open-vulnerability-clients from 6.1.2 to 6.1.6 by @dependabot in #3964
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.19.0 to 1.19.1 by @dependabot in #3968
  • Bump actions/dependency-review-action from 4.3.3 to 4.3.4 by @dependabot in #3974
  • Bump github/codeql-action from 3.25.11 to 3.25.12 by @dependabot in #3976
  • Bump actions/download-artifact from 4.1.7 to 4.1.8 by @dependabot in #3977
  • Bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 by @dependabot in #3975
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.4.0 to 3.4.1 by @dependabot in #3985
  • Bump org.testcontainers:testcontainers from 1.19.8 to 1.20.0 by @dependabot in #3987
  • Bump io.github.jeremylong:open-vulnerability-clients from 6.1.6 to 6.1.7 by @dependabot in #3984
  • Bump docker/build-push-action from 6.3.0 to 6.4.1 by @dependabot in #3992
  • Bump github/codeql-action from 3.25.12 to 3.25.13 by @dependabot in #3993
  • Bump debian from f8bbfa0 to 57bd74e in /src/main/docker by @dependabot in #3997
  • Bump com.fasterxml.woodstox:woodstox-core from 6.6.2 to 7.0.0 by @dependabot in #4001
  • Bump com.google.cloud.sql:postgres-socket-factory from 1.18.0 to 1.19.1 by @dependabot in #4002
  • Bump docker/setup-qemu-action from 3.1.0 to 3.2.0 by @dependabot in #4009
  • Bump github/codeql-action from 3.25.13 to 3.25.15 by @dependabot in #4012
  • Bump docker/login-action from 3.2.0 to 3.3.0 by @dependabot in #4011
  • Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.11 to 12.0.12 by @dependabot in #4019
  • Bump docker/setup-buildx-action from 3.4.0 to 3.5.0 by @dependabot in #4010
  • Bump org.testcontainers:testcontainers from 1.20.0 to 1.20.1 by @dependabot in #4025
  • Bump com.microsoft.sqlserver:mssql-jdbc from 12.6.1.jre11 to 12.8.0.jre11 by @dependabot in #4024
  • Bump org.kohsuke:github-api from 1.321 to 1.323 by @dependabot in #4028
  • Bump com.puppycrawl.tools:checkstyle from 10.16.0 to 10.17.0 by @dependabot in #4029
  • Bump docker/setup-buildx-action from 3.5.0 to 3.6.1 by @dependabot in #4035
  • Bump actions/upload-artifact from 4.3.4 to 4.3.5 by @dependabot in #4033
  • Bump docker/build-push-action from 6.4.1 to 6.5.0 by @dependabot in #4034
  • Bump org.slf4j:log4j-over-slf4j from 2.0.13 to 2.0.14 by @dependabot in #4038
  • Bump org.codehaus.mojo:exec-maven-plugin from 3.3.0 to 3.4.0 by @dependabot in #4037
  • Bump org.apache.commons:commons-compress from 1.26.2 to 1.27.0 by @dependabot in #4052
  • Bump org.slf4j:log4j-over-slf4j from 2.0.14 to 2.0.15 by @dependabot in #4053
  • Bump Temurin base image to 21.0.4_7 by @nscuro in #4055
  • Bump bundled frontend to v4.11.6 by @nscuro in #4058
  • Bump docker/build-push-action from 6.5.0 to 6.6.1 by @dependabot in #4063
  • Bump github/codeql-action from 3.25.15 to 3.26.0 by @dependabot in #4062
  • Bump org.slf4j:log4j-over-slf4j from 2.0.15 to 2.0.16 by @dependabot in #4064
  • Bump actions/upload-artifact from 4.3.5 to 4.3.6 by @dependabot in #4061
  • Bump actions/setup-java from 4.2.1 to 4.2.2 by @dependabot in #4060
  • Bump org.codehaus.mojo:exec-maven-plugin from 3.4.0 to 3.4.1 by @dependabot in #4068
  • Bump debian from 57bd74e to 382967f in /src/main/docker by @dependabot in #4069
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.19.1 to 1.20.0 by @dependabot in #4076
  • Bump Alpine to 3.0.1 by @nscuro in #4075
  • Bump org.apache.maven:maven-artifact from 3.9.8 to 3.9.9 by @dependabot in #4084
  • Bump docker/build-push-action from 6.6.1 to 6.7.0 by @dependabot in #4083
  • Bump github/codeql-action from 3.26.0 to 3.26.2 by @dependabot in #4082
  • Bump org.apache.commons:commons-compress from 1.27.0 to 1.27.1 by @dependabot in #4085
  • Bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.4.0 to 3.5.0 by @dependabot in #4089
  • Bump com.microsoft.sqlserver:mssql-jdbc from 12.8.0.jre11 to 12.8.1.jre11 by @dependabot in #4090
  • Bump github/codeql-action from 3.26.2 to 3.26.5 by @dependabot in #4096
  • Bump DataNucleus to 6.0.8 by @nscuro in #4104
  • Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #4115
  • Bump github/codeql-action from 3.26.5 to 3.26.6 by @dependabot in #4114
  • Bump io.github.jeremylong:open-vulnerability-clients from 6.1.7 to 6.2.0 by @dependabot in #4113
  • Bump debian from 382967f to 64bc71f in /src/main/docker by @dependabot in #4125
  • Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.12 to 12.0.13 by @dependabot in #4130
  • Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.20.0 to 1.20.1 by @dependabot in #4129
  • Bump lib.protobuf-java.version from 4.28.0 to 4.28.1 by @dependabot in #4139
  • Bump actions/setup-java from 4.2.2 to 4.3.0 by @dependabot in #4150
  • Bump github/codeql-action from 3.26.6 to 3.26.7 by @dependabot in #4149
  • Bump lib.protobuf-java.version from 4.28.1 to 4.28.2 by @dependabot in #4159
  • Bump org.apache.httpcomponents.client5:httpclient5 from 5.3.1 to 5.4 by @dependabot in #4162
  • Bump github/codeql-action from 3.26.7 to 3.26.8 by @dependabot in #4167
  • Bump lib.lucene.version from 8.11.3 to 8.11.4 by @dependabot in #4172
  • Bump debian from 64bc71f to a75706a in /src/main/docker by @dependabot in #4182
  • Bump various dependencies by @nscuro in #4187
  • Bump actions/setup-java from 4.3.0 to 4.4.0 by @dependabot in #4191
  • Bump debian from a75706a to 939e69e in /src/main/docker by @dependabot in #4192
  • Bump docker/build-push-action from 6.7.0 to 6.8.0 by @dependabot in #4190
  • Bump github/codeql-action from 3.26.8 to 3.26.9 by @dependabot in #4189
  • Bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #4188
  • Bump org.testcontainers:testcontainers from 1.20.1 to 1.20.2 by @dependabot in #4199
  • Bump io.github.jeremylong:open-vulnerability-clients from 6.2.0 to 7.0.0 by @dependabot in #4198
  • Bump mysql-connector-j to 8.2.0 by @nscuro in #4204
  • Bump bundled frontend to 4.12.0 by @nscuro in #4209

Other Changes

  • Update database support docs by @nscuro in #3712
  • Remove workarounds for #2677 by @nscuro in #3713
  • Fix compiler warnings by @nscuro in #3714
  • Remove legacy BomUploadProcessingTask by @nscuro in #3722
  • Migrate to Jakarta EE 10 and Jetty 12 by @nscuro in #3730
  • Creating ADOPTERS.md as well as ADOPTERS ISSUE Type for future adopters showcase by @spawar-apex in #3803
  • Added Air France-KLM as DT adopter by @nekhtan in #3892
  • docs: add docs for base_path by @Squixx in #3899
  • Cleanup temporary workarounds by @nscuro in #3947
  • Add OIDC Documentation for OneLogin by @rh0dy in #3921
  • fix: fix anchors in changelog documentation by @JCHacking in #3965
  • Update changelog for v4.12.0 with recent changes by @nscuro in #4032
  • Port regression test for parent field occasionally missing in /api/v1/project/{uuid} responses by @nscuro in #4050
  • Add test for license finding by Id or Name by @gbonnefille in #4091
  • Update changelog for v4.12.0 with recent changes by @nscuro in #4111
  • Fix missing parenthesis in documentation by @LelouBil in #4178
  • Fix potential race condition in PolicyEngineTest#notificationTest by @nscuro in #4203
  • Fix getAffectedProjectACLDisabledTest flakiness by @nscuro in #4205
  • Work around ghcr.io rate limiting for Trivy database downloads by @nscuro in #4207
  • Update changelog for v4.12.0 with recent changes by @nscuro in #4186

Full Changelog: 4.11.0...4.12.0