For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.
# SHA1
0cfe5d6cd014a0a25cdb0379e5a75596adc3d448 dependency-track-apiserver.jar
f7a1af3a5bf5f5b864d0db519fe2944391496f32 dependency-track-bundled.jar
# SHA256
83d31e132643249f7752154adc49690353484a66de6e77db7e25f0c1309528eb dependency-track-apiserver.jar
3b4e27b29fd8a19cc5a250d394df43e0b046781f4d37c11720f8db8b9714d669 dependency-track-bundled.jar
# SHA512
44b47c7f864a09733b45fce747c3f6a115a0ba4d753d179b78a613404ab7bdd9008cef3539f5af72193506a7cd1b88fca5041a858a0f287612f2ac5572650fae dependency-track-apiserver.jar
6e6b1210749d89b1ccc29ddc4dcbf2e38c926663f888f644488e63ffda00eb29c79eff1b180941dc798210f5ecf7c2a0e4175e03130f69a08beee36d66aef9fa dependency-track-bundled.jar
## What's Changed
### Enhancements 🚀
- Raise baseline Java version to 21 by @nscuro in #3682
- Add active Field To Project Versions by @aravindparappil46 in #3691
- Support ingestion of CycloneDX v1.6 BOMs by @nscuro in #3710
- Gracefully handle `NotSortableException`s by @nscuro in #3724
- Migrate from Swagger v2 to OpenAPI v3 by @nscuro in #3726
- Improve OpenAPI v3 integration by @nscuro in #3728
- Add EPSS conditions to policies by @2000rosser in #3746
- Search component by group by @rcsilva83 in #3761
- Add Notification For `BOM_VALIDATION_FAILED` by @aravindparappil46 in #3796
- Bump CWE dictionary to v4.14 by @nscuro in #3819
- Bump SPDX license list to v3.24.0 by @nscuro in #3846
- feat: autocreate project with tags by @JCHacking in #3843
- Improve performance of findings retrieval by @nscuro in #3869
- Add REST endpoints for tag retrieval by @nscuro in #3881
- Deprecate `/api/v1/tag/{policyUuid}` in favor of `/api/v1/tag/policy/{uuid}` by @nscuro in #3887
- Enable string de-duplication JVM option per default by @nscuro in #3893
- Add REST endpoints for bulk tagging & un-tagging of projects by @nscuro in #3894
- Add REST endpoint for tag deletion by @nscuro in #3896
- Add REST endpoints to tag and untag policies in bulk by @nscuro in #3924
- Log warning when dependency graph is missing the root node by @nscuro in #3990
- Add option to test notification publisher by @2000rosser in #3983
- Add support for authors field by @2000rosser in #3969
- Add tag support for notifications, and REST endpoints for tagging & untagging notifications in bulk by @nscuro in #4031
- Disable H2 shutdown hook by @nscuro in #4106
- Support inclusion/exclusion of projects from BOM validation with tags by @nscuro in #4109
- Migrate Trivy integration to use Protobuf instead of JSON by @nscuro in #4116
- Bump generated BOM to CycloneDX v1.5; Add external references by @nscuro in #4110
- Bump Alpine to 3.1.0 and adopt new framework features by @nscuro in #4134
- Support customizable welcome message to display on login page by @Gepardgame in #4131
- Add `AUTHOR` -> `AUTHORS` migration by @nscuro in #4143
- Bump SPDX license list to v3.25.0 by @2000rosser in #4145
- Support configuration of system-wide default locale by @Gepardgame in #4136
- Include team name in audit trail for API-submitted audit changes by @Gepardgame in #4154
- Global Audit View: Policy Violations by @rbt-mm in #3544
- Support assigning of teams for portfolio ACL when creating a project by @Gepardgame in #4093
- Introduce `isLatest` project flag & allow policies to be limited to latest version by @rkg-mm in #4184
- Enhance badge API to require authorization by @SaberStrat in #4059
- Exclude pre-releases from NuGet latest version check by @brentos99 in #3468
- Ensure modifying project endpoints are transactional by @nscuro in #4194
- Fix redundant `ConfigProperty` queries in `BadgeResource` by @nscuro in #4202
### Bug Fixes 🐛
- Fix failing JSON BOM validation when `specVersion` is not one of the first fields by @nscuro in #3697
- Fix broken global vuln audit view for MSSQL by @nscuro in #3700
- fix os handling when trivy sets pkgType on properties by @fnxpt in #3727
- Fix OpenAPI types of UNIX timestamp fields by @nscuro in #3731
- Handle breaking change in Trivy server API by @nscuro in #3738
- Add date format to support offset in nuget analyser by @sahibamittal in #3736
- Fix project name not showing in Jira tickets by @lgrguricmileusnic in #3745
- Fix `jakarta.servlet-api` not being inherited from `alpine-server` by @nscuro in #3770
- Fix licenses not being resolved by name by @nscuro in #3782
- Fix Slack notifications failing when no base URL is configured by @nscuro in #3791
- Issue-3769 : fix update component external references by @sahibamittal in #3805
- vulnerabilityAudit incorrectly displaying non-active projects by @2000rosser in #3839
- Fix BOM validation failing when URL contains encoded `[` and `]` characters by @nscuro in #3865
- Prevent XXE injection during CycloneDX validation and parsing by @nscuro in #3870
- Fix `BOM_CONSUMED` and `BOM_PROCESSED` notifications being dispatched with wrong scope by @nscuro in #3877
- Relax lowercase requirement for `/api/v1/tag/{name}/project` and `/api/v1/tag/{name}/policy` by @nscuro in #3888
- Fix NPE when querying component metadata for projects without findings by @nscuro in #3889
- Set license name instead of ID when using custom license by @2000rosser in #3915
- Fix `JDOUserException` when multiple licenses match a component's license name by @nscuro in #3958
- Add regression test for missing `parent` property in `/v1/project/{uuid}` response by @nscuro in #3959
- Fix missing `projectTags` parameter for `POST /v1/bom` endpoint by @nscuro in #3960
- Ensure no unique constraint violation for `ProjectMetadata` by @nscuro in #3982
- Fix validation error when XML BOM declares multiple namespaces by @philippn in #4020
- added missing endpoints in index html for open api upgrade by @mehab in #4022
- Handle breaking change in Trivy v0.54.0 server API by @nscuro in #4023
- Fix project link for new vulnerable dependency for email by @2000rosser in #4026
- Fix vex export returning invalid CycloneDX by @SaberStrat in #3948
- Ensure URL-encoding of repository URL path segments by @nscuro in #4107
- Fix project being rendered as PURL in email notifications by @nscuro in #4108
- Use empty string instead of `SNAPSHOT` as version in BOM download if project doesn't have a version by @Gepardgame in #4142
- Handle empty component and service names by @nscuro in #4146
- Handle existing duplicate component properties by @nscuro in #4147
- Fix infinite recursion during policy condition serialization by @nscuro in #4165
- Feat: Fix that Emails render all symbols right by @Gepardgame in #4141
- Fix `directDependencies` of cloned projects referring to original component UUIDs by @nscuro in #4171
- Fix CPE not being imported from CycloneDX `metadata.component` by @nscuro in #4174
- Visible Endpoint returns only Visible Teams (name, uuid) by @Gepardgame in #4177
- Cache Trivy DB for integration tests by @nscuro in #4181
- Fix breaking change in `PUT /api/v1/project` endpoint by @nscuro in #4185
- Fix metrics endpoint API docs erroneously claiming to return project and component data by @nscuro in #4195
- Fix OSV severity level calculation by @peterakimball in #4196
- Fix: Unauthorized access to projects over /vulnerability/{source}/vuln/{vuln}(/projects) when ACL is enabled by @Gepardgame in #4201
- Fix `affectedComponents` getting removed when updating an internal vulnerability by @nscuro in #4208
### Dependency Updates 🤖
- Bump org.testcontainers:testcontainers from 1.19.7 to 1.19.8 by @dependabot in #3687
- Bump Alpine to `2.2.6-SNAPSHOT` by @nscuro in #3675
- Bump actions/checkout from 4.1.4 to 4.1.5 by @dependabot in #3693
- Bump github/codeql-action from 3.25.3 to 3.25.4 by @dependabot in #3694
- Bump aquasecurity/trivy-action from 0.19.0 to 0.20.0 by @dependabot in #3695
- Bump debian from `ff39497` to `2b2e35d` in /src/main/docker by @dependabot in #3708
- Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.18.0 to 1.18.1 by @dependabot in #3707
- Bump Alpine to `2.2.6-SNAPSHOT` by @nscuro in #3711
- Bump org.eclipse.jetty:jetty-maven-plugin from 10.0.20 to 10.0.21 by @dependabot in #3725
- Bump github/codeql-action from 3.25.4 to 3.25.6 by @dependabot in #3739
- Bump actions/checkout from 4.1.5 to 4.1.6 by @dependabot in #3734
- Bump org.codehaus.mojo:exec-maven-plugin from 3.2.0 to 3.3.0 by @dependabot in #3743
- Bump org.apache.commons:commons-compress from 1.26.1 to 1.26.2 by @dependabot in #3748
- Bump aquasecurity/trivy-action from 0.20.0 to 0.21.0 by @dependabot in #3753
- Bump org.apache.maven:maven-artifact from 3.9.6 to 3.9.7 by @dependabot in #3754
- Bump bundled frontend to 4.11.2 by @nscuro in #3793
- Bump docker/login-action from 3.1.0 to 3.2.0 by @dependabot in #3799
- Bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #3800
- Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.9 to 12.0.10 by @dependabot in #3804
- Bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 by @dependabot in #3813
- Bump github/codeql-action from 3.25.7 to 3.25.8 by @dependabot in #3829
- Bump aquasecurity/trivy-action from 0.21.0 to 0.22.0 by @dependabot in #3828
- Bump actions/dependency-review-action from 4.3.2 to 4.3.3 by @dependabot in #3827
- Bump debian from `2b2e35d` to `0200978` in /src/main/docker by @dependabot in #3842
- Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.18.1 to 1.19.0 by @dependabot in #3837
- Bump `cyclonedx-core-java` to `9.0.2` by @nscuro in #3847
- Bump actions/checkout from 4.1.6 to 4.1.7 by @dependabot in #3852
- Bump docker/build-push-action from 5.3.0 to 5.4.0 by @dependabot in #3853
- Bump github/codeql-action from 3.25.8 to 3.25.10 by @dependabot in #3854
- Bump org.apache.maven:maven-artifact from 3.9.7 to 3.9.8 by @dependabot in #3851
- Bump org.apache.maven.plugins:maven-clean-plugin from 3.3.2 to 3.4.0 by @dependabot in #3859
- Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 by @dependabot in #3872
- Bump docker/build-push-action from 5.4.0 to 6.1.0 by @dependabot in #3873
- Bump bundled frontend to 4.11.4 by @nscuro in #3874
- Bump net.javacrumbs.json-unit:json-unit-assertj from 3.2.7 to 3.3.0 by @dependabot in #3890
- Bump io.github.jeremylong:open-vulnerability-clients from 6.0.1 to 6.1.0 by @dependabot in #3901
- Bump docker/build-push-action from 6.1.0 to 6.2.0 by @dependabot in #3902
- Bump github/codeql-action from 3.25.10 to 3.25.11 by @dependabot in #3903
- Bump debian from `0200978` to `f8bbfa0` in /src/main/docker by @dependabot in #3912
- Bump io.github.jeremylong:open-vulnerability-clients from 6.1.0 to 6.1.1 by @dependabot in #3914
- Bump net.javacrumbs.json-unit:json-unit-assertj from 3.3.0 to 3.4.0 by @dependabot in #3916
- Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.10 to 12.0.11 by @dependabot in #3917
- Bump io.github.jeremylong:open-vulnerability-clients from 6.1.1 to 6.1.2 by @dependabot in #3926
- Bump docker/build-push-action from 6.2.0 to 6.3.0 by @dependabot in #3928
- Bump actions/upload-artifact from 4.3.3 to 4.3.4 by @dependabot in #3931
- Bump docker/setup-qemu-action from 3.0.0 to 3.1.0 by @dependabot in #3929
- Bump docker/setup-buildx-action from 3.3.0 to 3.4.0 by @dependabot in #3930
- Bump io.github.jeremylong:open-vulnerability-clients from 6.1.2 to 6.1.6 by @dependabot in #3964
- Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.19.0 to 1.19.1 by @dependabot in #3968
- Bump actions/dependency-review-action from 4.3.3 to 4.3.4 by @dependabot in #3974
- Bump github/codeql-action from 3.25.11 to 3.25.12 by @dependabot in #3976
- Bump actions/download-artifact from 4.1.7 to 4.1.8 by @dependabot in #3977
- Bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 by @dependabot in #3975
- Bump net.javacrumbs.json-unit:json-unit-assertj from 3.4.0 to 3.4.1 by @dependabot in #3985
- Bump org.testcontainers:testcontainers from 1.19.8 to 1.20.0 by @dependabot in #3987
- Bump io.github.jeremylong:open-vulnerability-clients from 6.1.6 to 6.1.7 by @dependabot in #3984
- Bump docker/build-push-action from 6.3.0 to 6.4.1 by @dependabot in #3992
- Bump github/codeql-action from 3.25.12 to 3.25.13 by @dependabot in #3993
- Bump debian from `f8bbfa0` to `57bd74e` in /src/main/docker by @dependabot in #3997
- Bump com.fasterxml.woodstox:woodstox-core from 6.6.2 to 7.0.0 by @dependabot in #4001
- Bump com.google.cloud.sql:postgres-socket-factory from 1.18.0 to 1.19.1 by @dependabot in #4002
- Bump docker/setup-qemu-action from 3.1.0 to 3.2.0 by @dependabot in #4009
- Bump github/codeql-action from 3.25.13 to 3.25.15 by @dependabot in #4012
- Bump docker/login-action from 3.2.0 to 3.3.0 by @dependabot in #4011
- Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.11 to 12.0.12 by @dependabot in #4019
- Bump docker/setup-buildx-action from 3.4.0 to 3.5.0 by @dependabot in #4010
- Bump org.testcontainers:testcontainers from 1.20.0 to 1.20.1 by @dependabot in #4025
- Bump com.microsoft.sqlserver:mssql-jdbc from 12.6.1.jre11 to 12.8.0.jre11 by @dependabot in #4024
- Bump org.kohsuke:github-api from 1.321 to 1.323 by @dependabot in #4028
- Bump com.puppycrawl.tools:checkstyle from 10.16.0 to 10.17.0 by @dependabot in #4029
- Bump docker/setup-buildx-action from 3.5.0 to 3.6.1 by @dependabot in #4035
- Bump actions/upload-artifact from 4.3.4 to 4.3.5 by @dependabot in #4033
- Bump docker/build-push-action from 6.4.1 to 6.5.0 by @dependabot in #4034
- Bump org.slf4j:log4j-over-slf4j from 2.0.13 to 2.0.14 by @dependabot in #4038
- Bump org.codehaus.mojo:exec-maven-plugin from 3.3.0 to 3.4.0 by @dependabot in #4037
- Bump org.apache.commons:commons-compress from 1.26.2 to 1.27.0 by @dependabot in #4052
- Bump org.slf4j:log4j-over-slf4j from 2.0.14 to 2.0.15 by @dependabot in #4053
- Bump Temurin base image to `21.0.4_7` by @nscuro in #4055
- Bump bundled frontend to v4.11.6 by @nscuro in #4058
- Bump docker/build-push-action from 6.5.0 to 6.6.1 by @dependabot in #4063
- Bump github/codeql-action from 3.25.15 to 3.26.0 by @dependabot in #4062
- Bump org.slf4j:log4j-over-slf4j from 2.0.15 to 2.0.16 by @dependabot in #4064
- Bump actions/upload-artifact from 4.3.5 to 4.3.6 by @dependabot in #4061
- Bump actions/setup-java from 4.2.1 to 4.2.2 by @dependabot in #4060
- Bump org.codehaus.mojo:exec-maven-plugin from 3.4.0 to 3.4.1 by @dependabot in #4068
- Bump debian from `57bd74e` to `382967f` in /src/main/docker by @dependabot in #4069
- Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.19.1 to 1.20.0 by @dependabot in #4076
- Bump Alpine to 3.0.1 by @nscuro in #4075
- Bump org.apache.maven:maven-artifact from 3.9.8 to 3.9.9 by @dependabot in #4084
- Bump docker/build-push-action from 6.6.1 to 6.7.0 by @dependabot in #4083
- Bump github/codeql-action from 3.26.0 to 3.26.2 by @dependabot in #4082
- Bump org.apache.commons:commons-compress from 1.27.0 to 1.27.1 by @dependabot in #4085
- Bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.4.0 to 3.5.0 by @dependabot in #4089
- Bump com.microsoft.sqlserver:mssql-jdbc from 12.8.0.jre11 to 12.8.1.jre11 by @dependabot in #4090
- Bump github/codeql-action from 3.26.2 to 3.26.5 by @dependabot in #4096
- Bump DataNucleus to 6.0.8 by @nscuro in #4104
- Bump actions/upload-artifact from 4.3.6 to 4.4.0 by @dependabot in #4115
- Bump github/codeql-action from 3.26.5 to 3.26.6 by @dependabot in #4114
- Bump io.github.jeremylong:open-vulnerability-clients from 6.1.7 to 6.2.0 by @dependabot in #4113
- Bump debian from `382967f` to `64bc71f` in /src/main/docker by @dependabot in #4125
- Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.12 to 12.0.13 by @dependabot in #4130
- Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.20.0 to 1.20.1 by @dependabot in #4129
- Bump lib.protobuf-java.version from 4.28.0 to 4.28.1 by @dependabot in #4139
- Bump actions/setup-java from 4.2.2 to 4.3.0 by @dependabot in #4150
- Bump github/codeql-action from 3.26.6 to 3.26.7 by @dependabot in #4149
- Bump lib.protobuf-java.version from 4.28.1 to 4.28.2 by @dependabot in #4159
- Bump org.apache.httpcomponents.client5:httpclient5 from 5.3.1 to 5.4 by @dependabot in #4162
- Bump github/codeql-action from 3.26.7 to 3.26.8 by @dependabot in #4167
- Bump lib.lucene.version from 8.11.3 to 8.11.4 by @dependabot in #4172
- Bump debian from `64bc71f` to `a75706a` in /src/main/docker by @dependabot in #4182
- Bump various dependencies by @nscuro in #4187
- Bump actions/setup-java from 4.3.0 to 4.4.0 by @dependabot in #4191
- Bump debian from `a75706a` to `939e69e` in /src/main/docker by @dependabot in #4192
- Bump docker/build-push-action from 6.7.0 to 6.8.0 by @dependabot in #4190
- Bump github/codeql-action from 3.26.8 to 3.26.9 by @dependabot in #4189
- Bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #4188
- Bump org.testcontainers:testcontainers from 1.20.1 to 1.20.2 by @dependabot in #4199
- Bump io.github.jeremylong:open-vulnerability-clients from 6.2.0 to 7.0.0 by @dependabot in #4198
- Bump mysql-connector-j to 8.2.0 by @nscuro in #4204
- Bump bundled frontend to 4.12.0 by @nscuro in #4209
### Other Changes
- Update database support docs by @nscuro in #3712
- Remove workarounds for #2677 by @nscuro in #3713
- Fix compiler warnings by @nscuro in #3714
- Remove legacy `BomUploadProcessingTask` by @nscuro in #3722
- Migrate to Jakarta EE 10 and Jetty 12 by @nscuro in #3730
- Creating ADOPTERS.md as well as ADOPTERS ISSUE Type for future adopters showcase by @spawar-apex in #3803
- Added Air France-KLM as DT adopter by @nekhtan in #3892
- docs: add docs for base_path by @Squixx in #3899
- Cleanup temporary workarounds by @nscuro in #3947
- Add OIDC Documentation for OneLogin by @rh0dy in #3921
- fix: fix anchors in changelog documentation by @JCHacking in #3965
- Update changelog for v4.12.0 with recent changes by @nscuro in #4032
- Port regression test for `parent` field occasionally missing in `/api/v1/project/{uuid}` responses by @nscuro in #4050
- Add test for license finding by Id or Name by @gbonnefille in #4091
- Update changelog for v4.12.0 with recent changes by @nscuro in #4111
- Fix missing parenthesis in documentation by @LelouBil in #4178
- Fix potential race condition in `PolicyEngineTest#notificationTest` by @nscuro in #4203
- Fix `getAffectedProjectACLDisabledTest` flakiness by @nscuro in #4205
- Work around ghcr.io rate limiting for Trivy database downloads by @nscuro in #4207
- Update changelog for v4.12.0 with recent changes by @nscuro in #4186
## New Contributors
- @lgrguricmileusnic made their first contribution in #3745
- @rcsilva83 made their first contribution in #3761
- @spawar-apex made their first contribution in #3803
- @JCHacking made their first contribution in #3843
- @nekhtan made their first contribution in #3892
- @Squixx made their first contribution in #3899
- @rh0dy made their first contribution in #3921
- @philippn made their first contribution in #4020
- @SaberStrat made their first contribution in #3948
- @gbonnefille made their first contribution in #4091
- @Gepardgame made their first contribution in #4131
- @brentos99 made their first contribution in #3468
- @LelouBil made their first contribution in #4178
- @peterakimball made their first contribution in #4196
**Full Changelog**: 4.11.0...4.12.0