Features:
- Implemented Portfolio Access Control (beta) - #140
- OpenID Connect: Source user claims from
/userinfoand ID token - #1008- Resolves an issue where some IdPs would provide specific claims only in one and not the other of the two
- Added Go Modules repository support
- Added timeout for idle transactions - #941
- Components with missing or unknown license are now evaluated against policy condition - #1105
Fixes:
- Resolved issue where active projects could only be displayed when showing inactive projects - #963
- Resolved high load issues with Postgres while simultaneously increasing performance for all database platforms - #1026
- Resolved issue with OSS Index where PURLs without a version will lead to scan failure - #1115
Security:
Portfolio ACL logic has been implemented. In its current form, Portfolio Access Control is a beta feature in v4.3. As a result, the project will not treat bypass or absent ACL logic as a security defect. There are a few known gaps in ACL logic that will exist in v4.3. These gaps are tracked in #1127.
ACL logic covers:
- /v1/bom/*
- Uploading SBOMs to projects or exporting SBOMs from projects or components
- v1/component/*
- CRUD operations on components
- /v1/finding/*
- Security findings for projects and components
- /v1/metrics/*
- Project and component metrics
- /v1/project/*
- _RUD operations on projects
- /v1/service/*
- CRUD operations on components
- /v1/violation/*
- Project and component policy violations
- /v1/vulnerability/*
- CRUD operations on vulnerable projects or components
The user interface clearly states that Portfolio Access Control is beta. By default, Portfolio Access Control is disabled.
Upgrade Notes:
- OpenID Connect: The client ID of the frontend has to be passed to the API server via the
alpine.oidc.client.idproperty- Required for the API server to be able to validate ID tokens. Refer to the OIDC documentation for details.
- Removed legacy support for SPDX (RDF and tag/value) - #1053
- Removed legacy support for the traditional WAR (was previously deprecated and unsupported) - #1070
dependency-track-apiserver.jar
| Algorithm | Checksum |
| SHA-1 | 1c19a467705631c3c4449fa3f95c9d4a73d26caa |
| SHA-256 | 34e0cc69eb6934d9e25573d29870cefce75d07d97fb06d58e8830f566256e1dc |
dependency-track-bundled.jar
| Algorithm | Checksum |
| SHA-1 | 3e3a9edb9a9077fc5e2b2634f5967d1a61b0e1cb |
| SHA-256 | 78c5a7acf02d5d5f7231c444fdc58b38f12ebec20453c51106200ca0d644b387 |