Features:
- Added support for consuming VEX - #1387
- Added support for management of internal vulnerabilities - #96
- Added new `VULNERABILITY_MANAGEMENT` permission, which is required to create, edit and delete internal vulnerabilities
- Added support for EPSS - #1178
- Added support for notifications on policy violations - #1396
- Added support for fetching projects by classifier - #1185
- Added support for multiple CWEs being assigned to vulnerabilities - #1467
  - API, FPF and notifications now include an additional JSON array field `cwes`
  - The `cwe` field is still supported, but deprecated, and will be removed in a later release
- Added new `VIEW_POLICY_VIOLATION` permission that grants read-only access to policy violations and the audit trail - #1433
- Added ability to modify specific project fields via `PATCH` requests - #1586
- Grant access to the team that created a project via BOM upload when portfolio ACL is enabled - #1529
- Improved resource efficiency of portfolio metrics updates - #1481
- Reversed order of NVD feed downloads so that latest vulnerabilities are loaded first - #1557
- Included policy violation analysis in daily portfolio analysis - #1492
- Added OIDC setup example for Azure AD - #1564
Fixes:
- Resolved defect where the `VULNERABILITY_ANALYSIS` permission was required to see policy violations - #126
- Resolved defect where audit trail entries were generated for `Justification` and `Response`, even though they didn't actually change - #1566
- Resolved defect where vulnerabilities from GitHub Advisories could not be matched with Go modules - #1574
- Resolved defect where filtering projects by tag would ignore the active / inactive filter - #1501
- Resolved defect where NVD mirroring could not be enabled - #1576
- Updated URL of the Atlassian package repository - #1568
- Resolved multiple defects in calculation of portfolio metrics - #1530
- Resolved defect where incomplete NVD data could be mirrored - #1480
- Resolved defect where portfolio changes wouldn’t immediately be reflected in results of the search API - #1605
- Resolved defect where policy violations of type Security would not be displayed - #91
- Resolved defect where analysis justification and response would be reset when suppressing a finding - #140
- Resolved defect where the analysis status of policy violations would not be displayed - #130
Security:
Upgrade Notes:
- The `nist` directory inside the Dependency-Track data directory will be deleted upon upgrade. This will force the NVD to be downloaded and reprocessed.
- Users and teams with `POLICY_VIOLATION_ANALYSIS` permission are automatically granted the `VIEW_POLICY_VIOLATION` permission during the automatic upgrade.
- Location of `config.json` in the frontend container changed from `/app/static/config.json` to `/opt/owasp/dependency-track-frontend/static/config.json`
dependency-track-apiserver.war
| Algorithm | Checksum |
|-----------|----------|
| SHA-1 | 8db4707e3458b122e73cce92e7dc143c115db962 |
| SHA-256 | 0c3d75501a0545f90e862aa0e2920f0c6146abcd436983531de7757ff294f568 |
dependency-track-bundled.war
| Algorithm | Checksum |
|-----------|----------|
| SHA-1 | 984aafe85ac2dc361f9b0adf3c26d99decbab641 |
| SHA-256 | 360176e810072b9ad393ba4f36e261c333ba45f4a662fe6b180e7481d70a14e1 |
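The checksums above are only useful if they are actually compared against the file that gets deployed. The following is an added example, not part of the Dependency-Track release notes or the project's own tooling: a small POSIX shell function that checks a downloaded WAR against both published digests and refuses the file if either one differs. It assumes `sha1sum` and `sha256sum` from GNU coreutils are available; the file name in the commented usage is taken from the table above.

```shell
#!/bin/sh
# Added example (not Dependency-Track project code): verify a downloaded release
# artifact against the SHA-1 and SHA-256 values published on the release page.
# Both digests are compared so that a mismatch in either one rejects the file.

# verify_artifact FILE EXPECTED_SHA1 EXPECTED_SHA256
# Returns 0 when both digests match, 1 when the file is missing or a digest differs.
verify_artifact() {
    file="$1"
    expected_sha1="$2"
    expected_sha256="$3"

    if [ ! -f "$file" ]; then
        echo "verify_artifact: '$file' not found" >&2
        return 1
    fi

    # sha1sum/sha256sum print "<hex>  <name>"; keep only the digest, lower-cased,
    # and normalise the expected values the same way so case differences don't matter.
    actual_sha1=$(sha1sum "$file" | awk '{print tolower($1)}')
    actual_sha256=$(sha256sum "$file" | awk '{print tolower($1)}')
    expected_sha1=$(printf '%s' "$expected_sha1" | tr 'A-F' 'a-f')
    expected_sha256=$(printf '%s' "$expected_sha256" | tr 'A-F' 'a-f')

    status=0
    if [ "$actual_sha1" != "$expected_sha1" ]; then
        echo "SHA-1 mismatch for $file: expected $expected_sha1, got $actual_sha1" >&2
        status=1
    fi
    if [ "$actual_sha256" != "$expected_sha256" ]; then
        echo "SHA-256 mismatch for $file: expected $expected_sha256, got $actual_sha256" >&2
        status=1
    fi
    return "$status"
}

# Command-line use: sh verify.sh FILE SHA1 SHA256
# With the published values for the API server WAR (assumed to be in the current directory):
#   sh verify.sh dependency-track-apiserver.war \
#       8db4707e3458b122e73cce92e7dc143c115db962 \
#       0c3d75501a0545f90e862aa0e2920f0c6146abcd436983531de7757ff294f568
if [ "$#" -eq 3 ]; then
    verify_artifact "$1" "$2" "$3"
fi
```

Run the check immediately after download and before the WAR is copied into the container image or servlet directory; a non-zero exit should fail the deployment step rather than just log a warning.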