2022-12-16-v4.7.0.md
---
title: v4.7.0
type: major
---

Highlights:

  • Hierarchical Project Relationships. Projects can now be organized in hierarchies, using simple parent-child-relationships. Hierarchies are visualized in the UI, and allow projects to inherit various configurations from their parent, including notification rules and applicable policies.
  • Improved Dependency Graph. The dependency graph can now be displayed in its entirety. Previously, the depth was limited to only three levels. Additionally, it's now possible to navigate from a specific component (e.g. from the Audit Vulnerabilities tab) directly to the dependency graph. In doing so, Dependency-Track will show all paths in the graph leading up to this component, making it easy to understand how a given component is introduced to the project.
  • Snyk Integration (Beta). Dependency-Track can now make use of [Snyk] to scan and continuously monitor components for vulnerabilities. This provides access to Snyk's proprietary vulnerability database, maintained by their dedicated research team. The Snyk integration requires a paid subscription with REST API access.
  • Jira Integration. It is now possible to publish notifications to Jira, making it easier to integrate events that require action to be taken into existing Jira workflows.

Features:

  • Added support for hierarchical project relationships - apiserver/#84
    • Added support for including project children in alert rule limitations - apiserver/#2013
    • Added support for including project children in policies - apiserver/#2215
  • Added support for vulnerability analysis with Snyk - apiserver/#365
  • Added ability to focus on certain components in the dependency graph - frontend/#336
  • Added support for OWASP Risk Rating methodology - apiserver/#1493
  • Added source attributions for affected component version ranges of mirrored vulnerabilities - apiserver/#1815
  • Added support for limiting alerts to selection of teams - apiserver/#1608
  • Added support for optional EXTRA_JAVA_OPTIONS environment variable in API server container - apiserver/#2040
  • Improved component batching behavior and resilience of the OSS Index analyzer - apiserver/#2023
  • Added option to include ACLs when cloning a project - apiserver/#1534
  • Added Reanalyze button to the Audit Vulnerabilities tab - apiserver/#2128
  • Added support for custom licenses - apiserver/#2153
  • Added Jira notification publisher - apiserver/#2118
  • Added documentation for setting up OIDC with Google - apiserver/#2185
  • Added support for license URLs - apiserver/#1977
  • Allow bypassing of system requirements check - apiserver/#2197
  • Added Swagger types for BOM operations of the REST API - apiserver/#2230
  • Include commenter in PROJECT_AUDIT_CHANGE email notifications - apiserver/#2227
  • Added ability to check for unresolved licenses in policy conditions - apiserver/#1518
  • Added proper caching for repository meta analysis - apiserver/#1943
  • Added health check, corruption check, and ability to manually trigger rebuilds for search indexes - apiserver/#2200
  • Added support for project metadata, including ingestion from uploaded BOMs - apiserver/#1200
  • Added use case examples to documentation - apiserver/#2211
  • Added Azure DevOps extension to community integrations - apiserver/#2258
  • Added total heap size and CPU usage lines to sample Grafana dashboard - apiserver/#2256
  • Do not create temporary database connection pools when executing upgrades - apiserver/#2232
  • Added persistence metrics to sample Grafana dashboard - apiserver/#2245
  • Added ability to search for components by identity within a specific project - apiserver/#2228
  • Treat tag names as case-insensitive - apiserver/#1717
  • Added notification for newly created projects - apiserver/#2173
  • Added ability to [configure database connection pools] separately - apiserver/#2238
  • Added ability to [configure the secret key path] - apiserver/#2238
  • Include services in the BOM distributed for the API server - apiserver/#2175
  • Added support for Vulnerability Disclosure Report (VDR) exports - apiserver/#1800
  • Make projects clickable in ACL configuration view - frontend/#320
  • Display component version status in Audit Vulnerabilities and Exploit Predictions tab - frontend/#356
  • Display last BOM import timestamp in project overview - frontend/#147

Fixes:

  • Fix dependency graph only showing 3 levels of transitive relationships - frontend/#85
  • Fix alert limitations to not be applied for POLICY_VIOLATION and PROJECT_AUDIT_CHANGE notifications - apiserver/#975
  • Fix NVD mirroring failing when using CIFS volumes - apiserver/#2048
  • When determining the latest version of a Maven component, use the release version advertised by the repository, instead of latest - apiserver/#2075
  • Fix incorrect project URL in email notifications - apiserver/#2172
  • Fix missing project information in NEW_VULNERABLE_DEPENDENCY notification emails - apiserver/#2139
  • Fix search indexes not being (re-)built - apiserver/#2104
  • Fix Component in Affected Components tab of vulnerability details showing undefined in some cases - apiserver/#2231
  • Fix incorrect datasource for instance dropdown in sample Grafana dashboard - apiserver/#2068
  • Fix broken heap usage gauge in sample Grafana dashboard - apiserver/#2073
  • Fix CPEs not matching on identical versions - apiserver/#2240
  • Fix inability to delete teams that are part of one or more ACLs - apiserver/#1532

Upgrade Notes:

  • Creating new or searching for existing tags will now treat tag names as case-insensitive (apiserver/#1717). Users relying on tags being treated as case-sensitive (e.g. critical and CRITICAL being treated as different) should review their use of tags prior to upgrading.
  • Names of the HikariCP connection pools in the exposed Prometheus metrics have changed from HikariPool-3 and HikariPool-4 to transactional and non-transactional (apiserver/#2238). Users monitoring those pools are advised to update their monitoring configuration accordingly (e.g. Grafana dashboards).
  • Distribution of the API server SBOM in XML format has been dropped (apiserver/#2175). Users consuming the API server BOM in XML format should migrate to consuming the JSON-formatted BOM instead.
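The first upgrade note asks users to review their tags for names that differ only by case before upgrading. The following script is an added example, not code from the Dependency-Track project: it groups tag names that will collapse into one tag once names become case-insensitive. It assumes project records shaped like the REST API's project list (a `tags` list of `{"name": ...}` objects per project); the sample data embedded below is constructed, not captured from a real instance.

```python
"""Pre-upgrade check for the v4.7.0 change to case-insensitive tag names.

Added example, not code from the Dependency-Track project. The project list
shape (each project carrying a `tags` list of {"name": ...}) is an assumption
about the REST API response; SAMPLE_PROJECTS below is constructed data."""
from collections import defaultdict

# Constructed sample mimicking the assumed response shape.
SAMPLE_PROJECTS = [
    {"name": "payments", "version": "1.2.0", "tags": [{"name": "critical"}, {"name": "pci"}]},
    {"name": "billing", "version": "3.0.1", "tags": [{"name": "CRITICAL"}]},
    {"name": "web-ui", "version": "2.4.0", "tags": [{"name": "Critical"}, {"name": "frontend"}]},
    {"name": "tooling", "version": "0.9.0", "tags": [{"name": "internal"}]},
]


def find_case_collisions(projects):
    """Group tag names that differ only by case.

    Returns {folded_name: {variant: [project names]}} for every group with
    more than one spelling. Those tags merge silently after the upgrade, so
    their owners should decide which spelling to keep (and whether any
    alert rule or policy keyed on one spelling needs attention)."""
    variants = defaultdict(lambda: defaultdict(list))
    for project in projects:
        for tag in project.get("tags") or []:
            name = tag["name"]
            # casefold() is the Unicode-aware form of lower() for comparisons
            variants[name.casefold()][name].append(project["name"])
    return {
        key: {variant: sorted(owners) for variant, owners in group.items()}
        for key, group in variants.items()
        if len(group) > 1
    }


if __name__ == "__main__":
    collisions = find_case_collisions(SAMPLE_PROJECTS)
    if not collisions:
        print("no case-only tag collisions found")
    for key, group in collisions.items():
        print(f"tag '{key}' has {len(group)} spellings that will merge on upgrade:")
        for variant, owners in group.items():
            print(f"  {variant!r}: {', '.join(owners)}")
```

Against the constructed sample the script reports one group, `critical`, with three spellings spread over three projects. Pointing it at a live instance means replacing `SAMPLE_PROJECTS` with the parsed JSON of the project list fetched with an API key that has view permissions.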

For a complete list of changes, refer to the respective GitHub milestones:

We thank all organizations and individuals who contributed to this release.
Special thanks to everyone who contributed code to implement enhancements and fix defects:

@AZenker, @JoergBruenner, @KramNamez, @Mvld3r, @Zargath, @awegg, @ch8matt, @japurva1502, @kekkegenkai, @mehab, @nathan-mittelette, @omerlh, @rbt-mm, @ribbybibby, @s-spindler, @sahibamittal, @syalioune, @valentijnscholten

dependency-track-apiserver.jar

| Algorithm | Checksum |
| --- | --- |
| SHA-1 | 99f1a012a983b8256d9346e64d3dd27e92d1c808 |
| SHA-256 | 373e8efa1a8995193b7c068ea34974040627553647905d38e1dce053333eeb10 |

dependency-track-bundled.jar

| Algorithm | Checksum |
| --- | --- |
| SHA-1 | c7faee42162e1712377fbd8a03dfd9e3ef251a23 |
| SHA-256 | 631807c24fd76c0f44d4494a44147e0414ab471ac1e12fe4ebff054f363a8f0f |

frontend-dist.zip

| Algorithm | Checksum |
| --- | --- |
| SHA-1 | 8696218e07d438896f236f691f2ca658faf0377a |
| SHA-256 | 23cc72eea3361edeaff84efe0a1a0327e47367419466307867103bac2b14ad75 |
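The checksums above are only useful if they are actually checked after download. The script below is an added example, not tooling shipped by the Dependency-Track project: it streams each artifact through SHA-256 and compares the result with the published digest. The SHA-256 values are copied from the tables above; the assumption is that the three artifacts sit, under their release file names, in the directory the script is pointed at. SHA-256 is the digest relied on here, since SHA-1 is no longer collision resistant.

```python
"""Verify downloaded Dependency-Track v4.7.0 artifacts against published checksums.

Added example, not part of the Dependency-Track project. The SHA-256 values
are copied from the release notes; file names are assumed to match the
release artifacts as downloaded."""
import hashlib
import hmac
import os

# Expected SHA-256 digests, copied from the release notes tables.
EXPECTED_SHA256 = {
    "dependency-track-apiserver.jar": "373e8efa1a8995193b7c068ea34974040627553647905d38e1dce053333eeb10",
    "dependency-track-bundled.jar": "631807c24fd76c0f44d4494a44147e0414ab471ac1e12fe4ebff054f363a8f0f",
    "frontend-dist.zip": "23cc72eea3361edeaff84efe0a1a0327e47367419466307867103bac2b14ad75",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large JARs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path, expected_hex):
    """Return True only if the file's SHA-256 equals expected_hex.

    Hex case and surrounding whitespace are normalised, since digests are
    often pasted from web pages; a malformed digest raises rather than
    silently failing to match."""
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError(f"not a SHA-256 hex digest: {expected_hex!r}")
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


def verify_release(directory=".", expected=EXPECTED_SHA256):
    """Check every artifact in `expected`; returns {name: "ok" | "mismatch" | "missing"}."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif verify_file(path, digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    results = verify_release()
    for name, status in results.items():
        print(f"{status:9} {name}")
    # Non-zero exit so a CI step that downloads the release fails on any mismatch.
    raise SystemExit(0 if all(s == "ok" for s in results.values()) else 1)
```

Run it from the directory holding the downloaded artifacts; a `mismatch` means the file should be discarded and re-downloaded from the release page, and `missing` means the artifact is not present under the expected name.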
Software Bill of Materials (SBOM)

[configure database connection pools]: {{ site.baseurl }}{% link _docs/getting-started/database-support.md %}#connection-pooling
[configure the secret key path]: {{ site.baseurl }}{% link _docs/getting-started/configuration.md %}#secret-key
[Snyk]: https://snyk.io/