Skip to content

Latest commit

 

History

History
61 lines (51 loc) · 5.43 KB

2022-02-17-v4.4.0.md

File metadata and controls

61 lines (51 loc) · 5.43 KB
title type
v4.4.0
major

Features:

  • Expanded vulnerability auditing and BOM export capabilities to include Vulnerability Exploitability Exchange (VEX) - #1365
  • Added Download BOM option to frontend supporting inventory, inventory with vulnerabilities, and vex - #1365
  • Added support for GitHub Advisories as a source of vulnerability intelligence - #1225
  • Removed legacy support for NPM Advisories and NPM Audit - #1225
  • Added support for CycloneDX external references to component details - #920
  • Added new VIEW_VULNERABILITY permission that grants read-only access to project vulnerabilities and the audit trail. The permission also grants access to the findings API.
  • Added support for ARM64 (including AArch64) container images - #1213
  • Added Dependency-Track SBOMs for frontend and API Server to /.well-known/sbom - #1363
  • Added API endpoint for teams/self specific to API key principals - #861
  • Added support for Cisco WebEx as a target for alerts and notifications - #1170
  • NVD feed location is now configurable to support mirrors - #1274
  • Added support for OSS Index external references to increase CVE association - #1197
  • Added separate log events for "invalid username/password" and "account locked" - #1189
  • Added i18n support for vulnerability audit states - #946
  • Added policy violations column to projects page - #94

Fixes:

  • Resolved defect where the project a component belongs to may not be returned in API response - #1227
  • Resolved defect where notifications limited to specific projects weren't properly limited - #1150
  • Resolved NPE in GoModulesMetaAnalyzer when a component without group was analyzed - #1220
  • Add workaround for OSS Index ignoring the component version when prefixed with v - #1220
  • Resolved OIDC post-login redirects for identity providers that do not support custom parameters in the redirect_uri parameter - #113
  • Resolved defect that produced JDOObjectNotFoundException on heavy loads - #1168
  • Optimized performance of VulnerabilityAnalysisTask that previously caused high load - #1212
  • Resolved defect that prevented vulnerability identification for some hardware devices - #1320
  • Updated docker-compose.yml to include correct CORS configuration - #1325
  • Resolved incompatible dependency issue with VulnDB integration - #1349
  • The upload button in the UI is now deactivated until a file is specified - #86
  • Resolved issue where tooltip in UI graphs may not be displayed - #92
  • Resolved issue where v in some ecosystem versions caused issue with analysis - #1243 #1220
  • Resolved issue with BOMs containing UTF-8 byte order markers where rejected as invalid - #1214
  • Resolved issue where consuming a BOM with zero components would not trigger a metric update - #1183

Security:

Upgrade Notes:

  • Users and teams with VULNERABILITY_ANALYSIS permission are automatically granted the VIEW_VULNERABILITY permission during the automatic upgrade.
dependency-track-apiserver.war

| Algorithm | Checksum | | SHA-1 | c81d753ce4376cee1ae4d2a8cf9710a9b8ceee45 | | SHA-256 | 31e685e79b658f661ce28f8c5cbc96906d23d408a2ade70ff7e7a8e20f054972 |

dependency-track-bundled.war

| Algorithm | Checksum | | SHA-1 | 2b15b51c64938997ec9fbcf66054436064d9ef23 | | SHA-256 | c45835bc09ffe30c3b8ab675267259120230992bc984348293ae32b28ce1b54c |

Software Bill of Materials (SBOM)

bom.json bom.xml