4.13.0

Warning

Please consult the upgrade notes in the changelog before upgrading! Some changes in this release are irreversible,
and you won't be able to roll back simply by downgrading the application version!

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.

# SHA1
c5ef70f1e8df186a929a7c2ad24962a3b97af379  dependency-track-apiserver.jar
feeac3362ae6ea5d42cf6dde7e5e079599372eaa  dependency-track-bundled.jar
# SHA256
0f2af7a93a21850da62c2b2e86babfb0b0f18abd80f380dfb80bf84c59f605e4  dependency-track-apiserver.jar
a81e61f1e21a732474a11345d71e7853d50ec2faea1f7d44bacfb29902673ebd  dependency-track-bundled.jar
# SHA512
436330854efc77e4c3b1c0484ec0e61b80fdde07445f3a31cb35ac195e0db2e2268cf11e6b71b72d58a1b90d2ca77d0fdf0d62fdbcae4045d94346b607f21a7c  dependency-track-apiserver.jar
a26173afcfd4416ef9b15e9d99d53cccff0b60510b2399c29b190a7123d200afe73c5d5d4b3d0ff7ad171bd87abfc15ddb211f3afb4627e598f8ed04271ce00e  dependency-track-bundled.jar

What's Changed

Enhancements 🚀

• Provide support for AWS JDBC Driver by @VinodAnandan in #4304
• Add property to control verified flag in DefectDojo integration by @Malaydewangan09 in #4273
• Reduce memory usage of metrics update tasks by @nscuro in #4325
• Optimize vulnerability synchronization logic to not perform redundant writes by @LaVibeX in #4359
• Introduce "collection" projects for better usage of hierarchical view #2041 by @rkg-mm in #3258
• Add /v1/project/batchDelete API method that deletes with SQL by @mikael-carneholm-2-wcar in #4383
• Reduce database round-trips during BOM processing by @nscuro in #4486
• Compose Metadata Analyzer: Refactor to support V2 and V1 repositories by @valentijnscholten in #4470
• composer meta analyzer: add DEBUG logging by @valentijnscholten in #4546
• Update quickstart Compose file to use Postgres instead of H2 by @nscuro in #4576
• Bump Alpine to 3.2.0 and handle API key migration by @Gepardgame in #4566
• Prevent application startup when migrations fail by @nscuro in #4681
• Implement basic telemetry collection by @nscuro in #4651
• Add support for Snyk API version 2024-10-15 by @ad8-adriant in #4715
• #4620 add "lastVulnerabilityAnalysis" to project by @stohrendorf in #4642
• add endpoint to mass-create tags by @stohrendorf in #4766
• Add feature to define the test title for DefectDojo integration by @AndreVirtimo in #4796
• Add trivy scanning options by @mjwrona in #4782
• Bump SPDX license list to v3.26.0 by @nscuro in #4800
• Bump CWE dictionary to v4.16 by @nscuro in #4801
• Add support for scheduled summary notifications by @nscuro in #4783

Bug Fixes 🐛

• Prevent duplicate policy violations by @nscuro in #4216
• Log contains now username when user gets deleted by @Gepardgame in #4222
• Fix unintended manual flushing mode due to DataNucleus ExecutionContext pooling by @nscuro in #4221
• Enhance policy violation de-duplication logic by @nscuro in #4231
• Fix inaccuracies of Trivy analyzer by @nscuro in #4245
• Fix redundant query for "ignore unfixed" config during Trivy analysis by @nscuro in #4246
• Fix excessive memory usage of portfolio repository meta analysis by @nscuro in #4311
• Fix nullable metrics fields having getters of primitive type by @nscuro in #4326
• Fix CPE matching logic for NVD Rest by @calderonth in #4339
• Fix update component to allow empty values by @immalla in #4229
• Fix incorrect CWE schema in OpenAPI spec by @fupgang in #4350
• Fix component hash policy evaluator by @francislance in #4306
• Fix NullPointerException when fetching findings by @nscuro in #4369
• Fix policy evaluation not happening upon creation or update of individual components by @fupgang in #4374
• Fix Trivy analyzer vulnerability matching for Go packages by @nscuro in #4394
• Add cyclonedx json media type when exporting components by @wratner in #4409
• Fix NPE when cloning projects with broken dependency graph by @nscuro in #4414
• Fix project.active being nullable by @nscuro in #4415
• Move GHSA notification logic outside recursion by @antoinbo in #4401
• Fix broken pagination in /api/v1/cwe endpoint by @nscuro in #4421
• Fix notification tests not working for Jira by @nscuro in #4456
• Fix component de-duplication potentially causing duplicate dependency graph entries by @nscuro in #4458
• Fix component SWID tag ID not being considered in project cloning by @nscuro in #4480
• Fix onlyOutdated ungrouped component filtering by @sedan07 in #4511
• Fix REST endpoints for adding tags by @nscuro in #4541
• Recreate outdated check constraints for CLASSIFIER columns by @nscuro in #4544
• Handle GitHub GraphQL API rate limiting by @nscuro in #4578
• Fix possible NPEs during tag binding by @nscuro in #4594
• Fix erroneous URL-encoding of the Maven groupId by @nscuro in #4602
• Fix false negatives in CPE matching for ANY and NA versions by @nscuro in #4610
• Refactor VulnerabilityAnalysisTask to be more efficient by @nscuro in #4623
• Refactor VulnerabilityManagementUploadTask to be more efficient by @nscuro in #4624
• Handle invalid CVSS vectors and processing failures for OSV by @nscuro in #4636
• Fix possible NPEs in TrivyAnalysisTask by @nscuro in #4668
• Analyze all components of a project at once instead of in batches by @nscuro in #4670
• Fix notification webhook sending blank headers by @LennartC in #4679
• Fix incomplete API key migration by @nscuro in #4682
• Disable include tag for Pebble templates by @nscuro in #4684
• Fix NPE during NVD mirroring via REST API when encountering invalid CPEs by @nscuro in #4732
• Remove erroneous client-side caching in Trivy analyzer by @nscuro in #4735
• Fix notification limiting to tags not working reliably by @nscuro in #4733
• Fix tags from BOM upload request not being applied for existing projects by @nscuro in #4738
• Fix component properties not being cloned by @nscuro in #4745
• handle corner case if no vulnerabilities have compatible aliases by @stohrendorf in #4767
• Log all analysis changes to audit trail by @stohrendorf in #4750
• Fix possible NPE during affected version attribution sync by @nscuro in #4798
• Fix regression in Snyk vulnerability assignment by @nscuro in #4810
• Fix missing migration of CONFIGPROPERTY.PROPERTYVALUE by @nscuro in #4812
• Fix occasional JsonParseException during NVD API mirroring by @nscuro in #4814
• Fix UpgradeInitializer halting the entire process upon failure by @nscuro in #4818

Dependency Updates 🤖

• Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.13 to 12.0.14 by @dependabot in #4210
• Bump com.icegreen:greenmail-junit4 from 2.0.1 to 2.1.0 by @dependabot in #4226
• Bump github/codeql-action from 3.26.9 to 3.26.11 by @dependabot in #4225
• Bump docker/build-push-action from 6.8.0 to 6.9.0 by @dependabot in #4223
• Bump docker/setup-buildx-action from 3.6.1 to 3.7.1 by @dependabot in #4224
• Bump github/codeql-action from 3.26.11 to 3.26.12 by @dependabot in #4253
• Bump aquasecurity/trivy-action from 0.24.0 to 0.27.0 by @dependabot in #4254
• Bump actions/checkout from 4.2.0 to 4.2.1 by @dependabot in #4251
• Bump actions/upload-artifact from 4.4.0 to 4.4.3 by @dependabot in #4252
• Bump debian from 939e69e to fffe160 in /src/main/docker by @dependabot in #4269
• Bump cyclonedx-core-java to 9.1.0 by @nscuro in #4270
• Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 by @dependabot in #4281
• Bump org.codehaus.mojo:exec-maven-plugin from 3.4.1 to 3.5.0 by @dependabot in #4289
• Bump github/codeql-action from 3.26.12 to 3.26.13 by @dependabot in #4282
• Bump lib.protobuf-java.version from 4.28.2 to 4.28.3 by @dependabot in #4299
• Bump org.testcontainers:testcontainers from 1.20.2 to 1.20.3 by @dependabot in #4292
• Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.20.1 to 1.21.0 by @dependabot in #4213
• Bump Alpine to 3.1.1 by @nscuro in #4308
• Bump software.amazon.jdbc:aws-advanced-jdbc-wrapper from 2.5.0 to 2.5.1 by @dependabot in #4307
• Bump Temurin base image to 21.0.5_11 by @nscuro in #4314
• Bump bundled frontend to 4.12.1 by @nscuro in #4318
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.4 to 5.4.1 by @dependabot in #4338
• Bump actions/setup-java from 4.4.0 to 4.5.0 by @dependabot in #4335
• Bump actions/dependency-review-action from 4.3.4 to 4.3.5 by @dependabot in #4333
• Bump github/codeql-action from 3.26.13 to 3.27.0 by @dependabot in #4334
• Bump io.github.jeremylong:open-vulnerability-clients from 7.0.0 to 7.0.1 by @dependabot in #4331
• Bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.5.0 to 3.6.0 by @dependabot in #4329
• Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.14 to 12.0.15 by @dependabot in #4358
• Bump software.amazon.jdbc:aws-advanced-jdbc-wrapper from 2.5.1 to 2.5.2 by @dependabot in #4353
• Bump actions/dependency-review-action from 4.3.5 to 4.4.0 by @dependabot in #4348
• Bump net.javacrumbs.json-unit:json-unit-assertj from 3.4.1 to 3.5.0 by @dependabot in #4347
• Bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #4332
• Bump github/codeql-action from 3.27.0 to 3.27.1 by @dependabot in #4364
• Bump debian from fffe160 to 32f6d6f in /src/main/docker by @dependabot in #4365
• Bump github/codeql-action from 3.27.1 to 3.27.4 by @dependabot in #4388
• Bump com.icegreen:greenmail-junit4 from 2.1.0 to 2.1.1 by @dependabot in #4387
• Bump net.javacrumbs.json-unit:json-unit-assertj from 3.5.0 to 4.0.0 by @dependabot in #4386
• Bump actions/dependency-review-action from 4.4.0 to 4.5.0 by @dependabot in #4404
• Bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in #4403
• Bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #4405
• Bump org.testcontainers:testcontainers from 1.20.3 to 1.20.4 by @dependabot in #4398
• Bump lib.protobuf-java.version from 4.28.3 to 4.29.0 by @dependabot in #4416
• Bump debian from 32f6d6f to 4d63ef5 in /src/main/docker by @dependabot in #4431
• Bump Alpine to 3.1.2 by @nscuro in #4433
• Bump com.icegreen:greenmail-junit4 from 2.1.1 to 2.1.2 by @dependabot in #4427
• Bump docker/build-push-action from 6.9.0 to 6.10.0 by @dependabot in #4429
• Bump io.github.jeremylong:open-vulnerability-clients from 7.0.1 to 7.0.2 by @dependabot in #4425
• Bump software.amazon.jdbc:aws-advanced-jdbc-wrapper from 2.5.2 to 2.5.3 by @dependabot in #4428
• Bump net.javacrumbs.json-unit:json-unit-assertj from 4.0.0 to 4.1.0 by @dependabot in #4426
• Bump bundled frontend to 4.12.2 by @nscuro in #4440
• Bump github/codeql-action from 3.27.5 to 3.27.6 by @dependabot in #4447
• Bump com.google.cloud.sql:postgres-socket-factory from 1.20.1 to 1.21.0 by @dependabot in #4452
• Bump com.puppycrawl.tools:checkstyle from 10.18.1 to 10.20.2 by @dependabot in #4451
• Bump lib.protobuf-java.version from 4.29.0 to 4.29.1 by @dependabot in #4443
• Bump com.google.cloud.sql:mysql-socket-factory-connector-j-8 from 1.20.1 to 1.21.0 by @dependabot in #4450
• Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.15 to 12.0.16 by @dependabot in #4454
• Bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in #4466
• Bump lib.protobuf-java.version from 4.29.1 to 4.29.2 by @dependabot in #4473
• Bump org.apache.commons:commons-text from 1.12.0 to 1.13.0 by @dependabot in #4467
• Bump docker/setup-buildx-action from 3.7.1 to 3.8.0 by @dependabot in #4491
• Bump actions/setup-java from 4.5.0 to 4.6.0 by @dependabot in #4492
• Bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #4493
• Bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot in #4490
• Bump io.github.jeremylong:open-vulnerability-clients from 7.0.2 to 7.1.0 by @dependabot in #4494
• Bump debian from 4d63ef5 to 5f21ebd in /src/main/docker by @dependabot in #4499
• Bump software.amazon.jdbc:aws-advanced-jdbc-wrapper from 2.5.3 to 2.5.4 by @dependabot in #4496
• Bump org.json:json from 20240303 to 20241224 by @dependabot in #4505
• Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.21.0 to 1.21.2 by @dependabot in #4523
• Bump org.json:json from 20241224 to 20250107 by @dependabot in #4534
• Bump lib.protobuf-java.version from 4.29.2 to 4.29.3 by @dependabot in #4540
• Bump docker/build-push-action from 6.10.0 to 6.11.0 by @dependabot in #4548
• Bump github/codeql-action from 3.28.0 to 3.28.1 by @dependabot in #4551
• Bump docker/setup-qemu-action from 3.2.0 to 3.3.0 by @dependabot in #4549
• Bump actions/upload-artifact from 4.5.0 to 4.6.0 by @dependabot in #4550
• Bump debian from 5f21ebd to b5ace51 in /src/main/docker by @dependabot in #4554
• Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.21.2 to 1.22.0 by @dependabot in #4561
• Bump io.github.jeremylong:open-vulnerability-clients from 7.1.0 to 7.2.0 by @dependabot in #4558
• Bump docker/build-push-action from 6.11.0 to 6.12.0 by @dependabot in #4565
• Bump github/codeql-action from 3.28.1 to 3.28.5 by @dependabot in #4587
• Bump docker/build-push-action from 6.12.0 to 6.13.0 by @dependabot in #4586
• Bump io.github.jeremylong:open-vulnerability-clients from 7.2.0 to 7.2.1 by @dependabot in #4585
• Bump bundled frontend to 4.12.3 by @nscuro in #4588
• Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.22.0 to 1.23.0 by @dependabot in #4584
• Bump actions/setup-java from 4.6.0 to 4.7.0 by @dependabot in #4606
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.4.1 to 5.4.2 by @dependabot in #4608
• Bump github/codeql-action from 3.28.5 to 3.28.8 by @dependabot in #4607
• Bump debian from b5ace51 to 5724d31 in /src/main/docker by @dependabot in #4616
• Bump com.icegreen:greenmail-junit4 from 2.1.2 to 2.1.3 by @dependabot in #4617
• Bump Temurin base image to 21.0.6_7 by @nscuro in #4627
• Bump github/codeql-action from 3.28.8 to 3.28.9 by @dependabot in #4635
• Bump docker/setup-qemu-action from 3.3.0 to 3.4.0 by @dependabot in #4634
• Bump docker/setup-buildx-action from 3.8.0 to 3.9.0 by @dependabot in #4633
• Bump bundled frontend to 4.12.4 by @nscuro in #4640
• Bump io.github.jeremylong:open-vulnerability-clients from 7.2.1 to 7.2.2 by @dependabot in #4653
• Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.23.0 to 1.23.1 by @dependabot in #4649
• Bump bundled frontend to 4.12.5 by @nscuro in #4658
• Bump net.minidev:json-smart to 2.5.2 by @nscuro in #4669
• Bump org.testcontainers:testcontainers from 1.20.4 to 1.20.5 by @dependabot in #4675
• Bump org.apache.maven.plugins:maven-clean-plugin from 3.4.0 to 3.4.1 by @dependabot in #4676
• Bump docker/build-push-action from 6.13.0 to 6.14.0 by @dependabot in #4688
• Bump github/codeql-action from 3.28.9 to 3.28.10 by @dependabot in #4687
• Bump actions/upload-artifact from 4.6.0 to 4.6.1 by @dependabot in #4686
• Bump bundled frontend to 4.12.6 by @nscuro in #4689
• Bump debian from 5724d31 to 5484adc in /src/main/docker by @dependabot in #4692
• Bump org.slf4j:log4j-over-slf4j from 2.0.16 to 2.0.17 by @dependabot in #4697
• Bump docker/setup-buildx-action from 3.9.0 to 3.10.0 by @dependabot in #4710
• Bump actions/download-artifact from 4.1.8 to 4.1.9 by @dependabot in #4711
• Bump docker/setup-qemu-action from 3.4.0 to 3.6.0 by @dependabot in #4709
• Bump io.github.jeremylong:open-vulnerability-clients from 7.2.2 to 7.3.0 by @dependabot in #4712
• Bump org.testcontainers:testcontainers from 1.20.5 to 1.20.6 by @dependabot in #4718
• Bump docker/build-push-action from 6.14.0 to 6.15.0 by @dependabot in #4708
• Bump lib.protobuf-java.version from 4.29.3 to 4.30.0 by @dependabot in #4719
• Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.16 to 12.0.17 by @dependabot in #4723
• Bump github/codeql-action from 3.28.10 to 3.28.11 by @dependabot in #4741
• Bump bundled frontend to 4.12.7 by @nscuro in #4752
• Bump us.springett:cpe-parser from 2.1.0 to 3.0.0 by @dependabot in #4747
• Bump lib.protobuf-java.version from 4.30.0 to 4.30.1 by @dependabot in #4757
• Bump docker/login-action from 3.3.0 to 3.4.0 by @dependabot in #4759
• Bump aquasecurity/trivy-action from 0.29.0 to 0.30.0 by @dependabot in #4758
• Bump com.microsoft.sqlserver:mssql-jdbc from 12.8.1.jre11 to 12.10.0.jre11 by @dependabot in #4762
• Bump debian from 5484adc to 70b337e in /src/main/docker by @dependabot in #4763
• Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.17 to 12.0.18 by @dependabot in #4761
• Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.23.1 to 1.24.0 by @dependabot in #4768
• Bump software.amazon.jdbc:aws-advanced-jdbc-wrapper from 2.5.4 to 2.5.5 by @dependabot in #4728
• Bump actions/download-artifact from 4.1.9 to 4.2.1 by @dependabot in #4773
• Bump github/codeql-action from 3.28.11 to 3.28.12 by @dependabot in #4774
• Bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot in #4772
• Bump org.apache.httpcomponents.client5:httpclient5 from 5.4.2 to 5.4.3 by @dependabot in #4785
• Bump lib.protobuf-java.version from 4.30.1 to 4.30.2 by @dependabot in #4786
• Bump com.google.cloud.sql:cloud-sql-connector-jdbc-sqlserver from 1.24.0 to 1.24.1 by @dependabot in #4788
• Bump io.github.jeremylong:open-vulnerability-clients from 7.3.0 to 7.3.1 by @dependabot in #4792
• Bump github/codeql-action from 3.28.12 to 3.28.13 by @dependabot in #4793
• Bump dependencies that Dependabot missed by @nscuro in #4805
• Bump Alpine to 3.2.0 by @nscuro in #4807
• Bump org.eclipse.jetty.ee10:jetty-ee10-maven-plugin from 12.0.18 to 12.0.19 by @dependabot in #4811
• Bump pebble to 3.2.4 by @nscuro in #4815
• Remove aws-advanced-jdbc-wrapper again by @nscuro in #4817
• Bump bundled frontend to 4.13.0 by @nscuro in #4821

Other Changes

• Update Deploying Docker guide to Compose v2 by @danihengeveld in #4276
• Added Dutch tax office as adopter by @SudoHenk in #4287
• Add World Kinect to ADOPTERS.md by @nscuro in #4293
• Add Rohde & Schwarz to ADOPTERS.md by @nscuro in #4297
• Format ADOPTERS.md as table by @nscuro in #4298
• Disable DataNucleus L2 cache globally by @nscuro in #4310
• Restrict max heap size of Jetty run config to 2GB by @nscuro in #4312
• Update link to Azure DevOps Extension in docs by @Zargath in #4423
• Update DEVELOPING.md with command for single unit-test by @valentijnscholten in #4472
• Docs: Mention Flashpoint as new owner of Vulndb by @valentijnscholten in #4501
• Component Analyse Cache: make description more clear by @valentijnscholten in #4504
• Postpone deprecation of unauthenticated access to Badge API by @SaberStrat in #4502
• docs: Clarify OpenAPI endpoint location by @Granjow in #4556
• Fix miscellaneous typos by @stevenbuccini in #4547
• Add SecObserve to community integrations by @StefanFl in #4580
• chore: fix typos in properties file by @setchy in #4674
• docs: Update Azure AD configuration to Entra ID by @dhfherna in #4778
• Add changelog for v4.13.0 by @nscuro in #4802

New Contributors

• @danihengeveld made their first contribution in #4276
• @SudoHenk made their first contribution in #4287
• @Malaydewangan09 made their first contribution in #4273
• @calderonth made their first contribution in #4339
• @immalla made their first contribution in #4229
• @fupgang made their first contribution in #4350
• @francislance made their first contribution in #4306
• @wratner made their first contribution in #4409
• @antoinbo made their first contribution in #4401
• @mikael-carneholm-2-wcar made their first contribution in #4383
• @sedan07 made their first contribution in #4511
• @Granjow made their first contribution in #4556
• @stevenbuccini made their first contribution in #4547
• @StefanFl made their first contribution in #4580
• @LennartC made their first contribution in #4679
• @ad8-adriant made their first contribution in #4715
• @stohrendorf made their first contribution in #4642
• @AndreVirtimo made their first contribution in #4796
• @mjwrona made their first contribution in #4782
• @dhfherna made their first contribution in #4778

Full Changelog: 4.12.0...4.13.0