2022-05-18-v4.5.0.md

File metadata and controls

60 lines (50 loc) · 5.14 KB
---
title: v4.5.0
type: major
---

Features:

  • Added support for consuming VEX - #1387
  • Added support for management of internal vulnerabilities - #96
    • Added new VULNERABILITY_MANAGEMENT permission, which is required to create, edit and delete internal vulnerabilities
  • Added support for EPSS - #1178
  • Added support for notifications on policy violations - #1396
  • Added support for fetching projects by classifier - #1185
  • Added support for multiple CWEs being assigned to vulnerabilities - #1467
    • API, FPF and notifications now include an additional JSON array field cwes
    • The cwe field is still supported, but deprecated, and will be removed in a later release
  • Added new VIEW_POLICY_VIOLATION permission that grants read-only access to policy violations and the audit trail - #1433
  • Added ability to modify specific project fields via PATCH requests - #1586
  • Grant access to the team that created a project via BOM upload when portfolio ACL is enabled - #1529
  • Improved resource efficiency of portfolio metrics updates - #1481
  • Reversed order of NVD feed downloads so that latest vulnerabilities are loaded first - #1557
  • Included policy violation analysis in daily portfolio analysis - #1492
  • Added OIDC setup example for Azure AD - #1564
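The `cwes` change above is the one feature in this list that API and FPF consumers have to code for: a v4.5.0 server emits both the new `cwes` array and the deprecated `cwe` object, an older server emits only `cwe`, and a future release will drop `cwe`. The following is an added example (not code from the Dependency-Track project) of a consumer that reads CWE identifiers from a vulnerability record and stays correct across all three cases. It assumes the CWE object carries `cweId` and `name` fields, as Dependency-Track's `Cwe` model does; the sample records are constructed for this example.

```python
import json

# Constructed samples, abbreviated to the fields this example needs.
# Field names `cwe`, `cwes`, `cweId` and `name` follow the release notes and
# Dependency-Track's Cwe object; the values are made up.
SAMPLE_V450 = json.loads("""
{
  "vulnId": "EXAMPLE-0001",
  "source": "INTERNAL",
  "cwe":  {"cweId": 79, "name": "Improper Neutralization of Input During Web Page Generation"},
  "cwes": [
    {"cweId": 79, "name": "Improper Neutralization of Input During Web Page Generation"},
    {"cweId": 80, "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page"},
    {"cweId": 79, "name": "Improper Neutralization of Input During Web Page Generation"}
  ]
}
""")

# What a pre-4.5.0 server (or an FPF file produced by one) would emit.
SAMPLE_PRE_450 = {
    "vulnId": "EXAMPLE-0002",
    "source": "INTERNAL",
    "cwe": {"cweId": 502, "name": "Deserialization of Untrusted Data"},
}

# A vulnerability with no CWE assigned at all.
SAMPLE_NO_CWE = {"vulnId": "EXAMPLE-0003", "source": "INTERNAL"}


def cwe_ids(vuln):
    """Return the ordered, de-duplicated CWE IDs for one vulnerability record.

    Prefers the `cwes` array introduced in v4.5.0; falls back to the deprecated
    single `cwe` object when the array is absent or empty (older servers); and
    returns [] when the record carries neither. Entries that are not objects
    or that lack an integer `cweId` are ignored rather than raising, so one
    malformed entry cannot abort processing of a whole FPF export.
    """
    cwes = vuln.get("cwes")
    if isinstance(cwes, list) and cwes:
        entries = cwes
    elif isinstance(vuln.get("cwe"), dict):
        entries = [vuln["cwe"]]
    else:
        return []

    ids = []
    for entry in entries:
        cwe_id = entry.get("cweId") if isinstance(entry, dict) else None
        if isinstance(cwe_id, int) and cwe_id not in ids:
            ids.append(cwe_id)
    return ids


def cwe_labels(vuln):
    """Human-readable 'CWE-<id>' labels, in the same order as cwe_ids()."""
    return [f"CWE-{i}" for i in cwe_ids(vuln)]


if __name__ == "__main__":
    for sample in (SAMPLE_V450, SAMPLE_PRE_450, SAMPLE_NO_CWE):
        print(sample["vulnId"], cwe_labels(sample))
```

Once every server you consume from is on v4.5.0 or later, the `cwe` fallback branch can be deleted; until then, never read `cwe` first, because it only ever carries the first of possibly several CWEs.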

Fixes:

  • Resolved defect where the VULNERABILITY_ANALYSIS permission was required to see policy violations - #126
  • Resolved defect where audit trail entries were generated for Justification and Response, even though they didn't actually change - #1566
  • Resolved defect where vulnerabilities from GitHub Advisories could not be matched with Go modules - #1574
  • Resolved defect where filtering projects by tag would ignore the active / inactive filter - #1501
  • Resolved defect where NVD mirroring could not be enabled - #1576
  • Updated URL of the Atlassian package repository - #1568
  • Resolved multiple defects in calculation of portfolio metrics - #1530
  • Resolved defect where incomplete NVD data could be mirrored - #1480
  • Resolved defect where portfolio changes wouldn't immediately be reflected in results of the search API - #1605
  • Resolved defect where policy violations of type Security would not be displayed - #91
  • Resolved defect where analysis justification and response would be reset when suppressing a finding - #140
  • Resolved defect where the analysis status of policy violations would not be displayed - #130

Security:

Upgrade Notes:

  • The nist directory inside the Dependency-Track data directory will be deleted upon upgrade. This will force the NVD to be downloaded and reprocessed.
  • Users and teams with POLICY_VIOLATION_ANALYSIS permission are automatically granted the VIEW_POLICY_VIOLATION permission during the automatic upgrade.
  • Location of config.json in the frontend container changed from /app/static/config.json to /opt/owasp/dependency-track-frontend/static/config.json
dependency-track-apiserver.war

| Algorithm | Checksum |
|-----------|----------|
| SHA-1 | 8db4707e3458b122e73cce92e7dc143c115db962 |
| SHA-256 | 0c3d75501a0545f90e862aa0e2920f0c6146abcd436983531de7757ff294f568 |

dependency-track-bundled.war

| Algorithm | Checksum |
|-----------|----------|
| SHA-1 | 984aafe85ac2dc361f9b0adf3c26d99decbab641 |
| SHA-256 | 360176e810072b9ad393ba4f36e261c333ba45f4a662fe6b180e7481d70a14e1 |
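The checksums above are only useful if they are actually compared against the downloaded artifact before it is deployed. The following is an added example (not code from the Dependency-Track project) that streams a `.war` file once, computes both digests, and accepts the file only when SHA-256 matches; a SHA-1 match alone is never sufficient, because SHA-1 is collision-broken, so SHA-256 is treated as the authoritative value and SHA-1 as a consistency check. The published values are copied verbatim from this page; the self-check file and its digests (those of the three bytes `abc`) are constructed for the example.

```python
import hashlib
import hmac
import os
import sys
import tempfile

# Checksums published on this release page, copied verbatim.
PUBLISHED = {
    "dependency-track-apiserver.war": {
        "sha1": "8db4707e3458b122e73cce92e7dc143c115db962",
        "sha256": "0c3d75501a0545f90e862aa0e2920f0c6146abcd436983531de7757ff294f568",
    },
    "dependency-track-bundled.war": {
        "sha1": "984aafe85ac2dc361f9b0adf3c26d99decbab641",
        "sha256": "360176e810072b9ad393ba4f36e261c333ba45f4a662fe6b180e7481d70a14e1",
    },
}


def file_digests(path, algorithms=("sha1", "sha256")):
    """Read the file once in 1 MiB chunks; return {algorithm: lowercase hex}."""
    hashers = {algo: hashlib.new(algo) for algo in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def verify_artifact(path, expected):
    """Return True only if the file's SHA-256 equals expected["sha256"].

    If expected also carries a SHA-1, it must match too: a SHA-256 match with a
    SHA-1 mismatch means the published table itself is inconsistent and the
    download should not be trusted. An expected set without SHA-256 is rejected
    outright. Comparisons use hmac.compare_digest to avoid early-exit timing
    differences (irrelevant for a local file check, but the right habit).
    """
    if "sha256" not in expected:
        return False
    actual = file_digests(path, tuple(expected))
    for algo, want in expected.items():
        if not hmac.compare_digest(actual[algo], want.lower()):
            return False
    return True


def demo():
    """Self-check on a constructed temp file whose content is b"abc"."""
    known = {  # well-known digests of the three bytes "abc"
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    }
    fd, path = tempfile.mkstemp(suffix=".war")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"abc")
        good = verify_artifact(path, known)
        tampered = verify_artifact(path, {**known, "sha256": "0" + known["sha256"][1:]})
        sha1_only = verify_artifact(path, {"sha1": known["sha1"]})
    finally:
        os.remove(path)
    return good, tampered, sha1_only


if __name__ == "__main__":
    # Usage: python verify_war.py /path/to/dependency-track-apiserver.war
    target = sys.argv[1]
    expected = PUBLISHED.get(os.path.basename(target))
    if expected is None:
        sys.exit(f"no published checksum for {os.path.basename(target)}")
    ok = verify_artifact(target, expected)
    print("OK" if ok else "CHECKSUM MISMATCH, do not deploy", target)
    sys.exit(0 if ok else 1)
```

Run it against the downloaded file by name; a non-zero exit means the artifact does not match what this page publishes and must not be deployed. Checksums taken from the same page as the download only protect against a corrupted or substituted download, not against a compromised release page, so also verify the project's signature or the SBOM below where your supply-chain policy requires it.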

Software Bill of Materials (SBOM)

bom.json bom.xml