-
-
Notifications
You must be signed in to change notification settings - Fork 580
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3076 from nscuro/v4.9.0-changelog
Add changelog for 4.9.0 release
- Loading branch information
Showing
2 changed files
with
194 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,193 @@ | ||
| --- | ||
| title: v4.9.0 | ||
| type: major | ||
| --- | ||
|
|
||
| **Features:** | ||
|
|
||
| * Support import of CycloneDX v1.5 BOMs - [apiserver/#2850] | ||
| * Introduce `odt_` prefix for API keys to ease leak detection - [apiserver/#3047] | ||
| * Add support for SPDX license expressions - [apiserver/#2400] | ||
| * Refer to [Policy Compliance] for details on how license expressions behave in policies | ||
| * Update SPDX license list to v3.21 - [apiserver/#3006] | ||
| * Support resolving of custom licenses by name, instead of only by ID - [apiserver/#2769] | ||
| * Add version distance policy condition - [apiserver/#2537] | ||
| * Separate policy evaluation into its own background task - [apiserver/#2523] | ||
| * Allow policy violation state to be set via API - [apiserver/#2997] | ||
| * Add "Outdated only" and "Direct only" options for viewing components of a project - [apiserver/#2568] | ||
| * Update bundled CWE dictionary to v4.12 - [apiserver/#2877] | ||
| * Reduce number of API requests necessary to populate the dependency graph of a project - [apiserver/#2623] | ||
| * Include JDBC connectors for Google Cloud SQL - [apiserver/#2651] | ||
| * Update default Snyk API version to `2023-06-22` - [apiserver/#2911] | ||
| * Log warnings when analyses from VEX could not be applied - [apiserver/#2989] | ||
| * Update Docker base image latest Debian stable - [apiserver/#2904] | ||
| * Update temurin base image to `17.0.8.1_1` - [apiserver/#3069] | ||
| * Add extensive test suite for CPE matching logic - [apiserver/#2243] | ||
| * Update documentation for private vulnerability database - [apiserver/#2990] | ||
| * Add docs and example config for logging in JSON format - [apiserver/#2933] | ||
| * Add note about required plan for the Snyk integration to docs - [apiserver/#2899] | ||
| * Update example Grafana dashboard - [apiserver/#2788] | ||
| * Add Docker Compose files for simplified local testing - [apiserver/#2675] | ||
| * Add auto-provisioning of Grafana to Docker Compose development setup - [apiserver/#2879] | ||
| * Hide username and password fields on login view when OIDC is enabled - [frontend/#613] | ||
| * Make NGINX listen on both IPv4 and IPv6 interfaces - [frontend/#427] | ||
| * Display external references and description in project overview - [frontend/#485] | ||
| * Use separate icons for current and out-of-date components to improve accessibility - [frontend/#311] | ||
| * Propagate `searchText` query parameter to list views - [frontend/#563] | ||
| * Raise baseline NodeJS version to 18 - [frontend/#470] | ||
| * Upgrade CoreJS to 3.x - [frontend/#548] | ||
|
|
||
| **Fixes:** | ||
|
|
||
| * Fix memory leak in policy evaluation - [apiserver/#2872] | ||
| * Fix memory leak in VEX upload processing - [apiserver/#2873] | ||
| * Fix VDR export erroneously containing non-vulnerable components - [apiserver/#2878] | ||
| * Fix VEX export erroneously containing dependency graph - [apiserver/#3067] | ||
| * Fix false positives in CPE matching when *version* attribute of a CVE's CPE is `NA` - [apiserver/#1832] | ||
| * Fix false negatives in CPE matching when *part* or *vendor* attribute of a component's CPE is `ANY` - [apiserver/#2988] | ||
| * Fix Uncaught internal server error when fetching components by hash if *Portfolio Access Control* is enabled - [apiserver/#2953] | ||
| * Fix *Affected Component* format for CPEs with version ranges - [apiserver/#2967] | ||
| * Fix missing duplicate check when cloning projects - [apiserver/#2966] | ||
| * Fix `NullPointerException` when checking for existence of projects without version - [apiserver/#3068] | ||
| * Fix module import issues when working on the code base with Eclipse - [apiserver/#2971] | ||
| * Fix version distance policy being evaluated despite not being configured - [apiserver/#2980] | ||
| * Fix `@JsonIgnore` having no effect on `transient` fields - [apiserver/#3051] | ||
| * Fix misleading docs about authentication and authorization enforcement being optional - [apiserver/#3047] | ||
| * Fix default Slack notification template producing invalid JSON for `PROJECT_AUDIT_CHANGE` notifications - [apiserver/#2838] | ||
| * Fix default Mattermost notification template producing invalid JSON for `NEW_VULNERABLE_DEPENDENCY` notifications - [apiserver/#3093] | ||
| * Fix number of project versions displayed in dropdown being limited to 10 - [frontend/#397] | ||
| * Fix unauthenticated users not being redirected to login page - [frontend/#502] | ||
| * Fix no permissions being defined for dashboard route - [frontend/#506] | ||
| * Fix regression in Docker Compose file regarding application directory - [frontend/#494] | ||
| * Fix external references dropdown rendering outside the screen - [frontend/#539] | ||
| * Fix vulnerability aliases not being displayed in expanded rows of findings table - [frontend/#559] | ||
| * Fix type error in external references dropdown - [frontend/#565] | ||
| * Fix license expression input fields - [frontend/#580] | ||
| * Fix wrong message being displayed when creating policies - [frontend/#610] | ||
| * Fix file permissions of NGINX config file - [frontend/#611] | ||
|
|
||
| **Upgrade Notes:** | ||
|
|
||
| * API keys generated after the upgrade will be prefixed with `odt_`. Existing API keys without this prefix will | ||
| continue to work. The prefix is configurable via `alpine.api.key.prefix`, although customization is not recommended. | ||
| Refer to [Configuration] for details. | ||
| * Users ingesting SBOMs with CPE data may notice an uptick in vulnerabilities being identified by the internal analyzer. | ||
| This is expected as a result of [apiserver/#2988] being fixed. If newly identified vulnerabilities turn out to be largely | ||
| false positives, let the project team know by [reporting a defect]. | ||
|
|
||
| For a complete list of changes, refer to the respective GitHub milestones: | ||
|
|
||
| * [API server milestone 4.9.0](https://github.com/DependencyTrack/dependency-track/milestone/24?closed=1) | ||
| * [Frontend milestone 4.9.0](https://github.com/DependencyTrack/frontend/milestone/14?closed=1) | ||
|
|
||
| We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes. | ||
|
|
||
| Special thanks to everyone who contributed code to implement enhancements and fix defects: | ||
| [@HagarJNode], [@Meroje], [@Nikemare], [@RingoDev], [@Shawyeok], [@dustin-decker], [@hborchardt], [@heubeck], | ||
| [@mattmatician], [@melba-lopez], [@muellerst-hg], [@nathan-mittelette], [@sahibamittal], [@sephiroth-j], [@syalioune], | ||
| [@takumakume], [@valentijnscholten], [@walterdeboer] | ||
|
|
||
| ###### dependency-track-apiserver.jar | ||
|
|
||
| | Algorithm | Checksum | | ||
| |:----------|:---------| | ||
| | SHA-1 | | | ||
| | SHA-256 | | | ||
|
|
||
| ###### dependency-track-bundled.jar | ||
|
|
||
| | Algorithm | Checksum | | ||
| |:----------|:---------| | ||
| | SHA-1 | | | ||
| | SHA-256 | | | ||
|
|
||
| ###### frontend-dist.zip | ||
|
|
||
| | Algorithm | Checksum | | ||
| |:----------|:-----------------------------------------------------------------| | ||
| | SHA-1 | 151f24f7b92e93dcf6600c4b8ee9e0ebd7b3560b | | ||
| | SHA-256 | 1ff2ace778d08529b42ee297fb6e3b0bbe8b2593b2b8686e8b3e3c9472663c2a | | ||
|
|
||
| ###### Software Bill of Materials (SBOM) | ||
|
|
||
| * API Server: [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.9.0/bom.json) | ||
| * Frontend: [bom.json](https://github.com/DependencyTrack/frontend/releases/download/4.9.0/bom.json) | ||
|
|
||
| [apiserver/#1832]: https://github.com/DependencyTrack/dependency-track/issues/1832 | ||
| [apiserver/#2243]: https://github.com/DependencyTrack/dependency-track/issues/2243 | ||
| [apiserver/#2400]: https://github.com/DependencyTrack/dependency-track/pull/2400 | ||
| [apiserver/#2523]: https://github.com/DependencyTrack/dependency-track/pull/2523 | ||
| [apiserver/#2537]: https://github.com/DependencyTrack/dependency-track/pull/2537 | ||
| [apiserver/#2568]: https://github.com/DependencyTrack/dependency-track/pull/2568 | ||
| [apiserver/#2623]: https://github.com/DependencyTrack/dependency-track/pull/2623 | ||
| [apiserver/#2651]: https://github.com/DependencyTrack/dependency-track/pull/2651 | ||
| [apiserver/#2675]: https://github.com/DependencyTrack/dependency-track/pull/2675 | ||
| [apiserver/#2769]: https://github.com/DependencyTrack/dependency-track/pull/2769 | ||
| [apiserver/#2788]: https://github.com/DependencyTrack/dependency-track/pull/2780 | ||
| [apiserver/#2838]: https://github.com/DependencyTrack/dependency-track/issues/2838 | ||
| [apiserver/#2850]: https://github.com/DependencyTrack/dependency-track/issues/2850 | ||
| [apiserver/#2872]: https://github.com/DependencyTrack/dependency-track/pull/2872 | ||
| [apiserver/#2873]: https://github.com/DependencyTrack/dependency-track/pull/2873 | ||
| [apiserver/#2877]: https://github.com/DependencyTrack/dependency-track/pull/2877 | ||
| [apiserver/#2878]: https://github.com/DependencyTrack/dependency-track/pull/2878 | ||
| [apiserver/#2879]: https://github.com/DependencyTrack/dependency-track/pull/2879 | ||
| [apiserver/#2899]: https://github.com/DependencyTrack/dependency-track/pull/2899 | ||
| [apiserver/#2904]: https://github.com/DependencyTrack/dependency-track/pull/2904 | ||
| [apiserver/#2911]: https://github.com/DependencyTrack/dependency-track/pull/2911 | ||
| [apiserver/#2933]: https://github.com/DependencyTrack/dependency-track/pull/2933 | ||
| [apiserver/#2953]: https://github.com/DependencyTrack/dependency-track/pull/2953 | ||
| [apiserver/#2966]: https://github.com/DependencyTrack/dependency-track/pull/2966 | ||
| [apiserver/#2967]: https://github.com/DependencyTrack/dependency-track/pull/2967 | ||
| [apiserver/#2971]: https://github.com/DependencyTrack/dependency-track/pull/2971 | ||
| [apiserver/#2980]: https://github.com/DependencyTrack/dependency-track/pull/2980 | ||
| [apiserver/#2988]: https://github.com/DependencyTrack/dependency-track/issues/2988 | ||
| [apiserver/#2989]: https://github.com/DependencyTrack/dependency-track/pull/2989 | ||
| [apiserver/#2990]: https://github.com/DependencyTrack/dependency-track/pull/2990 | ||
| [apiserver/#2997]: https://github.com/DependencyTrack/dependency-track/pull/2997 | ||
| [apiserver/#3006]: https://github.com/DependencyTrack/dependency-track/pull/3006 | ||
| [apiserver/#3047]: https://github.com/DependencyTrack/dependency-track/pull/3047 | ||
| [apiserver/#3051]: https://github.com/DependencyTrack/dependency-track/pull/3051 | ||
| [apiserver/#3067]: https://github.com/DependencyTrack/dependency-track/pull/3067 | ||
| [apiserver/#3068]: https://github.com/DependencyTrack/dependency-track/pull/3068 | ||
| [apiserver/#3069]: https://github.com/DependencyTrack/dependency-track/pull/3069 | ||
| [apiserver/#3093]: https://github.com/DependencyTrack/dependency-track/issues/3093 | ||
| [frontend/#311]: https://github.com/DependencyTrack/frontend/issues/311 | ||
| [frontend/#397]: https://github.com/DependencyTrack/frontend/issues/397 | ||
| [frontend/#427]: https://github.com/DependencyTrack/frontend/pull/427 | ||
| [frontend/#470]: https://github.com/DependencyTrack/frontend/issues/470 | ||
| [frontend/#485]: https://github.com/DependencyTrack/frontend/pull/485 | ||
| [frontend/#494]: https://github.com/DependencyTrack/frontend/pull/494 | ||
| [frontend/#502]: https://github.com/DependencyTrack/frontend/pull/502 | ||
| [frontend/#506]: https://github.com/DependencyTrack/frontend/pull/506 | ||
| [frontend/#539]: https://github.com/DependencyTrack/frontend/issues/539 | ||
| [frontend/#548]: https://github.com/DependencyTrack/frontend/pull/548 | ||
| [frontend/#559]: https://github.com/DependencyTrack/frontend/pull/559 | ||
| [frontend/#563]: https://github.com/DependencyTrack/frontend/pull/563 | ||
| [frontend/#565]: https://github.com/DependencyTrack/frontend/pull/565 | ||
| [frontend/#580]: https://github.com/DependencyTrack/frontend/pull/580 | ||
| [frontend/#610]: https://github.com/DependencyTrack/frontend/pull/610 | ||
| [frontend/#611]: https://github.com/DependencyTrack/frontend/pull/576 | ||
| [frontend/#613]: https://github.com/DependencyTrack/frontend/pull/613 | ||
|
|
||
| [Configuration]: {{ site.baseurl }}{% link _docs/getting-started/configuration.md %} | ||
| [Policy Compliance]: {{ site.baseurl }}{% link _docs/usage/policy-compliance.md %}#license-violation | ||
| [reporting a defect]: https://github.com/DependencyTrack/dependency-track/issues/new?assignees=&labels=defect%2Cin+triage&projects=&template=defect-report.yml | ||
|
|
||
| [@HagarJNode]: https://github.com/HagarJNode | ||
| [@Meroje]: https://github.com/Meroje | ||
| [@Nikemare]: https://github.com/Nikemare | ||
| [@RingoDev]: https://github.com/RingoDev | ||
| [@Shawyeok]: https://github.com/Shawyeok | ||
| [@dustin-decker]: https://github.com/dustin-decker | ||
| [@hborchardt]: https://github.com/hborchardt | ||
| [@heubeck]: https://github.com/heubeck | ||
| [@mattmatician]: https://github.com/mattmatician | ||
| [@melba-lopez]: https://github.com/melba-lopez | ||
| [@muellerst-hg]: https://github.com/muellerst-hg | ||
| [@nathan-mittelette]: https://github.com/nathan-mittelette | ||
| [@sahibamittal]: https://github.com/sahibamittal | ||
| [@sephiroth-j]: https://github.com/sephiroth-j | ||
| [@syalioune]: https://github.com/syalioune | ||
| [@takumakume]: https://github.com/takumakume | ||
| [@valentijnscholten]: https://github.com/valentijnscholten | ||
| [@walterdeboer]: https://github.com/walterdeboer |