
5.5.0

@dependencytrack-bot dependencytrack-bot released this 18 Jul 15:42
· 1 commit to 5.5.x since this release

What's Changed

Enhancements 🚀

  • Raise baseline Java version to 21 by @nscuro in #628
  • Migrate MirrorVulnerabilityProcessor from Kafka Streams to Parallel Consumer by @nscuro in #553
  • Replaced custom Vers with versatile library by @sahibamittal in #598
  • Add MDC to logback configuration by @nscuro in #626
  • Drop duplicate indexes by @nscuro in #625
  • Refactor KafkaEventDispatcher for better support of efficient Kafka producer usage patterns by @nscuro in #631
  • Migrate RepositoryMetaResultProcessor from Kafka Streams to Parallel Consumer by @nscuro in #554
  • Store cluster ID in database by @nscuro in #639
  • Ingest BOM generation timestamp by @sahibamittal in #643
  • Run builds and CI on feature branches by @nscuro in #651
  • EPSS mirroring by @sahibamittal in #636
  • Migrate VulnerabilityScanResultProcessor from Kafka Streams to Parallel Consumer by @nscuro in #637
  • Issue 947: Add support for manual vulnerability tags by @sahibamittal in #654
  • Publish histograms for event processing durations by @nscuro in #652
  • Prevent concurrent processing of multiple BOMs for the same project by @nscuro in #678
  • Encode length constraints for vuln policy fields in JSON schema by @nscuro in #681
  • Track request duration metrics by @nscuro in #679
  • Port: Add "Show in Dependency-Graph" Button in "Affected Projects" List by @leec94 in #671
  • Port: ACL: Add projects to team should only show not yet added projects by @leec94 in #689
  • Add workflow for project cloning by @sahibamittal in #690
  • Port: Preprocess CWE dictionary by @nscuro in #688
  • Include CVSS and OWASP RR vectors in notifications by @VithikaS in #696
  • Support multiple modes of operation for vulnerability policies by @sahibamittal in #669
  • Port: enhance API to support frontend changes for active/inactive affected projects by @leec94 in #701
  • Port: Add endpoint for updating API key comment by @sahibamittal in #702
  • Port: Refactor BOM upload processing for better efficiency, correctness, and consistency by @nscuro in #705
  • Port: Bump CWE dictionary to v4.13 by @nscuro in #713
  • Port: Add support for component properties + @ValidUuid by @sahibamittal in #712
  • Port: Bump SPDX license list to v3.23 by @nscuro in #714
  • Port: Add ConstraintViolationExceptionMapper to support @ValidUuid by @sahibamittal in #721
  • Port: Include pagination parameters in OpenAPI spec by @nscuro in #720
  • Port: Store computed severities in the database by @nscuro in #706
  • Port: Disable automatic API key generation for teams by @nscuro in #725
  • Customize risk score calculation by @leec94 in #718
  • Port: Global Audit View for vulnerabilities by @sahibamittal in #723
  • Port: add hackage and nixpkgs analyzers by @sahibamittal in #729
  • Port: Validate uploaded BOMs against CycloneDX schema by @nscuro in #715
  • Port: Webhook alert token and new user alerts by @sahibamittal in #742
  • Port: OpenAPI spec fixes and improvements by @nscuro in #722
  • Port: Add the project name and project URL to bom processing notifications by @nscuro in #745
  • Port: Include sorting query parameters in OpenAPI spec by @nscuro in #743
  • Port: Generate SARIF File Of Project Vulnerability Findings by @sahibamittal in #746
  • Improve efficiency of InternalComponentIdentificationTask by @nscuro in #719
  • Improve Liquibase logging integration by @nscuro in #734
  • Port: Truncate component property value by @sahibamittal in #748
  • Make PROJECT.ACTIVE non-nullable by @nscuro in #761
  • Port: Support ingestion of CycloneDX v1.6 BOMs by @nscuro in #754
  • Add initial DevServices-like implementation by @nscuro in #730
  • Port: Improve performance of findings retrieval by @nscuro in #757
  • Improve JDBI integration with Alpine by @nscuro in #692
  • Add /api/v1/project/concise endpoints by @nscuro in #693
  • Update CDX schema to v1.6 by @sahibamittal in #780

Bug Fixes 🐛

  • Fix incorrect coverage variation reported by Codacy for PRs by @nscuro in #627
  • Port: Project cloning logic for cloning policy violations and Violationanalysis by @leec94 in #691
  • Port: Fix for update component external references by @sahibamittal in #697
  • Port mapping for attributed on while cloning project by @sahibamittal in #700
  • Fix CVSS and OWASP RR vectors missing from PROJECT_VULN_ANALYSIS_COMPLETE notifications by @nscuro in #699
  • Port: Fix Jira and Slack notification by @sahibamittal in #703
  • Port: Apply consistent formatting to SQL query by @sahibamittal in #709
  • Add timeout for Kafka API describeTopics commands by @nscuro in #711
  • Port: Perform License Resolution On Name Field During SBOM Import by @nscuro in #717
  • Port: Fix type of purl fields in Swagger docs by @nscuro in #716
  • Port: Fix subject mappings for project in NewVulnerableDependencySubject by @sahibamittal in #710
  • Fix ProcessedVulnerabilityScanResultProcessorTest flakiness by @nscuro in #732
  • Port: Provide meaningful error message for BOM and VEX exceeding Jackson's character limit by @nscuro in #724
  • Port: Fix JDOFatalUserException for long reference URLs from OSS Index by @sahibamittal in #747
  • Port: Catch all unhandled ClientErrorExceptions by @nscuro in #744
  • Port: Log debug information upon possible secret key corruption by @sahibamittal in #750
  • Fix missing argument list for DROP FUNCTION migrations by @nscuro in #751
  • Port: Fix BOM validation failing when URL contains encoded [ and ] characters by @nscuro in #755
  • Port: Prevent XXE injection during CycloneDX validation and parsing by @nscuro in #756
  • Fix breaking change in vulnerability policy schema by @nscuro in #762
  • Fix NPE when querying component metadata for projects without findings by @nscuro in #765
  • Fix failing analysis updates by @nscuro in #769

Dependency Updates 🤖

  • Bump lib.testcontainers.version from 1.19.6 to 1.19.7 by @dependabot in #613
  • Bump eclipse-temurin from 636b9a7 to d9f7b83 in /src/main/docker by @dependabot in #617
  • Bump docker/build-push-action from 5.1.0 to 5.2.0 by @dependabot in #616
  • Bump bufbuild/buf-setup-action from 1.29.0 to 1.30.0 by @dependabot in #615
  • Bump org.apache.commons:commons-compress from 1.26.0 to 1.26.1 by @dependabot in #614
  • Bump actions/setup-java from 4.1.0 to 4.2.1 by @dependabot in #623
  • Bump debian from 435ba09 to d10f054 in /src/main/docker by @dependabot in #624
  • Bump docker/build-push-action from 5.2.0 to 5.3.0 by @dependabot in #622
  • Bump docker/login-action from 3.0.0 to 3.1.0 by @dependabot in #621
  • Bump docker/setup-buildx-action from 3.1.0 to 3.2.0 by @dependabot in #620
  • Bump bufbuild/buf-lint-action from 1.1.0 to 1.1.1 by @dependabot in #635
  • Bump bufbuild/buf-breaking-action from 1.1.3 to 1.1.4 by @dependabot in #634
  • Bump aquasecurity/trivy-action from 0.18.0 to 0.19.0 by @dependabot in #642
  • Bump lib.net.javacrumbs.shedlock.version from 5.12.0 to 5.13.0 by @dependabot in #644
  • Bump bufbuild/buf-setup-action from 1.30.0 to 1.30.1 by @dependabot in #645
  • Bump docker/setup-buildx-action from 3.2.0 to 3.3.0 by @dependabot in #646
  • Bump io.github.nscuro:versatile from 0.6.0 to 0.6.1 by @dependabot in #647
  • Bump Redpanda to v23.3.11 by @nscuro in #648
  • Bump dependencies by @nscuro in #649
  • Bump debian from d10f054 to 2c96e00 in /src/main/docker by @dependabot in #653
  • Bump org.slf4j:log4j-over-slf4j from 2.0.12 to 2.0.13 by @dependabot in #650
  • Bump actions/checkout from 4.1.1 to 4.1.3 by @dependabot in #655
  • Bump io.minio:minio from 8.5.9 to 8.5.10 by @dependabot in #660
  • Bump debian from 2c96e00 to ff39497 in /src/main/docker by @dependabot in #661
  • Bump bufbuild/buf-setup-action from 1.30.1 to 1.31.0 by @dependabot in #664
  • Bump actions/download-artifact from 4.1.4 to 4.1.7 by @dependabot in #663
  • Bump Redpanda to v23.3.13 by @nscuro in #665
  • Bump Temurin base image to 21.0.3_9 by @nscuro in #666
  • Bump lib.testcontainers.version from 1.19.7 to 1.19.8 by @dependabot in #672
  • Bump org.eclipse.jetty:jetty-maven-plugin from 10.0.20 to 10.0.21 by @dependabot in #675
  • Bump actions/checkout from 4.1.3 to 4.1.5 by @dependabot in #674
  • Bump aquasecurity/trivy-action from 0.19.0 to 0.20.0 by @dependabot in #673
  • Bump bufbuild/buf-setup-action from 1.31.0 to 1.32.0 by @dependabot in #676
  • Bump debian from ff39497 to 2b2e35d in /src/main/docker by @dependabot in #677
  • Bump bufbuild/buf-setup-action from 1.32.0 to 1.32.1 by @dependabot in #684
  • Bump aquasecurity/trivy-action from 0.20.0 to 0.21.0 by @dependabot in #685
  • Bump org.apache.maven:maven-artifact from 3.9.6 to 3.9.7 by @dependabot in #686
  • Bump cvss-calculator to 1.4.3 by @nscuro in #687
  • Bump docker/login-action from 3.1.0 to 3.2.0 by @dependabot in #695
  • Bump bufbuild/buf-setup-action from 1.32.1 to 1.32.2 by @dependabot in #694
  • Bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 by @dependabot in #698
  • Bump docker/build-push-action from 5.3.0 to 5.4.0 by @dependabot in #707
  • Bump aquasecurity/trivy-action from 0.21.0 to 0.22.0 by @dependabot in #708
  • Bump various dependencies by @nscuro in #731
  • Bump docker/build-push-action from 5.4.0 to 6.0.0 by @dependabot in #739
  • Bump bufbuild/buf-setup-action from 1.32.2 to 1.33.0 by @dependabot in #737
  • Bump actions/checkout from 4.1.5 to 4.1.7 by @dependabot in #738
  • Bump org.apache.maven:maven-artifact from 3.9.7 to 3.9.8 by @dependabot in #741
  • Bump debian from 2b2e35d to 0200978 in /src/main/docker by @dependabot in #740
  • Bump io.github.nscuro:versatile from 0.6.1 to 0.7.0 by @dependabot in #749
  • Bump org.apache.maven.plugins:maven-clean-plugin from 3.3.2 to 3.4.0 by @dependabot in #752
  • Bump io.minio:minio from 8.5.10 to 8.5.11 by @dependabot in #753
  • Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 by @dependabot in #760
  • Bump docker/build-push-action from 6.0.0 to 6.1.0 by @dependabot in #759
  • Bump bufbuild/buf-setup-action from 1.33.0 to 1.34.0 by @dependabot in #758
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.2.7 to 3.3.0 by @dependabot in #764
  • Bump docker/build-push-action from 6.1.0 to 6.2.0 by @dependabot in #767
  • Bump org.apache.kafka:kafka-clients from 3.7.0 to 3.7.1 by @dependabot in #766
  • Bump nimbusds oauth version by @sahibamittal in #770
  • Bump org.eclipse.jetty:jetty-maven-plugin from 10.0.21 to 10.0.22 by @dependabot in #772
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.3.0 to 3.4.0 by @dependabot in #771
  • Bump actions/upload-artifact from 4.3.1 to 4.3.4 by @dependabot in #777
  • Bump actions/download-artifact from 4.1.7 to 4.1.8 by @dependabot in #778
  • Bump docker/setup-qemu-action from 3.0.0 to 3.1.0 by @dependabot in #776
  • Bump docker/build-push-action from 6.2.0 to 6.3.0 by @dependabot in #775
  • Bump docker/setup-buildx-action from 3.3.0 to 3.4.0 by @dependabot in #774
  • Bump debian from 0200978 to f8bbfa0 in /src/main/docker by @dependabot in #779
  • Bump docker/build-push-action from 6.3.0 to 6.4.0 by @dependabot in #782
  • Bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 by @dependabot in #781
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.4.0 to 3.4.1 by @dependabot in #784
  • Upgrade wiremock and kotlin versions by @sahibamittal in #783
  • Bump lib.testcontainers.version from 1.19.8 to 1.20.0 by @dependabot in #786

Documentation 📃

  • Enrich application.properties with annotations by @nscuro in #633
  • Link to docs for DB migration and doc update checkboxes by @nscuro in #728

Other Changes

  • Bump version to 5.5.0-SNAPSHOT by @nscuro in #612
  • Transfer copyright from Steve Springett to OWASP Foundation by @nscuro in #629
  • Add license header and enforce presence with Checkstyle by @nscuro in #632
  • Raise Kafka client log level from INFO to WARN by @nscuro in #640
  • Skip Checkstyle for Jetty and DataNucleus Enhance run configs by @nscuro in #657
  • Update labels used in release notes by @nscuro in #658
  • Remove unused dev scripts by @nscuro in #667
  • Port: Start Jersey TestContainer once per class vs. once per test method by @nscuro in #670
  • Config cleanup by @nscuro in #668
  • Port: Return processing token when cloning project by @leec94 in #659
  • Add KAFKA_BOOTSTRAP_SERVERS to Jetty run configuration by @nscuro in #680
  • Port: Disable Maven transfer progress in CI by @nscuro in #726
  • Port: Reduce verbosity of ResourceTests by @nscuro in #727
  • Remove dependency on kafka-junit by @nscuro in #736
  • Disable logging to file by @nscuro in #735
  • Mark CALC_RISK_SCORE as STABLE instead of IMMUTABLE by @nscuro in #733

New Contributors

Full Changelog: 5.4.0...5.5.0