Releases: DependencyTrack/hyades-apiserver

5.5.0

18 Jul 15:42

What's Changed

Enhancements 🚀

  • Raise baseline Java version to 21 by @nscuro in #628
  • Migrate MirrorVulnerabilityProcessor from Kafka Streams to Parallel Consumer by @nscuro in #553
  • Replaced custom Vers with versatile library by @sahibamittal in #598
  • Add MDC to logback configuration by @nscuro in #626
  • Drop duplicate indexes by @nscuro in #625
  • Refactor KafkaEventDispatcher for better support of efficient Kafka producer usage patterns by @nscuro in #631
  • Migrate RepositoryMetaResultProcessor from Kafka Streams to Parallel Consumer by @nscuro in #554
  • Store cluster ID in database by @nscuro in #639
  • Ingest BOM generation timestamp by @sahibamittal in #643
  • Run builds and CI on feature branches by @nscuro in #651
  • Epss mirroring by @sahibamittal in #636
  • Migrate VulnerabilityScanResultProcessor from Kafka Streams to Parallel Consumer by @nscuro in #637
  • Issue 947 : Add support for manual vulnerability tags by @sahibamittal in #654
  • Publish histograms for event processing durations by @nscuro in #652
  • Prevent concurrent processing of multiple BOMs for the same project by @nscuro in #678
  • Encode length constraints for vuln policy fields in JSON schema by @nscuro in #681
  • Track request duration metrics by @nscuro in #679
  • Port: Add "Show in Dependency-Graph" Button in "Affected Projects" List by @leec94 in #671
  • Port: ACL: Add projects to team should only show not yet added projects by @leec94 in #689
  • Add workflow for project cloning by @sahibamittal in #690
  • Port: Preprocess CWE dictionary by @nscuro in #688
  • Include CVSS and OWASP RR vectors in notifications by @VithikaS in #696
  • Support multiple modes of operation for vulnerability policies by @sahibamittal in #669
  • Port: enhance API to support frontend changes for active/inactive affected projects by @leec94 in #701
  • Port: Add endpoint for updating API key comment by @sahibamittal in #702
  • Port: Refactor BOM upload processing for better efficiency, correctness, and consistency by @nscuro in #705
  • Port: Bump CWE dictionary to v4.13 by @nscuro in #713
  • Port: Add support for component properties + @ValidUuid by @sahibamittal in #712
  • Port: Bump SPDX license list to v3.23 by @nscuro in #714
  • Port: Add ConstraintViolationExceptionMapper to support @ValidUuid by @sahibamittal in #721
  • Port: Include pagination parameters in OpenAPI spec by @nscuro in #720
  • Port: Store computed severities in the database by @nscuro in #706
  • Port: Disable automatic API key generation for teams by @nscuro in #725
  • Customize risk score calculation by @leec94 in #718
  • Port: Global Audit View for vulnerabilities by @sahibamittal in #723
  • Port: add hackage and nixpkgs analyzers by @sahibamittal in #729
  • Port: Validate uploaded BOMs against CycloneDX schema by @nscuro in #715
  • Port: Webhook alert token and new user alerts by @sahibamittal in #742
  • Port: OpenAPI spec fixes and improvements by @nscuro in #722
  • Port: Add the project name and project URL to bom processing notifications by @nscuro in #745
  • Port: Include sorting query parameters in OpenAPI spec by @nscuro in #743
  • Port: Generate SARIF File Of Project Vulnerability Findings by @sahibamittal in #746
  • Improve efficiency of InternalComponentIdentificationTask by @nscuro in #719
  • Improve Liquibase logging integration by @nscuro in #734
  • Port: Truncate component property value by @sahibamittal in #748
  • Make PROJECT.ACTIVE non-nullable by @nscuro in #761
  • Port: Support ingestion of CycloneDX v1.6 BOMs by @nscuro in #754
  • Add initial DevServices-like implementation by @nscuro in #730
  • Port: Improve performance of findings retrieval by @nscuro in #757
  • Improve JDBI integration with Alpine by @nscuro in #692
  • Add /api/v1/project/concise endpoints by @nscuro in #693
  • Update CDX schema to v1.6 by @sahibamittal in #780

Bug Fixes 🐛

  • Fix incorrect coverage variation reported by Codacy for PRs by @nscuro in #627
  • Port: Project cloning logic for cloning policy violations and Violationanalysis by @leec94 in #691
  • Port: Fix for update component external references by @sahibamittal in #697
  • Port mapping for attributed on while cloning project by @sahibamittal in #700
  • Fix CVSS and OWASP RR vectors missing from PROJECT_VULN_ANALYSIS_COMPLETE notifications by @nscuro in #699
  • Port: Fix jira and slack notification by @sahibamittal in #703
  • Port: Apply consistent formatting to SQL query by @sahibamittal in #709
  • Add timeout for Kafka API describeTopics commands by @nscuro in #711
  • Port: Perform License Resolution On Name Field During SBOM Import by @nscuro in #717
  • Port: Fix type of purl fields in Swagger docs by @nscuro in #716
  • Port: Fix subject mappings for project in NewVulnerableDependencySubject by @sahibamittal in #710
  • Fix ProcessedVulnerabilityScanResultProcessorTest flakiness by @nscuro in #732
  • Port: Provide meaningful error message for bom and vex exceeding Jackson's character limit by @nscuro in #724
  • Port: Fix JDOFatalUserException for long reference URLs from OSS Index by @sahibamittal in #747
  • Port: Catch all unhandled ClientErrorExceptions by @nscuro in #744
  • Port: Log debug information upon possible secret key corruption by @sahibamittal in #750
  • Fix missing argument list for DROP FUNCTION migrations by @nscuro in #751
  • Port: Fix BOM validation failing when URL contains encoded [ and ] characters by @nscuro in #755
  • Port: Prevent XXE injection during CycloneDX validation and parsing by @nscuro in #756
  • Fix breaking change in vulnerability policy schema by @nscuro in #762
  • Fix NPE when querying component metadata for projects without findings by @nscuro in #765
  • Fix failing analysis updates by @nscuro in #769

Dependency Updates 🤖

  • Bump lib.testcontainers.ver...

5.4.0

05 Mar 16:16

What's Changed

Enhancements 🚀

  • Rename topic prefix config by @sahibamittal in #589
  • Remove unnecessary length constraints from VARCHAR(N) columns by @sahibamittal in #579
  • Replace json string with proto in Version Distance Cel Policy by @VithikaS in #580
  • Ingest metadata.tools and make it available in CEL policies by @nscuro in #588
  • Build against Java 21 in CI by @nscuro in #597

Bug Fixes 🐛

  • Handle direct dependency relationships in is_exclusive_dependency_of by @nscuro in #590
  • Fix notification templates by @nscuro in #571
  • Fix ClassCastException when updating an existing ProjectMetadata#authors field by @nscuro in #592
  • Fix NPE in IntegrityMetaInitializerTask by @nscuro in #596
  • Fix race condition in doesProjectExist by @nscuro in #601

Dependency Updates 🤖

  • Bump dependencies and re-enable checkstyle by @nscuro in #584
  • Bump debian from 4255c9f to 435ba09 in /src/main/docker by @dependabot in #586
  • Bump eclipse-temurin from 21_35-jre-jammy to 21.0.2_13-jre-jammy in /src/main/docker by @dependabot in #585
  • Bump org.apache.commons:commons-compress from 1.25.0 to 1.26.0 by @dependabot in #587
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.2.4 to 3.2.5 by @dependabot in #591
  • Bump net.javacrumbs.json-unit:json-unit-assertj from 3.2.5 to 3.2.7 by @dependabot in #593
  • Bump Redpanda to v23.3.6 by @nscuro in #595
  • Bump lib.testcontainers.version from 1.18.3 to 1.19.6 by @dependabot in #594
  • Bump lib.net.javacrumbs.shedlock.version from 5.11.0 to 5.12.0 by @dependabot in #603
  • Bump actions/setup-java from 4.0.0 to 4.1.0 by @dependabot in #604
  • Bump actions/download-artifact from 4.1.2 to 4.1.4 by @dependabot in #605
  • Bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 by @dependabot in #606
  • Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in #607
  • Bump io.minio:minio from 8.5.8 to 8.5.9 by @dependabot in #608
  • Bump org.json:json from 20240205 to 20240303 by @dependabot in #609
  • Bump PostgreSQL JDBC driver to v42.7.2 by @nscuro in #610

Other Changes

  • Bump version to 5.4.0-SNAPSHOT by @nscuro in #583
  • Revert "Remove unnecessary length constraints from VARCHAR(N) columns" by @nscuro in #600
  • Report test coverage to Codacy by @nscuro in #602

Full Changelog: 5.3.0...5.4.0

5.3.0

19 Feb 11:23

What's Changed

Enhancements 🚀

  • Use Liquibase for database migrations by @VithikaS in #442
  • Add now variable for time comparisons in CEL expressions by @nscuro in #448
  • Additions to Liquibase integration by @nscuro in #449
  • Rename package org.hyades to org.dependencytrack by @mehab in #454
  • Remove unused code by @nscuro in #456
  • Add vers range validation before compilation by @sahibamittal in #455
  • Create table for vulnerability policy by @VithikaS in #462
  • Add JDBI integration by @nscuro in #461
  • Implement VulnerabilityPolicyEvaluator (without dynamic loading of required fields) by @nscuro in #464
  • Implement database-backed VulnerabilityPolicyProvider by @nscuro in #470
  • Reuse testcontainers database across test methods by @nscuro in #476
  • Construct NEW_VULNERABILITY and NEW_VULNERABLE_DEPENDENCY notification subjects with JDBI by @nscuro in #471
  • Use ResultSet#getTimestamp over ResultSet#getDate when mapping vuln policies by @nscuro in #481
  • Extend Analysis model to additionally hold rating overrides by @sahibamittal in #472
  • Improve performance of is_dependency_of query by @nscuro in #484
  • Dynamic loading of fields for policy evaluation by @nscuro in #465
  • Cleanup vuln policy bundle properties by @nscuro in #486
  • Integrate vulnerability policy evaluation into scan result processing by @nscuro in #474
  • Record matched vuln policy conditions in audit trail by @nscuro in #491
  • Add s3 bundle fetch policy support by @mehab in #487
  • Add REST endpoint for vulnerability policies by @VithikaS in #490
  • Set CEL policy container name to org.dependencytrack.policy by @nscuro in #497
  • Add PROJECT_AUDIT_CHANGE notification on policy eval by @sahibamittal in #506
  • Handle reversal of analyses applied via vulnerability policy by @nscuro in #512
  • Support bearer auth for policy bundle server by @mehab in #516
  • Add capability to use regular expressions and vers ranges in dependency graph traversal by @nscuro in #527
  • Add workflow step for policy bundle sync by @nscuro in #528
  • Add pagination and ordering boilerplate for JDBI by @nscuro in #513
  • Jdbi queries for Vulnerability Policies by @VithikaS in #520
  • Populate VULNERABILITY_POLICY_BUNDLE during vuln policy bundle sync by @nscuro in #533
  • Remove created and updated fields from vuln policy schema by @nscuro in #531
  • Add support for github meta analyzer by @sahibamittal in #539
  • Add LogSuccessfulPublish parameter NotificationRule by @sahibamittal in #536
  • Update component metrics in project metrics update procedure by @nscuro in #544
  • Declare DB functions as language sql and immutable by @nscuro in #543
  • Remove CPE table and its code usage by @sahibamittal in #547
  • Backport minor bug fixes by @sahibamittal in #550
  • Implement foundational API for parallel-consumer based Kafka processors by @nscuro in #552
  • Implement is_exclusive_dependency_of function for CEL expressions by @nscuro in #537
  • Create GIN index on "COMPONENT"."DIRECT_DEPENDENCIES" to support dependency graph traversal by @nscuro in #551
  • Allow usage of separate database user for running migrations by @nscuro in #561
  • Update dbschema-generate.sh schema to use Liquibase by @nscuro in #565
  • Add strict token permissions in GH workflows and update image to Java 21 JRE by @sahibamittal in #572
  • Reduce verbosity of Maven in CI by @nscuro in #575
  • Add supplier manufacturer support by @sahibamittal in #570
  • Migrate all tests to use Postgres testcontainers instead of H2 by @nscuro in #573

Bug Fixes 🐛

  • Fix resource leak in CelPolicyLibrary#matchesVersionDistance by @nscuro in #451
  • Move vuln policy schema to resources by @nscuro in #482
  • Fix is_dependency_of query template by @nscuro in #485
  • Fix vuln policy ratings getting persisted as "null" string when null by @nscuro in #492
  • Consider rating overrides for NEW_VULNERABILITY and NEW_VULNERABLE_DEPENDENCY notifications by @nscuro in #488
  • Fix regression in NEW_VULNERABILITY and NEW_VULNERABLE_DEPENDENCY title & content by @nscuro in #493
  • Tweak vuln policy validation during bundle processing by @nscuro in #498
  • Fix missing log message arguments by @nscuro in #500
  • Address thread safety issues with CelPolicy*RowMappers by @nscuro in #501
  • Fix various minor bugs in vulnerability policy evaluation by @nscuro in #503
  • Use lock for VulnerabilityPolicyFetchTask by @nscuro in #504
  • Fix inconsistent AnalysisComment ordering in case of equal timestamp values by @nscuro in #511
  • Fix suppression not being reverted upon policy deletion by @nscuro in #515
  • Fix validFrom and validUntil not being considered when evaluating vuln policies by @nscuro in #519
  • Close response to prevent resource leakage by @VithikaS in #523
  • Fix NPE in PROJECT_AUDIT_CHANGE notification creation by @nscuro in #530
  • Fix enum constraint checks missing from Liquibase changelog by @nscuro in #538
  • Fix broken component filter in project view by @nscuro in #548
  • Fix policy bundle sync being trigger-able even though the feature is disabled by @nscuro in #556
  • Prevent invalid policy bundles from being processed by @nscuro in #557
  • Fix failure to delete PolicyViolations when they have an audit trail by @nscuro in #562
  • Fix GitHub Actions workflow permissions by @nscuro in #574
  • Fix FK constraint violation when deleting project with associated metadata by @nscuro in #577
  • Fix partial license objects being returned by /api/v1/component for components with unresolved license by @nscuro in #578

Dependency Updates 🤖

  • Bump org.apache.commons:commons-compress from 1.24.0 to 1.25.0 by @dependabot in #440
  • Bump lib.protobuf-java.version from 3.25.0 to 3.25.1 by @dependabot in #439
  • Bump bufbuild/buf-setup-action from 1.27.2 to 1.28.0 by @dependabot in #435
  • Bump org.proj...

5.2.2

16 Nov 09:38

What's Changed

Enhancements 🚀

  • Support more Component fields in is_dependency_of and depends_on CEL functions by @nscuro in #431
  • Add support for version distance policies in CEL by @mehab in #401
  • Integrity Analysis on Bom Upload when integrity metadata already exists by @VithikaS in #434

Bug Fixes 🐛

  • Fix invalid SQL query when published_at field is required by CEL policy by @nscuro in #430
  • hash check fixed to fail on even a single hash mismatch by @mehab in #433

Dependency Updates 🤖

  • Bump lib.protobuf-java.version from 3.24.4 to 3.25.0 by @dependabot in #424
  • Bump lib.net.javacrumbs.shedlock.version from 5.9.1 to 5.10.0 by @dependabot in #432
  • Bump aquasecurity/trivy-action from 0.13.1 to 0.14.0 by @dependabot in #436

Other Changes

Full Changelog: 5.2.1...5.2.2

5.2.1

03 Nov 12:36

What's Changed

Bug Fixes 🐛

  • Fix component published date not being returned when no integrity analysis exists for it by @VithikaS in #428
  • Fix BOM processing failure when BOM contains services by @nscuro in #427

Full Changelog: 5.2.0...5.2.1

5.2.0

02 Nov 16:24

What's Changed

Enhancements 🚀

  • Port cyclonedx vex importer change from upstream by @VithikaS in #368
  • Added transient List of ProjectVersions and set Metrics in Project by @nscuro in #367
  • Allow operator and violation when creating policy resource by @VithikaS in #373
  • Bump CWE dictionary to v4.12 by @nscuro in #369
  • Add support for custom license resolution by name by @nscuro in #364
  • Move scripts directory; Use standard directory for IntelliJ run configurations; Add project icon by @nscuro in #370
  • Version Distance policy evaluator by @VithikaS in #374
  • Add new endpoint for DependencyGraph by @sahibamittal in #366
  • Update SPDX license list to v3.21 by @nscuro in #375
  • changes for end points with integrity meta by @mehab in #377
  • Support pass-through properties for Kafka Streams and Kafka Producer by @nscuro in #376
  • Vex resource test by @VithikaS in #381
  • Include Cloud SQL database connector for PostgreSQL by @nscuro in #383
  • Let GitHub generate release notes by @nscuro in #386
  • Port image upgrades from upstream by @VithikaS in #387
  • Implement SPDX expressions by @nscuro in #393
  • Cyclonedx-core-java library version bump by @VithikaS in #397
  • SPDX expression support improvements by @nscuro in #396
  • Schema upgrade v5.2.0 by @VithikaS in #402
  • Diff changes made by scanners to existing vulnerabilities by @nscuro in #423

Bug Fixes 🐛

  • Fix repo meta and vuln analysis tasks not considering projects with active=null by @nscuro in #357
  • port change for jsonignore on transient field by @VithikaS in #362
  • Fix NPE during BOM processing when component doesn't have a PURL by @nscuro in #363
  • Fix NullPointerException when checking for existence of projects without version - port upstream fix by @VithikaS in #365
  • Fix version distance policy being evaluated despite not being configured by @VithikaS in #382
  • Fix AffectedComponent format for CPEs with version ranges by @VithikaS in #385
  • Fix invalid Mattermost & Slack notification templates by @nscuro in #384
  • Fix integrity meta initializer by @VithikaS in #391
  • Fix impossible SQL query conditions causing DB indexes to be bypassed by @nscuro in #403
  • Integrity analysis if integrity metadata is present by @VithikaS in #409
  • Add null check on publishedAt by @VithikaS in #412
  • Fix inconsistent purlCoordinates by @nscuro in #413
  • Send integrity meta events only for supported types by @VithikaS in #416
  • Fix BOM validation failing for spec versions lower than 1.5 by @nscuro in #414
  • Downgrade Jetty Maven Plugin to 10.x by @nscuro in #415
  • Address performance regression during BOM processing by @nscuro in #419
  • Fix FK violation during BOM processing by @nscuro in #422
  • Fix singleton events not being untracked upon unexpected failures by @nscuro in #425

Dependency Updates 🤖

  • Bump lib.kafka.version from 3.5.1 to 3.6.0 by @dependabot in #344
  • Bump bufbuild/buf-setup-action from 1.26.1 to 1.27.0 by @dependabot in #347
  • Bump us.springett:cvss-calculator from 1.4.1 to 1.4.2 by @dependabot in #349
  • Bump lib.protobuf-java.version from 3.24.3 to 3.24.4 by @dependabot in #345
  • Bump org.apache.maven:maven-artifact from 3.9.4 to 3.9.5 by @dependabot in #346
  • Bump debian from bullseye-20230919-slim to bullseye-20231009-slim in /src/main/docker by @dependabot in #354
  • Bump org.json:json from 20230618 to 20231013 by @dependabot in #353
  • Bump lib.net.javacrumbs.shedlock.version from 5.8.0 to 5.9.0 by @dependabot in #352
  • Bump bufbuild/buf-lint-action from 1.0.3 to 1.1.0 by @dependabot in #351
  • Bump lib.net.javacrumbs.shedlock.version from 5.9.0 to 5.9.1 by @dependabot in #378
  • Bump Snappy to 1.1.10.5 by @nscuro in #379
  • Bump bufbuild/buf-setup-action from 1.27.0 to 1.27.1 by @dependabot in #390
  • Bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #389
  • Bump debian from 9071e18 to 8cfbea7 in /src/main/docker by @dependabot in #388
  • Bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.0 to 3.3.1 by @dependabot in #394
  • Bump org.apache.maven.plugins:maven-clean-plugin from 3.3.1 to 3.3.2 by @dependabot in #400
  • Bump bufbuild/buf-setup-action from 1.27.1 to 1.27.2 by @dependabot in #406
  • Bump aquasecurity/trivy-action from 0.12.0 to 0.13.0 by @dependabot in #407
  • Bump org.eclipse.jetty:jetty-maven-plugin from 10.0.16 to 11.0.18 by @dependabot in #411
  • Bump Redpanda to v23.2.13 by @nscuro in #398
  • Bump aquasecurity/trivy-action from 0.13.0 to 0.13.1 by @dependabot in #418
  • Bump debian from 8cfbea7 to 1529b15 in /src/main/docker by @dependabot in #417

Other Changes

  • Incoming events with hash information for apiserver by @mehab in #343
  • added integrity analysis event on apiserver by @mehab in #339
  • Integrity check by @VithikaS in #355
  • clean up of integrity analysis table by @VithikaS in #359
  • Cleanup leftovers of bundled distribution and H2 by @nscuro in #360
  • Fix GHA set-output deprecation warnings by @nscuro in #361
  • Feature/add component age policy by @mehab in #358
  • Add outdated components and direct dependencies in component endpoint by @sahibamittal in #372
  • send integrity meta events outside of transaction and handle integrity violation by @VithikaS in #380
  • converting to single query for getting component meta information by @mehab in #395
  • Integrity analysis if enabled by @VithikaS in #399
  • Force downgrade of logstash-logback-encoder to 7.3 by @nscuro in #404
  • Remove unused frontend.version property by @nscuro in #405
  • Remove mockserver-netty dependency by @nscuro in #408
  • fix query for fetching integrity data by @VithikaS in #410
  • modify batch update query by @VithikaS in #420
  • Bump version to `5...

5.1.0

03 Oct 19:16

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.

5.0.4

22 Sep 15:34

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.

5.0.3

11 Sep 10:01

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.

5.0.2

31 Aug 15:06

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes.
If additional details are required, consult the closed issues for this release milestone.