• Add support for NuGet versioning scheme - apiserver/#5958
• Add support for Composer versioning scheme - apiserver/#5963
• Document age and version distance operational policy criteria - apiserver/#5964
• Use ecosystem-aware version comparison for latest version detection - apiserver/#5995
• Support Sonatype Guide tokens for OSS Index analyzer - apiserver/#5996
• Improve Chinese translations - frontend/#1490

Fixes:

• Fix PURL-specific version matching being bypassed for components with CPE - apiserver/#5959
• Fix wasteful existence queries - apiserver/#5960
• Fix potentially wrong version being used for CPE comparison - apiserver/#5962
• Fix scheduled notification query failing when ID columns are not of type BIGINT - apiserver/#5979
• Avoid NPE when computing Trivy pkgType - apiserver/#5987
• Remove leading whitespace from vulnerability badge SVG template - apiserver/#6000
• Fix Japanese Trivy analyzer strings - frontend/#1489

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.14.1
• Frontend milestone 4.14.1

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:

@Zureno, @jonbally, @retanoj, @shayFoo, @stohrendorf

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json

• Ecosystem-aware version matching. Vulnerability analysis now uses version comparison algorithms native to the component’s ecosystem, rather than relying on generic semantic versioning. For example, Debian versions are compared using the dpkg sorting algorithm. Supported ecosystems are Alpine Linux, Debian, Go, Maven, NPM, PyPI, and RPM.
• Distro-aware vulnerability matching. Linux distributions like Debian backport security fixes to older releases, meaning a component may be vulnerable in one distro release but not another. Dependency-Track now uses the distro qualifier of package URLs (e.g., pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u2?distro=debian-13.3) to determine the OS release and match vulnerabilities accordingly. Currently supported for Alpine Linux, Debian, and Ubuntu.
  • Note: Requires vulnerability data from OSV, as the NVD does not contextualize version ranges by OS release. Not all BOM generators populate the distro PURL qualifier today.
• CVSSv4 support. Upstream vulnerability sources are increasingly publishing CVSSv4 scores. Dependency-Track now ingests and displays CVSSv4 vectors and derived severities alongside existing CVSSv2 and CVSSv3 data.

Features:

• Include project UUID in log messages - apiserver/#5500
• Add support for incremental mirroring of OSV - apiserver/#5537
• Add internal status policy condition support - apiserver/#5570
• Implement VERS approach for PURL version matching - apiserver/#5591
• Add projectUuid via MDC to logger statements within VEX upload - apiserver/#5615
• Specify newer version of Docker Compose in README - apiserver/#5648
• Add configurable base URL for OSS Index API - apiserver/#5736
• Update OSS Index documentation - apiserver/#5774
• Improve efficiency and caching behaviour of OSS Index analyzer - apiserver/#5793
• Switch to G1GC and limit default Docker Compose memory to 4GB - apiserver/#5794
• Add EPSS score support for GitHub Advisory vulnerabilities - apiserver/#5829
• Add page on users and permissions to documentation - apiserver/#5831
• Include CVSS vectors and metadata in Finding model - apiserver/#5844
• Tweak vulnerability persistence logic - apiserver/#5862
• Add CVSSv4 support - apiserver/#5863
• Delete NVD feed timestamp files during v4.14.0 upgrade - apiserver/#5886
• Bump SPDX license list to v3.28.0 - apiserver/#5888
• Bump CWE dictionary to v4.19.1 - apiserver/#5889
• Make username optional for Repositories Bearer Auth - frontend/#1128
• Improve German Translation - frontend/#1227
• Add suffix to vulnerability locale keys - frontend/#1276
• Add match mode selector to internal component config - frontend/#1283
• Display license ID - frontend/#1311
• Support for scope mentioned in CycloneDX format - frontend/#1319
• Add support for IS_INTERNAL policy condition - frontend/#1394
• Add Traditional Chinese (zh-TW) language support - frontend/#1412
• Remove database information from About dialogue - frontend/#1421
• Add OSS Index Base URL configuration field - frontend/#1431
• Add CVSSv4 support - frontend/#1455
• Add missing internal_status i18n key for zh-TW locale - frontend/#1456

Fixes:

• Fix sneaky double quote - apiserver/#5420
• Fix incorrect UTF-8 encoding in notification payload - apiserver/#5574
• Fix excessive memory usage of Nix analyzer - apiserver/#5653
• Fix wrong NPM component coordinate separator for Trivy analysis - apiserver/#5679
• Fix performance issue with PURL lookups - apiserver/#5711
• Fall back to generic versioning scheme if no PURL is available - apiserver/#5714
• Fix incorrect URL for VulnDB analyzer - apiserver/#5751
• Ensure container zombie processes are reaped - apiserver/#5758
• Fix singleton events not being labelled as such - apiserver/#5775
• Consider OS distro during vulnerability matching - apiserver/#5783
• Fix re-initialization of teams when opening create-modal - frontend/#1410

Upgrade Notes:

• To backfill CVSSv4 and EPSS data, mirror watermarks for NVD and GitHub Advisories will be reset,
  triggering a full re-mirror on next invocation.

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.14.0
• Frontend milestone 4.14.0

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:

@anantk24, @AndreVirtimo, @arjavdongaonkar, @brianf, @ch8matt, @ElenaStroebele, @fupgang, @Granjow, @jonbally, @jvirgovic, @setchy, @snieguu, @stohrendorf, @tobiasgies, @valentijnscholten, @WoozyMasta, @wengct

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json

To use the new image variant, append the -alpine suffix to the image tag, e.g.:

• docker.io/dependencytrack/apiserver:latest-alpine
• docker.io/dependencytrack/bundled:4.13.6-alpine

The previous Debian-based image variant continues to be the default for now, but will eventually be discontinued in a future release. Users experiencing issues with alpine images can safely fall back to non-alpine variants.

Features:

• Add Alpine-based container variants - apiserver/#5533
• Update Ukrainian translation - frontend/#1385

Fixes:

• Improve performance of database migration to v4.13.5 - apiserver/#5419
• Ignore stale Lucene index entries - apiserver/#5428
• Fix typo in email notification template - apiserver/#5434
• Fix referential integrity violation during bulk project deletion - apiserver/#5446
• Fix referential integrity violation during team deletion - apiserver/#5447
• Fix NPE in Composer component metadata analyzer - apiserver/#5519
• Fix XML External Entity injection via validation of CycloneDX BOMs in XML format - apiserver/#5528 / GHSA-93r8-3g93-w2gq
• Fix OSS Index documentation link - apiserver/#5531
• Change toString() method of Project to use name and version instead of PURL - apiserver/#5532
• Fix broken routing when BASE_PATH is configured - frontend/#1381
• Fix policy tag selection dialogue using the wrong REST API endpoint - frontend/#1382
• Fix persistent Cross-Site-Scripting via welcome message - frontend/#1383 / GHSA-7xvh-c266-cfr5
• Fix redirect loop when authenticated user is lacking permissions - frontend/#1386

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.13.6
• Frontend milestone 4.13.6

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:

@ElenaStroebele, @arjavdongaonkar, @aurifi, @ch8matt, @illenko, @sahibamittal, @snieguu, @stohrendorf

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json

Sonatype has started to enforce an authentication requirement for OSS Index.

The OSS Index analyzer has historically been enabled by default for Dependency-Track, and configuration of credentials for authentication was not strictly necessary.

This has now changed, and users who wish to continue using OSS Index will need to register for a free account, and configure credentials in the analyzer’s settings.

Please refer to Sonatype’s announcement for further details.

In the midterm, we’ll be looking into enabling OSV per default to compensate for this change.

Fixes:

• Fix CPE matching not being fully case-insensitive - apiserver/#5299
• Improve detection whether version of a github PURL is a commit SHA or release tag - apiserver/#5350
• Make OSS Index credentials required - apiserver/#5351
• Fix occasional NullPointerException when mirroring the NVD via REST API - apiserver/#5352
• Fix /api/v1/tag/policy/{uuid} endpoint returning more tags than are assigned to a policy - apiserver/#5353
• Fix possible failure of NVD mirroring due to corrupted timestamp files - apiserver/#5354
• Fix BOM validation failing due to unrecognized new SPDX license IDs - apiserver/#5355
• Fix new SPDX license IDs not being recognized - apiserver/#5356
• Fix high CPU utilization when watchdog logger is configured - apiserver/#5357
• Fix NullPointerException in GithubMetaAnalyzer when analyzing GitHub Actions - apiserver/#5359
• Fix connection reset during OSV mirroring - apiserver/#5360
• Fix compatibility of custom NuGet repositories with JFrog Artifactory - apiserver/#5381
• Fix custom NuGet repositories not working with Sonatype Nexus - apiserver/#5381
• Fix possible disclosure of private NuGet repository credentials to api.nuget.org - apiserver/#5381 / GHSA-83g2-vgqh-mgxc

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.13.5
• Frontend milestone 4.13.5

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:

@colinfyfe, @framayo, @jonbally, @snieguu, @stohrendorf

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json

Users who cannot perform this upgrade immediately can configure NVD mirroring to be performed via the NVD REST API instead. Refer to the NVD datasource documentation for details.

Features:

• Migrate to NVD 2.0 data feeds - apiserver/#5236

Fixes:

• Handle URLs in composer package metadata pattern - apiserver/#5234
• Fix failing TrivyAnalysisTaskIntegrationTest - apiserver/#5241
• Handle adduser / addgroup removal in Debian base image - apiserver/#5246
• Fix inconsistent ordering in findings endpoints - apiserver/#5247
• Fix failing Trivy OS matching for distro versions with special characters - apiserver/#5249

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.13.4
• Frontend milestone 4.13.4

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json

• Add AWS Cognito configuration example - apiserver/#5172

Fixes:

• Fix too many query parameters when retrieving vuln aliases - apiserver/#5167
• Add apiserver health check to Compose files - apiserver/#5171
• Fix OSV ubuntu advisory containing severity without type - apiserver/#5168
• Handle dangling SPDX expression operators - apiserver/#5173
• Fix BOM export failing for projects of type NONE - apiserver/#5178
• Add whitespace sanitization in fuzzySearch CPE to fix CPE validation errors - apiserver/#5176
• Ensure VulnerableSoftware query is able to leverage indexes - apiserver/#5177
• Bulk load component relationships for BOM export - apiserver/#5179
• Improve Composer meta analyzer’s ability to deal with minified metadata - apiserver/#5175
• Fix failing v4.13.1 migration for H2 deployments that pre-date v4.11.0 - apiserver/#5180

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.13.3
• Frontend milestone 4.13.3

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:

@ch8matt, @jonbally, @vdieieva

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json

• Fix failing v4.13.1 migration for MSSQL deployments that pre-date v4.11.0 - apiserver/#4911
• Fix summary notifications not sent when “skip if unchanged” is enabled - apiserver/#4913

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.13.2
• Frontend milestone 4.13.2

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json

• Show collection projects using a tag in the tags list - frontend/#1241

Fixes:

• Fix NEW_VULNERABILITIES_SUMMARY notification dispatch failing for PostgreSQL - apiserver/#4859
• Fix team email addresses not being available when publishing scheduled notification emails - apiserver/#4860
• Prevent duplicate tag names and relationships - apiserver/#4861
• Fix missing NONE value in classifier check constraint - apiserver/#4887
• Improve stability of tag binding - apiserver/#4885
• Fix tag deletion failing when tag is used by project collection logic - apiserver/#4888

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.13.1
• Frontend milestone 4.13.1

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json

• API Key Overhaul. API keys are no longer stored as plain text values in the database, but as SHA3-256 hashes. It will no longer be possible to view the full, plain text API keys in the administration panel. Instead, full keys will only be shown once after their creation. To allow keys to be identifiable despite this change, the API key format was adjusted to include a public identifier portion. Keys generated by version 4.13.0 and later will follow the format odt_<publicId>_<key>, where publicId consists of 8 random characters, and key of the usual 32 random characters. The public ID is intended to identify API keys without disclosing their secret. It will be visible in the UI, and it will also appear in logs.
  • Keys generated by earlier versions of Dependency-Track will continue to work, in their case the first 5 characters are assumed to be the public ID.
  • This feature was discussed and demoed in our February community meeting! Watch it here
• Collection Projects. Dependency-Track has had support for project hierarchies for a while, but until now their utility was still somewhat limited. Collection projects change this, as they allow parent projects to act as aggregates of their children. While they are a major improvement to the project hierarchy mechanism, there is still more work to be done. And the team is always looking for feedback on how to make it better.
  • This feature was discussed and demoed in our January community meeting! Watch it here
• Scheduled Summary Notifications. Instead of publishing notifications immediately when a new vulnerability or policy violation is identified, it is now possible to configure scheduled summary notifications. This aids in reducing alert fatigue. Refer to the notifications documentation for more details.
• Reduced Memory Footprint. The persistence framework used by Dependency-Track to interact with the database comes with overambitious caching enabled per default. Disabling this cache mechanism has been a recommendation the team gave to users struggling with memory requirements for a while. After evaluating whether it provides any justifiable benefit at all, it was decided to turn this feature off entirely. Users with large portfolios should see a noticeable drop in heap utilization and pressure on the garbage collector.
• Observability Improvements. Logs emitted while handling REST API requests now include context about the authenticated user, the path of the endpoint being called, as well as the request method. This makes it easier to trace where problems are occurring, and who initiated the requests that cause them.

Features:

• Introduce collection projects for better utilization of project hierarchies - apiserver/#3258
• Add property to control verified flag in DefectDojo integration - apiserver/#4273
• Disable DataNucleus L2 cache globally - apiserver/#4310
• Optimize vulnerability synchronization logic to not perform redundant writes - apiserver/#4359
• Add REST API endpoint for batch deletion of projects - apiserver/#4383
• Update link to Azure DevOps Extension in docs - apiserver/#4423
• Reduce database round-trips during BOM processing - apiserver/#4486
• Postpone deprecation of unauthenticated access to Badge API - apiserver/#4502
• Clarify descriptions of component analysis cache properties - apiserver/#4504
• Add debug logging for Composer meta analyzer - apiserver/#4546
• Clarify OpenAPI endpoint location in the docs - apiserver/#4556
• Migrate API keys to new format - apiserver/#4566, apiserver/#4682
• Update quickstart Compose file to use Postgres instead of H2 - apiserver/#4576
• Add SecObserve to community integrations - apiserver/#4580
• Track “last vulnerability analysis” timestamp for projects - apiserver/#4642
• Implement basic telemetry collection - apiserver/#4651
• Prevent application startup when migrations fail - apiserver/#4681
• Add support for Snyk API version 2024-10-15 - apiserver/#4715
• Add REST API endpoint for bulk creation of tags - apiserver/#4766
• Update Azure AD configuration docs to Entra ID - apiserver/#4778
• Make it configurable whether Trivy should scan only OS packages, only libraries, or both - apiserver/#4782
• Add support for scheduled summary notifications - apiserver/#4783
• Add ability to configure the DefectDojo test title - apiserver/#4796
• Bump SPDX license list to v3.26.0 - apiserver/#4800
• Bump CWE dictionary to v4.16 - apiserver/#4801
• Add new optional column Classifier in project component view - frontend/#1058
• Remove deprecation notice of toggle for unauthenticated access to SVG badges - frontend/#1129
• Add timestamp formatting to chart tooltips - frontend/#1152
• Handle new API key format and generation process - frontend/#1157
• Add telemetry admin view - frontend/#1164
• Add autocomplete to project collection logic tag dropdown - frontend/#1198

Fixes:

• Fix failure to synchronize vulnerability aliases when the source of a vulnerability is unrecognized - apiserver/#4767
• Fix possible NPE during affected version attribution sync - apiserver/#4798
• Fix occasional JsonParseException during NVD API mirroring - apiserver/#4814
• Fix UpgradeInitializer halting the entire process upon failure - apiserver/#4818
• Fix column visibility preference not considered for project list - frontend/#1169
• Fix tag autocomplete dropdown library style overriding issue - frontend/#1213

Upgrade Notes:

Please make a database backup before upgrading! Some changes in this release are irreversible,
and you won’t be able to roll back simply by downgrading the application version!

• Existing API keys will be automatically hashed during this upgrade. It will not be possible to view them in plain text ever again after the upgrade completed. Outside of making a database backup, consider noting down all the keys you might need somewhere safe before performing this upgrade.
• Dependency-Track instances will automatically share minimal telemetry information on a daily basis. Find a list of collected data, as well as instructions for opting out, in the telemetry documentation.

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.13.0
• Frontend milestone 4.13.0

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:

@2000rosser, @AndreVirtimo, @Gepardgame, @Granjow, @LaVibeX, @MM-msr, @Malaydewangan09, @Rudra-Garg, @SaberStrat, @StefanFl, @VinodAnandan, @Zargath, @ad8-adriant, @dhfherna, @jayolee, @mge-mm, @mikael-carneholm-2-wcar, @mjwrona, @rbt-mm, @rkg-mm, @stohrendorf, @valentijnscholten

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json

• Fix NPE during NVD mirroring via REST API when encountering invalid CPEs - apiserver/#4734
• Remove erroneous client-side caching in Trivy analyzer - apiserver/#4736
• Fix notification limiting to tags not working reliably - apiserver/#4737
• Fix tags from BOM upload request not being applied for existing projects - apiserver/#4740
• Fix component properties not being cloned - apiserver/#4746

For a complete list of changes, refer to the respective GitHub milestones:

• API server milestone 4.12.7
• Frontend milestone 4.12.7

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

dependency-track-apiserver.jar

dependency-track-bundled.jar

frontend-dist.zip

Software Bill of Materials (SBOM)

• API Server: bom.json
• Frontend: bom.json