Update dependency DependencyTrack/dependency-track to v4.12.0 (!88) · Merge requests · Iron Bank Containers / Opensource / dependency-track / api

POPs-renovate-tools_03Dec2024 requested to merge renovate/dependencytrack-dependency-track-4.x into development Oct 02, 2024

This MR contains the following updates:

Package	Type	Update	Change
DependencyTrack/dependency-track		minor	`4.11.7` -> `4.12.0`
DependencyTrack/dependency-track	ironbank-github	minor	`4.11.7` -> `4.12.0`

⚠ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Release Notes

DependencyTrack/dependency-track (DependencyTrack/dependency-track)

`v4.12.0`

Compare Source

For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and upgrade notes. If additional details are required, consult the closed issues for this release milestone.


##### SHA1
0cfe5d6cd014a0a25cdb0379e5a75596adc3d448  dependency-track-apiserver.jar
f7a1af3a5bf5f5b864d0db519fe2944391496f32  dependency-track-bundled.jar

##### SHA256
83d31e132643249f7752154adc49690353484a66de6e77db7e25f0c1309528eb  dependency-track-apiserver.jar
3b4e27b29fd8a19cc5a250d394df43e0b046781f4d37c11720f8db8b9714d669  dependency-track-bundled.jar

##### SHA512
44b47c7f864a09733b45fce747c3f6a115a0ba4d753d179b78a613404ab7bdd9008cef3539f5af72193506a7cd1b88fca5041a858a0f287612f2ac5572650fae  dependency-track-apiserver.jar
6e6b1210749d89b1ccc29ddc4dcbf2e38c926663f888f644488e63ffda00eb29c79eff1b180941dc798210f5ecf7c2a0e4175e03130f69a08beee36d66aef9fa  dependency-track-bundled.jar

What's Changed

Enhancements 🚀

Raise baseline Java version to 21 by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3682
Add active Field To Project Versions by @aravindparappil46 in https://github.com/DependencyTrack/dependency-track/pull/3691
Support ingestion of CycloneDX v1.6 BOMs by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3710
Gracefully handle NotSortableExceptions by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3724
Migrate from Swagger v2 to OpenAPI v3 by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3726
Improve OpenAPI v3 integration by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3728
Add EPSS conditions to policies by @2000rosser in https://github.com/DependencyTrack/dependency-track/pull/3746
Search component by group by @rcsilva83 in https://github.com/DependencyTrack/dependency-track/pull/3761
Add Notification For BOM_VALIDATION_FAILED by @aravindparappil46 in https://github.com/DependencyTrack/dependency-track/pull/3796
Bump CWE dictionary to v4.14 by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3819
Bump SPDX license list to v3.24.0 by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3846
feat: autocreate project with tags by @JCHacking in https://github.com/DependencyTrack/dependency-track/pull/3843
Improve performance of findings retrieval by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3869
Add REST endpoints for tag retrieval by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3881
Deprecate /api/v1/tag/{policyUuid} in favor of /api/v1/tag/policy/{uuid} by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3887
Enable string de-duplication JVM option per default by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3893
Add REST endpoints for bulk tagging & un-tagging of projects by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3894
Add REST endpoint for tag deletion by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3896
Add REST endpoints to tag and untag policies in bulk by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3924
Log warning when dependency graph is missing the root node by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3990
Add option to test notification publisher by @2000rosser in https://github.com/DependencyTrack/dependency-track/pull/3983
Add support for authors field by @2000rosser in https://github.com/DependencyTrack/dependency-track/pull/3969
Add tag support for notifications, and REST endpoints for tagging & untagging notifications in bulk by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4031
Disable H2 shutdown hook by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4106
Support inclusion/exclusion of projects from BOM validation with tags by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4109
Migrate Trivy integration to use Protobuf instead of JSON by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4116
Bump generated BOM to CycloneDX v1.5; Add external references by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4110
Bump Alpine to 3.1.0 and adopt new framework features by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4134
Support customizable welcome message to display on login page by @Gepardgame in https://github.com/DependencyTrack/dependency-track/pull/4131
Add AUTHOR -> AUTHORS migration by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4143
Bump SPDX license list to v3.25.0 by @2000rosser in https://github.com/DependencyTrack/dependency-track/pull/4145
Support configuration of system-wide default locale by @Gepardgame in https://github.com/DependencyTrack/dependency-track/pull/4136
Include team name in audit trail for API-submitted audit changes by @Gepardgame in https://github.com/DependencyTrack/dependency-track/pull/4154
Global Audit View: Policy Violations by @rbt-mm in https://github.com/DependencyTrack/dependency-track/pull/3544
Support assigning of teams for portfolio ACL when creating a project by @Gepardgame in https://github.com/DependencyTrack/dependency-track/pull/4093
Introduce isLatest project flag & allow policies to be limited to latest version by @rkg-mm in https://github.com/DependencyTrack/dependency-track/pull/4184
Enhance badge API to require authorization by @SaberStrat in https://github.com/DependencyTrack/dependency-track/pull/4059
Exclude pre-releases from NuGet latest version check by @brentos99 in https://github.com/DependencyTrack/dependency-track/pull/3468
Ensure modifying project endpoints are transactional by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4194
Fix redundant ConfigProperty queries in BadgeResource by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4202

Bug Fixes 🐛

Fix failing JSON BOM validation when specVersion is not one of the first fields by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3697
Fix broken global vuln audit view for MSSQL by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3700
fix os handling when trivy sets pkgType on properties by @fnxpt in https://github.com/DependencyTrack/dependency-track/pull/3727
Fix OpenAPI types of UNIX timestamp fields by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3731
Handle breaking change in Trivy server API by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3738
Add date format to support offset in nuget analyser by @sahibamittal in https://github.com/DependencyTrack/dependency-track/pull/3736
Fix project name not showing in Jira tickets by @lgrguricmileusnic in https://github.com/DependencyTrack/dependency-track/pull/3745
Fix jakarta.servlet-api not being inherited from alpine-server by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3770
Fix licenses not being resolved by name by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3782
Fix Slack notifications failing when no base URL is configured by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3791
Issue-3769 : fix update component external references by @sahibamittal in https://github.com/DependencyTrack/dependency-track/pull/3805
vulnerabilityAudit incorrectly displaying non-active projects by @2000rosser in https://github.com/DependencyTrack/dependency-track/pull/3839
Fix BOM validation failing when URL contains encoded [ and ] characters by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3865
Prevent XXE injection during CycloneDX validation and parsing by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3870
Fix BOM_CONSUMED and BOM_PROCESSED notifications being dispatched with wrong scope by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3877
Relax lowercase requirement for /api/v1/tag/{name}/project and /api/v1/tag/{name}/policy by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3888
Fix NPE when querying component metadata for projects without findings by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3889
Set license name instead of ID when using custom license by @2000rosser in https://github.com/DependencyTrack/dependency-track/pull/3915
Fix JDOUserException when multiple licenses match a component's license name by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3958
Add regression test for missing parent property in /v1/project/{uuid} response by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3959
Fix missing projectTags parameter for POST /v1/bom endpoint by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3960
Ensure no unique constraint violation for ProjectMetadata by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/3982
Fix validation error when XML BOM declares multiple namespaces by @philippn in https://github.com/DependencyTrack/dependency-track/pull/4020
added missing endpoints in index html for open api upgrade by @mehab in https://github.com/DependencyTrack/dependency-track/pull/4022
Handle breaking change in Trivy v0.54.0 server API by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4023
Fix project link for new vulnerable dependency for email by @2000rosser in https://github.com/DependencyTrack/dependency-track/pull/4026
Fix vex export returning invalid CycloneDX by @SaberStrat in https://github.com/DependencyTrack/dependency-track/pull/3948
Ensure URL-encoding of repository URL path segments by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4107
Fix project being rendered as PURL in email notifications by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4108
Use empty string instead of SNAPSHOT as version in BOM download if project doesn't have a version by @Gepardgame in https://github.com/DependencyTrack/dependency-track/pull/4142
Handle empty component and service names by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4146
Handle existing duplicate component properties by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4147
Fix infinite recursion during policy condition serialization by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4165
Feat: Fix that Emails render all symbols right by @Gepardgame in https://github.com/DependencyTrack/dependency-track/pull/4141
Fix directDependencies of cloned projects referring to original component UUIDs by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4171
Fix CPE not being imported from CycloneDX metadata.component by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4174
Visible Endpoint returns only Visible Teams(name, uuid) by @Gepardgame in https://github.com/DependencyTrack/dependency-track/pull/4177
Cache Trivy DB for integration tests by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4181
Fix breaking change in PUT /api/v1/project endpoint by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4185
Fix metrics endpoint API docs erroneously claiming to return project and component data by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4195
Fix OSV severity level calculation by @peterakimball in https://github.com/DependencyTrack/dependency-track/pull/4196
Fix: Unauthorized access to projects over /vulnerability/{source}/vuln/{vuln}(/projects) when ACL is enabled by @Gepardgame in https://github.com/DependencyTrack/dependency-track/pull/4201
Fix affectedComponents getting removed when updating an internal vulnerability by @nscuro in https://github.com/DependencyTrack/dependency-track/pull/4208

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Update dependency DependencyTrack/dependency-track to v4.12.0

Release Notes

v4.12.0

What's Changed

Enhancements 🚀

Bug Fixes 🐛

Dependency Updates 🤖

Other Changes

New Contributors

Configuration

Merge request reports

`v4.12.0`