Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add changelog for v4.11.5 #3946

Merged
merged 1 commit into from
Jul 8, 2024
Merged

Add changelog for v4.11.5 #3946

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions docs/_posts/2024-07-08-v4.11.5.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
---
title: v4.11.5
type: patch
---

This release primarily addresses an inability to mirror the NVD via its REST API. The NVD REST API recently experienced
increased load, causing service disruptions. Dependency-Track users who opted into API mirroring will have seen
symptoms of this as `NvdApiException: NVD Returned Status Code: 503` errors in the logs.

To reduce load on their systems, [NIST started to block](https://github.com/jeremylong/Open-Vulnerability-Project/issues/184#issuecomment-2214217254)
requests with a certain `User-Agent` header, which Dependency-Track happens to use. Upgrading to v4.11.5
will allow Dependency-Track to no longer be subject to this block.

Users who can't immediately update, yet are reliant on NVD data being current, can switch back to the
feed file based mirroring by disabling *Enable mirroring via API* in the administration panel.

**Fixes:**

* Fix broken NVD mirroring via REST API - [apiserver/#3940]
* Fix BOM processing V2 dispatching `BOM_CONSUMED` and `BOM_PROCESSED` notification with scope `SYSTEM` instead of `PORTFOLIO` - [apiserver/#3941]
* Fix BOM export producing invalid CycloneDX for custom licenses - [apiserver/#3942]

For a complete list of changes, refer to the respective GitHub milestones:

* [API server milestone 4.11.5](https://github.com/DependencyTrack/dependency-track/milestone/42?closed=1)
* [Frontend milestone 4.11.5](https://github.com/DependencyTrack/frontend/milestone/27?closed=1)

We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.

Special thanks to everyone who contributed code to implement enhancements and fix defects:
[@2000rosser]

###### dependency-track-apiserver.jar

| Algorithm | Checksum |
|:----------|:---------|
| SHA-1 | |
| SHA-256 | |

###### dependency-track-bundled.jar

| Algorithm | Checksum |
|:----------|:---------|
| SHA-1 | |
| SHA-256 | |

###### frontend-dist.zip

| Algorithm | Checksum |
|:----------|:-----------------------------------------------------------------|
| SHA-1 | 0992c02871d536eaa1d3971a01ce815daf115129 |
| SHA-256 | fa427fd6dde55fe6a327a82f52edcdbe29a04f23d360742fe446b0c8e1714647 |

###### Software Bill of Materials (SBOM)

* API Server: [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.11.5/bom.json)
* Frontend: [bom.json](https://github.com/DependencyTrack/frontend/releases/download/4.11.5/bom.json)

[apiserver/#3940]: https://github.com/DependencyTrack/dependency-track/pull/3940
[apiserver/#3941]: https://github.com/DependencyTrack/dependency-track/pull/3941
[apiserver/#3942]: https://github.com/DependencyTrack/dependency-track/pull/3942

[@2000rosser]: https://github.com/2000rosser