Skip to content

Changes over v4

New Features

  • New powerful CEL-based policy engine, providing more flexibility while being more efficient than the engine shipped with v4.
  • Ability to automatically audit vulnerabilities across the entire portfolio using CEL expressions.
  • Hash-based integrity analysis for components.
  • The API server now supports high availability (HA) deployments in active-active configuration.
  • Zero downtime deployments when running API server in HA configuration.
  • Greatly reduced resource footprint of the API server.
  • The status of asynchronous tasks (e.g. vulnerability analysis) is now tracked in a persistent manner, improving observability.

Architecture / Operations

  • PostgreSQL is the only supported database.
    • Support for H2, MySQL, and Microsoft SQL Server is dropped.
  • To facilitate communication between services, a Kafka-compatible broker is required.
  • Publishing of notifications, fetching component metadata from repositories, and vulnerability analysis is performed by services separately from the API server.
    • The services can be scaled up and down as needed.
    • Some services (i.e. notification-publisher) can be omitted entirely from a deployment, if publishing of notification via e.g. Webhook is not needed.
  • All services except the API server can optionally be deployed as native executables (thanks to GraalVM), offering a lower resource footprint than their JVM-based counterparts.
  • Database migrations are performed through a more reliable, changelog-based approach.

Breaking Changes

  • All deprecated endpoints mentioned below were removed:
    • POST /api/v1/policy/{policyUuid}/tag/{tagName}
    • DELETE /api/v1/policy/{policyUuid}/tag/{tagName}
    • GET /api/v1/tag/{policyUuid}
    • GET /api/v1/bom/token/{uuid}

Notifications

  • subject objects passed to notification templates are now objects generated from Protobuf definitions.
    • The respective schema is defined in notification.proto.
    • List fields now have a List suffix (i.e. vulnerabilities -> vulnerabilitiesList).
  • Level values are now prefixed with LEVEL_
    • Before: INFORMATIONAL
    • Now: LEVEL_INFORMATIONAL
  • Scope values are now prefixed with SCOPE_
    • Before: SYSTEM
    • Now: SCOPE_SYSTEM
  • Group values are now prefixed with GROUP_
    • Before: NEW_VULNERABILITY
    • Now: GROUP_NEW_VULNERABILITY
  • The timestamp value passed to notification templates is now consistently formatted with three fractional digits.
    • Before, any of:
      • 1970-01-01T00:11:06Z
      • 1970-01-01T00:11:06.000Z
      • 1970-01-01T00:11:06.000000Z
      • 1970-01-01T00:11:06.000000000Z
    • Now: 1970-01-01T00:11:06.000Z
  • The API server no longer maintains Lucene indexes.
    • The local ~/.dependency-track/index directory is no longer required.
  • All REST endpoints under /api/v1/search were removed.
  • Fuzzy matching for the internal analyzer is no longer supported.

Findings

  • The Findings response object's vulnerability will no longer contain two fields below, cwes will hold the respective ids.
    • cweId
    • cweName
  • In the SARIF file (schema defined in sarif.peb), cweId will be replaced by list of cwe ids in cwes. And name of the SARIF rule will be vulnerability's vulnId instead of cweName.