
Changes over v4

New Features

  • Designed for high availability. Horizontal scalability, distributed work queues, and the option to separate web and worker nodes. No single point of failure, and no additional infrastructure requirements outside the PostgreSQL database you already have.
  • Resiliency as a first-class citizen. Durable execution guarantees that background work such as BOM processing, vulnerability analysis, and notifications completes even through node restarts and crashes.
  • New, more powerful CEL-based policy engine, providing more flexibility while being more efficient than the engine shipped with v4. Policies can be as complex as you need; rigid UI conditions no longer limit what you can express.
  • Automatic portfolio-wide vulnerability analysis. Leverage the new policy engine to audit and suppress vulnerabilities before they surface in the UI or trigger notifications.
  • Component integrity verification. Detect components whose hashes don't match what's published in package repositories.
  • Centralized secrets management. Manage credentials for integrations securely in one place.
  • Reduced resource footprint.

Architecture / Operations

Breaking Changes

  • All deprecated endpoints mentioned below were removed:
    • POST /api/v1/policy/{policyUuid}/tag/{tagName}
    • DELETE /api/v1/policy/{policyUuid}/tag/{tagName}
    • GET /api/v1/tag/{policyUuid}
    • GET /api/v1/bom/token/{uuid}

Notifications

  • subject objects passed to notification templates are now objects generated from Protobuf definitions.
    • The respective schema is defined in notification.proto.
    • List fields now have a List suffix (e.g. vulnerabilities -> vulnerabilitiesList).
  • Level values are now prefixed with LEVEL_
    • Before: INFORMATIONAL
    • Now: LEVEL_INFORMATIONAL
  • Scope values are now prefixed with SCOPE_
    • Before: SYSTEM
    • Now: SCOPE_SYSTEM
  • Group values are now prefixed with GROUP_
    • Before: NEW_VULNERABILITY
    • Now: GROUP_NEW_VULNERABILITY
  • The timestamp value passed to notification templates is now consistently formatted with three fractional digits.
    • Before, any of:
      • 1970-01-01T00:11:06Z
      • 1970-01-01T00:11:06.000Z
      • 1970-01-01T00:11:06.000000Z
      • 1970-01-01T00:11:06.000000000Z
    • Now: 1970-01-01T00:11:06.000Z
  • The API server no longer maintains Lucene indexes.
    • The local ~/.dependency-track/index directory is no longer required.
  • All REST endpoints under /api/v1/search were removed.
  • Fuzzy matching for the internal analyzer is no longer supported.
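The notification changes above (prefixed enum values, the List suffix on repeated fields, and the fixed three-digit timestamp) all break a consumer that string-matches on v4 payloads. The following is an added example, not Dependency-Track's own code: a shim for a webhook consumer that accepts both a v4-style and a v5-style payload and yields the same normalized view. The envelope shape (a notification object with level, scope, group, timestamp and subject keys) and both sample payloads are constructed for illustration; only the differences this page names are handled.

```python
"""Shim for a notification webhook consumer that must accept both v4 and v5 payloads.

Added example; not Dependency-Track's own code. The `notification` envelope with
level/scope/group/timestamp/subject keys, and the sample payloads below, are
constructed for illustration. Only the differences named in the changelog are
handled: LEVEL_/SCOPE_/GROUP_ prefixes, the List suffix on repeated fields, and
the timestamp's variable number of fractional digits.
"""
import re
from datetime import datetime, timezone

_ENUM_PREFIXES = {"level": "LEVEL_", "scope": "SCOPE_", "group": "GROUP_"}

# ISO-8601 UTC instant with 0 to 9 fractional digits (v4 produced any of these;
# v5 always produces exactly three).
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


def strip_enum_prefix(field: str, value: str) -> str:
    """Map v5's LEVEL_INFORMATIONAL back to the bare INFORMATIONAL; leave v4 values as-is."""
    prefix = _ENUM_PREFIXES[field]
    return value[len(prefix):] if value.startswith(prefix) else value


def parse_timestamp(ts: str) -> datetime:
    """Parse the v5 form (.000Z) and every v4 variant to an aware UTC datetime.
    Python's datetime holds microseconds, so nanosecond digits are truncated."""
    m = _TS_RE.match(ts)
    if not m:
        raise ValueError(f"unsupported timestamp: {ts!r}")
    base, frac = m.groups()
    micros = int((frac or "").ljust(6, "0")[:6])
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def list_field(obj: dict, name: str) -> list:
    """Read a repeated field under its v5 name (`<name>List`) or its v4 name."""
    if name + "List" in obj:
        return obj[name + "List"]
    return obj.get(name, [])


def normalize_notification(payload: dict) -> dict:
    """Return a version-independent view of a notification payload."""
    n = payload["notification"]
    subject = n.get("subject", {})
    return {
        "level": strip_enum_prefix("level", n["level"]),
        "scope": strip_enum_prefix("scope", n["scope"]),
        "group": strip_enum_prefix("group", n["group"]),
        "timestamp": parse_timestamp(n["timestamp"]),
        "vuln_ids": [v["vulnId"] for v in list_field(subject, "vulnerabilities")],
    }


# Constructed sample payloads: one in the v4 shape, one in the v5 shape.
V4_PAYLOAD = {"notification": {
    "level": "INFORMATIONAL", "scope": "PORTFOLIO", "group": "NEW_VULNERABILITY",
    "timestamp": "1970-01-01T00:11:06.000000000Z",
    "subject": {"vulnerabilities": [{"vulnId": "CVE-2000-0001"}]},
}}
V5_PAYLOAD = {"notification": {
    "level": "LEVEL_INFORMATIONAL", "scope": "SCOPE_PORTFOLIO",
    "group": "GROUP_NEW_VULNERABILITY",
    "timestamp": "1970-01-01T00:11:06.000Z",
    "subject": {"vulnerabilitiesList": [{"vulnId": "CVE-2000-0001"}]},
}}


if __name__ == "__main__":
    assert normalize_notification(V4_PAYLOAD) == normalize_notification(V5_PAYLOAD)
    print(normalize_notification(V5_PAYLOAD))
```

Stripping the prefixes is only a bridge: once every producer runs v5, match on the prefixed values directly and drop the shim, so that a payload with a bare value is rejected rather than silently accepted.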

Findings

  • The Findings response object's vulnerability no longer contains the two fields below; cwes holds the respective IDs instead.
    • cweId
    • cweName
  • In the SARIF file (schema defined in sarif.peb), cweId is replaced by the list of CWE IDs in cwes, and the name of the SARIF rule is now the vulnerability's vulnId instead of cweName.
  • The /api/v1/finding/project/{uuid} REST API endpoint now supports pagination (apiserver/#1111). The page size defaults to 100. Clients that currently expect all items to be returned in a single response must be updated to walk the pages; otherwise they silently see at most the first 100 findings.
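The following is an added example, not Dependency-Track's own client code, covering the two Findings changes above: a client that walks the now-paginated /api/v1/finding/project/{uuid} endpoint instead of trusting a single response, and a helper that reads CWE IDs from either the v4 cweId field or the v5 cwes list. It assumes the paging convention the existing v4 API uses, namely pageNumber (1-based) and pageSize query parameters with the total in an X-Total-Count response header, and an X-Api-Key request header; none of those names are stated on this page. The fake server is constructed test data so the example runs offline.

```python
"""Paged client for GET /api/v1/finding/project/{uuid}, plus a helper for the
cwes change. Added example; not Dependency-Track's own client code.

Assumptions (not stated on this page): the paging convention is the one the
existing v4 API uses, i.e. `pageNumber` (1-based) and `pageSize` query
parameters with the total in an `X-Total-Count` response header, and the API
key is sent in `X-Api-Key`. The fake server below is constructed test data.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator

DEFAULT_PAGE_SIZE = 100  # the server-side default named in the changelog

FetchPage = Callable[[str, dict], tuple]


def http_fetch_page(base_url: str, api_key: str) -> FetchPage:
    """Real transport: returns fetch(path, params) -> (items, headers)."""
    def fetch(path: str, params: dict):
        url = f"{base_url}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp), dict(resp.headers)
    return fetch


def iter_findings(fetch: FetchPage, project_uuid: str,
                  page_size: int = DEFAULT_PAGE_SIZE) -> Iterator[dict]:
    """Yield every finding, walking pages until the server's reported total is
    reached or a short page comes back. A v4-era client that issues one request
    silently sees at most `page_size` findings against a v5 server."""
    path = f"/api/v1/finding/project/{project_uuid}"
    seen = 0
    page = 1
    while True:
        items, headers = fetch(path, {"pageNumber": page, "pageSize": page_size})
        if not items:
            return
        yield from items
        seen += len(items)
        # Header names are case-insensitive; do not assume the server's casing.
        total = next((v for k, v in headers.items()
                      if k.lower() == "x-total-count"), None)
        if total is not None and seen >= int(total):
            return
        if len(items) < page_size:  # short page: nothing more to fetch
            return
        page += 1


def first_page_only(fetch: FetchPage, project_uuid: str) -> list:
    """What an unmodified v4 client effectively does against v5: one request."""
    items, _ = fetch(f"/api/v1/finding/project/{project_uuid}", {})
    return items


def cwe_ids(vulnerability: dict) -> list:
    """v5 findings carry the CWE IDs in `cwes`; v4 exposed a single `cweId`
    (assumed here to be an integer). Returns a list either way."""
    if "cwes" in vulnerability:
        return list(vulnerability["cwes"])
    if vulnerability.get("cweId") is not None:
        return [vulnerability["cweId"]]
    return []


def make_fake_server(total: int) -> FetchPage:
    """Constructed stand-in for the API: `total` findings served in pages."""
    findings = [
        {"component": {"name": f"pkg-{i}"},
         "vulnerability": {"vulnId": f"CVE-2000-{i:04d}", "cwes": [79, 89]}}
        for i in range(total)
    ]

    def fetch(path: str, params: dict):
        size = params.get("pageSize", DEFAULT_PAGE_SIZE)
        page = params.get("pageNumber", 1)
        start = (page - 1) * size
        return findings[start:start + size], {"X-Total-Count": str(total)}
    return fetch


if __name__ == "__main__":
    fake = make_fake_server(250)
    print(len(first_page_only(fake, "demo")), "findings via a single request")
    print(len(list(iter_findings(fake, "demo"))), "findings via paging")
```

The short-page check matters as much as the total: if a proxy strips X-Total-Count, the loop still terminates instead of requesting empty pages forever, and if the portfolio grows between requests the total still bounds the walk.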