Add changelog for v4.13.0

Signed-off-by: nscuro <nscuro@protonmail.com>
2025-10-19 07:53:18 +00:00 · 2025-04-01 21:00:47 +02:00 · 2025-04-01 21:00:47 +02:00 · 77d1183806
commit 77d1183806
parent be71607ca7
2 changed files with 196 additions and 1 deletions
--- a/docs/_config.yml
+++ b/docs/_config.yml
@ -6,7 +6,7 @@ url: "https://docs.dependencytrack.org"
 baseurl:
 show_full_navigation: true
-version: v4.12
+version: v4.13
 # Values for the jekyll-seo-tag gem (https://github.com/jekyll/jekyll-seo-tag)
 logo: /siteicon.png
--- a/docs/_posts/2025-04-07-v4.13.0.md
+++ b/docs/_posts/2025-04-07-v4.13.0.md
@ -0,0 +1,195 @@
 ---
 title: v4.13.0
 type: major
 ---
 **Highlights:**
 * **API Key Overhaul**. API keys are no longer stored as plain text values in the database,
 but as SHA3-256 hashes. It will no longer be possible to view the full, plain text API keys
 in the administration panel. Instead, full keys will only be shown *once* after their
 creation. To allow keys to be identifiable despite this change, the API key format was adjusted
 to include a *public identifier* portion. Keys generated by version 4.13.0 and later will follow
 the format `odt_<publicId>_<key>`, where `publicId` consists of 8 random characters, and `key`
 of the usual 32 random characters. The public ID is intended to identify API keys without disclosing
 their secret. It will be visible in the UI, and it will also appear in logs.
    * Keys generated by earlier versions of Dependency-Track will continue to work,
      in their case the first 5 characters are assumed to be the public ID.
    * *This feature was discussed and demoed in our February community meeting! Watch it [here](https://www.youtube.com/watch?v=UphB2IDv1Rk&t=280s)*
 * **Collection Projects**. Dependency-Track has had support for project hierarchies for a while,
 but until now their utility was still somewhat limited. Collection projects change this,
 as they allow parent projects to act as aggregates of their children. While they are a major improvement
 to the project hierarchy mechanism, there is still more work to be done. And the team is always
 looking for feedback on how to make it better.
    * *This feature was discussed and demoed in our January community meeting! Watch it [here](https://www.youtube.com/watch?v=DSyf-g2FF_w&t=745s)*
 * **Scheduled Summary Notifications**. Instead of publishing notifications immediately when
 a new vulnerability or policy violation is identified, it is now possible to configure scheduled
 summary notifications. This aids in reducing alert fatigue. Refer to the [notifications documentation]
 for more details.
 * **Reduced Memory Footprint**. The persistence framework used by Dependency-Track to interact with the database
 comes with overambitious caching enabled per default. Disabling this cache mechanism has been a recommendation
 the team gave to users struggling with memory requirements for a while. After evaluating whether it provides
 any justifiable benefit at all, it was decided to turn this feature off entirely. Users with large portfolios
 should see a noticeable drop in heap utilization and pressure on the garbage collector.
 * **Observability Improvements**. Logs emitted while handling REST API requests now include context about
 the authenticated user, the path of the endpoint being called, as well as the request method.
 This makes it easier to trace *where* problems are occurring, and *who* initiated the requests that cause them.
 **Features:**
 * Introduce collection projects for better utilization of project hierarchies - [apiserver/#3258]
 * Add property to control `verified` flag in DefectDojo integration - [apiserver/#4273]
 * Disable DataNucleus L2 cache globally - [apiserver/#4310]
 * Optimize vulnerability synchronization logic to not perform redundant writes - [apiserver/#4359]
 * Add REST API endpoint for batch deletion of projects - [apiserver/#4383]
 * Update link to Azure DevOps Extension in docs - [apiserver/#4423]
 * Reduce database round-trips during BOM processing - [apiserver/#4486]
 * Postpone deprecation of unauthenticated access to Badge API - [apiserver/#4502]
 * Clarify descriptions of component analysis cache properties - [apiserver/#4504]
 * Add debug logging for Composer meta analyzer - [apiserver/#4546]
 * Clarify OpenAPI endpoint location in the docs - [apiserver/#4556]
 * Migrate API keys to new format - [apiserver/#4566], [apiserver/#4682]
 * Update quickstart Compose file to use Postgres instead of H2 - [apiserver/#4576]
 * Add SecObserve to community integrations - [apiserver/#4580]
 * Track "last vulnerability analysis" timestamp for projects - [apiserver/#4642]
 * Implement basic telemetry collection - [apiserver/#4651]
 * Prevent application startup when migrations fail - [apiserver/#4681]
 * Add support for Snyk API version 2024-10-15 - [apiserver/#4715]
 * Add REST API endpoint for bulk creation of tags - [apiserver/#4766]
 * Update Azure AD configuration docs to Entra ID - [apiserver/#4778]
 * Make it configurable whether Trivy should scan only OS packages, only libraries, or both - [apiserver/#4782]
 * Add support for scheduled summary notifications - [apiserver/#4783]
 * Add ability to configure the DefectDojo test title - [apiserver/#4796]
 * Bump SPDX license list to v3.26.0 - [apiserver/#4800]
 * Bump CWE dictionary to v4.16 - [apiserver/#4801]
 * Add new optional column *Classifier* in project component view - [frontend/#1058]
 * Remove deprecation notice of toggle for unauthenticated access to SVG badges - [frontend/#1129]
 * Add timestamp formatting to chart tooltips - [frontend/#1152]
 * Handle new API key format and generation process - [frontend/#1157]
 * Add telemetry admin view - [frontend/#1164]
 * Add autocomplete to project collection logic tag dropdown - [frontend/#1198]
 **Fixes:**
 * Fix failure to synchronize vulnerability aliases when the source of a vulnerability is unrecognized - [apiserver/#4767]
 * Fix possible NPE during affected version attribution sync - [apiserver/#4798]
 * Fix occasional JsonParseException during NVD API mirroring - [apiserver/#4814]
 * Fix UpgradeInitializer halting the entire process upon failure - [apiserver/#4818]
 * Fix column visibility preference not considered for project list - [frontend/#1169]
 * Fix tag autocomplete dropdown library style overriding issue - [frontend/#1213]
 **Upgrade Notes:**
 **Please make a database backup before upgrading!** Some changes in this release are **irreversible**,  
 and you won't be able to roll back simply by downgrading the application version!
 * Existing API keys will be automatically hashed during this upgrade. It will not be possible
 to view them in plain text ever again after the upgrade completed. Outside of making a database
 backup, consider noting down all the keys you might need somewhere safe before performing this upgrade.
 * Dependency-Track instances will automatically share minimal telemetry information on a daily basis.
 Find a list of collected data, as well as instructions for opting out, in the [telemetry documentation].
 For a complete list of changes, refer to the respective GitHub milestones:
 * [API server milestone 4.13.0](https://github.com/DependencyTrack/dependency-track/milestone/38?closed=1)
 * [Frontend milestone 4.13.0](https://github.com/DependencyTrack/frontend/milestone/23?closed=1)
 We thank all organizations and individuals who contributed to this release, from logging issues to taking part in discussions on GitHub & Slack to testing of fixes.
 Special thanks to everyone who contributed code to implement enhancements and fix defects:  
 [@2000rosser], [@AndreVirtimo], [@Gepardgame], [@Granjow], [@LaVibeX], [@MM-msr], [@Malaydewangan09], [@Rudra-Garg],
 [@SaberStrat], [@StefanFl], [@VinodAnandan], [@Zargath], [@ad8-adriant], [@dhfherna], [@jayolee], [@mge-mm],
 [@mikael-carneholm-2-wcar], [@mjwrona], [@rbt-mm], [@rkg-mm], [@stohrendorf], [@valentijnscholten]
 ###### dependency-track-apiserver.jar
 | Algorithm | Checksum |
 |:----------|:---------|
 | SHA-1     |          |
 | SHA-256   |          |
 ###### dependency-track-bundled.jar
 | Algorithm | Checksum |
 |:----------|:---------|
 | SHA-1     |          |
 | SHA-256   |          |
 ###### frontend-dist.zip
 | Algorithm | Checksum                                                         |
 |:----------|:-----------------------------------------------------------------|
 | SHA-1     | 5f18d23205cff4627ff6330bca9f70f71810da89                         |
 | SHA-256   | e64676821351096cce62735d28a15b2ae62c4ba66c1b295ab119a9b83f94eef0 |
 ###### Software Bill of Materials (SBOM)
 * API Server: [bom.json](https://github.com/DependencyTrack/dependency-track/releases/download/4.13.0/bom.json)
 * Frontend: [bom.json](https://github.com/DependencyTrack/frontend/releases/download/4.13.0/bom.json)
 [telemetry documentation]: {{ site.baseurl }}{% link _docs/getting-started/telemetry.md %}
 [notifications documentation]: {{ site.baseurl }}{% link _docs/integrations/notifications.md %}#configuring-scheduled-notifications
 [apiserver/#3258]: https://github.com/DependencyTrack/dependency-track/pull/3258
 [apiserver/#4273]: https://github.com/DependencyTrack/dependency-track/pull/4273
 [apiserver/#4310]: https://github.com/DependencyTrack/dependency-track/pull/4310
 [apiserver/#4359]: https://github.com/DependencyTrack/dependency-track/pull/4359
 [apiserver/#4383]: https://github.com/DependencyTrack/dependency-track/pull/4383
 [apiserver/#4423]: https://github.com/DependencyTrack/dependency-track/pull/4423
 [apiserver/#4486]: https://github.com/DependencyTrack/dependency-track/pull/4486
 [apiserver/#4502]: https://github.com/DependencyTrack/dependency-track/pull/4502
 [apiserver/#4504]: https://github.com/DependencyTrack/dependency-track/pull/4504
 [apiserver/#4546]: https://github.com/DependencyTrack/dependency-track/pull/4546
 [apiserver/#4556]: https://github.com/DependencyTrack/dependency-track/pull/4556
 [apiserver/#4566]: https://github.com/DependencyTrack/dependency-track/pull/4566
 [apiserver/#4576]: https://github.com/DependencyTrack/dependency-track/pull/4576
 [apiserver/#4580]: https://github.com/DependencyTrack/dependency-track/pull/4580
 [apiserver/#4642]: https://github.com/DependencyTrack/dependency-track/pull/4642
 [apiserver/#4651]: https://github.com/DependencyTrack/dependency-track/pull/4651
 [apiserver/#4681]: https://github.com/DependencyTrack/dependency-track/pull/4681
 [apiserver/#4682]: https://github.com/DependencyTrack/dependency-track/pull/4682
 [apiserver/#4715]: https://github.com/DependencyTrack/dependency-track/pull/4715
 [apiserver/#4766]: https://github.com/DependencyTrack/dependency-track/pull/4766
 [apiserver/#4767]: https://github.com/DependencyTrack/dependency-track/pull/4767
 [apiserver/#4778]: https://github.com/DependencyTrack/dependency-track/pull/4778
 [apiserver/#4782]: https://github.com/DependencyTrack/dependency-track/pull/4782
 [apiserver/#4783]: https://github.com/DependencyTrack/dependency-track/pull/4783
 [apiserver/#4796]: https://github.com/DependencyTrack/dependency-track/pull/4796
 [apiserver/#4798]: https://github.com/DependencyTrack/dependency-track/pull/4798
 [apiserver/#4800]: https://github.com/DependencyTrack/dependency-track/pull/4800
 [apiserver/#4801]: https://github.com/DependencyTrack/dependency-track/pull/4801
 [apiserver/#4814]: https://github.com/DependencyTrack/dependency-track/pull/4814
 [apiserver/#4818]: https://github.com/DependencyTrack/dependency-track/pull/4818
 [frontend/#1058]: https://github.com/DependencyTrack/frontend/pull/1058
 [frontend/#1129]: https://github.com/DependencyTrack/frontend/pull/1129
 [frontend/#1152]: https://github.com/DependencyTrack/frontend/pull/1152
 [frontend/#1157]: https://github.com/DependencyTrack/frontend/pull/1157
 [frontend/#1164]: https://github.com/DependencyTrack/frontend/pull/1164
 [frontend/#1169]: https://github.com/DependencyTrack/frontend/pull/1169
 [frontend/#1198]: https://github.com/DependencyTrack/frontend/pull/1198
 [frontend/#1213]: https://github.com/DependencyTrack/frontend/pull/1213
 [@2000rosser]: https://github.com/2000rosser
 [@AndreVirtimo]: https://github.com/AndreVirtimo
 [@Gepardgame]: https://github.com/Gepardgame
 [@Granjow]: https://github.com/Granjow
 [@LaVibeX]: https://github.com/LaVibeX
 [@MM-msr]: https://github.com/MM-msr
 [@Malaydewangan09]: https://github.com/Malaydewangan09
 [@Rudra-Garg]: https://github.com/Rudra-Garg
 [@SaberStrat]: https://github.com/SaberStrat
 [@StefanFl]: https://github.com/StefanFl
 [@VinodAnandan]: https://github.com/VinodAnandan
 [@Zargath]: https://github.com/Zargath
 [@ad8-adriant]: https://github.com/ad8-adriant
 [@dhfherna]: https://github.com/dhfherna
 [@jayolee]: https://github.com/jayolee
 [@mge-mm]: https://github.com/mge-mm
 [@mikael-carneholm-2-wcar]: https://github.com/mikael-carneholm-2-wcar
 [@mjwrona]: https://github.com/mjwrona
 [@rbt-mm]: https://github.com/rbt-mm
 [@rkg-mm]: https://github.com/rkg-mm
 [@stohrendorf]: https://github.com/stohrendorf
 [@valentijnscholten]: https://github.com/valentijnscholten