Current Behavior

The Bouncy Castle project (ie, multiple components) released 1.80 on 14th January 2025. Two weeks ago at time of writing.

Dependency-Track is still reporting that the latest release is 1.79 for some (but not all) components....

@nscuro observed on 28th January that Maven Central reports 1.80 (well, if it did not then I would have failed in my upgrade to 1.80 that is shown in the above screenshot):

https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk15to18/maven-metadata.xml

...and, for an example pkg:maven/org.bouncycastle/[email protected]?type=jar, DT unit tests (no caching) see:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<metadata>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15to18</artifactId>
    <versioning>
        <latest>1.79</latest>
        <release>1.79</release>
        <versions>
            <version>1.63</version>
            <version>1.64</version>
            (snip)                  
            <version>1.78.1</version>
            <version>1.79</version>
        </versions>
        <lastUpdated>20241030032911</lastUpdated>
    </versioning>
</metadata>

...with this response header from Central:

Last-Modified: Wed, 30 Oct 2024 03:29:11 GMT

Steps to Reproduce

1. Upload component pkg:maven/org.bouncycastle/[email protected]?type=jar to a project
2. Check what version DT reports for latest version.

Expected Behavior

Latest version for components should be correct, updating to new values within a couple of hours of (say) Maven Central making a new version available.

Dependency-Track Version

4.12.3

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.12

Browser

Mozilla Firefox

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported