OWASP dependency-check 1.4.3 released!


Jeremy Long

Sep 6, 2016, 8:03:32 PM
to Dependency Check
The OWASP dependency-check team is pleased to announce the release of version 1.4.3! Please visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant Task, Gradle Plugin, Jenkins Plugin, and SBT Plugin).

Due to issues in versions of dependency-check prior to 1.4.3 I would highly recommend that users upgrade. As part of the upgrade to 1.4.3 I would recommend deleting your existing database and starting off with a fresh copy.

Release Notes
-------------------

Core Engine:
  • Fixed issues with parsing CVE entries from the NVD
  • Additional changes made to support HTTPS connections to the NVD as TLS 1.0 is no longer supported; alternative JVMs should now be able to connect successfully.
  • Experimental analyzers were added for cocoapods and swift package manager support.
    • To enable these analyzers one must specifically enable the experimental analyzers (see the documentation for the interface you are using: Maven, Gradle, etc.).
  • Lots of internal code updates and bug fixes.
Gradle Plugin:
  • Added documentation for skipConfigurations and scanConfigurations so that users can better configure their scan.
Maven Plugin:
  • Completely re-wrote the report aggregation to resolve issues with site:stage and site:deploy producing blank reports.


Best Regards,

The OWASP dependency-check team
