dependency-check 1.3.0 released!

Jeremy Long

Aug 5, 2015, 3:51:42 PM
to Dependency Check
All,

The OWASP dependency-check team is pleased to announce the release of version 1.3.0! Please visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant Task, Gradle Plugin, Jenkins Plugin).

In addition to lots of minor bugs/enhancements the noteworthy changes include:
  • The schema for the XML report has been updated
  • The database file name has changed so you may see an initial long download of the NVD data when you use the new version. As a reminder this long download only occurs on the first use as long as you update the database at least once every 7 days.
  • Dale Visor, with the Institute for Defense Analysis, has contributed analyzers to support scanning C/C++ build environments
    • This does not allow scanning DLL/SO files, rather these analyzers are designed to scan the cmake and autoconf files
    • In addition a single purpose analyzer was added to look at openssl header files to determine what version of openssl is being used
  • Wei Ma has started a gradle plugin
  • Thanks to Will (colezlaw) logging is now integrated into build tools logging framework (Maven and Ant)
    • The logFile option has been removed from the Maven plugin and Ant task
    • Logging now uses slf4j in the core and this will make it easier to integrate with other build systems in the future (sbt, ivy, etc.)
  • Added additional CVSS data to the reports - the abbreviated scores of the CVSS2 score are now displayed
  • In previous versions only the evidence used to identify the CPEs was displayed; in 1.3 all of the evidence collected is displayed
  • OWASP dependency-check-cli is now available via homebrew
  • The CVE URLs are now exposed as command line arguments in the CLI to mirror the arguments already available in the Maven plugin and Ant task
  • Added a symbolic link depth argument to the CLI to prevent endless loops (see the documentation here: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html)

As a reminder, Steve Springett also recently released the dependency-check SonarQube plugin - see the announcement here: https://groups.google.com/forum/#!searchin/dependency-check/sonar/dependency-check/0g3tw5vnqrM/gEXmtW6IKnYJ

If you happen to be at Black Hat USA this year, please stop by the Arsenal on Thursday, August 6th, at 12:45pm to check out the tool!

Best Regards,

the dependency-check team