OWASP dependency-check 1.3.1 Released!


Jeremy Long

Sep 21, 2015, 7:00:36 AM9/21/15
to Dependency Check
The OWASP dependency-check team is pleased to announce the release of version 1.3.1! Please visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant Task, Gradle Plugin, Jenkins Plugin).

With this release additional languages are supported: Node.js, PHP, and Ruby! Please see the notes below for additional details.


Summary of Changes
  • Will (colezlaw) has contributed an analyzer to support PHP Composer Lock files! This is a new file type and as always there may be false positives and false negatives - please report both as issues to the github repo.
  • Dale Visor, with the Institute for Defense Analysis, has contributed analyzers to support scanning Node.js and Ruby (gemspec) projects!
    • While Ruby was added - it is highly recommended that Ruby projects use bundler-audit.
  • Anthony Whiteford and Hans Joachim have helped clean up the code base and fix some minor bugs.
  • A purge feature was added per issue #328 that will delete the local copy of the NVD.
    • This has been exposed as a CLI argument, a Maven Goal, and an Ant Task.
  • Bzip2 is now a supported archive type
Jenkins
Support for Jenkins Workflow plugin was contributed by CloudBees. Jenkins Workflow is all about taking simple continuous delivery pipelines to the next level through scripted-based automation which adds the ability to pause and resume if a failure in the workflow occurs. (CloudBees also provides the CI environment for dependency-check).

Maven
The Maven Plugin was updated to resolve issue #189 - the aggregate report will now correctly generate an HTML report.
  • Note, issues with the aggregate goal still exist (see issue #325). While the aggregate goal will work successfully with `mvn site`, running `mvn site site:stage` will result in a blank report being staged. This issue will be addressed in the next release.
Ant
The Ant Task was significantly re-worked:
  • Updated the installation and usage instructions 
  • No longer released as a single, shaded JAR file.
  • The single task was split into three tasks: check, update, purge
-------------

Thanks again for all the support in helping this project be useful! We truly appreciate the PRs, feature requests, and reported issues. Remember, if you run into false positives you can use a suppression file; however, we would appreciate it if you would report the false positive as an issue to the github repo's issue tracker.

Best Regards,

The OWASP dependency-check Team
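The announcement above points to suppression files as the way to handle false positives. The file below is an added, constructed example (not from the announcement or the project); it assumes the 1.1 suppression schema and a hypothetical artifact `com.example:example-lib`, and shows how to scope a suppression to one artifact and one CPE match so that it cannot hide a real finding elsewhere.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example suppression file for dependency-check.
     Namespace assumed to be the 1.1 suppression schema. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <!-- Record why the match is wrong, so the suppression can be reviewed later. -->
    <notes><![CDATA[
      False positive: the CPE was matched on the artifact name only; the flagged
      product is unrelated to this library. Reported upstream as issue <ISSUE-NUMBER>.
    ]]></notes>
    <!-- Scope to the exact group:artifact (any version) via a regex on the GAV. -->
    <gav regex="true">^com\.example:example-lib:.*$</gav>
    <!-- Suppress only this CPE identification; other matches on the same
         artifact are still reported. -->
    <cpe>cpe:/a:example_vendor:example_product</cpe>
  </suppress>
</suppressions>
```

Scoping each entry to a GAV plus a single CPE (rather than suppressing the whole artifact) keeps the file auditable and limits what a stale entry can silence.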