With this release additional languages are supported: Node.js, PHP, and Ruby! Please see the notes below for additional details.
Summary of Changes
- Will (colezlaw) has contributed an analyzer to support PHP Composer lock files! This is a new file type and, as always, there may be false positives and false negatives - please report both as issues to the GitHub repo.
- Dale Visor, with the Institute for Defense Analysis, has contributed analyzers to support scanning Node.js and Ruby (gemspec) projects!
- While Ruby support was added, it is highly recommended that Ruby projects use bundler-audit.
- Anthony Whiteford and Hans Joachim have helped clean up the code base and fix some minor bugs.
- A purge feature was added per issue #328; it deletes the local copy of the NVD.
  - This has been exposed as a CLI argument, a Maven goal, and an Ant task.
- Bzip2 is now a supported archive type.
Jenkins
Support for the Jenkins Workflow plugin was contributed by CloudBees. Jenkins Workflow is all about taking simple continuous delivery pipelines to the next level through script-based automation, which adds the ability to pause and resume if a failure occurs in the workflow. (CloudBees also provides the CI environment for dependency-check.)
Maven
The Maven plugin was updated to resolve issue #189: the aggregate goal now correctly generates an HTML report.
- Note: issues with the aggregate goal still exist (see issue #325). While the aggregate goal works successfully with `mvn site`, running `mvn site site:stage` will result in a blank report being staged. This issue will be addressed in the next release.
Ant
The Ant Task was significantly re-worked:
- Updated the installation and usage instructions.
- No longer released as a single, shaded JAR file.
- The single task was split into three tasks: check, update, and purge.
-------------
Thanks again for all the support in helping this project be useful! We truly appreciate the PRs, feature requests, and reported issues. Remember, if you run into false positives you can use a suppression file; however, we would appreciate it if you would also report the false positive as an issue in the GitHub repo's issue tracker.
Best Regards,
The OWASP dependency-check Team