All,
The OWASP dependency-check team is pleased to announce the release of 1.2.9! This release contains general maintenance, upgrades of dependent libraries, minor bug fixes, etc.
Please visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant Task, Jenkins Plugin). The changes of note are:
- The Maven plugin was reworked to correctly process child modules when creating an aggregate project. Included in the change were several other issues end users have contacted me about.
- Reduced false negatives with regard to some versions of Spring.
- Fixed issue #196 - Some JAR files do not contain POM files, yet a full POM is available from Central (or alternatively Nexus). Both the Central and Nexus analyzers will now look for and retrieve the POM if one has not been found locally. A consequence of this change is that if both the Central and Nexus analyzers are disabled there is a chance of false negatives (i.e. the dependency could not be correctly identified as vulnerable).
- Fixed issue #185 - Maven aggregate reports now display the project name that references the vulnerable dependency.
We continue to get help from the GitHub community! This release includes PRs from Ahmet Kiyak and Hans Joachim Desserud - thanks, we truly appreciate the help!
Lastly, OWASP has promoted the dependency-check project to one of their flagship projects!
Best Regards,
The OWASP dependency-check team