OWASP dependency-check 1.4.4 released!


Jeremy Long

Nov 7, 2016, 9:03:38 AM11/7/16
to Dependency Check
The OWASP dependency-check team is pleased to announce the release of version 1.4.4! Please visit the documentation site for information on obtaining the new version (CLI, Maven Plugin, Ant Task, Gradle Plugin, Jenkins Plugin, and SBT Plugin).

Release Notes
-------------------
In addition to general code cleanup/improvements; the following significant updates were made:
  • Some users of dependency-check, using OpenJDK on certain Linux distributions, were unable to download the NVD-CVE data. Two options exist: 1) use the Oracle JDK, or 2) install and use Bouncy Castle. More information can be found here: http://jeremylong.github.io/DependencyCheck/data/tlsfailure.html
  • Significant performance improvements for some builds; if identical dependencies were present multiple times in the scan (such as in an aggregate maven scan), each duplicate was scanned multiple times. Now only a single scan per unique sha1 hash is performed. Additionally, the analyzers were parallelized, increasing performance.
  • The gradle plugin now automatically registers itself with the 'check' phase if the Java plugin is present.
  • Improved the gradle plugin's capability to detect and exclude test configurations.
  • Improved suppression functionality within the HTML report; if the GAV is present, the initial suppression will use this instead of the more fragile SHA1 suppression.
  • Fixed the issue with temporary files being unable to be deleted.
  • Fixed issue with multiple scans running at the same time interfering with each other by one scan deleting the other's temporary files.
  • Hardened the XML parser so that XXE would be prevented.
  • Exposed the "hints" functionality that can be used to reduce false negatives.
  • Expanded base suppression filter to reduce false positives.
  • Improved version number matching to reduce false positives/negatives.
  • Updated the presentation on the documentation site to reference the JavaOne slides "Depending on Vulnerable Libraries".

Best Regards,


The OWASP dependency-check team
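The XXE hardening in the release notes above is a one-line item. As an added illustration, not dependency-check's own parser code, the following shows the standard JAXP configuration that refuses DOCTYPE declarations and external entities (XXE is only possible when the parser honours them), checked against a constructed sample document; the class name and sample strings are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlParser {
    // Builds a DocumentBuilder that rejects any DOCTYPE and never resolves
    // external general/parameter entities or external DTDs (the XXE vectors).
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one plain document, one carrying a DOCTYPE with an
        // internal entity. The hardened builder must accept the first and reject
        // the second before any entity is ever resolved.
        String plain = "<?xml version=\"1.0\"?><s>ok</s>";
        String withDoctype =
            "<?xml version=\"1.0\"?><!DOCTYPE s [<!ENTITY e \"x\">]><s>&e;</s>";

        DocumentBuilder db = newHardenedBuilder();
        Document d = db.parse(new InputSource(new StringReader(plain)));
        System.out.println("plain parsed: " + d.getDocumentElement().getTextContent());

        try {
            db.parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // disallow-doctype-decl turns the DOCTYPE into a fatal parse error.
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The same feature set applies to SAXParserFactory and, where a DTD must be tolerated, the two external-entity features plus load-external-dtd are the minimum to disable.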
