Releases: albuch/sbt-dependency-check
v5.1.0
Upgraded dependency-check-core to v.8.1.2. See release notes for DependencyCheck from v8.1.1 to v8.1.2 for details.
Noteworthy Changes
- new setting
dependencyCheckHostedSuppressionsEnabled
to disabled the use of the hosted suppression file
Bugfixes
- New settings introduced with release
v5.0.0
were not applied
v5.0.0
Updated dependency-check-core to v.8.1.0. See release notes for DependencyCheck from v8.0.0 to v8.1.0 for details.
Breaking Changes
The database schema was updated - if using an external database the update/initialization scripts must be run!
Noteworthy changes
- New settings
dependencyCheckHostedSuppressionsUrl
,dependencyCheckHostedSuppressionsForceUpdate
anddependencyCheckHostedSuppressionsValidForHours
for a hosted suppression file to allow for faster remediation of reported false-positives. Defaults to a file maintained by the DependencyCheck project team. - New analyzer settings related to CISA Known Exploited Vulnerability Catalog:
dependencyCheckKnownExploitedEnabled
,dependencyCheckKnownExploitedUrl
anddependencyCheckKnownExploitedValidForHours
- New Settings to set authentication credentials for the RetireJS Analyzer data feed:
dependencyCheckRetireJsAnalyzerRepoUser
,dependencyCheckRetireJsAnalyzerRepoPassword
- New schema for the XML report was added to support some of the above additions
Pipefile.lock
files are now supported
v4.3.0
Update dependency-check-core to v7.4.4. See release notes for DependencyCheck from v7.3.1 to v7.4.4 for details.
Noteworthy changes
- New setting key
dependencyCheckPoetryAnalyzerEnabled
for experimental Python Poetry Analyzer - Added a vanilla HTML report for use in Jenkins
- Resolved issue processing NVD CVE data due to column width (#282)
v4.2.0
Update dependency-check-core to v7.3.0. See release notes for DependencyCheck from v7.2.0 to v7.3.0 for details.
Noteworthy changes
- Added a setting key for an experimental Dart Analyzer:
dependencyCheckDartAnalyzerEnabled
- Added a setting key for URL connection read timeouts:
dependencyCheckConnectionReadTimeout
- Added a setting key for an analzyer for Bazel's pinned
maven_install.json
:dependencyCheckMavenInstallAnalyzerEnabled
- Added a setting key to force Uupdate RetireJS data feed regardless the
dependencyCheckAutoUpdate
setting:dependencyCheckRetireJSForceUpdate
v4.1.0
Update dependency-check-core
to v7.1.0. See release notes for DependencyCheck v7.1.0 for details
v4.0.0
Updated dependency-check-core to v7.0.0. See release notes of DependencyCheck of v7.0.0 for details
Breaking changes
- The H2 database version has been upgraded to a new major version. If you use the
dependencyCheckDataDirectory
setting you will need to rundependencyCheckPurge
after upgrading. - Upgraded to dotnet core 6.0. If analyzing dotnet assemblies the system will need to have the dotnet core 6.0.x runtime available.
Noteworthy changes
- The Sarif report format has been fixed and can now be imported into GitHub if desired.
- When analyzing Scala projects ODC now includes data from the developers section.
- This will likely cause false positives on things like Apache James, please report the FP upstream at https://github.com/jeremylong/DependencyCheck and they will fix these quickly.
v3.4.1
v3.4.0
- Updated dependency-check-core to v6.5.3. See release notes of DependencyCheck for v6.5.0 to v6.5.3 for full details.
Noteworthy changes
- new setting
dependencyCheckPNPMAuditAnalayzerEnabled
anddependencyCheckPathToPNPM
for the new pnpm analyzer.
v3.3.0
- Updated dependency-check-core to v6.4.1 (#213 ). See release notes of DependencyCheck for v6.3.2 to v6.4.1 for details.
Notworthy changes
- New setting
dependencyCheckCveWaitTime
for the time in milliseconds to wait between downloads from the NVD. - New setting
dependencyCheckCveStartYear
for the first year of NVD CVE data to download from the NVD. - Several changes to reduce risk of NVD rate limiting
- Reduced chance of rate limiting when download files from NVD
- The NVD CVE data files are now being cached for up to 4 hours in case a download fails, re-running the plugin will use the cached version.
- Added download attempts with increasing wait time for CVE meta files from the NVD to prevent rate limiting issues
v3.2.0
- Updated dependency-check-core to v6.3.1 (#207). See release notes of DependencyCheck for v6.2.0 to v6.3.1 for details.
- Update sbt to v1.5.5
Notheworthy changes
- New setting
dependencyCheckCpanFileAnalyzerEnabled
for Perl CPAN File Analyzer - New setting
dependencyCheckNodePackageSkipDevDependencies
to disable checking dev dependencies for Node.js Analyzer - New Setting
dependencyCheckSwiftPackageResolvedAnalyzerEnabled
for Swift Package Resolved Analyzer