[Owasp-leaders] dependency-check 1.2.6 released!

Jeremy Long jeremy.long at owasp.org
Mon Nov 17 11:25:01 UTC 2014


All,

The dependency-check team
<https://www.owasp.org/index.php/Projects/OWASP_Dependency_Check#tab=Acknowledgements>
is pleased to announce the release of 1.2.6
<https://www.owasp.org/index.php/Projects/OWASP_Dependency_Check>! If
you've used the project and found it useful please help promote it by
retweeting
my announcement <https://twitter.com/ctxt/status/534302103196286976>. If
you haven't taken a look at dependency-check - it is a tool that can be
used as part of the solution to the OWASP Top 10 A9 - Using Components with
Known Vulnerabilities
<https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities>.
For more information on the project, how the tool works, etc. please take a
look at the documentation site
<http://jeremylong.github.io/DependencyCheck/>.

Aside from general code clean-up, several important changes are included in
this release and I would highly recommend upgrading. The documentation site
<http://jeremylong.github.io/DependencyCheck/> has been updated, the Command
Line Interface (CLI)
<https://bintray.com/jeremy-long/owasp/dependency-check/view> and ANT task
<https://bintray.com/jeremy-long/owasp/dependency-check-ant/view> are
available on bintray <https://bintray.com/jeremy-long/owasp>, the Maven
plugin
<http://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-maven%7C1.2.6%7Cmaven-plugin>
and Ant task
<http://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-ant%7C1.2.6%7Cjar>
are available in Central
<http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp%22%20AND%20dependency-check>,
and the Jenkins plugin is available through Jenkins plugin
<https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin>
management.

Please let us know if you have issues either by posting to the group
<https://groups.google.com/forum/#!forum/dependency-check> or opening an
issue <https://github.com/jeremylong/DependencyCheck/issues>.

Summary of changes:

   1. Fixed reported false positives.
   2. The Maven plugin now uses the dependency's GAV as declared in the
   project/POM being scanned (thanks Erik!).
   3. Resolved issue #156 to ensure consistent results rather than cycling
   removed and added issues in Jenkins.
   4. The CLI now accepts Ant style paths for the '--scan' argument.
   5. The CLI now accepts an '--exclude' argument that accepts Ant style
   exclusions.
   6. When using the CLI you can now specify a file name for the output
   file (as long as the --format is not set to ALL). The file extension must
   be '.xml' when --format is set to XML, or '.htm' or '.html' for either of
   the HTML formatted reports.
   7. The Nexus Analyzer has been disabled and replaced with the Central
   Analyzer. If you specify a Nexus Pro URL in the configuration
   dependency-check will use the specified Nexus Pro server instead of using
   Central. The functionality between the two analyzers is identical; however,
   the very supportive people at Sonatype asked us to make this change - so
   please upgrade to use the Central Analyzer.
   8. Updated the URLs to download the NVD CVE data to use the gzip
   version. This has drastically decreased the time required to update the
   local cache of the NVD data. NOTE - if you are mirroring the NVD on your
   local network the original URLs to the XML files will work; but it is
   strongly advised that you change to using the gzip URLs. The current URLs
   can be obtained from the dependencycheck.properties
   <https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/dependencycheck.properties>
   file:

cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
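
As an added illustration (not code from the dependency-check project), the
following Python script reads these four properties, expands the %d year
placeholder into the full list of feed URLs the updater will download, and
flags any entry that still points at an uncompressed XML feed, which is the
check to run against a local NVD mirror configuration before upgrading. The
start year of 2002 and the one-URL-per-year expansion of the base templates
are assumptions based on how the URLs are shown above.

```python
"""Expand the NVD feed URLs from dependencycheck.properties and audit them.

Added example, not part of the dependency-check project. Assumes the four
property names shown in the announcement and that each *.base URL carries a
%d placeholder that is filled with the feed year.
"""

FIRST_FEED_YEAR = 2002  # assumption: yearly NVD feeds start with 2002

# Constructed sample of the relevant lines from dependencycheck.properties.
PROPERTIES = """\
# NVD CVE feed locations
cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#'/'!' comments and
    blank lines are skipped; surrounding whitespace is trimmed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def feed_urls(props, last_year):
    """Every URL the updater fetches: both 'modified' feeds, then one URL per
    year for each base template (the %d placeholder is replaced by the year)."""
    urls = [props["cve.url-1.2.modified"], props["cve.url-2.0.modified"]]
    for key in ("cve.url-1.2.base", "cve.url-2.0.base"):
        template = props[key]
        urls.extend(template.replace("%d", str(year))
                    for year in range(FIRST_FEED_YEAR, last_year + 1))
    return urls


def non_gzip_urls(urls):
    """URLs still pointing at uncompressed XML feeds (the announcement advises
    switching each of these to its .gz variant)."""
    return [u for u in urls if not u.endswith(".gz")]


if __name__ == "__main__":
    all_urls = feed_urls(parse_properties(PROPERTIES), 2014)
    print("\n".join(all_urls))
    print("non-gzip feeds:", non_gzip_urls(all_urls))
```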


Best Regards,

the dependency-check team