[Owasp-leaders] dependency-check 1.2.9 released

Jeremy Long jeremy.long at owasp.org
Sat Mar 7 13:16:50 UTC 2015


The OWASP dependency-check
<https://www.owasp.org/index.php/OWASP_Dependency_Check> team is pleased to
announce the release of 1.2.9! This release contains general maintenance,
upgrading dependent libraries, minor bug fixes, etc. Please visit the
site <http://jeremylong.github.io/DependencyCheck/> for information on
obtaining the new version (CLI, Maven Plugin, Ant Task, Jenkins Plugin).

The changes of note are:

   - The Maven plugin was reworked to correctly process child modules when
   creating an aggregate project. Included in the change were several other
   issues end users have contacted me about.
   - Reduced false negatives with regard to some versions of Spring.
   - Fixed issue #196 - Some JAR files do not contain POM files yet a full
   POM is available from Central (or alternatively Nexus). Both the Central
   and Nexus analyzers will now look for and retrieve the POM if one has not
   been found locally. A result of this change is that if both the Central and
   Nexus analyzer are disabled there is a chance of false negatives (i.e. the
   dependency could not be correctly identified as vulnerable).
   - Fixed issue #185 - Maven aggregate reports now display the project
   name that references the vulnerable dependency.

We continue to get help from the github community! This release includes
PRs from Ahmet Kiyak <https://github.com/ahi> and Hans Joachim Desserud
<https://github.com/hansjoachim> - thanks, we truly appreciate the help!

Best Regards,

The OWASP dependency-check team
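The issue #196 note above describes the fallback a scanner needs when a JAR ships without an embedded POM: read META-INF/maven/**/pom.properties if present, otherwise look the artifact up remotely by checksum, and accept that with both Central and Nexus disabled such a JAR stays unidentified. The script below is an added illustration of that decision logic, not code from dependency-check; it assumes the standard Maven metadata layout inside a JAR, uses an illustrative (never fetched) Central SHA-1 search URL, and builds its two sample JARs in memory.

```python
import hashlib
import io
import zipfile

# Assumption (illustrative only, never fetched here): Maven Central's SHA-1
# search endpoint, which lets a scanner recover the coordinates of a JAR that
# carries no embedded POM.
CENTRAL_SHA1_SEARCH = 'https://search.maven.org/solrsearch/select?q=1:"{sha1}"&rows=1&wt=json'


def build_jar(entries):
    """Build an in-memory JAR from {entry name: bytes}. Constructed sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def embedded_gav(jar_bytes):
    """Return (groupId, artifactId, version) from META-INF/maven/**/pom.properties,
    or None when the JAR carries no usable Maven metadata."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                gav = tuple(props.get(k) for k in ("groupId", "artifactId", "version"))
                if all(gav):
                    return gav
    return None


def plan_identification(jar_bytes, central_enabled=True, nexus_enabled=True):
    """Decide how the JAR would be identified: embedded POM first, then Central,
    then Nexus. With both remote analyzers off, an unlabelled JAR stays
    unidentified, which is the false-negative risk the release note warns about."""
    gav = embedded_gav(jar_bytes)
    if gav is not None:
        return {"method": "embedded", "gav": gav, "sha1": None, "lookup": None}
    # SHA-1 is used here as the artifact identifier that repositories index,
    # not as a security hash.
    sha1 = hashlib.sha1(jar_bytes).hexdigest()
    if central_enabled:
        return {"method": "central", "gav": None, "sha1": sha1,
                "lookup": CENTRAL_SHA1_SEARCH.format(sha1=sha1)}
    if nexus_enabled:
        # Assumption: a Nexus instance would be queried by the same checksum;
        # the exact URL depends on the server, so only the method is recorded.
        return {"method": "nexus", "gav": None, "sha1": sha1, "lookup": None}
    return {"method": "unidentified", "gav": None, "sha1": sha1, "lookup": None}


# Constructed sample JARs: one as Maven builds it (embedded POM), one stripped of it.
JAR_WITH_POM = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/maven/org.example/demo/pom.properties":
        b"#Generated by Maven\nversion=1.2.9\ngroupId=org.example\nartifactId=demo\n",
    "META-INF/maven/org.example/demo/pom.xml": b"<project/>\n",
    "org/example/Demo.class": b"\xca\xfe\xba\xbe",
})
JAR_WITHOUT_POM = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/Demo.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for label, jar in (("with pom", JAR_WITH_POM), ("without pom", JAR_WITHOUT_POM)):
        for flags in ((True, True), (False, True), (False, False)):
            print(label, flags, plan_identification(jar, *flags)["method"])
```

Running it shows the JAR with embedded metadata identified regardless of analyzer settings, while the stripped JAR degrades from a Central lookup to a Nexus lookup to "unidentified" as the remote analyzers are switched off.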