[Owasp-leaders] dependency-check 1.2.9 released
jeremy.long at owasp.org
Sat Mar 7 13:16:50 UTC 2015
The OWASP dependency-check
<https://www.owasp.org/index.php/OWASP_Dependency_Check> team is pleased to
announce the release of 1.2.9! This release contains general maintenance,
upgrading dependent libraries, minor bug fixes, etc. Please visit the
site <http://jeremylong.github.io/DependencyCheck/> for information on
obtaining the new version (CLI, Maven Plugin, Ant Task, Jenkins Plugin).
The changes of note are:
- The Maven plugin was reworked to correctly process child modules when
creating an aggregate project. Included in the change were several other
issues end users have contacted me about.
- Reduced false negatives with regard to some versions of Spring.
- Fixed issue #196 - Some JAR files do not contain POM files yet a full
POM is available from Central (or alternatively Nexus). Both the Central
and Nexus analyzers will now look for and retrieve the POM if one has not
been found locally. A result of this change is that if both the Central and
Nexus analyzer are disabled there is a chance of false negatives (i.e. the
dependency could not be correctly identified as vulnerable).
- Fixed issue #185 - Maven aggregate reports now display the project
name that references the vulnerable dependency.
We continue to get help from the github community! This release includes
PRs from Ahmet Kiyak <https://github.com/ahi> and Hans Joachim Desserud
<https://github.com/hansjoachim> - thanks, we truly appreciate the help!
The OWASP dependency-check team
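The issue #196 note above has a practical consequence: a JAR with no embedded POM can only be identified through the Central or Nexus analyzer, both of which look the artifact up by its SHA-1, so scanning with both analyzers disabled can silently miss it. The following is an added example, not code from the announcement or from the dependency-check project, that pre-checks JARs for an embedded pom.xml (Maven's standard META-INF/maven/<groupId>/<artifactId>/pom.xml location) and flags the ones at risk of a false negative under a given analyzer configuration. The sample JARs, their com.example coordinates and the `triage` helper are constructed for the example.

```python
"""Flag JARs whose metadata dependency-check can only recover from Central/Nexus.

Added example, not dependency-check code. It checks the condition described in
the 1.2.9 release note: a JAR that carries no META-INF/maven/**/pom.xml must be
identified through the Central or Nexus analyzer (both look the artifact up by
SHA-1), so disabling both risks a false negative for that dependency.
"""
import hashlib
import io
import zipfile
from typing import Optional

POM_PREFIX = "META-INF/maven/"


def embedded_pom_path(jar_bytes: bytes) -> Optional[str]:
    """Return the path of the first embedded pom.xml, or None if the JAR has none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("/pom.xml"):
                return name
    return None


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the whole file: the key the Central/Nexus analyzers use to look a JAR up."""
    return hashlib.sha1(data).hexdigest()


def triage(jar_name: str, jar_bytes: bytes,
           central_enabled: bool = True, nexus_enabled: bool = True) -> dict:
    """Classify a JAR (hypothetical helper, not a dependency-check API):
    'pom-embedded'        - local metadata is enough to identify it
    'remote-lookup'       - no embedded POM; Central or Nexus must fetch it
    'false-negative-risk' - no embedded POM and both remote analyzers are off
    """
    pom = embedded_pom_path(jar_bytes)
    if pom is not None:
        status = "pom-embedded"
    elif central_enabled or nexus_enabled:
        status = "remote-lookup"
    else:
        status = "false-negative-risk"
    return {"jar": jar_name, "status": status, "pom": pom, "sha1": sha1_hex(jar_bytes)}


def make_jar(entries: dict) -> bytes:
    """Build a minimal JAR (a zip) in memory from {path: content}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample JARs with hypothetical com.example coordinates (not real artifacts).
WITH_POM = make_jar({
    "META-INF/maven/com.example/widget/pom.xml":
        "<project><groupId>com.example</groupId><artifactId>widget</artifactId>"
        "<version>1.0</version></project>",
    "com/example/Widget.class": b"\xca\xfe\xba\xbe",
})
WITHOUT_POM = make_jar({"com/example/Gadget.class": b"\xca\xfe\xba\xbe"})


if __name__ == "__main__":
    # Simulate a scan with both remote analyzers disabled: gadget-1.0.jar is flagged.
    for name, data in (("widget-1.0.jar", WITH_POM), ("gadget-1.0.jar", WITHOUT_POM)):
        print(triage(name, data, central_enabled=False, nexus_enabled=False))
```

Run this over a build's lib directory before an offline scan: any JAR reported as false-negative-risk either needs one of the remote analyzers re-enabled or deserves a manual check against its SHA-1.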