[Owasp-leaders] OWASP dependency-check 1.3.5 released!

Jeremy Long jeremy.long at owasp.org
Sun Mar 6 12:38:46 UTC 2016


The OWASP dependency-check team is pleased to announce the release of
version 1.3.5! Thanks to all those who have used the tool and provided
feedback via the discussion group and issues in github. A special thanks
goes out to those that have submitted pull requests!

Please visit the documentation site
<http://jeremylong.github.io/DependencyCheck/> for information on obtaining
the new version:

   - CLI
   <http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html>
   - Maven Plugin
   <http://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html>
   - Ant Task
   <http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html>
   - Gradle Plugin
   <http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html>
   - Jenkins Plugin
   <https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin>

*Release Notes*

In addition to the general minor bug fixes and false positive reductions
here are the release notes for 1.3.5 (and 1.3.4 - I forgot to post these
previously):

Version 1.3.5

   - False negative reduction - more entries are being parsed from the
   manifest in JAR files. In some cases, this may appear to cause false
   positives. However, these extra entries generally represent code that was
   copied from another project (possibly via shading) and as such, the
   vulnerability may also exist in the combined JAR.
   - The aggregate goal for the Maven plugin is still problematic
   <http://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html>;
   changes have been made to try to resolve some of the issues. However, if
   the aggregate goal is used in site reporting, a blank report will be
   produced for anything beyond site:site (i.e. site:stage and site:deploy
   will likely have blank reports for the aggregate goal).
   - If using a centralized database
   <http://jeremylong.github.io/DependencyCheck/data/database.html>,
   forward compatibility has been implemented. Previously, if you had many
   installations using the same database and upgraded one of them to a new
   version that changed the database schema, all installations needed to be
   upgraded as well. With version 1.3.5, when a new version of
   dependency-check comes out that changes the database schema, 1.3.5 will
   still be able to use the same centralized database.
   - The Maven plugin now supports the non-proxy hosts
   <https://maven.apache.org/settings.html#Proxies>, as configured in the
   settings.xml.
   - Resolved an issue that occurred in some CI environments that forked
   builds, which caused multiple threads to hit a non-threadsafe method. The
   method has now been marked synchronized.
   - Support for additional databases has been added when using a
   centralized database. Specifically, MySQL, Postgres, and Oracle are now
   possible.


Version 1.3.4

   - The Maven plugin now supports encrypted passwords
   <http://maven.apache.org/guides/mini/guide-encryption.html>; useful when
   using a centralized database.
   - In the Maven plugin the autoupdate configuration was changed to
   autoUpdate. If you have set this to false and upgrade, autoupdate will
   likely default to true unless you fix the casing in the configuration.


Best Regards,

The OWASP dependency-check team
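As an added example (not part of the announcement above, nor the project's own documentation), here is what the Maven-side notes look like in configuration: the pre-1.3.4 element name that the plugin no longer reads (so the default of true silently applies and the NVD data is still refreshed on every build), beside the corrected autoUpdate casing; a centralized-database setup whose password comes from an encrypted settings.xml server entry; and a settings.xml proxy with nonProxyHosts so the database host is not routed through the proxy. Only autoUpdate, nonProxyHosts and the settings.xml encryption mechanism are stated by the message or by Maven itself; the other plugin parameters (connectionString, databaseDriverName, databaseUser, serverId) are assumed from the plugin documentation of that era, and every hostname, user, id and encrypted value is a placeholder.

```xml
<!-- pom.xml fragment (added example; host, user and ids are placeholders) -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>1.3.5</version>
  <configuration>
    <!-- Old casing: from 1.3.4 on this element is not recognized, so the
         plugin falls back to its default of true and keeps auto-updating.
         Left here commented out to show the silent-failure case. -->
    <!-- <autoupdate>false</autoupdate> -->

    <!-- Corrected casing for 1.3.4 and later. Set to false only when the
         centralized database is being updated by a separate job. -->
    <autoUpdate>false</autoUpdate>

    <!-- Centralized database (parameter names assumed from the plugin docs). -->
    <connectionString>jdbc:mysql://odc-db.example.internal:3306/dependencycheck</connectionString>
    <databaseDriverName>com.mysql.jdbc.Driver</databaseDriverName>
    <databaseUser>odc</databaseUser>
    <!-- No plaintext databasePassword in the POM: the credentials are taken
         from the <server> with this id in settings.xml, where the password
         can be stored encrypted. -->
    <serverId>odc-db</serverId>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

<!-- ~/.m2/settings.xml fragment (added example). The password value is the
     output of `mvn --encrypt-password`, which requires a master password in
     ~/.m2/settings-security.xml; the braces-delimited string below is only a
     placeholder of the right shape, not a real ciphertext. -->
<settings>
  <servers>
    <server>
      <id>odc-db</id>
      <username>odc</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
  </servers>
  <proxies>
    <proxy>
      <id>corp-proxy</id>
      <active>true</active>
      <protocol>http</protocol>
      <host>proxy.example.internal</host>
      <port>3128</port>
      <!-- Internal hosts that must bypass the proxy; the 1.3.5 plugin honors
           this list, so the database host is reached directly while NVD
           downloads still go through the proxy. -->
      <nonProxyHosts>*.example.internal|localhost</nonProxyHosts>
    </proxy>
  </proxies>
</settings>
```

A quick check after upgrading: run `mvn -X org.owasp:dependency-check-maven:check` on a build that was meant to have auto-update disabled and confirm no NVD download is attempted; if one is, the configuration element is still the old lowercase name and is being ignored.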