[Owasp-leaders] OWASP dependency-check 1.3.5 released!

Matt Konda matt.konda at owasp.org
Tue Mar 8 02:45:13 UTC 2016

Awesome work, Jeremy.

Thank you!

On Sun, Mar 6, 2016 at 6:38 AM, Jeremy Long <jeremy.long at owasp.org> wrote:

> The OWASP dependency-check team is pleased to announce the release of
> version 1.3.5! Thanks to all those who have used the tool and provided
> feedback via the discussion group and issues in github. A special thanks
> goes out to those that have submitted pull requests!
> Please visit the documentation site
> <http://jeremylong.github.io/DependencyCheck/> for information on
> obtaining the new version (CLI
> <http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html>
> , Maven Plugin
> <http://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html>
> , Ant Task
> <http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html>
> , Gradle Plugin
> <http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html>
> , Jenkins Plugin
> <https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin>
> ).
> *Release Notes*
> In addition to the general minor bug fixes and false positive reductions
> here are the release notes for 1.3.5 (and 1.3.4 - I forgot to post these
> previously):
> Version 1.3.5
>    - False negative reduction - more entries are being parsed from the
>    manifest in JAR files. In some cases, this may appear to cause false
>    positives. However, these extra entries generally represent code that was
>    copied from another project (possibly via shading) and as such, the
>    vulnerability may also exist in the combined JAR.
>    - The aggregate goal for the Maven plugin is still problematic
>    <http://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html>;
>    changes have been made to try and resolve some of the issues. However, if
>    the aggregate goal is used in site reporting a blank report will be
>    produced for anything beyond site:site (i.e. site:stage and site:deploy
>    will likely have blank reports for the aggregate goal).
>    - If using a centralized database
>    <http://jeremylong.github.io/DependencyCheck/data/database.html>,
>    forward compatibility has been implemented. Previously, if you have many
>    installations using the same database when you upgraded to a new version
>    that made an update to the database schema all installations would need to
>    be upgraded as well. With version 1.3.5 when a new version of
>    dependency-check comes out that makes a change to the database schema 1.3.5
>    will still be able to use the same centralized database.
>    - The Maven plugin now supports the non-proxy hosts
>    <https://maven.apache.org/settings.html#Proxies>, as configured in the
>    settings.xml.
>    - Resolved an issue that occurred in some CI environments that forked
>    builds, which caused multiple threads to hit a non-threadsafe method. The
>    method has now been marked synchronized.
>    - Support for additional databases has been added when using a
>    centralized database. Specifically, MySQL, Postgres, and Oracle are now
>    possible.
> Version 1.3.4
>    - The Maven plugin now supports encrypted passwords
>    <http://maven.apache.org/guides/mini/guide-encryption.html>; useful
>    when using a centralized database.
>    - In the Maven plugin the autoupdate configuration was changed to
>    autoUpdate. If you have set this to false and upgrade the autoupdate will
>    likely default to true unless you fix the casing in the configuration.
> Best Regards,
> The OWASP dependency-check team
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
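As an added example that is not part of the announcement: a pom.xml fragment for the Maven plugin showing the pre-1.3.4 `autoupdate` element beside the `autoUpdate` casing required from 1.3.4 on. The plugin coordinates `org.owasp:dependency-check-maven` and the `check` goal are assumed from the project's documented Maven usage; the version is the one announced here.

```xml
<!-- Added example, not from the announcement. Plugin coordinates and the check
     goal are assumed from the project's documented Maven usage. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>1.3.5</version>
  <configuration>
    <!-- Pre-1.3.4 spelling: after upgrading, this element is no longer matched,
         so the NVD auto-update likely falls back to its default of true. -->
    <!-- <autoupdate>false</autoupdate> -->

    <!-- 1.3.4+ spelling: the camel-case name is required for the setting
         to take effect. -->
    <autoUpdate>false</autoUpdate>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With auto-update disabled, the local or centralized NVD database is only as current as whatever process refreshes it, so verify that refresh is still scheduled after the upgrade.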