[Owasp-leaders] OWASP dependency-check 1.3.5 released!
matt.konda at owasp.org
Tue Mar 8 02:45:13 UTC 2016
Awesome work, Jeremy.
On Sun, Mar 6, 2016 at 6:38 AM, Jeremy Long <jeremy.long at owasp.org> wrote:
> The OWASP dependency-check team is pleased to announce the release of
> version 1.3.5! Thanks to all those who have used the tool and provided
> feedback via the discussion group and issues in github. A special thanks
> goes out to those that have submitted pull requests!
> Please visit the documentation site
> <http://jeremylong.github.io/DependencyCheck/> for information on
> obtaining the new version (CLI, Maven Plugin, Ant Task, Gradle Plugin, Jenkins Plugin).
> *Release Notes*
> In addition to the general minor bug fixes and false positive reductions,
> here are the release notes for 1.3.5 (and 1.3.4 - I forgot to post these
> Version 1.3.5
> - False negative reduction - more entries are being parsed from the
> manifest in JAR files. In some cases, this may appear to cause false
> positives. However, these extra entries generally represent code that was
> copied from another project (possibly via shading) and as such, the
> vulnerability may also exist in the combined JAR.
> - The aggregate goal for the Maven plugin is still problematic;
> changes have been made to try and resolve some of the issues. However, if
> the aggregate goal is used in site reporting a blank report will be
> produced for anything beyond site:site (i.e. site:stage and site:deploy
> will likely have blank reports for the aggregate goal).
> - If using a centralized database,
> forward compatibility has been implemented. Previously, if you have many
> installations using the same database when you upgraded to a new version
> that made an update to the database schema all installations would need to
> be upgraded as well. With version 1.3.5 when a new version of
> dependency-check comes out that makes a change to the database schema 1.3.5
> will still be able to use the same centralized database.
> - The Maven plugin now supports the non-proxy hosts
> <https://maven.apache.org/settings.html#Proxies>, as configured in the
> - Resolved an issue that occurred in some CI environments that forked
> builds, which caused multiple threads to hit a non-threadsafe method. The
> method has now been marked synchronized.
> - Support for additional databases has been added when using a
> centralized database. Specifically, MySQL, Postgres, and Oracle are now
> Version 1.3.4
> - The Maven plugin now supports encrypted passwords
> <http://maven.apache.org/guides/mini/guide-encryption.html>; useful
> when using a centralized database.
> - In the Maven plugin the autoupdate configuration was changed to
> autoUpdate. If you have set this to false and upgrade the autoupdate will
> likely default to true unless you fix the casing in the configuration.
> Best Regards,
> The OWASP dependency-check team
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
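The autoupdate/autoUpdate rename from the 1.3.4 notes is easy to miss because Maven ignores unknown plugin configuration elements rather than failing the build. The pom.xml fragment below is an added example, not part of the announcement or the project's own documentation; the plugin coordinates org.owasp:dependency-check-maven and the check goal are assumed.

```xml
<!-- Added example (not from the announcement); plugin coordinates and the
     "check" goal are assumed. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>1.3.5</version>
  <configuration>
    <!-- BEFORE (pre-1.3.4 spelling): Maven ignores an unrecognised
         element, so per the note above the NVD auto-update falls back
         to its default of true even though the intent was false. -->
    <!-- <autoupdate>false</autoupdate> -->

    <!-- AFTER: the camel-case parameter name used by 1.3.4 and later. -->
    <autoUpdate>false</autoUpdate>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Disabling auto-update only makes sense when the NVD data is refreshed by another job (for example against a centralized database); otherwise the scan silently runs against stale vulnerability data.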