[Owasp-leaders] OWASP dependency-check 1.3.5 released!

Andrew van der Stock vanderaj at owasp.org
Fri Mar 11 09:22:14 UTC 2016


Fantastic project. I use it all the time in my agile SDLC jobs and code
reviews. Invaluable!

Andrew

On Tue, Mar 8, 2016 at 1:45 PM, Matt Konda <matt.konda at owasp.org> wrote:

> Awesome work, Jeremy.
>
> Thank you!
> Matt
>
>
> On Sun, Mar 6, 2016 at 6:38 AM, Jeremy Long <jeremy.long at owasp.org> wrote:
>
>> The OWASP dependency-check team is pleased to announce the release of
>> version 1.3.5! Thanks to all those who have used the tool and provided
>> feedback via the discussion group and issues in GitHub. A special thanks
>> goes out to those that have submitted pull requests!
>>
>> Please visit the documentation site
>> <http://jeremylong.github.io/DependencyCheck/> for information on
>> obtaining the new version (CLI
>> <http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html>
>> , Maven Plugin
>> <http://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html>
>> , Ant Task
>> <http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html>
>> , Gradle Plugin
>> <http://jeremylong.github.io/DependencyCheck/dependency-check-gradle/index.html>
>> , Jenkins Plugin
>> <https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin>
>> ).
>>
>> *Release Notes*
>>
>> In addition to the general minor bug fixes and false positive reductions,
>> here are the release notes for 1.3.5 (and 1.3.4 - I forgot to post these
>> previously):
>>
>> Version 1.3.5
>>
>>    - False negative reduction - more entries are being parsed from the
>>    manifest in JAR files. In some cases, this may appear to cause false
>>    positives. However, these extra entries generally represent code that was
>>    copied from another project (possibly via shading) and as such, the
>>    vulnerability may also exist in the combined JAR.
>>    - The aggregate goal for the Maven plugin is still problematic
>>    <http://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html>;
>>    changes have been made to try and resolve some of the issues. However, if
>>    the aggregate goal is used in site reporting a blank report will be
>>    produced for anything beyond site:site (i.e. site:stage and site:deploy
>>    will likely have blank reports for the aggregate goal).
>>    - If using a centralized database
>>    <http://jeremylong.github.io/DependencyCheck/data/database.html>,
>>    forward compatibility has been implemented. Previously, if you had many
>>    installations using the same database, when you upgraded to a new version
>>    that made an update to the database schema, all installations would need to
>>    be upgraded as well. With version 1.3.5, when a new version of
>>    dependency-check comes out that makes a change to the database schema, 1.3.5
>>    will still be able to use the same centralized database.
>>    - The Maven plugin now supports the non-proxy hosts
>>    <https://maven.apache.org/settings.html#Proxies>, as configured in
>>    the settings.xml.
>>    - Resolved an issue that occurred in some CI environments that forked
>>    builds, which caused multiple threads to hit a non-threadsafe method. The
>>    method has now been marked synchronized.
>>    - Support for additional databases has been added when using a
>>    centralized database. Specifically, MySQL, Postgres, and Oracle are now
>>    possible.
>>
>>
>> Version 1.3.4
>>
>>    - The Maven plugin now supports encrypted passwords
>>    <http://maven.apache.org/guides/mini/guide-encryption.html>; useful
>>    when using a centralized database.
>>    - In the Maven plugin the autoupdate configuration was changed to
>>    autoUpdate. If you have set this to false and upgrade, the autoupdate will
>>    likely default to true unless you fix the casing in the configuration.
>>
>>
>> Best Regards,
>>
>> The OWASP dependency-check team
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
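A check for the autoUpdate casing change described in the 1.3.4 notes above, added here as an example and not code from the dependency-check project: it scans a pom.xml for a dependency-check-maven configuration that still uses the old lowercase parameter name, which Maven ignores, so automatic updates silently revert to the default of true. The sample pom (including the plugin version shown) is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from the announcement): the plugin block
# still uses the pre-1.3.4 lowercase parameter name, which Maven silently
# ignores after the upgrade, so automatic NVD updates are back on.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>1.3.5</version>
      <configuration>
        <autoupdate>false</autoupdate>
      </configuration>
    </plugin>
  </plugins></build>
</project>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so poms with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def find_stale_autoupdate(pom_xml: str) -> list:
    """Return mis-cased autoUpdate parameter names found in any
    dependency-check-maven <configuration>. Maven matches parameter
    names case-sensitively, so 'autoupdate' is ignored and the plugin
    falls back to its default of true."""
    root = ET.fromstring(pom_xml)
    findings = []
    for plugin in (el for el in root.iter() if _local(el.tag) == "plugin"):
        artifact = next((c for c in plugin if _local(c.tag) == "artifactId"), None)
        if artifact is None or (artifact.text or "").strip() != "dependency-check-maven":
            continue
        for config in (c for c in plugin if _local(c.tag) == "configuration"):
            for param in config:
                name = _local(param.tag)
                if name.lower() == "autoupdate" and name != "autoUpdate":
                    findings.append(name)
    return findings


if __name__ == "__main__":
    for name in find_stale_autoupdate(SAMPLE_POM):
        print(f"stale parameter <{name}>: rename to <autoUpdate> or updates default to true")
```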