Please see the dependency-check google group for the release notes on versions not listed below.
Version 3.3.1 (2018-08-06)
- Fixed error handling with regard to invalid manifest files contained within JAR files; see #1024.
- Fixed parsing of pom.xml files, in some cases a SAX Exception would be thrown; see #1400.
- Fixed bug that caused dependency-check to crash if the temporary directory and data directory were on different drives; see #1394.
- Fixed bug in dependency-check-maven where an aggregate analysis did not scan all files defined in the ScanSet; see #1421.
- Fixed NPE in dependency-check-gradle that occurred when artifacts where included using
implementation files("./lib/some.jar"); see #91.
- An Nuget Packages.config Analyzer was added; see #1412.
Version 3.3.0 (2018-07-22)
- The dependency-check-gradle plugin can now analyze multi-project android builds. See PR #09 for more information.
- In some cases extremely large project may cause dependency-check to fail due to the analysis time. Previously, the analysis was capped at 10 minutes; the timeout was increased to 20 minutes and made configurable if this continues to be an issue for some users. See issue #936 for more information.
- Some pom.xml files could not be analyzed because they contained a doctype definition. The parser has been enhanced to strip the doctype definitions.
- Fixed issue where, in some cases, temporary files were not correctly cleaned up in Jenkins and gradle builds.
- Fixed issue where, in some cases, files were retrieved from Maven Central using HTTP instead of HTTPS. See issue #1325 for more information.
- Additionally, a retry count was added when attempting to download pom.xml files during analysis.
- Fixed issue where nodejs dependencies were not correctly analyzed. See issue #1355 for more information.
- Fixed issue where the CWE was not written to the CSV report.
- In addition, general bug fixes, code cleanup, and false positive/negatives updates were made.
- An Artifactory Analyzer was added that can be used to in-place of the Central Analyzer for organizations that use Artifactory.
- Note, for maven and gradle builds the Artifactory analyzer will not improve the analysis. The information gained by using the Central, Artifactory, or Nexus Analyzers is already obtained from the build system.
- An experimental Retire JS analyzer has been added to analyze client side JavaScript.
- This utilizes information from the RetireJS repo on github. If you have a proxy that prevents access you will either need to have access granted to https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json or host the file internally, update the environment variable
analyzer.retirejs.repo.js.ur, and periodically update the file. - This analyzer is considered experimental, but the team expects this to be promoted quickly.
- This utilizes information from the RetireJS repo on github. If you have a proxy that prevents access you will either need to have access granted to https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json or host the file internally, update the environment variable
- NuGet dependencies contained in MSBuild files are now included in the scan. See Issue #1131 for more details.
- Cocoapod's Podfile.lock is now analyzed when present. See PR #1324 for more information.
Version 3.2.1 (2018-05-28)
- In some cases when using the Maven or Gradle plugins the GAV coordinates were not being added as an Identifier causing suppression rules to fail; this has been resolved (#1298)
- Documentation Update (SCM links in the maven site were broken) (#1297)
- False positive reduction (#1290)
- Enhanced logging output for TLS failures to better assist with debugging (#1269)
- Resolved a Null Pointer Exception (#1296)
Version 3.2.0 (2018-05-21)
- Unsafe unzip operations (zip slip), as reported by the Snyk Security Research Team, have been corrected. CVE-2018-12036 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.
- The dependency-check-maven plugin no longer uses the Central Analyzer by default
- Updated dependency-check-maven so that it will not fail when your multi-module build has dependencies that have not yet been built in the reactor (See #740)
- Note if the required dependency has not yet been built in the reactor and the dependency is available in a configured repository dependency-check-maven, as expected, would pull the dependency from the repository for analysis.
- Minor documentation updates
- False positive reduction
- Fixed the Gradle Plugin and Ant Task so that the temp directory is properly cleaned up after execution
- Removed TLSv1 from the list of protocols used by default (See #1237)
- Excess white space has been removed from the XML and HTML reports; the JSON report is still pretty printed (a future release will convert this to a configurable option)
- Better error reporting
- Changed to use commons-text instead of commons-lang3 as a portion of commons-lang3 was moved to commonts-text
- Added more flexible suppression rules with the introduction of the
untilattribute (see #1145 and dependency-suppression.1.2.xsd
Version 3.1.2 (2018-04-02)
- Updated the NVD URLs
- Updated documentation
- Add project references to the JSON and XML report; in aggregate scans using Maven or Gradle the dependencies will include a reference to the project/module where they were found
- The configuration option
versionCheckEnabledwas added to Maven to allow users to disable the check for new versions of dependency-check; this will be added to gradle plugin, Ant Task, and the CLI in a future release - The XML and JSON reports were fixed so that the correct version number is displayed see issue #1109
- The initial database creation time for H2 databases was improved
- Changes made to decrease false positive and false negatives
Version 3.1.1 (2018-01-29)
- Fixed the Central Analyzer to use the updated SHA1 query syntax.
- Reverted change that broke Maven 3.1.0 compatability; Maven 3.1.0 and beyond is once again supported.
- False positive reduction.
- Minor documentation cleanup.
Version 3.1.0 (2018-01-02)
- Major enhancements to the Node and NSP analyzer - the analyzers are now considered production ready and should be used in combination.
- Added a shutdown hook so that if the update process is interrupted while using an H2 database the lock files will be properly removed allowing future executions of ODC to succeed.
- UNC paths can now be scanned using the CLI.
- Batch updates are now used which may help with the update speed when using some DBMS instead of the embedded H2.
- Upgrade Lucene to 5.5.5, the highest version that will allow us to maintain Java 7 support
- Fixed the CSV report output to correctly list all fields.
- Invalid suppression files will now break the build instead of causing ODC to skip the usage of the suppression analyzer.
- Fixed bug in Lucene query where LARGE entries in the pom.xml or manifest caused the query to break.
- General cleanup, false positive, and false negative reduction.
Version 3.0.2 (2017-11-13)
- Updated the query format for the CentralAnalyzer; the old format caused the CentralAnalyzer to fail
Version 3.0.1 (2017-10-20)
- Fixed a database connection issue that affected some usages.
Version 3.0.0 (2017-10-16)
- Several bug fixes and false positive reduction
- The 2.x branch introduced several new false positives – but also reduced the false negatives
- Java 9 compatibility update
- Stability issues with the Central Analyzer resolved
- This comes at a cost of a longer analysis time
- The CSV report now includes the GAV and CPE
- The Hint Analyzer now supports regular expressions
- If show summary is disabled and vulnerable libraries are found that fail the build details are no longer displayed in the console – only that vulnerable libraries were identified
- Resolved issues with threading and multiple connections to the embedded H2 database
- This allows the Jenkins pipeline, Maven Plugin, etc. to safely run parallel executions of dependency-check