Skip to content

Releases: albuch/sbt-dependency-check

v5.1.0

05 Mar 11:31
Compare
Choose a tag to compare

Upgraded dependency-check-core to v.8.1.2. See release notes for DependencyCheck from v8.1.1 to v8.1.2 for details.

Noteworthy Changes

  • new setting dependencyCheckHostedSuppressionsEnabled to disabled the use of the hosted suppression file

Bugfixes

  • New settings introduced with release v5.0.0 were not applied

v5.0.0

26 Feb 16:17
Compare
Choose a tag to compare

Updated dependency-check-core to v.8.1.0. See release notes for DependencyCheck from v8.0.0 to v8.1.0 for details.

Breaking Changes

The database schema was updated - if using an external database the update/initialization scripts must be run!

Noteworthy changes

  • New settings dependencyCheckHostedSuppressionsUrl, dependencyCheckHostedSuppressionsForceUpdate and dependencyCheckHostedSuppressionsValidForHours for a hosted suppression file to allow for faster remediation of reported false-positives. Defaults to a file maintained by the DependencyCheck project team.
  • New analyzer settings related to CISA Known Exploited Vulnerability Catalog: dependencyCheckKnownExploitedEnabled, dependencyCheckKnownExploitedUrl and dependencyCheckKnownExploitedValidForHours
  • New Settings to set authentication credentials for the RetireJS Analyzer data feed: dependencyCheckRetireJsAnalyzerRepoUser, dependencyCheckRetireJsAnalyzerRepoPassword
  • New schema for the XML report was added to support some of the above additions
  • Pipefile.lock files are now supported

v4.3.0

08 Jan 16:46
Compare
Choose a tag to compare

Update dependency-check-core to v7.4.4. See release notes for DependencyCheck from v7.3.1 to v7.4.4 for details.

Noteworthy changes

  • New setting key dependencyCheckPoetryAnalyzerEnabled for experimental Python Poetry Analyzer
  • Added a vanilla HTML report for use in Jenkins
  • Resolved issue processing NVD CVE data due to column width (#282)

v4.2.0

05 Nov 13:29
Compare
Choose a tag to compare

Update dependency-check-core to v7.3.0. See release notes for DependencyCheck from v7.2.0 to v7.3.0 for details.

Noteworthy changes

  • Added a setting key for an experimental Dart Analyzer: dependencyCheckDartAnalyzerEnabled
  • Added a setting key for URL connection read timeouts: dependencyCheckConnectionReadTimeout
  • Added a setting key for an analzyer for Bazel's pinned maven_install.json: dependencyCheckMavenInstallAnalyzerEnabled
  • Added a setting key to force Uupdate RetireJS data feed regardless the dependencyCheckAutoUpdate setting: dependencyCheckRetireJSForceUpdate

v4.1.0

01 May 08:10
Compare
Choose a tag to compare

Update dependency-check-core to v7.1.0. See release notes for DependencyCheck v7.1.0 for details

v4.0.0

09 Mar 22:19
Compare
Choose a tag to compare

Updated dependency-check-core to v7.0.0. See release notes of DependencyCheck of v7.0.0 for details

Breaking changes

  • The H2 database version has been upgraded to a new major version. If you use the dependencyCheckDataDirectory setting you will need to run dependencyCheckPurge after upgrading.
  • Upgraded to dotnet core 6.0. If analyzing dotnet assemblies the system will need to have the dotnet core 6.0.x runtime available.

Noteworthy changes

  • The Sarif report format has been fixed and can now be imported into GitHub if desired.
  • When analyzing Scala projects ODC now includes data from the developers section.

v3.4.1

05 Mar 09:03
Compare
Choose a tag to compare
  • Fixed an regression issue with the plugin not working for projects with sbt v1.2.8 or lower for all releases since v3.2.0 of sbt-dependency-check (#238)

v3.4.0

18 Jan 20:53
Compare
Choose a tag to compare
  • Updated dependency-check-core to v6.5.3. See release notes of DependencyCheck for v6.5.0 to v6.5.3 for full details.

Noteworthy changes

  • new setting dependencyCheckPNPMAuditAnalayzerEnabled and dependencyCheckPathToPNPMfor the new pnpm analyzer.

v3.3.0

07 Nov 10:18
Compare
Choose a tag to compare
  • Updated dependency-check-core to v6.4.1 (#213 ). See release notes of DependencyCheck for v6.3.2 to v6.4.1 for details.

Notworthy changes

  • New setting dependencyCheckCveWaitTime for the time in milliseconds to wait between downloads from the NVD.
  • New setting dependencyCheckCveStartYear for the first year of NVD CVE data to download from the NVD.
  • Several changes to reduce risk of NVD rate limiting
    • Reduced chance of rate limiting when download files from NVD
    • The NVD CVE data files are now being cached for up to 4 hours in case a download fails, re-running the plugin will use the cached version.
    • Added download attempts with increasing wait time for CVE meta files from the NVD to prevent rate limiting issues

v3.2.0

04 Sep 14:14
Compare
Choose a tag to compare
  • Updated dependency-check-core to v6.3.1 (#207). See release notes of DependencyCheck for v6.2.0 to v6.3.1 for details.
  • Update sbt to v1.5.5

Notheworthy changes

  • New setting dependencyCheckCpanFileAnalyzerEnabled for Perl CPAN File Analyzer
  • New setting dependencyCheckNodePackageSkipDevDependencies to disable checking dev dependencies for Node.js Analyzer
  • New Setting dependencyCheckSwiftPackageResolvedAnalyzerEnabled for Swift Package Resolved Analyzer