Releases: albuch/sbt-dependency-check
v1.3.0
Updated dependency-check-core to v5.2.1. See release notes of v5.2.1 for more details.
v1.2.0
v1.1.0
Updated dependency-check-core to v5.1.0 (#77). See release notes of dependency-check v5.1.0 for more details and bugfixes.
Noteworthy changes
- New experimental Golang Dependency and Module analyzers with new setting keys: `dependencyCheckGolangDepEnabled`, `dependencyCheckGolangModEnabled` and `dependencyCheckPathToGo`
- Optional settings to add credentials for the OSS Index Analyzer: `dependencyCheckOSSIndexAnalyzerUsername` and `dependencyCheckOSSIndexAnalyzerPassword`
- Suppression Schema now supports suppressing RetireJS, NSP and OSS Index vulnerabilities. See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples.
v1.0.0
Updated dependency-check-core to v5.0.0 (#72). See Release notes of dependency-check v5.0.0-m1, v5.0.0-M2, v5.0.0-M3 and v5.0.0 for details.
Breaking changes
- The NVD CVE data import now uses the JSON data feeds instead of the XML data feeds.
- The setting key names have changed if you are mirroring the data feeds locally.
- sbt-dependency-check now uses the NVD meta files in addition to the *.json.gz files. If you have a local mirror of the NVD you must now mirror the metadata files as well. The nist-data-mirror has been updated to include these files.
- dotnet core must be installed to analyze .NET assemblies
- The retire.js analyzer is no longer considered experimental and is enabled by default.
- All of the report formats have been updated to include the additional data from the NVD CVE JSON data feeds.
Noteworthy changes
- Multiple report formats can be specified with the new setting `dependencyCheckFormats`; if you want just two of the reports you no longer need to use ALL.
v0.2.10
Updated dependency-check-core to v4.0.2 (#66). See Release notes of dependency-check v4.0.0, v4.0.1 and v4.0.2 for details.
Noteworthy changes
- Guava updated to v27.0.1-jre to fix CVE-2018-10237
- New settings for authenticated access to Nexus Repository: `dependencyCheckNexusUser` and `dependencyCheckNexusPassword`
v0.2.9
Updated dependency-check-core to v3.3.4, PR #60 by @Philippus. See release notes of v3.3.3 and v3.3.4 for details.
Breaking Changes
- NSP Analyzer was migrated to use the NPM Audit Analyzer. The following settings were renamed:
  - `dependencyCheckNSPAnalyzerEnabled` changed to `dependencyCheckNodeAuditAnalyzerEnabled`
  - `dependencyCheckNSPAnalyzerUrl` changed to `dependencyCheckNodeAuditAnalyzerUrl`
Noteworthy Changes
- Several false negative fixes
- Several false positive fixes
- Updated the suppress buttons in the HTML report to generate the XML using the latest suppression schema
- Added documentation on how to configure sbt-dependency-check for use as a global plugin (#61)
v0.2.8
v0.2.7
Updated dependency-check-core to v3.3.0. See release notes for details.
Noteworthy changes
- New JFrog Artifactory analyzer. Note: This analyzer doesn't bring any benefits for the sbt-dependency-check plugin, as all provided information by the analyzer is already available via the plugin itself.
- New experimental RetireJS analyzer
- New setting `dependencyCheckEnableRetired`
- New setting `dependencyCheckAnalysisTimeout`
v0.2.6
v0.2.5
Updated dependency-check-core to v3.2.0. See release notes for details.
Breaking Change
- The `dependencyCheckJarAnalyzer` setting key was renamed to `dependencyCheckJarAnalyzerEnabled` to follow naming conventions
Noteworthy changes
- Security Fix: Unsafe unzip operations, as reported by the Snyk Security Research Team, have been corrected. If an archive (zip, jar, war, etc.) contained a name field with path traversal characters, the file may have been extracted outside of the temp directory, resulting in an arbitrary file write.
- `dependencyCheckCentralAnalyzerEnabled` now defaults to `false`, so the Central Analyzer is not used by default (#39)
- Added more flexible suppression rules with the introduction of the `until` attribute (see jeremylong/DependencyCheck#1145 and dependency-suppression.1.2.xsd)
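As an added illustration, not taken from these release notes, here is a suppression file using the `until` attribute from suppression schema 1.2: the finding is suppressed only until the given date, after which the scan reports it again and the decision has to be re-reviewed. The group/artifact coordinates, the CVE id and the justification are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Suppression file for dependency-check; schema 1.2 introduces the "until" attribute -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.2.xsd">

    <!-- Time-boxed suppression: expires on the given date (xs:date with timezone, hence the "Z"),
         so an accepted risk is forced back into view instead of being hidden forever. -->
    <suppress until="2019-12-31Z">
        <notes><![CDATA[
        PLACEHOLDER justification: the vulnerable code path is not reachable from this project.
        Re-evaluate before the until date; extend only with a fresh review.
        ]]></notes>
        <!-- Constructed placeholder coordinates: match every version of com.example:example-lib -->
        <gav regex="true">^com\.example:example-lib:.*$</gav>
        <!-- Constructed placeholder CVE id -->
        <cve>CVE-0000-0000</cve>
    </suppress>

</suppressions>
```

Without `until`, the same `<suppress>` element silences the finding indefinitely, which is the behaviour to avoid for anything that is a risk acceptance rather than a confirmed false positive.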