DependencyCheck v3.2.0 Release Notes
Release Date: 2018-05-21 // almost 6 years ago-
๐ Security Fix
- ๐ Unsafe unzip operations (zip slip), as reported by the Snyk Security Research Team, have been corrected. CVE-2018-12036 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.
๐ Bug Fixes
- 0๏ธโฃ The dependency-check-maven plugin no longer uses the Central Analyzer by default
- โก๏ธ Updated dependency-check-maven so that it will not fail when your multi-module build has dependencies that have not yet been built in the reactor (See #740)
- Note if the required dependency has not yet been built in the reactor and the dependency is available in a configured repository dependency-check-maven, as expected, would pull the dependency from the repository for analysis.
- ๐ Minor documentation updates
- False positive reduction
- ๐ Fixed the Gradle Plugin and Ant Task so that the temp directory is properly cleaned up after execution
- โ Removed TLSv1 from the list of protocols used by default (See #1237)
โจ Enhancements
- ๐ Excess white space has been removed from the XML and HTML reports; the JSON report is still pretty printed (a future release will convert this to a configurable option)
- ๐ Better error reporting
- ๐ Changed to use commons-text instead of commons-lang3 as a portion of commons-lang3 was moved to commonts-text
- โ Added more flexible suppression rules with the introduction of the
until
attribute (see #1145 and dependency-suppression.1.2.xsd