Changelog History
v3.2.0 Changes
May 21, 2018
🔒 Security Fix
- 🔒 Unsafe unzip operations (zip slip), as reported by the Snyk Security Research Team, have been corrected. CVE-2018-12036: an attacker could write to arbitrary files via a crafted archive containing directory traversal filenames (entries such as ../../target) that dependency-check extracts during a scan.
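The zip slip pattern behind CVE-2018-12036, shown as an added example in Python rather than dependency-check's own Java code: a constructed archive with a traversal entry, a naive extractor that follows it, and a hardened extractor that canonicalises every target and refuses the whole archive if any entry would land outside the destination. The archive contents, entry names and directory layout are constructed for the demonstration and do not come from any real scan.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Constructed sample archives for the demonstration: one benign entry plus
# a zip-slip entry whose name climbs out of the extraction directory.
MALICIOUS_ENTRIES = {"lib/README.txt": "harmless", "../../outside.txt": "escaped"}
BENIGN_ENTRIES = {"lib/README.txt": "harmless", "lib/sub/a.properties": "k=v"}


def build_zip(entries):
    """Build an in-memory zip. zipfile writes entry names verbatim, so the
    traversal name reaches the central directory unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def naive_extract(data, dest):
    """Vulnerable pattern: join the entry name onto dest and write. The '..'
    components are honoured, so the file lands outside dest. (Python's own
    extractall() strips such components, hence the hand-written loop.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = dest / info.filename  # no canonicalisation at all
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


def safe_extract(data, dest):
    """Hardened pattern: canonicalise dest and every target first, and reject
    the whole archive before writing anything if any entry would escape."""
    root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        planned = []
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            # Component-wise prefix check: a plain startswith() would accept
            # '/tmp/out-evil' for root '/tmp/out'; this does not. Absolute
            # entry names are rejected too, since joining them discards root.
            if target != root and root not in target.parents:
                raise ValueError(f"zip slip blocked: {info.filename!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors inside a throwaway directory and report where the
    files actually landed, as plain values that can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        # Two levels deep so the '../../' escape stays inside the temp dir.
        naive_dest = root / "naive" / "extract"
        naive_dest.mkdir(parents=True)
        escaped = [
            p.relative_to(root).as_posix()
            for p in naive_extract(build_zip(MALICIOUS_ENTRIES), naive_dest)
            if naive_dest not in p.parents
        ]
        safe_dest = root / "safe" / "extract"
        safe_dest.mkdir(parents=True)
        blocked = {}
        for label, entries in (
            ("traversal", MALICIOUS_ENTRIES),
            ("absolute", {"/etc/evil.conf": "x"}),
        ):
            try:
                safe_extract(build_zip(entries), safe_dest)
                blocked[label] = False
            except ValueError:
                blocked[label] = True
        # Nothing was written before the rejection: the check is all-or-nothing.
        partial = sorted(p.name for p in safe_dest.rglob("*") if p.is_file())
        benign = safe_extract(build_zip(BENIGN_ENTRIES), safe_dest)
        return {
            "naive_escaped": escaped,
            "blocked": blocked,
            "written_before_block": partial,
            "benign_files": len(benign),
        }


if __name__ == "__main__":
    print(demo())
```

The essential fix is the same in any language: resolve the destination and each entry's target to canonical absolute paths, then compare them component-wise rather than with a string prefix, and do the comparison for every entry before the first write so a crafted archive cannot leave partially extracted files behind.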
🐛 Bug Fixes
- 0️⃣ The dependency-check-maven plugin no longer uses the Central Analyzer by default
- ⚡️ Updated dependency-check-maven so that it will not fail when your multi-module build has dependencies that have not yet been built in the reactor (See #740)
- Note: if the required dependency has not yet been built in the reactor but is available in a configured repository, dependency-check-maven will, as expected, pull the dependency from the repository for analysis.
- 📚 Minor documentation updates
- False positive reduction
- 🛠 Fixed the Gradle Plugin and Ant Task so that the temp directory is properly cleaned up after execution
- ✂ Removed TLSv1 from the list of protocols used by default (See #1237)
✨ Enhancements
- 🚀 Excess white space has been removed from the XML and HTML reports; the JSON report is still pretty printed (a future release will convert this to a configurable option)
- 👍 Better error reporting
- 🔄 Changed to use commons-text instead of commons-lang3, as a portion of commons-lang3 was moved to commons-text
- ➕ Added more flexible suppression rules with the introduction of the until attribute (see #1145 and dependency-suppression.1.2.xsd)
v3.1.2 Changes
April 02, 2018
🐛 Bug fixes
- ⚡️ Updated the NVD URLs
- 📚 Updated documentation
- ➕ Add project references to the JSON and XML report; in aggregate scans using Maven or Gradle the dependencies will include a reference to the project/module where they were found
- 🔧 The configuration option versionCheckEnabled was added to Maven to allow users to disable the check for new versions of dependency-check; this will be added to the Gradle plugin, Ant Task, and the CLI in a future release
- 👀 The XML and JSON reports were fixed so that the correct version number is displayed (see issue #1109)
- The initial database creation time for H2 databases was improved
- 🔄 Changes made to decrease false positive and false negatives
v3.1.1 Changes
January 29, 2018
🐛 Bug fixes
- 🛠 Fixed the Central Analyzer to use the updated SHA1 query syntax.
- ⏪ Reverted a change that broke Maven 3.1.0 compatibility; Maven 3.1.0 and beyond is once again supported.
- False positive reduction.
- 📚 Minor documentation cleanup.
v3.1.0 Changes
January 02, 2018
✨ Enhancements
- Major enhancements to the Node and NSP analyzer - the analyzers are now considered production ready and should be used in combination.
- ➕ Added a shutdown hook so that if the update process is interrupted while using an H2 database the lock files will be properly removed allowing future executions of ODC to succeed.
- UNC paths can now be scanned using the CLI.
- ⚡️ Batch updates are now used which may help with the update speed when using some DBMS instead of the embedded H2.
- ⬆️ Upgrade Lucene to 5.5.5, the highest version that will allow us to maintain Java 7 support
🐛 Bug fixes
- 🛠 Fixed the CSV report output to correctly list all fields.
- 🏗 Invalid suppression files will now break the build instead of causing ODC to skip the usage of the suppression analyzer.
- 🛠 Fixed bug in Lucene query where LARGE entries in the pom.xml or manifest caused the query to break.
- General cleanup, false positive, and false negative reduction.
v3.0.2 Changes
November 13, 2017
🐛 Bug fixes
- ⚡️ Updated the query format for the CentralAnalyzer; the old format caused the CentralAnalyzer to fail
v3.0.1 Changes
October 20, 2017
🐛 Bug fixes
- 🛠 Fixed a database connection issue that affected some usages.
v3.0.0 Changes
October 16, 2017
- 🛠 Several bug fixes and false positive reduction
- The 2.x branch introduced several new false positives – but also reduced the false negatives
- ⚡️ Java 9 compatibility update
- Stability issues with the Central Analyzer resolved
- This comes at a cost of a longer analysis time
- The CSV report now includes the GAV and CPE
- 👍 The Hint Analyzer now supports regular expressions
- 🏗 If show summary is disabled and vulnerable libraries are found that fail the build, the details are no longer displayed in the console; only the fact that vulnerable libraries were identified is reported
- Resolved issues with threading and multiple connections to the embedded H2 database
- This allows the Jenkins pipeline, Maven Plugin, etc. to safely run parallel executions of dependency-check