Releases: jeremylong/DependencyCheck
Version 8.4.0
Added
- feat: Add support for Nexus v3 to NexusAnalyzer (#5849)
Fixed
- fix: Hint Analyzer should run before VersionFilter Analyzer (#5818)
- chore: switch to sha1-pinning as suggested by Semgrep
- fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845)
- fix: use curl with -L to follow github redirect (#5808)
- fix: #5671 out of memory error: exit the method as soon as a loop is detected, preventing an infinite loop that led to an OutOfMemoryError (#5789)
Version 8.3.1
Re-release of 8.3.0 as 8.3.1.
Version 8.3.0
Added
- Add LibmanAnalyzer (#5652)
- Update HTML report Dependencies header based on display settings (#5619)
- Add link to suppressed vulnerabilities header in HTML report (#5620)
- Enable local proxy configuration in maven plugin configuration (#5696)
Fixed
- Fix npm alias present in requires of dependencies (#5703)
- Make Central URL configurable via CLI (#5667)
- Ensure support of CVSSv3.1 (#5602)
See the full listing of changes.
Version 8.2.1
Version 8.2.0
Added
- Support msbuild Directory.build.props (#5475)
- better display of NPM audit references
- Add CVSS V3 results from NPM Audit results
Fixed
- Fix several issues on NPM Audit reporting (#5546)
- Case issue in SQL (#5557)
- Fix CWE(s) extraction for NPM Audit advisories
- Use the stable github_advisory_id instead of the now unstable id in NPM audit results
See the full listing of changes.
Version 8.1.2
Fixed
- Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#5512)
Version 8.1.1
Fixed
- allow hosted suppressions file to be disabled (#5509)
- Several FPs not suitable for our automation (#5504)
- Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#5503)
- Erroneous error-log for deprecated CLI flag usage when using property-file based disablement of the Node Audit Analyzer (#5487)
- Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#5473)
- Node package dependencies ending up as related dependency of the wrong version of the package (#5479)
- do not throw error if pyproject.toml is in node_modules (#5470)
See the full listing of changes.
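The pom.properties over pom.xml preference in 8.1.1 (#5473) matters because a jar's pom.xml can still contain un-interpolated placeholders such as ${revision} in its version, whereas pom.properties is written by Maven at package time with the resolved values; a scanner that reads the placeholder ends up with a wrong or empty version and can miss the vulnerability match. The following is an added illustration of that resolution order, not DependencyCheck's own code. It assumes only the standard Maven jar layout (META-INF/maven/<groupId>/<artifactId>/pom.xml and pom.properties) and builds a constructed jar in memory.

```python
"""Recover a jar's Maven coordinates (groupId/artifactId/version), preferring
META-INF/maven/**/pom.properties over pom.xml.  Constructed example, not the
DependencyCheck project's code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")

# Constructed pom.xml: the version is a CI-friendly ${revision} placeholder
# that Maven only resolves at build time, and groupId is inherited from the parent.
SAMPLE_POM_XML = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>com.example</groupId>
    <artifactId>parent</artifactId>
    <version>${revision}</version>
  </parent>
  <artifactId>demo-lib</artifactId>
  <version>${revision}</version>
</project>
"""

# Constructed pom.properties as Maven writes it into the packaged jar.
SAMPLE_POM_PROPERTIES = "groupId=com.example\nartifactId=demo-lib\nversion=1.4.2\n"


def build_sample_jar(include_properties=True):
    """Build an in-memory jar with the standard META-INF/maven layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.example/demo-lib/pom.xml", SAMPLE_POM_XML)
        if include_properties:
            zf.writestr("META-INF/maven/com.example/demo-lib/pom.properties",
                        SAMPLE_POM_PROPERTIES)
    return buf.getvalue()


def gav_from_pom_xml(xml_text):
    """Read G/A/V from pom.xml, falling back to <parent> for inherited fields.
    Placeholders are returned as-is; the caller must detect them."""
    root = ET.fromstring(xml_text)
    parent = root.find(POM_NS + "parent")

    def text(tag):
        el = root.find(POM_NS + tag)
        if el is None and parent is not None:
            el = parent.find(POM_NS + tag)
        return el.text.strip() if el is not None and el.text else None

    return text("groupId"), text("artifactId"), text("version")


def gav_from_pom_properties(props_text):
    """Read G/A/V from a Java properties file (key=value lines, # comments)."""
    props = {}
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props.get("groupId"), props.get("artifactId"), props.get("version")


def resolve_gav(jar_bytes):
    """Prefer pom.properties; use pom.xml only when no properties file exists.
    Any field that is still a ${...} placeholder is reported in 'unresolved'
    so the caller does not feed a bogus version into CPE/vulnerability matching."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        props = [n for n in names
                 if n.startswith("META-INF/maven/") and n.endswith("/pom.properties")]
        poms = [n for n in names
                if n.startswith("META-INF/maven/") and n.endswith("/pom.xml")]
        if props:
            g, a, v = gav_from_pom_properties(zf.read(props[0]).decode("utf-8"))
            source = "pom.properties"
        elif poms:
            g, a, v = gav_from_pom_xml(zf.read(poms[0]).decode("utf-8"))
            source = "pom.xml"
        else:
            return None
    unresolved = [x for x in (g, a, v) if x and PLACEHOLDER.search(x)]
    return {"groupId": g, "artifactId": a, "version": v,
            "source": source, "unresolved": unresolved}


if __name__ == "__main__":
    print(resolve_gav(build_sample_jar()))
    print(resolve_gav(build_sample_jar(include_properties=False)))
```

With pom.properties present the resolver reports version 1.4.2; with only pom.xml it reports the literal ${revision} and flags it as unresolved, which is the situation the 8.1.1 fix avoids for the false positives described in (#5421).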
Version 8.1.0
Added
- Pipfile.lock files are now supported (#5404).
- Python projects with only a pyproject.toml but no lock file or requirements file will report an error, as ODC is unable to analyze the project (#5409).
Fixed
- Some maven projects caused false positives due to bad string interpolation (#5421).
- Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis (#5408).
- Correct issue where database defrag occurs even when no updates were performed (#5441).
- Fixed several False Positives and one False Negative.
- Made the format configuration more flexible in the gradle plugin (dependency-check-gradle/#324).
See the full listing of changes.
Version 8.0.2
Fixed
- Resolved bug causing an issue with some Maven Extensions (#5366).
- ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#5371).
- Updated CSV report so that it no longer has a duplicate description column (#5364).
- Moved several logging statements to trace, which should drastically reduce the log size (#5350).
- Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#5351).
- Fixed the sarif report format and added validation (#5345 and #5363).
- Fixed MalformedPackageException in the gradle plugin (dependency-check-gradle/#320).
- Fixed MissingMethodException in the gradle plugin (dependency-check-gradle/#316).
See the full listing of changes.
Version 8.0.1
Fixed
- Fixed Stack Overflow Exception in the gradle plugin (dependency-check-gradle/#308).
- Fixed No Signature of Method Exception in the gradle plugin (dependency-check-gradle/#305).
- Updated DB initialization scripts for externally hosted DBs (#5314 and #5317).
- Postgres users will need to use the updated init script and 8.0.1.
- Resolved NPE in the NodePackageAnalyzer (#5339).
See the full listing of changes.