Releases: jeremylong/DependencyCheck

Version 8.0.0

15 Jan 11:38
f3d806d

Added

  • Utilize the hosted suppression file to allow for faster remediation of reported False Positives (#4723).
  • Include the CISA Known Exploited Vulnerability Catalog (#4878).
  • The gradle and maven plugins now have the capability to scan the build plugins (#4035).
  • For transitive dependencies, the gradle and maven plugins now report the root dependency in the project that pulled in the transitive dependency (#5001).
  • Added properties.security-severity to SARIF report for better integration with GitHub Security Code scanning (#5277).
  • Allow for HTTP auth settings for the Retire JS repository (#5209).
  • New schema for the XML report was added to support some of the above additions (#5296).
  • Added missing gradle option to only warn on remote errors from the OSS Index Analyzer (gradle #303).

Changed

  • Breaking: the database schema has been updated; if using an external database, the update scripts must be run!
  • The exit codes from the CLI have been changed to be in the range 0-255 (#4511).
  • The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported (#5300).

Fixed

  • Added an additional check for rejected CVEs to reduce FP (#5268).
  • Corrected the analysis of node_modules to prevent NPEs (#5266).
  • Fixed error when scanning node packages with local dependencies (#5235).
  • Fixed NPE in the MSBuild Analyzer (#5293).
  • Several False Positives have been resolved.

See the full listing of changes.

Version 7.4.4

06 Jan 18:02
220140b

Fixed

  • Resolved issue processing NVD CVE data due to column width (#5229)

See the full listing of changes.

Version 7.4.3

29 Dec 10:56
b8b068d

Fixed

  • Fixed NPE when analyzing version ranges in NPM (#5158 & #5190)
  • Resolved several FP (#5191)

See the full listing of changes.

Version 7.4.2

28 Dec 11:29
812f69a

Fixed

  • Fixed maven 3.1 compatibility issue (#5152)
  • Fixed issue with invalid node_module paths in some scans (#5135)
  • Fixed missing option to disable the Poetry Analyzer in the CLI (#5160)
  • Fixed missing option to configure the OSS Index URL in the CLI (#5180)
  • Fixed NPE when analyzing version ranges in NPM (#5158)
  • Fixed issue with non-proxy host in the gradle plugin (dependency-check/dependency-check-gradle#298)
  • Resolved several FP

See the full listing of changes.

Version 7.4.1

09 Dec 11:49
653c960

Fixed

  • Fixed bug when setting the proxy port in gradle (#5123)
  • Fixed issue with invalid node_module paths in some scans (#5127)
  • Resolved several FP

See the full listing of changes.

Version 7.4.0

04 Dec 14:27
49e0afc

Added

  • Add support for npm package lock v2 and v3 (#5078)
  • Added experimental support for Python Poetry (#5025)
  • Added a vanilla HTML report for use in Jenkins (#5053)

Changed

  • Renamed RELEASE_NOTES.md to CHANGELOG.md to be more conventional
  • Optimized checksum calculation to improve performance (#5112)
  • Added support for scanning .NET assemblies when only the dotnet runtime is installed (#5087)
  • Bumped several dependencies

Fixed

  • Fixed bug when setting the proxy port (#5076)
  • Resolved several FP and FN

See the full listing of changes.

Version 7.3.2

18 Nov 12:44
2421d56

Changes

  • Automated release of 7.3.1 failed and only published to Central; 7.3.2 is a re-release of 7.3.1.
  • Resolved several false positives and false negatives.
  • Use Jackson Afterburner if still on Java 8 (#4966).
  • Exclude node_modules from the Maven plugin's scan path (#4974).
  • See the full listing of changes.

Version 7.3.0

19 Oct 11:49
9788005

Changes

  • Fixed issue with the Maven plugin that caused concurrent modification exceptions (#4935).
  • Migrated from Jackson Afterburner to Blackbird (#4905).
  • Added an experimental Dart analyzer (#4869).
  • See the full listing of changes.

Version 7.2.1

20 Sep 11:17
2bb85b1

Changes

  • Fixed logging issue (#4846).
  • See the full listing of changes.

Version 7.2.0

14 Sep 11:19
2ed09cc

Changes

  • Add support for Bazel's pinned maven_install.json (#4772).
  • Fixed bug preventing the use of custom report templates (#4800).
  • Updated several dependencies including upgrades for dependencies with CVEs.
  • Several bug fixes made and suppression rules were added.
  • See the full listing of changes.