sbt-dependency-check Versions

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:

v5.1.0

1 year ago

Upgraded dependency-check-core to v8.1.2. See release notes for DependencyCheck from v8.1.1 to v8.1.2 for details.

Noteworthy Changes

  • New setting dependencyCheckHostedSuppressionsEnabled to disable the use of the hosted suppression file

Bugfixes

  • New settings introduced with release v5.0.0 were not applied

v5.0.0

1 year ago

Updated dependency-check-core to v8.1.0. See release notes for DependencyCheck from v8.0.0 to v8.1.0 for details.

Breaking Changes

The database schema was updated - if using an external database the update/initialization scripts must be run!

Noteworthy changes

  • New settings dependencyCheckHostedSuppressionsUrl, dependencyCheckHostedSuppressionsForceUpdate and dependencyCheckHostedSuppressionsValidForHours for a hosted suppression file to allow for faster remediation of reported false-positives. Defaults to a file maintained by the DependencyCheck project team.
  • New analyzer settings related to CISA Known Exploited Vulnerability Catalog: dependencyCheckKnownExploitedEnabled, dependencyCheckKnownExploitedUrl and dependencyCheckKnownExploitedValidForHours
  • New settings to set authentication credentials for the RetireJS Analyzer data feed: dependencyCheckRetireJsAnalyzerRepoUser, dependencyCheckRetireJsAnalyzerRepoPassword
  • New schema for the XML report was added to support some of the above additions
  • Pipfile.lock files are now supported

v4.3.0

1 year ago

Update dependency-check-core to v7.4.4. See release notes for DependencyCheck from v7.3.1 to v7.4.4 for details.

Noteworthy changes

  • New setting key dependencyCheckPoetryAnalyzerEnabled for experimental Python Poetry Analyzer
  • Added a vanilla HTML report for use in Jenkins
  • Resolved issue processing NVD CVE data due to column width (#282)

v4.2.0

1 year ago

Update dependency-check-core to v7.3.0. See release notes for DependencyCheck from v7.2.0 to v7.3.0 for details.

Noteworthy changes

  • Added a setting key for an experimental Dart Analyzer: dependencyCheckDartAnalyzerEnabled
  • Added a setting key for URL connection read timeouts: dependencyCheckConnectionReadTimeout
  • Added a setting key for an analyzer for Bazel's pinned maven_install.json: dependencyCheckMavenInstallAnalyzerEnabled
  • Added a setting key to force an update of the RetireJS data feed regardless of the dependencyCheckAutoUpdate setting: dependencyCheckRetireJSForceUpdate

v4.1.0

2 years ago

Update dependency-check-core to v7.1.0. See release notes for DependencyCheck v7.1.0 for details

v4.0.0

2 years ago

Updated dependency-check-core to v7.0.0. See release notes of DependencyCheck for v7.0.0 for details

Breaking changes

  • The H2 database version has been upgraded to a new major version. If you use the dependencyCheckDataDirectory setting you will need to run dependencyCheckPurge after upgrading.
  • Upgraded to dotnet core 6.0. If analyzing dotnet assemblies the system will need to have the dotnet core 6.0.x runtime available.

Noteworthy changes

  • The Sarif report format has been fixed and can now be imported into GitHub if desired.
  • When analyzing Scala projects ODC now includes data from the developers section.

v3.4.1

2 years ago
  • Fixed a regression where the plugin did not work for projects on sbt v1.2.8 or lower, affecting all releases since v3.2.0 of sbt-dependency-check (#238)

v3.4.0

2 years ago
  • Updated dependency-check-core to v6.5.3. See release notes of DependencyCheck for v6.5.0 to v6.5.3 for full details.

Noteworthy changes

  • New settings dependencyCheckPNPMAuditAnalyzerEnabled and dependencyCheckPathToPNPM for the new pnpm analyzer.

v3.3.0

2 years ago
  • Updated dependency-check-core to v6.4.1 (#213). See release notes of DependencyCheck for v6.3.2 to v6.4.1 for details.

Noteworthy changes

  • New setting dependencyCheckCveWaitTime for the time in milliseconds to wait between downloads from the NVD.
  • New setting dependencyCheckCveStartYear for the first year of NVD CVE data to download from the NVD.
  • Several changes to reduce risk of NVD rate limiting
    • Reduced chance of rate limiting when downloading files from the NVD
    • The NVD CVE data files are now being cached for up to 4 hours in case a download fails, re-running the plugin will use the cached version.
    • Added download attempts with increasing wait time for CVE meta files from the NVD to prevent rate limiting issues
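The settings introduced in v5.1.0, v5.0.0, v4.2.0 and v3.3.0 above are all plain sbt setting keys, so one build.sbt can wire them together. The following is an added example, not code from the sbt-dependency-check project: it pins the NVD cache to a known directory, tunes the NVD download pace, keeps hosted suppressions and the CISA KEV catalog enabled, and reads the RetireJS feed credentials from the environment rather than committing them. The mirror host, cache path, environment variable names and the wait/timeout values are assumptions chosen for illustration; the Option[...] types follow the plugin's usual convention and should be checked against the DependencyCheckKeys of the version you run.

```scala
// build.sbt (added example; assumes project/plugins.sbt contains
//   addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0")
// and that the listed keys are Option-typed as in the plugin's other settings).

// Local NVD/H2 cache. After the H2 major upgrade in v4.0.0 a cache created by an
// older plugin version must be rebuilt once with `sbt dependencyCheckPurge`.
dependencyCheckDataDirectory := Some(file(sys.props("user.home")) / ".cache" / "dependency-check") // hypothetical path

// NVD download tuning (v3.3.0, v4.2.0): pace requests to avoid rate limiting and
// fail fast on a stalled connection instead of hanging the CI job.
dependencyCheckCveStartYear          := Some(2010)  // hypothetical policy: ignore CVE years before 2010
dependencyCheckCveWaitTime           := Some(4000)  // milliseconds between NVD downloads (assumed value)
dependencyCheckConnectionReadTimeout := Some(60000) // milliseconds (assumed value)

// Hosted suppression file (v5.0.0, v5.1.0): keep it enabled so upstream false-positive
// fixes are picked up, but serve it from an internal mirror (hypothetical host) so the
// build does not depend on, or trust, an arbitrary public download at build time.
dependencyCheckHostedSuppressionsEnabled       := Some(true)
dependencyCheckHostedSuppressionsUrl           := Some(url("https://mirror.example.internal/odc/suppressions.xml"))
dependencyCheckHostedSuppressionsValidForHours := Some(24)
dependencyCheckHostedSuppressionsForceUpdate   := Some(sys.env.contains("CI")) // refresh on every CI run

// CISA Known Exploited Vulnerabilities catalog (v5.0.0): mark findings that are
// exploited in the wild so they can be triaged first.
dependencyCheckKnownExploitedEnabled       := Some(true)
dependencyCheckKnownExploitedValidForHours := Some(24)

// RetireJS feed credentials (v5.0.0): never hard-code them in build.sbt. The env var
// names are hypothetical; when they are unset the keys stay None, i.e. the plugin default.
dependencyCheckRetireJsAnalyzerRepoUser     := sys.env.get("RETIREJS_REPO_USER")
dependencyCheckRetireJsAnalyzerRepoPassword := sys.env.get("RETIREJS_REPO_PASSWORD")
dependencyCheckRetireJSForceUpdate          := Some(sys.env.contains("CI")) // v4.2.0: refresh regardless of dependencyCheckAutoUpdate
```

Run `sbt dependencyCheck` as usual afterwards; because the credentials come from `sys.env`, a developer laptop without the variables set still builds, and the secret never lands in version control or in the generated report.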

v3.2.0

2 years ago

Noteworthy changes

  • New setting dependencyCheckCpanFileAnalyzerEnabled for Perl CPAN File Analyzer
  • New setting dependencyCheckNodePackageSkipDevDependencies to disable checking dev dependencies for Node.js Analyzer
  • New setting dependencyCheckSwiftPackageResolvedAnalyzerEnabled for Swift Package Resolved Analyzer