Sbt Dependency Check Versions

SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). :rainbow:

v3.1.3

3 years ago

v3.1.2

3 years ago

  • Updated dependency-check-core to v6.1.5 (#170, #176, #178, #184). See release notes of DependencyCheck v6.1.1 - v6.1.5 for details.

Noteworthy changes

  • Added the setting keys dependencyCheckPathToYarn and dependencyCheckMSBuildAnalyzerEnabled, which were missing from a previous dependency-check-core update

v3.1.1

3 years ago

Bugfixes

  • Fixed the dependencyCheckYarnAuditAnalyzerEnabled setting having no effect, and the dependencyCheckListSettings task not printing the correct value for dependencyCheckYarnAuditAnalyzerEnabled (#163)

v3.1.0

3 years ago

  • Updated dependency-check-core to v6.1.0 (#160). See release notes of DependencyCheck v6.0.4 - v6.1.0 for details.

Noteworthy changes

  • New Yarn analyzer that can be enabled/disabled with dependencyCheckYarnAuditAnalyzerEnabled
  • New report file format SARIF

v3.0.0

3 years ago

Breaking Changes

  • Dropped sbt v0.13.x support. It's time to upgrade to sbt v1.x if you haven't already.
  • If upgrading from sbt-dependency-check v2.0.0 or earlier, run dependencyCheckPurge once before running any other task, as there are incompatible database changes.

Noteworthy Changes

  • You can now define almost all settings in the Global or ThisBuild scope to set up your own defaults for all projects in your build. See #100 and the updated Multi-Project Setup section in the README.
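The build-wide defaults described above, as an added illustration that is not taken from the sbt-dependency-check project or its README. The setting names are those listed on this page; the value types (Option[Boolean] for analyzer toggles, String for dependencyCheckFormat) and the "SARIF" format name are assumptions.

```scala
// build.sbt (added example, not the project's own code).
// Assumed types: analyzer toggles take Option[Boolean], dependencyCheckFormat takes a String.

// ThisBuild-scoped values become the default for every project in this build,
// so each subproject does not need to repeat them.
ThisBuild / dependencyCheckFormat := "SARIF"                  // report format added in v3.1.0 (name assumed)
ThisBuild / dependencyCheckYarnAuditAnalyzerEnabled := Some(true)

lazy val core = project // inherits the ThisBuild defaults unchanged

lazy val legacy = project.settings(
  // A single project can still override the build-wide default.
  dependencyCheckYarnAuditAnalyzerEnabled := Some(false)
)
```

Run dependencyCheckListSettings in each project to confirm which value is in effect; per v3.1.1 that task now reports the Yarn analyzer setting correctly.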

Bugfixes

  • Fixed an issue in the dependencyCheckPurge task, which was using an outdated hard-coded value for the database filename and therefore never deleting the database. This additionally caused problems for users upgrading to sbt-dependency-check v2.1.0, as running the task is a required step in that upgrade path. See #145
  • Fixed an issue where sbt-dependency-check threw an error for projects that have JvmPlugin disabled. #122
  • Fixed an error in the docs for dependencyCheckFormat. #148

v2.1.0

3 years ago

Updated dependency-check-core to v6.0.3 (#140). See release notes of DependencyCheck v5.3.1 - v6.0.3

Noteworthy changes

  • After upgrading, run dependencyCheckPurge to clean your database
  • Users mirroring the NVD feeds: sbt-dependency-check now requires the version 1.1 data feeds, so make sure you are using the 1.1 rather than the 1.0 data feed.
  • Added an experimental PE Analyzer that reads the PE headers of DLL and EXE files; it can be activated with dependencyCheckPEAnalyzerEnabled
  • Added experimental Analyzers for pip and Pipfile that can be activated with dependencyCheckPipAnalyzerEnabled and dependencyCheckPipfileAnalyzerEnabled
  • Added an experimental Analyzer for Mix Audit to scan Elixir dependencies that can be activated with dependencyCheckMixAuditAnalyzerEnabled. Configure dependencyCheckMixAuditPath to point to the mix_audit binary
  • Added dependencyCheckCveUser and dependencyCheckCvePassword settings to support NVD feed mirrors that require Basic Authentication

v2.0.0

4 years ago

Updated dependency-check-core to v5.3.0 (#118). See release notes of DependencyCheck v5.3.0

Breaking Changes

  • dependencyCheckAggregate previously scanned all projects and now only scans project aggregates and dependents. Use the new task dependencyCheckAnyProject to scan all projects.

Noteworthy Changes

  • New experimental Analyzer that can be activated with dependencyCheckNPMCPEAnalyzerEnabled
  • New setting dependencyCheckNodeAuditSkipDevDependencies
  • Removed noisy log entries from JCS (#114)

v1.3.2

4 years ago

  • Updated sbt-dependency-check build to sbt 1.3.2
  • Updated several plugins
  • Fixed regression introduced with v1.3.1 that caused an exception for users of the plugin on a version of sbt 1.x before sbt 1.3.0 (see issue #87)

v1.3.3

4 years ago

  • Fixed a regression introduced in v1.3.2 in the cross build for sbt 0.13.18, where slf4j was no longer declared as a dependency, causing warnings for plugin users and missing logging messages

v1.3.1

4 years ago

Updated dependency-check-core to v5.2.2. See release notes of v5.2.2 for more details.

Added better logging of exception collections.