All Versions
Latest Version
Avg Release Cycle
69 days
Latest Release
1306 days ago

Changelog History
Page 1

  • v3.0.0 Changes

    November 14, 2020

    💥 Breaking Changes

    • ⬆️ Dropped sbt v0.13.x support. It's time to upgrade to sbt v1.x if you haven't done already.
    • ⬆️ If upgrading from sbt-dependency-check v2.0.0 or earlier make sure to run dependencyCheckPurge once before running any other task as there are incompatible database changes.

    Noteworthy Changes

    • ⚡️ You can now define allmost all settings with Global or ThisBuild to set up your own defaults for all your projects in your build. See #100 and the updated Multi-Project Setup section in the README.

    🛠 Bugfixes

    • 🛠 Fixed an issue for dependencyCheckPurge task which was using an outdated hard-coded value for the database filename and therefore never deleting the database. This was additionally causing users issues when uprading to sbt-dependency-check v2.1.0 as it was a required step in the upgrade path. See #145
    • 🛠 Fixed an issue where sbt-dependency-check was throwing an error for projects that have JvmPlugin disabled. #122
    • 🛠 Fixed an error in the docs for dependencyCheckFormat. #148
  • v2.1.0 Changes

    November 04, 2020

    🚀 Updated dependency-check-core to v6.0.3 (#140). See release notes of DependencyCheck v5.3.1 - v6.0.3

    Noteworthy changes

    • ⬆️ After upgrading run dependencyCheckPurge to clean your database
    • 👉 Users mirroring the NVD feeds - sbt-dependency-check now requires the use of the version 1.1 data feeds - please ensure you are using 1.1 not the 1.0 data feed.
    • ➕ Added an experimental PE Analyzer that reads the PE headers of DLL and EXE files that can be activated with dependencyCheckPEAnalyzerEnabled
    • ➕ Added experimental Analyzers for pip and Pipfile that can be activated with dependencyCheckPipAnalyzerEnabled, dependencyCheckPipfileAnalyzerEnabled,
    • ➕ Added an experimental Analyzer for Mix Audit to scan Elixir dependencies that can be activated with dependencyCheckMixAuditAnalyzerEnabled. Configure dependencyCheckMixAuditPath to point to the mix_audit binary
    • ➕ Added dependencyCheckCveUser and dependencyCheckCvePassword settings to support NVD feed mirrors with Basic Authentication
  • v2.0.0 Changes

    February 15, 2020

    🚀 Updated dependency-check-core to v5.3.0 (#118). See release notes of DependencyCheck v5.3.0

    💥 Breaking Changes

    • dependencyCheckAggregate previously scanned all projects and now only scans project aggregates and dependents. Use the new task dependencyCheckAnyProject to scan all projects.

    Noteworthy changes

    • 🆕 new experimental Analyzer that can be activated with dependencyCheckNPMCPEAnalyzerEnabled
    • 🆕 new Setting dependencyCheckNodeAuditSkipDevDependencies
    • ✂ Removed noisy log entries from JCS (#114)
  • v1.3.3 Changes

    October 06, 2019
    • 🛠 Fixed a regression introduced in v1.3.2 in cross build for sbt 0.13.18 where slf4j was not declared as a dependency any more causing warnings for plugin users and missing logging messages
  • v1.3.2 Changes

    October 06, 2019
    • ⚡️ Updated sbt-dependency-check build to sbt 1.3.2
    • ⚡️ Updated several plugins
    • 🛠 Fixed regression introduced with v1.3.1 that caused an exception for users of the plugin on a version of sbt 1.x before sbt 1.3.0 (Se issue #87)
  • v1.3.1 Changes

    September 30, 2019

    🚀 Updated dependency-check-core to v5.2.2. See release notes of v5.2.2 for more details.

    ➕ Added better logging of exception collections.

  • v1.3.0 Changes

    August 10, 2019

    🚀 Updated dependency-check-core to v5.2.1. See release notes of v5.2.1 for more details.

  • v1.2.0 Changes

    July 29, 2019

    🚀 Updated dependency-check-core to v5.2.0 (thanks @sullis for PR #80). See the release notes of v5.2.0 and v5.1.1 for details.

    Noteworthy changes

    • 🆕 New Setting Key dependencyCheckBundleAuditWorkingDirectory
    • 🛠 Fixes of several false-positives
  • v1.1.0 Changes

    July 06, 2019

    🛠 Updated dependency-check-core to v5.1.0 (#77 ). See Release notes of dependency-check v5.1.0 for more details and bugfixes.

    Noteworthy changes

    • 🆕 New experimental Golang Dependency and Module analyzers with new setting keys: dependencyCheckGolangDepEnabled, dependencyCheckGolangModEnabled and dependencyCheckPathToGo
    • Optional settings to add credentials for OSS Index Analyzer: dependencyCheckOSSIndexAnalyzerUsername and dependencyCheckOSSIndexAnalyzerPassword
    • 👀 Suppression Schema now supports suppressing RetireJS, NSP and OSS Index vulnerabilities. See for examples.
  • v1.0.0 Changes

    June 13, 2019

    🚀 Updated dependency-check-core to v5.0.0 (#72). See Release notes of dependency-check v5.0.0-m1, v5.0.0-M2, v5.0.0-M3 and v5.0.0 for details.

    💥 Breaking changes

    • The NVD CVE data import now uses the JSON data feeds instead of the XML data feeds.
      • The setting key names have changed if you are mirroring the data feeds locally.
    • sbt-dependency-check now uses the NVD Meta files in addition to the *.json.gz files. If you have a local mirror of the NVD you must now mirror the meta data files. The nist-data-mirror has been updated to include these files.
    • dotnet core must be installed to analyze .NET assemblies
    • 0️⃣ The retire.js analyzer is no longer considered experimental and is enabled by default.
    • ⚡️ All of the report formats have been updated to include the additional data from the NVD CVE JSON data feeds.

    Noteworthy changes

    • Multiple report formats can be specified with the new setting dependencyCheckFormats; if you wanted just two of the reports you no longer need to use ALL.