Changelog History
-
v3.0.0 Changes
November 14, 2020
Breaking Changes
- Dropped sbt v0.13.x support. It's time to upgrade to sbt v1.x if you haven't done already.
- If upgrading from sbt-dependency-check v2.0.0 or earlier, make sure to run dependencyCheckPurge once before running any other task, as there are incompatible database changes.
Noteworthy Changes
- You can now define almost all settings with Global or ThisBuild to set up your own defaults for all your projects in your build. See #100 and the updated Multi-Project Setup section in the README.
Bugfixes
- Fixed an issue for the dependencyCheckPurge task, which was using an outdated hard-coded value for the database filename and therefore never deleting the database. This was additionally causing users issues when upgrading to sbt-dependency-check v2.1.0, as it was a required step in the upgrade path. See #145
- Fixed an issue where sbt-dependency-check was throwing an error for projects that have JvmPlugin disabled. #122
- Fixed an error in the docs for dependencyCheckFormat. #148
-
v2.1.0 Changes
November 04, 2020
Updated dependency-check-core to v6.0.3 (#140). See release notes of DependencyCheck v5.3.1 - v6.0.3
Noteworthy changes
- After upgrading, run dependencyCheckPurge to clean your database
- Users mirroring the NVD feeds: sbt-dependency-check now requires the use of the version 1.1 data feeds. Please ensure you are using the 1.1 and not the 1.0 data feed.
- Added an experimental PE Analyzer that reads the PE headers of DLL and EXE files that can be activated with dependencyCheckPEAnalyzerEnabled
- Added experimental Analyzers for pip and Pipfile that can be activated with dependencyCheckPipAnalyzerEnabled, dependencyCheckPipfileAnalyzerEnabled
- Added an experimental Analyzer for Mix Audit to scan Elixir dependencies that can be activated with dependencyCheckMixAuditAnalyzerEnabled. Configure dependencyCheckMixAuditPath to point to the mix_audit binary
- Added dependencyCheckCveUser and dependencyCheckCvePassword settings to support NVD feed mirrors with Basic Authentication
-
v2.0.0 Changes
February 15, 2020
Updated dependency-check-core to v5.3.0 (#118). See release notes of DependencyCheck v5.3.0
Breaking Changes
- dependencyCheckAggregate previously scanned all projects and now only scans project aggregates and dependents. Use the new task dependencyCheckAnyProject to scan all projects.
Noteworthy changes
- New experimental Analyzer that can be activated with dependencyCheckNPMCPEAnalyzerEnabled
- New setting dependencyCheckNodeAuditSkipDevDependencies
- Removed noisy log entries from JCS (#114)
-
v1.3.3 Changes
October 06, 2019
- Fixed a regression introduced in v1.3.2 in cross build for sbt 0.13.18 where slf4j was not declared as a dependency any more, causing warnings for plugin users and missing logging messages
-
v1.3.2 Changes
October 06, 2019
- Updated sbt-dependency-check build to sbt 1.3.2
- Updated several plugins
- Fixed regression introduced with v1.3.1 that caused an exception for users of the plugin on a version of sbt 1.x before sbt 1.3.0 (See issue #87)
-
v1.3.1 Changes
September 30, 2019
Updated dependency-check-core to v5.2.2. See release notes of v5.2.2 for more details.
Added better logging of exception collections.
-
v1.3.0 Changes
August 10, 2019
Updated dependency-check-core to v5.2.1. See release notes of v5.2.1 for more details.
-
v1.2.0 Changes
July 29, 2019
-
v1.1.0 Changes
July 06, 2019
Updated dependency-check-core to v5.1.0 (#77). See release notes of dependency-check v5.1.0 for more details and bugfixes.
Noteworthy changes
- New experimental Golang Dependency and Module analyzers with new setting keys: dependencyCheckGolangDepEnabled, dependencyCheckGolangModEnabled and dependencyCheckPathToGo
- Optional settings to add credentials for OSS Index Analyzer: dependencyCheckOSSIndexAnalyzerUsername and dependencyCheckOSSIndexAnalyzerPassword
- Suppression Schema now supports suppressing RetireJS, NSP and OSS Index vulnerabilities. See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples.
-
v1.0.0 Changes
June 13, 2019
Updated dependency-check-core to v5.0.0 (#72). See release notes of dependency-check v5.0.0-m1, v5.0.0-M2, v5.0.0-M3 and v5.0.0 for details.
Breaking changes
- The NVD CVE data import now uses the JSON data feeds instead of the XML data feeds.
- The setting key names have changed if you are mirroring the data feeds locally.
- sbt-dependency-check now uses the NVD Meta files in addition to the *.json.gz files. If you have a local mirror of the NVD you must now mirror the meta data files. The nist-data-mirror has been updated to include these files.
- dotnet core must be installed to analyze .NET assemblies
- The retire.js analyzer is no longer considered experimental and is enabled by default.
- All of the report formats have been updated to include the additional data from the NVD CVE JSON data feeds.
Noteworthy changes
- Multiple report formats can be specified with the new setting dependencyCheckFormats; if you wanted just two of the reports you no longer need to use ALL.