All Versions
Latest Version
Avg Release Cycle
69 days
Latest Release
588 days ago

Changelog History
Page 1

  • v3.0.0 Changes

    November 14, 2020

    ๐Ÿ’ฅ Breaking Changes

    • โฌ†๏ธ Dropped sbt v0.13.x support. It's time to upgrade to sbt v1.x if you haven't done already.
    • โฌ†๏ธ If upgrading from sbt-dependency-check v2.0.0 or earlier make sure to run dependencyCheckPurge once before running any other task as there are incompatible database changes.

    Noteworthy Changes

    • โšก๏ธ You can now define allmost all settings with Global or ThisBuild to set up your own defaults for all your projects in your build. See #100 and the updated Multi-Project Setup section in the README.

    ๐Ÿ›  Bugfixes

    • ๐Ÿ›  Fixed an issue for dependencyCheckPurge task which was using an outdated hard-coded value for the database filename and therefore never deleting the database. This was additionally causing users issues when uprading to sbt-dependency-check v2.1.0 as it was a required step in the upgrade path. See #145
    • ๐Ÿ›  Fixed an issue where sbt-dependency-check was throwing an error for projects that have JvmPlugin disabled. #122
    • ๐Ÿ›  Fixed an error in the docs for dependencyCheckFormat. #148
  • v2.1.0 Changes

    November 04, 2020

    ๐Ÿš€ Updated dependency-check-core to v6.0.3 (#140). See release notes of DependencyCheck v5.3.1 - v6.0.3

    Noteworthy changes

    • โฌ†๏ธ After upgrading run dependencyCheckPurge to clean your database
    • ๐Ÿ‘‰ Users mirroring the NVD feeds - sbt-dependency-check now requires the use of the version 1.1 data feeds - please ensure you are using 1.1 not the 1.0 data feed.
    • โž• Added an experimental PE Analyzer that reads the PE headers of DLL and EXE files that can be activated with dependencyCheckPEAnalyzerEnabled
    • โž• Added experimental Analyzers for pip and Pipfile that can be activated with dependencyCheckPipAnalyzerEnabled, dependencyCheckPipfileAnalyzerEnabled,
    • โž• Added an experimental Analyzer for Mix Audit to scan Elixir dependencies that can be activated with dependencyCheckMixAuditAnalyzerEnabled. Configure dependencyCheckMixAuditPath to point to the mix_audit binary
    • โž• Added dependencyCheckCveUser and dependencyCheckCvePassword settings to support NVD feed mirrors with Basic Authentication
  • v2.0.0 Changes

    February 15, 2020

    ๐Ÿš€ Updated dependency-check-core to v5.3.0 (#118). See release notes of DependencyCheck v5.3.0

    ๐Ÿ’ฅ Breaking Changes

    • dependencyCheckAggregate previously scanned all projects and now only scans project aggregates and dependents. Use the new task dependencyCheckAnyProject to scan all projects.

    Noteworthy changes

    • ๐Ÿ†• new experimental Analyzer that can be activated with dependencyCheckNPMCPEAnalyzerEnabled
    • ๐Ÿ†• new Setting dependencyCheckNodeAuditSkipDevDependencies
    • โœ‚ Removed noisy log entries from JCS (#114)
  • v1.3.3 Changes

    October 06, 2019
    • ๐Ÿ›  Fixed a regression introduced in v1.3.2 in cross build for sbt 0.13.18 where slf4j was not declared as a dependency any more causing warnings for plugin users and missing logging messages
  • v1.3.2 Changes

    October 06, 2019
    • โšก๏ธ Updated sbt-dependency-check build to sbt 1.3.2
    • โšก๏ธ Updated several plugins
    • ๐Ÿ›  Fixed regression introduced with v1.3.1 that caused an exception for users of the plugin on a version of sbt 1.x before sbt 1.3.0 (Se issue #87)
  • v1.3.1 Changes

    September 30, 2019

    ๐Ÿš€ Updated dependency-check-core to v5.2.2. See release notes of v5.2.2 for more details.

    โž• Added better logging of exception collections.

  • v1.3.0 Changes

    August 10, 2019

    ๐Ÿš€ Updated dependency-check-core to v5.2.1. See release notes of v5.2.1 for more details.

  • v1.2.0 Changes

    July 29, 2019

    ๐Ÿš€ Updated dependency-check-core to v5.2.0 (thanks @sullis for PR #80). See the release notes of v5.2.0 and v5.1.1 for details.

    Noteworthy changes

    • ๐Ÿ†• New Setting Key dependencyCheckBundleAuditWorkingDirectory
    • ๐Ÿ›  Fixes of several false-positives
  • v1.1.0 Changes

    July 06, 2019

    ๐Ÿ›  Updated dependency-check-core to v5.1.0 (#77 ). See Release notes of dependency-check v5.1.0 for more details and bugfixes.

    Noteworthy changes

    • ๐Ÿ†• New experimental Golang Dependency and Module analyzers with new setting keys: dependencyCheckGolangDepEnabled, dependencyCheckGolangModEnabled and dependencyCheckPathToGo
    • Optional settings to add credentials for OSS Index Analyzer: dependencyCheckOSSIndexAnalyzerUsername and dependencyCheckOSSIndexAnalyzerPassword
    • ๐Ÿ‘€ Suppression Schema now supports suppressing RetireJS, NSP and OSS Index vulnerabilities. See for examples.
  • v1.0.0 Changes

    June 13, 2019

    ๐Ÿš€ Updated dependency-check-core to v5.0.0 (#72). See Release notes of dependency-check v5.0.0-m1, v5.0.0-M2, v5.0.0-M3 and v5.0.0 for details.

    ๐Ÿ’ฅ Breaking changes

    • The NVD CVE data import now uses the JSON data feeds instead of the XML data feeds.
      • The setting key names have changed if you are mirroring the data feeds locally.
    • sbt-dependency-check now uses the NVD Meta files in addition to the *.json.gz files. If you have a local mirror of the NVD you must now mirror the meta data files. The nist-data-mirror has been updated to include these files.
    • dotnet core must be installed to analyze .NET assemblies
    • 0๏ธโƒฃ The retire.js analyzer is no longer considered experimental and is enabled by default.
    • โšก๏ธ All of the report formats have been updated to include the additional data from the NVD CVE JSON data feeds.

    Noteworthy changes

    • Multiple report formats can be specified with the new setting dependencyCheckFormats; if you wanted just two of the reports you no longer need to use ALL.