My first post about this OWASP project can be found here. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 2.0.1!
What is OWASP Dependency-Check?
OWASP Dependency-Check is a utility that identifies project dependencies and checks whether they have any known, publicly disclosed vulnerabilities. Currently Java and .NET are supported. Experimental analyzers cover Python, Ruby, PHP (composer), and Node.js applications; these are marked experimental because of their possible false positive and false negative rates. To use the experimental analyzers, they must be specifically enabled via the appropriate experimental configuration. In addition, dependency-check has experimental analyzers that can scan some C/C++ source code, including OpenSSL source code and projects that use Autoconf or CMake.
OWASP Dependency-Check 2.0.1 changelog:
In addition to general bug fixes and false positive reductions, the following enhancements were made:
- Fixed issues when used with a proxy
- Fixed issue with .NET Assembly Analyzer
For Gradle users, when upgrading from 1.x to 2.x the dependencyCheck task was renamed to
Special thanks to everyone who submitted a pull request, and kudos to the OWASP Dependency-Check team!
Download OWASP Dependency-Check 2.0.1:
Download DependencyCheck-2.0.1.zip and other related plugins here.