My first post about this open source OWASP project was about an older version. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 2.1.0! What I like about this release is that the patch-level verification for Ruby Bundler has been proven conclusive and is now fully implemented.
What is OWASP Dependency-Check?
OWASP Dependency-Check is a utility that identifies project dependencies and checks whether any of them have known, publicly disclosed vulnerabilities. Currently Java and .NET are supported. Experimental analyzers include Python, Ruby, PHP (composer), and Node.js applications; these are considered experimental because of their possible false positive and false negative rates. To use the experimental analyzers they must be specifically enabled via the appropriate experimental configuration. In addition, dependency-check has experimental analyzers that can scan some C/C++ source code, including OpenSSL source code and projects that use Autoconf or CMake.
OWASP Dependency-Check 2.1.0 changelog:
- General bug fixes and false positive reduction
- For developers building integrations with dependency-check, the core engine has introduced execution modes: Evidence Collection, Evidence Processing, and Standard (default). See PR #798 for more information.
- Fixed bug that prevented the use of Postgres and Oracle databases with dependency-check.
- Ruby Bundle-Audit Analyzer has been promoted and is no longer considered experimental.
- Maven Plugin – the aggregate goal now correctly fails the build if an error occurs while running dependency-check.
- Ant Task – in order to better support multiple suppression files a change was made to the configuration. Please see the README.md for details on the change.
- Gradle Plugin – the dependencyCheckAggregate task was introduced to better support multi-project builds.
- Maven Plugin – now scans standard maven directories for dependencies. This can be updated by configuring the ScanSet property.
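To put the experimental-analyzer and aggregate-goal items above in context, here is a pom.xml fragment wiring the 2.1.0 Maven plugin into a build. It is an added illustration, not configuration from the release notes or the project; the parameter names (enableExperimental, failBuildOnCVSS, suppressionFile) are the plugin's as I know them and the CVSS threshold and suppression file path are assumed, so check them against the plugin documentation for your version.

```xml
<!-- Example pom.xml fragment (added illustration, not from the release notes).
     Parameter names are those of dependency-check-maven as the author of this
     example knows them; the threshold and suppression path are assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>2.1.0</version>
      <configuration>
        <!-- Python, PHP, Node.js and C/C++ analyzers stay off unless this is set;
             Ruby Bundle-Audit no longer needs it as of 2.1.0 -->
        <enableExperimental>true</enableExperimental>
        <!-- fail the build when any finding reaches this CVSS score (assumed value) -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- reviewed false positives are recorded here rather than ignored ad hoc -->
        <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- bind aggregate in the parent POM of a multi-module build;
                 per the 2.1.0 notes it now fails the build on analysis errors -->
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run `mvn verify` (or `mvn org.owasp:dependency-check-maven:aggregate`) from the parent module; the suppression file must exist at the configured path or the plugin will report an error.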
Download OWASP Dependency-Check 2.1.0:
Download OWASP Dependency-Check 2.1.0 (DependencyCheck-2.1.0.zip) and other related plugins here.