My first post about this open source OWASP project was about an older version. Some days back, a new version was released. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 5.1.0, which includes a lot of bug fixes and enhancements.
What is OWASP Dependency-Check?
OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. It can currently be used to scan Java and .NET applications to identify the use of known vulnerable components with experimental analyzers for Python, Ruby, PHP (composer), and Node.js applications. Additionally, OWASP Dependency-Check has experimental analyzers that can be used to scan some C/C++ source code, including OpenSSL source code and projects that use Autoconf or CMake.
The OWASP Dependency-Check 5.1.0 release is a major release with the following breaking changes:
- Added two experimental analyzers to support Golang.
- Updated the suppression schema to support suppressing OSS Index, RetireJS, NSP vulnerabilities, etc.
- The HTML report now uses the 1.3 suppression schema by default to generate suppression rules.
- See the updated examples on https://jeremylong.github.io/DependencyCheck/general/suppression.html.
- Added optional configuration to add credentials to the OSS Index analysis.
- Resolved issues when Oracle or MySQL were used as a centralized database in 5.0.0.
- The following issues were resolved:
- Error when try to use Dependency Check offline (Dependency Check version 5.0.0)
- Bug in sleep time between retries causes maven plugin to appear to hang
- ossIndex Suppression Doesn’t Quite Work w/ Maven plugin for 5.0.0
- False Positive on simpleclient_hotspot-0.6.0.jar (Dependency Check: 5.0.0)
- Broken link in Dependency Check Maven – Source Code Management documentation
- Oracle: failure to update the DB using version 5.0.0
- Sonatype OSS scan request fails if dependency does not have a version
- Unsuppressable vulnerability: BREACH attack possible in CSRF tokens
- Success returned even though there’s an error
- MySQL 5.6 on AWS RDS Database Query Errors
- Cannot suppress OSSINDEX findings
- Possible to suppress JavaScript pkg findings?
- Suppress NPM vulnerabilities
- Dependency Check for Golang
- Maven plugin: unable to configure scanset from the command line
- Support suppression for NPM (and NSP) findings
Download OWASP Dependency-Check 5.1.0:
Download OWASP Dependency-Check 5.1.0 (DependencyCheck-5.1.0.zip/DependencyCheck-5.1.0.tar.gz) and other related plugins here.
