UPDATE: OWASP Dependency-Check 3.0.0

2017-10-17T21:23:52
ID PENTESTIT:5F52F062C44ADB60F77903F6AA8D9AB7
Type pentestit
Reporter Black
Modified 2017-10-17T21:23:52

Description

PenTestIT RSS Feed

My first post about this open source OWASP project was about an older version. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 3.0.0! This release comes with Java 9 compatibility and regular expression support for the Hint Analyzer.

OWASP Dependency-Check 3.0.0

What is OWASP Dependency-Check?

> OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. It can currently be used to scan Java and .NET applications to identify the use of known vulnerable components with experimental analyzers for Python, Ruby, PHP (composer), and Node.js applications. Additionally, OWASP Dependency-Check has experimental analyzers that can be used to scan some C/C++ source code, including OpenSSL source code and projects that use Autoconf or CMake.

OWASP Dependency-Check 3.0.0 Changelog:

  • Several bug fixes and false positive reduction
    • The 2.x branch introduced several new false positives – but also reduced the false negatives
  • Java 9 compatibility update
  • Stability issues with the Central Analyzer resolved
    • This comes at a cost of a longer analysis time
  • The CSV report now includes the GAV and CPE
  • The Hint Analyzer now supports regular expressions
  • If show summary is disabled and vulnerable libraries are found that fail the build details are no longer displayed in the console – only that vulnerable libraries were identified
  • Resolved issues with threading and multiple connections to the embedded H2 database
    • This allows the Jenkins pipeline, Maven Plugin, etc. to safely run parallel executions of dependency-check

Download OWASP Dependency-Check 3.0.0:

Download OWASP Dependency-Check 3.0.0 (DependencyCheck-3.0.0.zip/DependencyCheck-3.0.0.tar.gz) and other related plugins here.

The post UPDATE: OWASP Dependency-Check 3.0.0 appeared first on PenTestIT.