
Releases: jeremylong/DependencyCheck

Version 6.1.3

22 Mar 11:57

Changes in this Release

  • Modified the new CPE matching strategy to be more performant (#3207)
  • Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) (#3205)
  • See the full listing of changes.

Version 6.1.2

08 Mar 12:15

Changes in this Release

  • Fixed a bug in the Sarif report generation.
  • Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1.
  • Added a new CPE matching strategy to reduce false negatives.
  • The CLI and Ant task will no longer be published to Bintray.
  • Several minor bug fixes.
  • See the full listing of changes.

Version 6.1.1

13 Feb 12:29

Changes in this Release

  • Added missing configuration options for yarn and msbuild.
  • Several bug fixes.
  • See the full listing of changes.

Version 6.1.0

27 Jan 12:06

Changes in this Release

  • Added SARIF file format per #3081.
  • Added support for Yarn per #3063.
  • False positive reduction and minor bug fixes.
  • See the full listing of changes.

Version 6.0.5

07 Jan 11:21

Changes in this Release

  • Added missing command line arguments per #3028 and #3035.
  • False positive reduction and minor bug fixes.
  • See the full listing of changes.

Version 6.0.4

01 Jan 19:05

Changes in this Release

  • Minor bug fixes and reduction of false positives.
  • See the full listing of changes.

v6.0.3

03 Nov 13:04
b7c5947
  • Added a bash command completion script (see #2916). To add completion to your shell,
    source completion-for-dependency-check.sh, which can be found in the bin directory of the CLI:
    $ source completion-for-dependency-check.sh
  • An experimental PIP File Analyzer was added (see #2877).
  • Analysis of Node JS produced several false positives (see #2796); the analysis has
    been updated to reduce the number of false positives.
    • If analyzing Node JS projects, it is highly recommended to disable the Node JS Analyzer
      and rely solely on the Node Audit Analyzer. There are plans to rework Node JS analysis
      in a future release.
  • Support for external Oracle databases has been added for the 6.x releases (see #2899).
  • Resolved several reported false positives.
  • Several other bug fixes have been implemented; see the full listing of
    changes.

v6.0.2

27 Sep 11:34
60e748f
  • The project is migrating the release archives from Bintray to GitHub, under the assets for each release.
    • Please update any automation you have to point to the new location.
  • Npm Audit Analyzer now correctly skips dev dependencies (--nodeAuditSkipDevDependencies); see #2482.
  • GoLang Analyzer now scans transitive dependencies; see #2680.
  • Several bug fixes found in 6.0.1.

6.0.1

14 Sep 10:34
2b26616
  • Improved error messages when upgrading from 5.x to 6.x. Because of breaking database changes, if the old
    database schema is detected an error message is produced indicating that the old database should be purged.

  • Fixed the database path for the Ant and Gradle plugins.

  • Added locking around the RetireJS updates to resolve read/write conflicts in CI environments.

  • Full listing of changes.

v6.0.0

07 Sep 14:43
b704066
  • Updated database schema. This is a breaking change: anyone using an external database or specifying
    the data directory will need to recreate the database (including users of the docker image). The schema
    changes were made to:

    • Improve the CVSS data, when available, per #2547
    • Improve the way that ecosystems are determined
    • Improve the update performance of external databases
  • Users with an external Oracle database will not be able to upgrade, as #2755 has not been resolved; as such, version 6.0.0 does not support Oracle.

  • Users mirroring the NVD: ODC 6.0.0 requires the version 1.1 data feeds;
    please ensure you are using the 1.1 data feed, not the 1.0 data feed.

  • Full listing of changes.