Releases: jeremylong/DependencyCheck

Version 7.0.3

29 Mar 11:40
d881157

Changes

  • Update to jackson-databind (see #4285).
  • See the full listing of changes.

Version 7.0.2

28 Mar 12:09
eecb5a0

Changes

  • General project maintenance, bug fixes, and false positive and false negative reductions.
  • See the full listing of changes.

Version 7.0.1

23 Mar 11:16
180596b

Changes

  • General project maintenance, bug fixes, and false positive reductions.
  • See the full listing of changes.

Version 7.0.0

28 Feb 12:05
a7e36ff

Breaking Changes

  • The H2 database version has been upgraded.
    • If you use the dataDirectory option, you will need to run a purge after upgrading.
  • Upgraded to dotnet core 6.0. If analyzing dotnet assemblies, the system will need to have the dotnet core 6.0.x runtime available.

Changes

  • The Sarif report format has been fixed and can now be imported into GitHub if desired (see #3993).
  • Introduced IssueOps for False Positive reports to assist the team in evaluating FP reports.
  • When analyzing Java projects, ODC now includes data from the developers section.
    • This will likely cause false positives on things like Apache James; please report the FP and we will fix these quickly.
  • General project maintenance, bug fixes, and false positive reductions.
  • See the full listing of changes.

Version 6.5.3

12 Jan 12:25
9682614

Changes in this Release

  • Performance improvements for some Maven projects (see #3923 and #3931).
  • Fixed bug in npm version handling introduced in 6.5.2 (see #3956).
  • Improved the node package analyzer to correctly report the origin of a dependency (see #3970).
  • General code maintenance and false positive reductions.
  • See the full listing of changes.

Version 6.5.2

03 Jan 12:41
8ceeff8

Changes in this Release

  • Fixed false positives around log4j-api and Log4j-web (#3910 & #3937).
  • Bug fix when processing NPM lock files (#3893).
  • Added missing pnpm argument to the CLI (#3916).
  • General code maintenance and false positive reductions.
  • See the full listing of changes.

Version 6.5.1

18 Dec 21:52
bf30aa8

Changes in this Release

  • Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified (#3787).
  • Improved the analysis of Swift package manager files (package.resolved; see #3813).
  • General code maintenance and false positive reductions.
  • See the full listing of changes.

Version 6.5.0

08 Nov 13:20
47737f0

Changes in this Release

  • Updated build configuration to create reproducible builds.
  • Updated automated release process to work with branch protection.
  • Resolved several false positives in the Java ecosystem.
  • Enabled the Swift Resolved analyzer per #3735.
  • Improved iOS support per #3168 and #3765.
  • Added a new pnpm analyzer.
  • Fixed an issue with some npm and yarn analysis failing due to large audit output.
  • See the full listing of changes.

Version 6.4.1

11 Oct 21:34

Changes in this Release

  • Added download attempts with increasing wait time for CVE meta files from the NVD to prevent rate limiting issues (see #3725).
  • See the full listing of changes.

Version 6.4.0

11 Oct 18:54

Changes in this Release

  • Increased timeout between downloads from the NVD to prevent rate limiting issues (see #3722).
    • cveStartYear is now configurable and can be set to any year from 2002 to the present.
    • cveWaitTime is a new configuration option that defines how many milliseconds to wait between NVD downloads; the default is 4000 ms (see #3690).
    • The NVD CVE data files are now cached for up to 4 hours; if a download fails, re-running ODC will use the cached version.
  • Fixed NPE in the ODC maven plugin (see #3702).
  • See the full listing of changes.