Updated dependency-check-core to v5.0.0 (#72). See the release notes of dependency-check v5.0.0-m1, v5.0.0-M2, v5.0.0-M3 and v5.0.0 for details.
Breaking changes
- The NVD CVE data import now uses the JSON data feeds instead of the XML data feeds.
- The setting key names have changed if you are mirroring the data feeds locally.
- sbt-dependency-check now uses the NVD Meta files in addition to the *.json.gz files. If you have a local mirror of the NVD you must now mirror the meta data files. The nist-data-mirror has been updated to include these files.
- dotnet core must be installed to analyze .NET assemblies.
- The retire.js analyzer is no longer considered experimental and is enabled by default.
- All of the report formats have been updated to include the additional data from the NVD CVE JSON data feeds.
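
If you run a local mirror, it helps to check that each mirrored `*.json.gz` file agrees with the meta file beside it before builds depend on it. The following is an added example, not code from sbt-dependency-check or nist-data-mirror. It assumes the NVD meta layout of `key:value` lines (`lastModifiedDate`, `size`, `zipSize`, `gzSize`, `sha256`, with `sha256` taken over the uncompressed JSON); the function names and the sample data are constructed for illustration.

```python
import gzip
import hashlib
import zlib

def parse_meta(text):
    """Parse an NVD .meta file: one 'key:value' pair per line (CRLF tolerated)."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            meta[key] = value  # split on the first colon only; timestamps contain more
    return meta

def check_feed(gz_bytes, meta_text):
    """Return the mismatches between a mirrored .json.gz and its .meta (empty = consistent)."""
    meta = parse_meta(meta_text)
    missing = [k for k in ("size", "gzSize", "sha256") if k not in meta]
    if missing:
        return ["meta file lacks " + k for k in missing]
    problems = []
    if str(len(gz_bytes)) != meta["gzSize"]:
        problems.append("gzSize mismatch")
    try:
        raw = gzip.decompress(gz_bytes)
    except (OSError, EOFError, zlib.error) as exc:
        # A truncated or corrupted download ends up here.
        return problems + ["feed does not decompress: %s" % exc]
    if str(len(raw)) != meta["size"]:
        problems.append("size mismatch")
    if hashlib.sha256(raw).hexdigest().upper() != meta["sha256"].upper():
        problems.append("sha256 mismatch")
    return problems

# Constructed sample: a tiny stand-in for one feed file and the meta file beside it.
SAMPLE_JSON = b'{"CVE_Items": []}'
SAMPLE_GZ = gzip.compress(SAMPLE_JSON)
SAMPLE_META = "\r\n".join([
    "lastModifiedDate:2019-01-01T00:00:00-04:00",
    "size:%d" % len(SAMPLE_JSON),
    "zipSize:0",
    "gzSize:%d" % len(SAMPLE_GZ),
    "sha256:" + hashlib.sha256(SAMPLE_JSON).hexdigest().upper(),
]) + "\r\n"

if __name__ == "__main__":
    print(check_feed(SAMPLE_GZ, SAMPLE_META) or "mirror copy is consistent")
```

A non-empty result usually means the feed and its meta file were fetched at different times or the download was cut short; re-sync both files together.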
Noteworthy changes
- Multiple report formats can be specified with the new setting `dependencyCheckFormats`; if you wanted just two of the reports you no longer need to use ALL.