Added
- Utilize the hosted suppression file to allow for faster remediation of reported False Positives (#4723).
- Include the CISA Known Exploited Vulnerability Catalog (#4878).
- The
gradleandmavenplugins now have the capability to scan the build plugins (#4035). - The
gradleandmavenplugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency (#5001). - Added
properties.security-severityto SARIF report for better integration with GitHub Security Code scanning (#5277). - Allow for HTTP auth settings for Retire JS respository (#5209).
- New schema for the XML report was added to support some of the above additions (#5296).
- Added missing gradle option to only warn on remote errors from the OSS Index Analyzer (gradle #303).
Changed
- Breaking: the database schema updated - if using an external database the update scripts must be run!
- The exit codes from the CLI have been changed to be in the range from 0-255 (#4511.
- The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported (#5300).
Fixed
- Added an additional check for rejected CVEs to reduce FP (#5268.
- Corrected the analysis of
node_modulesto prevent NPEs (#5266). - Fixed error when scanning node packages with local dependencies (#5235).
- Fixed NPE in the MSBuild Analyzer (#5293).
- Several False Positives have been resolved.
See the full listing of changes.