UPDATE: OWASP Dependency-Check 5.0.0

My first post about this open source OWASP project was about an older version. About 18 hours ago, a new version was released. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 5.0.0, which includes a lot of bug fixes and enhancements.

OWASP Dependency-Check 5.0.0

What is OWASP Dependency-Check?

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. It can currently be used to scan Java and .NET applications to identify the use of known vulnerable components with experimental analyzers for Python, Ruby, PHP (composer), and Node.js applications. Additionally, OWASP Dependency-Check has experimental analyzers that can be used to scan some C/C++ source code, including OpenSSL source code and projects that use Autoconf or CMake.

The OWASP Dependency-Check 5.0.0 release is a major release with many breaking changes; 

  • Updated to use the NVD JSON data feeds
  • OSS Index Integration
  • .NET analysis now requires dotnet core
  • Add caching of OSS-Index, Central Analyzer, and Node Audit analysis results.
  • General bug fixes identified in the previous milestone releases; such as:
    • False Positive on spring-boot-starter-security 2.1.5 – CPE for spring_security:2.1.5
    • Documentation of <until> feature is missing
    • CPEAnalyzer fails to identify products with “-” in product name
    • HTML Report uses vulnerable jquery version
    • Add support for suppressionURL (with default)
    • False Positive on micrometer-registry-prometheus
    • False Positive on auth0/jwks-rsa-java
    • False Positive on spring-boot
    • False Positive on [mysql-connector-java] – server vulnerabilities listed
    • False Positive on hazelcast-kubernetes
    • Maybe false negatives [CVE-2015-1796, CVE-2016-4977, CVE-2017-7536]
    • Implement Package URL into all standard reports

Download OWASP Dependency-Check 5.0.0:

Download OWASP Dependency-Check 5.0.0 ( and other related plugins here.

Kali Linux 2019.2, the latest and the greatest Kali Linux release is now officially available! This is the second 2019 release, which comes after Kali Linux 2019.1, that was made available in the month of February. This new release majorly focuses on Kali Linux NetHunter updates including 13 new images and added device support along with

You Might Also Like

Leave a Reply