Closed dengelkecap closed 3 months ago
FWIW I use npm run check:owasp -- --odc-version v9.0.9
as a workaround
Here is the PR for it. https://github.com/etnetera/owasp-dependency-check/pull/24
FWIW I use
npm run check:owasp -- --odc-version v9.0.9
as a workaround
Note that the --odc-version parameter was added since the last release version (0.0.21) so this workaround only works if you're using it from source.
FWIW I use
npm run check:owasp -- --odc-version v9.0.9
as a workaround
Note that the --odc-version parameter was added since the last release version (0.0.21) so this workaround only works if you're using it from source.
Absolutely, I had to replace "owasp-dependency-check": "0.0.21"
with "owasp-dependency-check": "etnetera/owasp-dependency-check"
in package.json in order to use this new option.
Please is it possible to get the PR merged and a version published to NPM? We really should be using a published version which includes the fix. Linking compliance jobs in CI to a branch on GitHub that can change at any time, then passing a flag to prevent the dependency checker from being updated, none of this is really in the spirit of what the tool is trying to achieve!
This is such a handy little package, getting the update published would really extend its lifespan.
Version 9.1.0 of dependency-check has been released, we should be able to use the latest version with the master branch again (at least until 9.1.10 or 10.0.0).
Version 10.0.0 of the core dependency-check binaries was just released, this package is not going to work again now until this issue is resolved.
Since the PR #23 merge (05/26/2024), and still using "owasp-dependency-check": "etnetera/owasp-dependency-check"
in package.json, I was able to switch back to the latest version of dependency-check with npm run check:owasp.
Just be sure to update the package properly using npm update owasp-dependency-check
(this changes the commit hash in package-lock.json).
Still waiting for NPM release though!
Agreed. I have made it work by pointing directly at GitHub, but for a dependency checking tool, there really should be a versioned and released package! Especially given the news recently about using the tool chain as an attack vector - I know this is a much simpler case, but the principle applies I think.
PR #25 is merged and version 0.22 is out. The new RE should work with multi-digit versions of the binary.
Since dependency-check cli release 9.0.10 (https://github.com/jeremylong/DependencyCheck/releases/tag/v9.0.10) the automatic download of the latest version does not work anymore.
This might be due to an incompatible regular expression to determine the download URL:
const NAME_RE = /^dependency\-check\-\d\.\d\.\d\-release\.zip$/;
This regex will only recognize single-digit release numbers.
This could be fixed by enhancing the regex to
/^dependency\-check\-\d+\.\d+\.\d+\-release\.zip$/
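The following is an added example, not code from the owasp-dependency-check package or from the issue author. It places the original NAME_RE next to the widened one, runs both over a constructed list of release asset names in the "dependency-check-X.Y.Z-release.zip" scheme, and shows why numeric rather than lexical comparison is needed once a component reaches two digits (9.0.10 and 10.0.0). The helper names, the asset list and the assumption that the CLI bundle is the only asset matching the pattern are mine.

```javascript
// Added example (not the project's code): why the single-digit regex stops
// matching at 9.0.10, and how the widened pattern selects the newest asset.

const OLD_NAME_RE = /^dependency\-check\-\d\.\d\.\d\-release\.zip$/;   // from the issue
const NEW_NAME_RE = /^dependency\-check\-\d+\.\d+\.\d+\-release\.zip$/; // proposed fix

// Constructed asset names; they only imitate the release naming scheme.
const SAMPLE_ASSETS = [
  'dependency-check-9.0.9-release.zip',
  'dependency-check-9.0.9-release.zip.asc',      // signature file, not the bundle
  'dependency-check-9.0.10-release.zip',
  'dependency-check-10.0.0-release.zip',
  'dependency-check-ant-10.0.0-release.zip',     // a different artifact, must not match
];

// Return the asset names a given pattern accepts.
function matchAssets(assetNames, re) {
  return assetNames.filter((name) => re.test(name));
}

// Extract the version as a numeric triple; null when the name is not a CLI bundle.
function parseVersion(name) {
  const m = /^dependency-check-(\d+)\.(\d+)\.(\d+)-release\.zip$/.exec(name);
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of version triples: [10,0,0] > [9,0,10], unlike a string sort.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Pick the newest CLI bundle among the assets, or null when nothing matches.
function pickLatestAsset(assetNames) {
  const candidates = matchAssets(assetNames, NEW_NAME_RE);
  if (candidates.length === 0) return null;
  candidates.sort((x, y) => compareVersions(parseVersion(x), parseVersion(y)));
  return candidates[candidates.length - 1];
}

// Stand-alone demonstration.
console.log('old regex matches:', matchAssets(SAMPLE_ASSETS, OLD_NAME_RE));
console.log('new regex matches:', matchAssets(SAMPLE_ASSETS, NEW_NAME_RE));
console.log('latest asset:', pickLatestAsset(SAMPLE_ASSETS));
```

Returning null when no asset matches is deliberate: a downloader that silently falls back to an older cached binary would hide exactly the failure this issue describes, so a caller should treat a null result as an error rather than proceed.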