Update dependency org.owasp:dependency-check-maven from v5.3.2 to v11 #70

renovate · 2024-10-28T01:07:44Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.owasp:dependency-check-maven (source)	`5.3.2` -> `11.1.1`

Release Notes

jeremylong/DependencyCheck (org.owasp:dependency-check-maven)

`v11.1.1`

Compare Source

fix: re-enable issue locking (#7220)
fix: add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again (#7169)
fix: rework replaceOrAddVulnerability (#7177)
fix: do not log loading of JDBC driver (#7155)
fix: expose flag to disable version check (#7147)
fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions (#7125)
chore: cleanup base suppression (#7138)
docs: update gradle configuration documentation (#7176)
docs: update documentation for Gradle plugin (#7143)
docs: improve false positive issue templat (#7130)

See the full listing of changes.

`v11.1.0`

Compare Source

feat: PHP Composer Analyzer now scans packages-dev by default (#7114)
- Users can configure if packages-dev should be skipped
fix(regression): re-add h2 database driver name (#7115)
fix(regression): Make the Downloader honour the proxy.nonproxyhosts ODC Setting (#7077)
fix: do not set legacy proxy from maven or env (#7072) (#7074)
docs: add missing documentation for the MS Build Analyzer (#7113)
docs: Document the breaking change for Maven plugin as reporting plugin (#7079)

See the full listing of changes.

`v11.0.0`

Compare Source

breaking change: Switch from JMockit to Mockito & build target to Java 11 (#6922)
- dependency-check now requires a minimum of Java 11.0 to run
breaking change: bump com.h2database:h2 from 2.1.214 to 2.3.232 (#6132)
- H2 databases generated with an older version of ODC will not work with ODC 11.0.0; a new H2 db must be generated
breaking change: Maven plugin updated to Doxia 2.x reporting stack
- Users of the Maven plugin that configure it as a reporting plugin will need to use maven-site-plugin 3.20.0 or later (#6959)
feat: Replace old Downloader by an Apache HTTPClient based downloader
feat: Use Apache HTTPClient for downloads of public resources (#6949)
feat: Also make NodeAuditSearch usr our HTTPClient based connections
feat: Also make OSSIndexAnalyzer use our HTTPClient based connections
feat: Migrate CentralSearch to use Apache HTTP-client via Downloader
feat: Extend apache HTTP-client usage to EngineVersionCheck
feat: Remove the need to specify dbDriver for external databases using JDBCv4 ServiceLoader supporting JDBC drivers (#6938)
fix: use latest generated suppressions (#7064)
fix: Fixup parameter sequence for Dowloader credentials (#7033)
fix: Fixup the missing addition of NVD API Datafeed credentials (if configured)
fix: Fixup broken proxy authentication in first attempt; extend to include KEV downloads
fix: store timestamps locally for local resources (#6936)
build: Remove the animal-sniffer, propagate java version to plugin-archetype (#6950)
build: Update Checkstyle configuration and Suppression DTD references (#6951)
chore: Update test db schema (#7036)
chore: remove old, unneeded database upgrade script
docs: reformat javadoc (#7009)
docs: Fixup javadoc warnings (#6995)
chore: Replace use of several deprecated methods/classes by their successors (#6933)

See the full listing of changes.

`v10.0.4`

Compare Source

build(deps): exclude unused dependency (#6916)
fix: improve regex (#6917)
fix: correctly handle null values in cpeMatch (#6915)
fix(site): Update Fluido skin to resolve broken fork-me-on-github image (#6914)
fix: do not report over 100% download complete (#6899)
fix: Correct spelling of occurring in NvdApiDataSource.java (#6883)
fix: skip blank lines in requirements.txt (#6867)
fix: correct percentage calculation (#6868)
docs: remove old recommendation (#6860)

See the full listing of changes.

`v10.0.3`

Compare Source

feat: Enable configuration of a lower resultsPerPage on NVD API (#6843)
build(deps): bump open-vulnerability-clients from 6.1.6 to 6.1.7 (#6848)
build(deps): bump JamesIves/github-pages-deploy-action from 4.6.1 to 4.6.3 (#6814)
build(deps): bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.0 (#6762)
build(deps): bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 (#6815)
build(deps): bump golang from 1.22.4-alpine to 1.22.5-alpine (#6805)

See the full listing of changes.

`v10.0.2`

Compare Source

Mandatory Upgrade - due to older versions of dependency-check causing numerous, spurious requests that end in processing failures, this upgrade is mandatory so that the NVD can differentiate valid requests and block the old clients.

build(deps): bump open-vulnerability-clients (#6810)
fix(db): #6788 removing redundant db index "idxVulnerability" on "vulnerability.cve" (#6807)
docs: Further improve formatting and docs of H2 database caching strats (#6804)
fix: update_vulnerability in dbStatements_oracle.properties (#6803)
fix: fix NPE (#6778)
fix: add hint to resolve false negative (#6802)
chore: update configure (#6794)

See the full listing of changes.

`v10.0.1`

Compare Source

build(deps): bump open-vulnerability-client (#6772)
fix: remove debug logging (#6770)
fix: postgresql column count error (#6773)
fix: mssql column name and version (#6761)
docs: update supported versions (#6771)

See the full listing of changes.

`v10.0.0`

Compare Source

breaking change: upgrade to dotnet 8.0 (#6580)
- Users of the AssemblyAnalyzer must upgrade/utilize dotnet 8 to analyze assemblies
feat: fix the NVD API related errors by adding cvssV4 support (#6756)
- breaking changes: anyone utilizing a centralized database will need to upgrade the schema; see changes in PR #6756
fix: avoid escaping unnecessary chars in HTML report suppression regexes (#6749)
fix: #6688 Trim version number when parsin POM (#6705)
fix: change request if lockfile is file v3 (#6690)
fix: skip pyproject.toml unless it contains tool.poetry before ensuring lockfiles (#6681)

See the full listing of changes.

`v9.2.0`

Compare Source

docs: update logo per intellj (#6660)
feat: Carthage analyzer (#6614)
fix: Ensure valid JSON output for gitlab report (#6630)
feat: Support Package.swift version 3 Specification (#6578)
chore: Update the packaged suppressions to include new hosted suppressions (#6567)

See the full listing of changes.

`v9.1.0`

Compare Source

feat: Add v2 support for maven_install.json (#6528)
build(deps): bump open-vulnerability-client (#6554)
- resolves update issues due to CVSS Metrics 4.0
build(deps): bump jackson.version from 2.16.0 to 2.16.1 (#6353)
build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 (#6362)
build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine (#6506)

See the full listing of changes.

`v9.0.10`

Compare Source

fix: #4321 Suppress redis server CVEs for client libraries (#4321) (#6489)
fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#6492)
feat: Allow to pass NVD API key via environment variable (#6454)
fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#6501)
docs: document the default data directory (#6484)
fix: prevent NPE in bundler audit (#6462)
fix: #6441 Improve suppression rule to not restrict to a single version (#6442)

See the full listing of changes.

`v9.0.9`

Compare Source

fix: for #6374 to delete non-empty directories (#6375)
fix: NoSuchMethodError closeQuietly(java.io.Closeable[]) (#6377)
chore: close stream to prevent possible resource leak (#6382)
docs: Document default for CLI --data (#6359)
docs: document gradle build (#6371)

See the full listing of changes.

`v9.0.8`

Compare Source

fix: favor stability over performance (#6349)
chore: replace commons-io with core java calls (#6343)
fix: improve error reporting for invalid H2 database (#6339)
fix: rework fix for closing input streams on errors correctly (#6338)
fix: reduce chance NVD API block updates due to rate limit (#6333)
fix: ensure open handles will not leak on errors (#6326)
fix: improve error reporting (#6324)

See the full listing of changes.

`v9.0.7`

Compare Source

docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#6315)
fix: improve memory usage on NVD update (#6321)
fix: skip pyproject.toml unless it contains tool.poetry (#6316)
fix: resolve build error that may cause an issue on some JDK versions (#6312)

See the full listing of changes.

`v9.0.6`

Compare Source

build: bump [email protected] (#6308)
fix: mask nvd.api.key in logs; see GHSA-qqhq-8r2c-c3f5 (#6307)
fix: update java version check (#6297)
fix: more efficient memory usage (#6299)
fix: stream NVD data via Jackson to reduce memory footprint (#6275)
docs: document github action caching (#6301)

See the full listing of changes.

`v9.0.5`

Compare Source

fix: make NVD API endpoint configurable (#6287)
fix: synch last modified timestamp for NVD API (#6281)
fix: read NVD cache meta files if cache.properties does not exist (#6282)
fix: correct property for nonProxyHosts (#6285)
fix: reduce apache http logging (#6280)
fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db (#6271)
build: bump golang in the docker image (#6274)
fix: use temporary files to reduce memory usage during the NVD Update (#6270)
fix: use BIT for Oracle DB instead of Boolean when calling prepared statements (#6264)
fix: showing all reference tags in reports (#6259)

See the full listing of changes.

`v9.0.4`

Compare Source

fix: utilize maven proxy if present (#6255)
fix: allow api key in cli to be quoted (#6253)
fix: use correct maven plugin reporting plugin (#6244)
fix: correct trailing comma in JSON report (#6245)

See the full listing of changes.

`v9.0.3`

Compare Source

fix: use Java properties for proxy configuration (#6238)
docs: update proxy configuration documentation (#6237)
docs: add documentation on caching (#6204)
docs: Clarify H2 database caching strategy (#6220)
docs: Update list of supported report formats (#6224)
docs: example 5 with new nvdDatafeedUrl parameter (#6215)
fix: prevent NPEs (#6232 and #6206)
fix: check valid for hours for NVD API (#6225)
fix: correct NVD cache last checked logic (#6218)
fix: nvd datafeed should process current year (#6213)
fix: correct references to cvssv2 and cvssv3 fields in json and xml reports (#6212)
fix: correct name on reference links in report (#6205)
fix: flaws int the gitlab report (#6193)

See the full listing of changes.

`v9.0.2`

Compare Source

fix: remove virtual match string on NVD API Request (#6177)
fix: correct meta data in report after switching the NVD API (#6154)
fix: retry HTTP connections to NVD on 502 and 504 errors (#6151)
fix: Gitlab report format needs severity capitalized (#6182)
fix: improve JDK update version parsing (#6163)
fix: mute JCS logging (again) (#6153)

See the full listing of changes.

`v9.0.1`

Compare Source

fix: #4321 Suppress redis server CVEs for client libraries (#4321) (#6489)
fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#6492)
feat: Allow to pass NVD API key via environment variable (#6454)
fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#6501)
docs: document the default data directory (#6484)
fix: prevent NPE in bundler audit (#6462)
fix: #6441 Improve suppression rule to not restrict to a single version (#6442)

See the full listing of changes.

`v9.0.0`

Compare Source

breaking changes: See the upgrade notice

feat: Utilize NVD API (#5978)
feat: gitlab dependency scanner report format #5919 (#5920)
fix: Use ASCII apostrophe for console message (#6076)

See the full listing of changes.

`v8.4.3`

Compare Source

fix: bump jcs3 (#6047)
docs: Corrected docs on hostedSuppressions (#6035)

See the full listing of changes.

`v8.4.2`

Compare Source

fix: correct log configuration in cli (#6002)

See the full listing of changes.

`v8.4.1`

Compare Source

Fixed

fix: upgrade to JCS3 (#5114)
fix: Support ~= version specifier in requirements.txt and pipfile (#5902)
fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name (#5901)
fix: Do not filter out evidences added by hints (#5900)
fix: fixes FP #5925 (#5927)

See the full listing of changes.

`v8.4.0`

Compare Source

Added

feat: Add support for Nexus v3 to NexusAnalyzer (#5849)

Fixed

fix: Hint Analyzer should run before VersionFilter Analyzer (#5818)
chore: switch to sha1-pinning as suggested by Semgrep
fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845)
fix: use curl with -L to follow github redirect (#5808)
fix: use curl with -L to follow github redirect
fix: #5671 out of memory error (#5789)
fix: #5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError

See the full listing of changes.

`v8.3.1`

Compare Source

Re-release of 8.3.0 as 8.3.1.

`v8.3.0`

Compare Source

Added

Add LibmanAnalyzer (#5652)
Update HTML report Dependencies header based on display settings (#5619)
Add link to suppressed vulnerabilities header in HTML report (#5620)
Enable local proxy configuration in maven plugin configuration (#5696)

Fixed

Fix npm alias present in requires of dependencies (#5703)
Make Central URL configurable via CLI (#5667)
Ensure support of CVSSv3.1 (#5602)

See the full listing of changes.

`v8.2.1`

Compare Source

Fixed

NullPointerException in MSBuildAnalyzer (#5589)
SQL Syntax for Oracle (#5590)
Use https:// URLs in report templates (#5582)

See the full listing of changes.

`v8.2.0`

Compare Source

Added

Support msbuild Directory.build.props (#5475)
better display of NPM audit references
Add CVSS V3 results from NPM Audit results

Fixed

Fix several issues on NPM Audit reporting (#5546)
Case issue in SQL (#5557)
Fix CWE(s) extraction for NPM Audit advisories
Use the stable github_advisory_id instead of the now unstable id in NPM audit results

See the full listing of changes.

`v8.1.2`

Compare Source

Fixed

Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#5512)

See the full listing of changes.

`v8.1.1`

Compare Source

Fixed

allow hosted suppressions file to be disabled (#5509)
Several FPs not suitable for our automation (#5504)
Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#5503)
Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer (#5487)
Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#5473)
Node package dependencies ending up as related dependency of the wrong version of the package (#5479)
do not throw error if pyproject.toml is in node_modules (#5470)

See the full listing of changes.

`v8.1.0`

Compare Source

Added

Pipefile.lock files are now supported (#5404).
Python projects with only a pyproject.toml but no lock file or requirements will report an error as ODC is unable to analyze the project (#5409).

Fixed

Some maven projects caused false positives due to bad string interpolation (#5421).
Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis (#5408).
Correct issue where database defrag occurs even when no updates were performed (#5441).
Fixed several False Positives and one False Negative.
Fixed the format configuration more flexible in the gradle plugin (dependency-check-gradle/#324).

See the full listing of changes.

`v8.0.2`

Compare Source

Fixed

Resolved bug causing an issue with some Maven Extensions (#5366).
ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#5371).
Updated CSV report so that it no longer has a duplicate description column (#5364).
Moved several logging statements to trace which should drastically reduce the log size (#5350).
Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#5351).
Fixed the sarif report format and added validation (#5345 and (#5363)
Fixed MalformedPackageException in the gradle plugin (dependency-check-gradle/#320).
Fixed MissingMethodException in the gradle plugin (dependency-check-gradle/#316).

See the full listing of changes.

`v8.0.1`

Compare Source

Fixed

Fixed Stack Overflow Exception in the gradle plugin (dependency-check-gradle/#308).
Fixed No Signature of Method Exception in the gradle plugin (dependency-check-gradle/#305).
Updated DB initialization scripts for externally hosted DBs (#5314 and #5317).
- Postgres users will need to use the updated init script and 8.0.1.
Resolved NPE in the NodePackageAnalyzer (#5339).

See the full listing of changes.

`v8.0.0`

Compare Source

Added

Utilize the hosted suppression file to allow for faster remediation of reported False Positives (#4723).
Include the CISA Known Exploited Vulnerability Catalog (#4878).
The gradle and maven plugins now have the capability to scan the build plugins (#4035).
The gradle and maven plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency (#5001).
Added properties.security-severity to SARIF report for better integration with GitHub Security Code scanning (#5277).
Allow for HTTP auth settings for Retire JS repository (#5209).
New schema for the XML report was added to support some of the above additions (#5296).
Added missing gradle option to only warn on remote errors from the OSS Index Analyzer (gradle #303).

Changed

Breaking: the database schema updated - if using an external database the update scripts must be run!
The exit codes from the CLI have been changed to be in the range from 0-255 (#4511.
The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported (#5300).

Fixed

Added an additional check for rejected CVEs to reduce FP (#5268.
Corrected the analysis of node_modules to prevent NPEs (#5266).
Fixed error when scanning node packages with local dependencies (#5235).
Fixed NPE in the MSBuild Analyzer (#5293).
Several False Positives have been resolved.

See the full listing of changes.

`v7.4.4`

Compare Source

Fixed

Resolved issue processing NVD CVE data due to column width (#5229)

See the full listing of changes.

`v7.4.3`

Compare Source

Fixed

Fixed NPE when analyzing version ranges in NPM (#5158 & #5190)
Resolved several FP (#5191)

See the full listing of changes.

`v7.4.2`

Compare Source

Fixed

Fixes maven 3.1 compatibility issue (#5152)
Fixed issue with invalid node_module paths in some scans (#5135)
Fixed missing option to disable the Poetry Analyzer in the CLI (#5160)
Fixed missing option to configure the OSS Index URL in the CLI (#5180)
Fixed NPE when analyzing version ranges in NPM (#5158)
Fixed issue with non-proxy host in the gradle plugin (https://github.com/dependency-check/dependency-check-gradle/pull/298)
Resolved several FP

See the full listing of changes.

`v7.4.1`

Compare Source

Fixed

Fixed bug when setting the proxy port in gradle (#5123)
Fixed issue with invalid node_module paths in some scans (#5127)
Resolved several FP

See the full listing of changes.

`v7.4.0`

Compare Source

Added

Add support for npm package lock v2 and v3 (#5078)
Added experimental support for Python Poetry (#5025)
Added a vanilla HTML report for use in Jenkins (#5053)

Changed

Renamed RELEASE_NOTES.md to CHANGELOG.md to be more conventional
Optimized checksum calculation to improve performance (#5112)
Added support for scanning .NET assemblies when only the dotnet runtime is installed (#5087)
Bumped several dependencies

Fixed

Fixed bug when setting the proxy port (#5076)
Resolved several FP and FN

See the full listing of changes.

`v7.3.2`

Compare Source

Changed

Automated release of 7.3.1 failed and only published to Central; 7.3.2 is a re-release of 7.3.1.
Resolved several false positives and false negatives.
Use Jackson Afterburner if still on Java 8 (#4966).
Exclude node_modules from the Maven plugin's scan path (#4974).

See the full listing of changes.

`v7.3.1`

Compare Source

Changed

Resolved several false positives and false negatives.
Use Jackson Afterburner if still on Java 8 (#4966).
Exclude node_modules from the Maven plugin's scan path (#4974).

See the full listing of changes.

`v7.3.0`

Compare Source

Added

Added an experimental Dart analyzer (#4869).

Changed

Migrated from Jackson Afterburner to Blackbird (#4905).

Fixed

Fixed issue with the Maven plugin that caused concurrent modification exceptions (#4935).

See the full listing of changes.

`v7.2.1`

Compare Source

Fixed

Fixed logging issue (#4846).

See the full listing of changes.

`v7.2.0`

Compare Source

Changed

Add support for Bazel's pinned maven_install.json (#4772).
Fixed bug preventing the use of custom report templates (#4800).
Updated several dependencies including upgrades for dependencies with CVEs.
Several bug fixes made and suppression rules were added.

See the full listing of changes.

`v7.1.2`

Compare Source

Changed

The maven plugin now includes pnpm and yarn lock files in the scan by default (#4753).
If a suppression rule is no longer used a log entry will be written (#4685).
Several bug fixes made and suppression rules added.

See the full listing of changes.