Update dependency org.owasp:dependency-check-maven to v8

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.owasp:dependency-check-maven (source)	6.0.2 -> 8.4.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

jeremylong/DependencyCheck (org.owasp:dependency-check-maven)

v8.4.2

Compare Source

• fix: correct log configuration in cli (#​6002)

See the full listing of changes.

v8.4.1

Compare Source

Fixed

• fix: upgrade to JCS3 (#​5114)
• fix: Support ~= version specifier in requirements.txt and pipfile (#​5902)
• fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name (#​5901)
• fix: Do not filter out evidences added by hints (#​5900)
• fix: fixes FP #​5925 (#​5927)

See the full listing of changes.

v8.4.0

Compare Source

Added

• feat: Add support for Nexus v3 to NexusAnalyzer (#​5849)

Fixed

• fix: Hint Analyzer should run before VersionFilter Analyzer (#​5818)
• chore: switch to sha1-pinning as suggested by Semgrep
• fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#​5845)
• fix: use curl with -L to follow github redirect (#​5808)
• fix: use curl with -L to follow github redirect
• fix: #​5671 out of memory error (#​5789)
• fix: #​5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError

See the full listing of changes.

v8.3.1

Compare Source

Re-release of 8.3.0 as 8.3.1.

v8.3.0

Compare Source

Added

• Add LibmanAnalyzer (#​5652)
• Update HTML report Dependencies header based on display settings (#​5619)
• Add link to suppressed vulnerabilities header in HTML report (#​5620)
• Enable local proxy configuration in maven plugin configuration (#​5696)

Fixed

• Fix npm alias present in requires of dependencies (#​5703)
• Make Central URL configurable via CLI (#​5667)
• Ensure support of CVSSv3.1 (#​5602)

See the full listing of changes.

v8.2.1

Compare Source

Fixed

• NullPointerException in MSBuildAnalyzer (#​5589)
• SQL Syntax for Oracle (#​5590)
• Use https:// URLs in report templates (#​5582)

See the full listing of changes.

v8.2.0

Compare Source

Added

• Support msbuild Directory.build.props (#​5475)
• better display of NPM audit references
• Add CVSS V3 results from NPM Audit results

Fixed

• Fix several issues on NPM Audit reporting (#​5546)
• Case issue in SQL (#​5557)
• Fix CWE(s) extraction for NPM Audit advisories
• Use the stable github_advisory_id instead of the now unstable id in NPM audit results

See the full listing of changes.

v8.1.2

Compare Source

Fixed

• Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#​5512)

See the full listing of changes.

v8.1.1

Compare Source

Fixed

• allow hosted suppressions file to be disabled (#​5509)
• Several FPs not suitable for our automation (#​5504)
• Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#​5503)
• Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer (#​5487)
• Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#​5473)
• Node package dependencies ending up as related dependency of the wrong version of the package (#​5479)
• do not throw error if pyproject.toml is in node_modules (#​5470)

See the full listing of changes.

v8.1.0

Compare Source

Added

• Pipefile.lock files are now supported (#​5404).
• Python projects with only a pyproject.toml but no lock file or requirements will report an error as ODC is unable to analyze the project (#​5409).

Fixed

• Some maven projects caused false positives due to bad string interpolation (#​5421).
• Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis (#​5408).
• Correct issue where database defrag occurs even when no updates were performed (#​5441).
• Fixed several False Positives and one False Negative.
• Fixed the format configuration more flexible in the gradle plugin (dependency-check-gradle/#​324).

See the full listing of changes.

v8.0.2

Compare Source

Fixed

• Resolved bug causing an issue with some Maven Extensions (#​5366).
• ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#​5371).
• Updated CSV report so that it no longer has a duplicate description column (#​5364).
• Moved several logging statements to trace which should drastically reduce the log size (#​5350).
• Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#​5351).
• Fixed the sarif report format and added validation (#​5345 and (#​5363)
• Fixed MalformedPackageException in the gradle plugin (dependency-check-gradle/#​320).
• Fixed MissingMethodException in the gradle plugin (dependency-check-gradle/#​316).

See the full listing of changes.

v8.0.1

Compare Source

Fixed

• Fixed Stack Overflow Exception in the gradle plugin (dependency-check-gradle/#​308).
• Fixed No Signature of Method Exception in the gradle plugin (dependency-check-gradle/#​305).
• Updated DB initialization scripts for externally hosted DBs (#​5314 and #​5317).
  • Postgres users will need to use the updated init script and 8.0.1.
• Resolved NPE in the NodePackageAnalyzer (#​5339).

See the full listing of changes.

v8.0.0

Compare Source

Added

• Utilize the hosted suppression file to allow for faster remediation of reported False Positives (#​4723).
• Include the CISA Known Exploited Vulnerability Catalog (#​4878).
• The gradle and maven plugins now have the capability to scan the build plugins (#​4035).
• The gradle and maven plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency (#​5001).
• Added properties.security-severity to SARIF report for better integration with GitHub Security Code scanning (#​5277).
• Allow for HTTP auth settings for Retire JS respository (#​5209).
• New schema for the XML report was added to support some of the above additions (#​5296).
• Added missing gradle option to only warn on remote errors from the OSS Index Analyzer (gradle #​303).

Changed

• Breaking: the database schema updated - if using an external database the update scripts must be run!
• The exit codes from the CLI have been changed to be in the range from 0-255 (#​4511.
• The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported (#​5300).

Fixed

• Added an additional check for rejected CVEs to reduce FP (#​5268.
• Corrected the analysis of node_modules to prevent NPEs (#​5266).
• Fixed error when scanning node packages with local dependencies (#​5235).
• Fixed NPE in the MSBuild Analyzer (#​5293).
• Several False Positives have been resolved.

See the full listing of changes.

v7.4.4

Compare Source

Fixed

• Resolved issue processing NVD CVE data due to column width (#​5229)

See the full listing of changes.

v7.4.3

Compare Source

Fixed

• Fixed NPE when analyzing version ranges in NPM (#​5158 & #​5190)
• Resolved several FP (#​5191)

See the full listing of changes.

v7.4.2

Compare Source

Fixed

• Fixes maven 3.1 compatibility issue (#​5152)
• Fixed issue with invalid node_module paths in some scans (#​5135)
• Fixed missing option to disable the Poetry Analyzer in the CLI (#​5160)
• Fixed missing option to configure the OSS Index URL in the CLI (#​5180)
• Fixed NPE when analyzing version ranges in NPM (#​5158)
• Fixed issue with non-proxy host in the gradle plugin (https://github.com/dependency-check/dependency-check-gradle/pull/298)
• Resolved several FP

See the full listing of changes.

v7.4.1

Compare Source

Fixed

• Fixed bug when setting the proxy port in gradle (#​5123)
• Fixed issue with invalid node_module paths in some scans (#​5127)
• Resolved several FP

See the full listing of changes.

v7.4.0

Compare Source

Added

• Add support for npm package lock v2 and v3 (#​5078)
• Added experimental support for Python Poetry (#​5025)
• Added a vanilla HTML report for use in Jenkins (#​5053)

Changed

• Renamed RELEASE_NOTES.md to CHANGELOG.md to be more conventional
• Optimized checksum calculation to improve performance (#​5112)
• Added support for scanning .NET assemblies when only the dotnet runtime is installed (#​5087)
• Bumped several dependencies

Fixed

• Fixed bug when setting the proxy port (#​5076)
• Resolved several FP and FN

See the full listing of changes.

v7.3.2

Compare Source

Changed

• Automated release of 7.3.1 failed and only published to Central; 7.3.2 is a re-release of 7.3.1.
• Resolved several false positives and false negatives.
• Use Jackson Afterburner if still on Java 8 (#​4966).
• Exclude node_modules from the Maven plugin's scan path (#​4974).

See the full listing of changes.

v7.3.1

Compare Source

Changed

• Resolved several false positives and false negatives.
• Use Jackson Afterburner if still on Java 8 (#​4966).
• Exclude node_modules from the Maven plugin's scan path (#​4974).

See the full listing of changes.

v7.3.0

Compare Source

Added

• Added an experimental Dart analyzer (#​4869).

Changed

• Migrated from Jackson Afterburner to Blackbird (#​4905).

Fixed

• Fixed issue with the Maven plugin that caused concurrent modification exceptions (#​4935).

See the full listing of changes.

v7.2.1

Compare Source

Fixed

• Fixed logging issue (#​4846).

See the full listing of changes.

v7.2.0

Compare Source

Changed

• Add support for Bazel's pinned maven_install.json (#​4772).
• Fixed bug preventing the use of custom report templates (#​4800).
• Updated several dependencies including upgrades for dependencies with CVEs.
• Several bug fixes made and suppression rules were added.

See the full listing of changes.

v7.1.2

Compare Source

Changed

• The maven plugin now includes pnpm and yarn lock files in the scan by default (#​4753).
• If a suppression rule is no longer used a log entry will be written (#​4685).
• Several bug fixes made and suppression rules added.

See the full listing of changes.

v7.1.1

Compare Source

Fixed

• Minor bug fixes.
• Resolved several false positives.

See the full listing of changes.

v7.1.0

Compare Source

Changed

• Improved sorting in the HTML report (see #​4112).
• Improved support for Swift (see #​4265).
• Resolved several false positives.

See the full listing of changes.

v7.0.4

Compare Source

Changed

• Update to jackson-databind (see #​4285).

See the full listing of changes.

v7.0.3

Compare Source

Changed

• Update to jackson-databind (see #​4285).

See the full listing of changes.

v7.0.2

Compare Source

Changed

• General project maintenance, bug fixes, and false positive and false negative reductions.

See the full listing of changes.

v7.0.1

Compare Source

Changed

• General project maintenance, bug fixes, and false positive reductions.

See the full listing of changes.

v7.0.0

Compare Source

Changed

• Breaking: The H2 database version has been upgraded.
  • if you use the dataDirectory option you will need to run a purge after upgrading.
• Breaking: Upgraded to dotnet core 6.0. If analyzing dotnet assemblies the system will need to have the dotnet core 6.0.x runtime available.
• The Sarif report format has been fixed and can now be imported into GitHub if desired (See #​3993).
• Introduced IssueOps for False Positive reports to assist the team in evaluating FP reports.
  • Create New FP Report Issue.
• When analyzing Java projects ODC now includes data from the developers section.
  • This will likely cause false positives on things like Apache James, please report the FP and we will fix these quickly.
• General project maintenance, bug fixes, and false positive reductions.

See the full listing of changes.

v6.5.3

Compare Source

Changed

• Performance improvements for some Maven projects (see #​3923 and #​3931).
• Fixed bug in npm version handling introduced in 6.5.2 (see #​3956).
• Improved the node package analyzer to correctly report the origin of a dependency (see #​3970).
• General code maintenance and false positive reductions.

See the full listing of changes.

v6.5.2

Compare Source

Changed

• Fixed false positives around log4j-api and Log4j-web (#​3910 & #​3937).
• Bug fix when processing NPM lock files (#​3893).
• Added missing pnpm argmument to the CLI (#​3916).
• General code maintenance and false positive reductions.

See the full listing of changes.

v6.5.1

Compare Source

Changed

• Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified (#​3787).
• Improved the analysis of Swift package manager (package.resolved - see #​3813).
• General code maintenance and false positive reductions.

See the full listing of changes.

v6.5.0

Compare Source

Changed

• Updated build configuration to create reproducible builds.
• Updated automated release process to work with branch protection.
• Resolved several false positives in the Java ecosystem.
• Enabled the Swift Resolved analyzer per #​3735
• Improved iOS support per #​3168 and #​3765
• Added the a new pnpm Analyzer
• Fixed issue with some npm and yarn analysis failing due to large audit output

See the full listing of changes.

v6.4.1

Compare Source

Added

• Added download attempts with increasing wait time for CVE meta files from the NVD to prevent rate limiting issues (see #​3725).

See the full listing of changes.

v6.4.0

Compare Source

Changed

• Increased timeout between downloads from the NVD to prevent rate limiting issues (see #​3722).
  • cveStartYear is now configurable and can be set to any year from 2002 to present.
  • cveWaitTime is a new configuration option to define how many milliseconds to wait between NVD downloads; default is 4000 ms (see #​3690).
  • The NVD CVE data files are now being cached for up to 4 hours in case a download fails, re-running ODC will use the cached version.
• Fixed NPE in the ODC maven plugin (see #​3702.

See the full listing of changes.

v6.3.2

Compare Source

Changed

• Reduced chance of rate limiting when download files from NVD (see #​2670).
• Fixed bug causing some transitive dependencies being skipped in the odc-maven-plugin (see #​3627).

See the full listing of changes.

v6.3.1

Compare Source

Fixed

• Fixed ConcurrentModificationException

See the full listing of changes.

v6.3.0

Compare Source

Changed

• Many updates were made to improve performance on large scans, reduce false positives, and other bug fixes.
• Increased the width of four columns in the database; if you use a an external database you should also update the width (see upgrade_5.1.sql).

See the full listing of changes.

v6.2.2

Compare Source

Fixed

• Resolved issue with database connections introduced in 6.2.0 (see https://github.com/jeremylong/DependencyCheck/issues/3432).

See the full listing of changes.

v6.2.1

Compare Source

Fixed

• Resolved issue with database connections introduced in 6.2.0 (see https://github.com/jeremylong/DependencyCheck/issues/3416).

See the full listing of changes.

v6.2.0

Compare Source

Changed

• Added an experimental Perl CPAN analyzer #​3378
  • Note that the full DSL of the CPAN is not yet supported so any required dependency is analyzed (i.e. there is no way to exclude development requirements)
• Improved database performance #​3206
• The archive analyzer now extracts files from RPM archives #​3226
• Ensure ordered output in reports #​3243
• Several minor bug fixes and updates to reduce false positives

See the full listing of changes.

v6.1.6

Compare Source

Fixed

• Resolved issue with Sarif report (#​3243)
• Resolved issue with Ruby Bundle Audit (#​3256)
• Several minor bug fixes and updates to reduce false positives

See the full listing of changes.

v6.1.5

Compare Source

Fixed

• Fixed a second NPE introduced in 6.1.3 (see #​3246)

See the full listing of changes.

v6.1.4

Compare Source

Changed

• Fixed an NPE introduced in 6.1.3 (see #​3212)

See the full listing of changes.

v6.1.3

Compare Source

Changed

• Modified the new CPE matching strategy to be more performant (#​3207)
• Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) (#​3205)

See the full listing of changes.

v6.1.2

Compare Source

Changed

• Fixed a bug in the Sarif report generation.
• Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1.
• Added a new CPE matching strategy to reduce false negatives.
• CLI and Ant task will no longer be published to bintray.
• Several minor bug fixes.

See the full listing of changes.

v6.1.1

Compare Source

Changed

• Added missing configuration options for yarn and msbuild.
• Several bug fixes.

See the full listing of changes.

v6.1.0

Compare Source

Changed

• Added SARIF file format per #​3081.
• Added support for Yarn per #​3063.
• False positive reduction and minor bug fixes.

See the full listing of changes.

v6.0.5

Compare Source

Changed

• Added missing command line arguments per #​3028 and #​3035.
• False positive reduction and minor bug fixes.

See the full listing of changes.

v6.0.4

Compare Source

Changed

• Minor bug fixes and reduction of false positives.

See the full listing of changes.

v6.0.3

Compare Source

Changed

• Added a bash command completion script (see #​2916); to add completion to your shell
  completion-for-dependency-check.sh can be found in the bin directory of the CLI:

  $ source completion-for-dependency-check.sh

• An experimental PIP File Analyzer was added (see #​2877).

• Analysis of Node JS produced several false positives (see #​2796); the analysis has
  been updated to reduce the number of false positives.

  • If analyzing Node JS projects it is highly recommended to disable the Node JS Analyzer
    and solely rely on the Node Audit Analyzer. There are plans to rework Node JS analysis
    in a future release.

• Support for external Oracle databases has been add for the 6.x releases (see #​2899)

• Resolved several reported false positives.

See the full listing of changes.

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[changelogg]

Hey! Changelogs info seems to be missing or might be in incorrect format.
Please use the below template in PR description to ensure Changelogg can detect your changes:
- (tag) changelog_text
or
- tag: changelog_text
OR
You can add tag in PR header or while doing a commit too
(tag) PR header
or
tag: PR header
Valid tags: added / feat, changed, deprecated, fixed / fix, removed, security, build, ci, chore, docs, perf, refactor, revert, style, test
Thanks!
For more info, check out changelogg docs

[viezly]

Pull request by bot. No need to analyze

[github-actions]

Stale pull request message

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 8.x releases. But if you manually upgrade to 8.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.