Update dependency org.owasp:dependency-check-maven to v6.5.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.owasp:dependency-check-maven (source)	6.0.2 -> 6.5.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

jeremylong/DependencyCheck (org.owasp:dependency-check-maven)

v6.5.3

Compare Source

Changed

• Performance improvements for some Maven projects (see #​3923 and #​3931).
• Fixed bug in npm version handling introduced in 6.5.2 (see #​3956).
• Improved the node package analyzer to correctly report the origin of a dependency (see #​3970).
• General code maintenance and false positive reductions.

See the full listing of changes.

v6.5.2

Compare Source

Changed

• Fixed false positives around log4j-api and Log4j-web (#​3910 & #​3937).
• Bug fix when processing NPM lock files (#​3893).
• Added missing pnpm argmument to the CLI (#​3916).
• General code maintenance and false positive reductions.

See the full listing of changes.

v6.5.1

Compare Source

Changed

• Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified (#​3787).
• Improved the analysis of Swift package manager (package.resolved - see #​3813).
• General code maintenance and false positive reductions.

See the full listing of changes.

v6.5.0

Compare Source

Changed

• Updated build configuration to create reproducible builds.
• Updated automated release process to work with branch protection.
• Resolved several false positives in the Java ecosystem.
• Enabled the Swift Resolved analyzer per #​3735
• Improved iOS support per #​3168 and #​3765
• Added the a new pnpm Analyzer
• Fixed issue with some npm and yarn analysis failing due to large audit output

See the full listing of changes.

v6.4.1

Compare Source

Added

• Added download attempts with increasing wait time for CVE meta files from the NVD to prevent rate limiting issues (see #​3725).

See the full listing of changes.

v6.4.0

Compare Source

Changed

• Increased timeout between downloads from the NVD to prevent rate limiting issues (see #​3722).
  • cveStartYear is now configurable and can be set to any year from 2002 to present.
  • cveWaitTime is a new configuration option to define how many milliseconds to wait between NVD downloads; default is 4000 ms (see #​3690).
  • The NVD CVE data files are now being cached for up to 4 hours in case a download fails, re-running ODC will use the cached version.
• Fixed NPE in the ODC maven plugin (see #​3702.

See the full listing of changes.

v6.3.2

Compare Source

Changed

• Reduced chance of rate limiting when download files from NVD (see #​2670).
• Fixed bug causing some transitive dependencies being skipped in the odc-maven-plugin (see #​3627).

See the full listing of changes.

v6.3.1

Compare Source

Fixed

• Fixed ConcurrentModificationException

See the full listing of changes.

v6.3.0

Compare Source

Changed

• Many updates were made to improve performance on large scans, reduce false positives, and other bug fixes.
• Increased the width of four columns in the database; if you use a an external database you should also update the width (see upgrade_5.1.sql).

See the full listing of changes.

v6.2.2

Compare Source

Fixed

• Resolved issue with database connections introduced in 6.2.0 (see https://github.com/jeremylong/DependencyCheck/issues/3432).

See the full listing of changes.

v6.2.1

Compare Source

Fixed

• Resolved issue with database connections introduced in 6.2.0 (see https://github.com/jeremylong/DependencyCheck/issues/3416).

See the full listing of changes.

v6.2.0

Compare Source

Changed

• Added an experimental Perl CPAN analyzer #​3378
  • Note that the full DSL of the CPAN is not yet supported so any required dependency is analyzed (i.e. there is no way to exclude development requirements)
• Improved database performance #​3206
• The archive analyzer now extracts files from RPM archives #​3226
• Ensure ordered output in reports #​3243
• Several minor bug fixes and updates to reduce false positives

See the full listing of changes.

v6.1.6

Compare Source

Fixed

• Resolved issue with Sarif report (#​3243)
• Resolved issue with Ruby Bundle Audit (#​3256)
• Several minor bug fixes and updates to reduce false positives

See the full listing of changes.

v6.1.5

Compare Source

Fixed

• Fixed a second NPE introduced in 6.1.3 (see #​3246)

See the full listing of changes.

v6.1.4

Compare Source

Changed

• Fixed an NPE introduced in 6.1.3 (see #​3212)

See the full listing of changes.

v6.1.3

Compare Source

Changed

• Modified the new CPE matching strategy to be more performant (#​3207)
• Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) (#​3205)

See the full listing of changes.

v6.1.2

Compare Source

Changed

• Fixed a bug in the Sarif report generation.
• Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1.
• Added a new CPE matching strategy to reduce false negatives.
• CLI and Ant task will no longer be published to bintray.
• Several minor bug fixes.

See the full listing of changes.

v6.1.1

Compare Source

Changed

• Added missing configuration options for yarn and msbuild.
• Several bug fixes.

See the full listing of changes.

v6.1.0

Compare Source

Changed

• Added SARIF file format per #​3081.
• Added support for Yarn per #​3063.
• False positive reduction and minor bug fixes.

See the full listing of changes.

v6.0.5

Compare Source

Changed

• Added missing command line arguments per #​3028 and #​3035.
• False positive reduction and minor bug fixes.

See the full listing of changes.

v6.0.4

Compare Source

Changed

• Minor bug fixes and reduction of false positives.

See the full listing of changes.

v6.0.3

Compare Source

Changed

• Added a bash command completion script (see #​2916); to add completion to your shell
  completion-for-dependency-check.sh can be found in the bin directory of the CLI:

  $ source completion-for-dependency-check.sh

• An experimental PIP File Analyzer was added (see #​2877).

• Analysis of Node JS produced several false positives (see #​2796); the analysis has
  been updated to reduce the number of false positives.

  • If analyzing Node JS projects it is highly recommended to disable the Node JS Analyzer
    and solely rely on the Node Audit Analyzer. There are plans to rework Node JS analysis
    in a future release.

• Support for external Oracle databases has been add for the 6.x releases (see #​2899)

• Resolved several reported false positives.

See the full listing of changes.

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Branch automerge failure

This PR was configured for branch automerge, however this is not possible so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[viezly]

Pull request by bot. No need to analyze

[github-actions]

Stale pull request message

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (6.5.3). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.