Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency org.owasp:dependency-check-maven to v7 #44

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Update dependency org.owasp:dependency-check-maven to v7 #44

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Apr 12, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.owasp:dependency-check-maven 6.1.3 -> 7.1.1 age adoption passing confidence

Release Notes

jeremylong/DependencyCheck

v7.1.1

Compare Source

Changes

  • Minor bug fixes.
  • Resolved several false positives.
  • See the full listing of changes.

v7.1.0

Compare Source

Changes

  • Improved sorting in the HTML report (see #​4112).
  • Improved support for Swift (see #​4265).
  • Resolved several false positives.
  • See the full listing of changes.

v7.0.4

Compare Source

Changes

  • Update to jackson-databind (see #​4285).
  • See the full listing of changes.

v7.0.3

Compare Source

Changes

  • Update to jackson-databind (see #​4285).
  • See the full listing of changes.

v7.0.2

Compare Source

Changes

  • General project maintenance, bug fixes, and false positive and false negative reductions.
  • See the full listing of changes.

v7.0.1

Compare Source

Changes

  • General project maintenance, bug fixes, and false positive reductions.
  • See the full listing of changes.

v7.0.0

Compare Source

Breaking Changes

  • The H2 database version has been upgraded.
    • if you use the dataDirectory option you will need to run a purge after upgrading.
  • Upgraded to dotnet core 6.0. If analyzing dotnet assemblies the system will need to have the dotnet core 6.0.x runtime available.

Changes

  • The Sarif report format has been fixed and can now be imported into GitHub if desired (See #​3993).
  • Introduced IssueOps for False Positive reports to assist the team in evaluating FP reports.
  • When analyzing Java projects ODC now includes data from the developers section.
    • This will likely cause false positives on things like Apache James, please report the FP and we will fix these quickly.
  • General project maintenance, bug fixes, and false positive reductions.
  • See the full listing of changes.

v6.5.3

Compare Source

Changes

  • Performance improvements for some Maven projects (see #​3923 and #​3931).
  • Fixed bug in npm version handling introduced in 6.5.2 (see #​3956).
  • Improved the node package analyzer to correctly report the origin of a dependency (see #​3970).
  • General code maintenance and false positive reductions.
  • See the full listing of changes.

v6.5.2

Compare Source

Changes

  • Fixed false positives around log4j-api and Log4j-web (#​3910 & #​3937).
  • Bug fix when processing NPM lock files (#​3893).
  • Added missing pnpm argmument to the CLI (#​3916).
  • General code maintenance and false positive reductions.
  • See the full listing of changes.

v6.5.1

Compare Source

Changes

  • Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified (#​3787).
  • Improved the analysis of Swift package manager (package.resolved - see #​3813).
  • General code maintenance and false positive reductions.
  • See the full listing of changes.

v6.5.0

Compare Source

Changes

  • Updated build configuration to create reproducible builds.
  • Updated automated release process to work with branch protection.
  • Resolved several false positives in the Java ecosystem.
  • Enabled the Swift Resolved analyzer per #​3735
  • Improved iOS support per #​3168 and #​3765
  • Added the a new pnpm Analyzer
  • Fixed issue with some npm and yarn analysis failing due to large audit output
  • See the full listing of changes.

v6.4.1

Compare Source

Changes

  • Added download attempts with increasing wait time for CVE meta files from the NVD to prevent rate limiting issues (see #​3725).
  • See the full listing of changes.

v6.4.0

Compare Source

Changes

  • Increased timeout between downloads from the NVD to prevent rate limiting issues (see #​3722).
    • cveStartYear is now configurable and can be set to any year from 2002 to present.
    • cveWaitTime is a new configuration option to define how many milliseconds to wait between NVD downloads; default is 4000 ms (see #​3690).
    • The NVD CVE data files are now being cached for up to 4 hours in case a download fails, re-running ODC will use the cached version.
  • Fixed NPE in the ODC maven plugin (see #​3702.
  • See the full listing of changes.

v6.3.2

Compare Source

Changes

  • Reduced chance of rate limiting when download files from NVD (see #​2670).
  • Fixed bug causing some transitive dependencies being skipped in the odc-maven-plugin (see #​3627).
  • See the full listing of changes.

v6.3.1

Compare Source

Changes

v6.3.0

Compare Source

Changes

  • Many updates were made to improve performance on large scans, reduce false positives, and other bug fixes.
  • Increased the width of four columns in the database; if you use a an external database you should also update the width (see upgrade_5.1.sql).
  • See the full listing of changes.

v6.2.2

Compare Source

Changes

v6.2.1

Compare Source

Changes

v6.2.0

Compare Source

Changes

  • Added an experimental Perl CPAN analyzer #​3378
    • Note that the full DSL of the CPAN is not yet supported so any required dependency is analyzed (i.e. there is no way to exclude development requirements)
  • Improved database performance #​3206
  • The archive analyzer now extracts files from RPM archives #​3226
  • Ensure ordered output in reports #​3243
  • Several minor bug fixes and updates to reduce false positives
  • See the full listing of changes.

v6.1.6

Compare Source

Changes

  • Resolved issue with Sarif report (#​3243)
  • Resolved issue with Ruby Bundle Audit (#​3256)
  • Several minor bug fixes and updates to reduce false positives
  • See the full listing of changes.

v6.1.5

Compare Source

Changes

  • Fixed a second NPE introduced in 6.1.3 (see #​3246)
  • See the full listing of changes.

v6.1.4

Compare Source

Changes

  • Fixed an NPE introduced in 6.1.3 (see #​3212)
  • See the full listing of changes.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/org.owasp-dependency-check-maven-7.x branch from 9b16479 to be5a455 Compare April 23, 2022 11:24
@renovate renovate bot force-pushed the renovate/org.owasp-dependency-check-maven-7.x branch from be5a455 to d62d674 Compare May 10, 2022 13:48
@renovate renovate bot force-pushed the renovate/org.owasp-dependency-check-maven-7.x branch from d62d674 to ea0a35c Compare June 12, 2022 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot