Merge branch 'main' into pooling

.github/workflows/build.yml

@@ -21,27 +21,28 @@ jobs:
       - uses: actions/checkout@v2
       - name: Check Maven Cache
         id: maven-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: ~/.m2/repository/
           key: mvn-repo
       - name: Check Local Maven Cache
         id: maven-it-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: maven/target/local-repo
           key: mvn-it-repo
       - name: Check ODC Data Cache
         id: odc-data-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: core/target/data
           key: odc-data
       - name: Set up JDK 1.8
         id: jdk-8
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v2
         with:
-          java-version: 1.8 
+          java-version: 8
+          distribution: 'zulu'
           server-id: ossrh
           server-username: ${{ secrets.OSSRH_USERNAME }}
           server-password: ${{ secrets.OSSRH_TOKEN }}
@@ -105,13 +106,13 @@ jobs:
     steps:
       - name: Check Maven Cache
         id: maven-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: ~/.m2/repository/
           key: mvn-repo
       - name: Check Docker ODC Cache
         id: docker-odc-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: ~/OWASP-Dependency-Check
           key: docker-repo

.github/workflows/coverity.yml

@@ -10,9 +10,10 @@ jobs:
       - uses: actions/checkout@v2
       - name: Set up JDK 1.8
         id: jdk-8
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v2
         with:
-          java-version: 1.8 
+          java-version: 8
+          distribution: 'zulu'
       - name: Get coverity cli
         run: |
           wget https://scan.coverity.com/download/linux64 --no-verbose --post-data "token=${{ secrets.COVERITY_TOKEN }}&project=jeremylong%2FDependencyCheck" -O coverity_tool.tgz
@@ -30,4 +31,4 @@ jobs:
                --form file=@scan.tgz \
                --form version="main" \
                --form description="Weekly Scan" \
-               https://scan.coverity.com/builds?project=jeremylong%2FDependencyCheck
+               https://scan.coverity.com/builds?project=jeremylong%2FDependencyCheck

.github/workflows/pull_requests.yml

@@ -14,15 +14,16 @@ jobs:
       - uses: actions/checkout@v2
       - name: Check Maven Cache
         id: maven-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: ~/.m2/repository/
           key: mvn-repo
       - name: Set up JDK 1.8
         id: jdk-8
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v2
         with:
-          java-version: 1.8 
+          java-version: 8
+          distribution: 'zulu'
       - name: Build with Maven
         id: build
         run: mvn -s settings.xml clean package verify -DreleaseTesting --no-transfer-progress --batch-mode

.github/workflows/release.yml

@@ -28,27 +28,28 @@ jobs:
       - uses: actions/checkout@v2
       - name: Check Maven Cache
         id: maven-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: ~/.m2/repository/
           key: mvn-repo
       - name: Check Local Maven Cache
         id: maven-it-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: maven/target/local-repo
           key: mvn-it-repo
       - name: Check ODC Data Cache
         id: odc-data-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: core/target/data
           key: odc-data
       - name: Set up JDK 1.8
         id: jdk-8
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v2
         with:
-          java-version: 1.8 
+          java-version: 8
+          distribution: 'zulu'
           server-id: ossrh
           server-username: ${{ secrets.OSSRH_USERNAME }}
           server-password: ${{ secrets.OSSRH_TOKEN }}
@@ -63,7 +64,11 @@ jobs:
         run: |
           mvn -s settings.xml release:prepare --no-transfer-progress --batch-mode
           git reset --hard HEAD~1
-          git push origin release --tags
+          git push origin release
+          git fetch origin main
+          git checkout main
+          git merge release
+          git push origin main --tags
       - name: Get version
         run: |
           VERSION=$( mvn help:evaluate -Dexpression=project.version -q -DforceStdout )
@@ -136,13 +141,13 @@ jobs:
     steps:
       - name: Check Maven Cache
         id: maven-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: ~/.m2/repository/
           key: mvn-repo
       - name: Check Docker ODC Cache
         id: docker-odc-cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.5
         with:
           path: ~/OWASP-Dependency-Check
           key: docker-repo
@@ -193,12 +198,10 @@ jobs:
           release_name: Version ${{ env.VERSION }}
           body: |
             Changes in this Release
-            - Fixed a bug in the Sarif report generation.
-            - Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1.
-            - Added a new CPE matching strategy to reduce false negatives.
-            - CLI and Ant task will no longer be published to bintray.
-            - Several minor bug fixes.
-            - See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/22?closed=1).
+            - Resolved issue with Sarif report (#3243)
+            - Resolved issue with Ruby Bundle Audit (#3256)
+            - Several minor bug fixes and updates to reduce false positives
+            - See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/26?closed=1).
           draft: false
           prerelease: false
       - name: Upload CLI
@@ -260,7 +263,7 @@ jobs:
         run: ls -R
         working-directory: target
       - name: Deploy gh-pages
-        uses: JamesIves/github-pages-deploy-action@4.1.0
+        uses: JamesIves/github-pages-deploy-action@4.1.1
         with:
           branch: gh-pages
           folder: target/staging
@@ -273,7 +276,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v2
         with:
-          ref: release
+          ref: main
       - name: Configure Git user
         run: |
           git config user.email "actions@github.com"
@@ -284,8 +287,5 @@ jobs:
         run: |
           mvn --batch-mode release:update-versions
           git commit -am 'snapshot version'
-          git fetch origin main
-          git checkout main
-          git merge release
           git push origin main
           git push origin --delete release

README.md

@@ -89,11 +89,11 @@ Development Prerequisites
 -------------
 
 For installation to pass, you must have the following components installed:
-* Java: `java --version` 1.8.0 and higher
-* Maven: `mvn --version` 3.5.0 and higher
+* Java: `java -version` 1.8
+* Maven: `mvn -version` 3.5.0 and higher
 
 Tests cases require:
-* dotnet core version 3.1 or higher
+* dotnet core version 3.1
 * Go: `go version` 1.12 and higher
 * Ruby [bundler-audit](https://github.com/rubysec/bundler-audit#install)
 * [Yarn](https://classic.yarnpkg.com/en/docs/install/)
@@ -203,7 +203,7 @@ docker run --rm ^
 
 Building From Source
 -------------
-To build dependency-check run the command:
+To build dependency-check (using Java 8) run the command:
 
 ```
 mvn -s settings.xml install
@@ -218,26 +218,14 @@ mvn -s settings.xml install
 ./build-docker.sh
 ```
 
-Mailing List
-------------
-
-Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
-
-Post: [dependency-check@googlegroups.com] [post]
-
-Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check)
-
-Copyright & License
--
-
-Dependency-Check is Copyright (c) 2012-2020 Jeremy Long. All Rights Reserved.
+License
+-------
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 
 Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt][notices] file for more information.
 
+Copyright (c) 2012-2021 Jeremy Long. All Rights Reserved.
 
   [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
-  [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
-  [post]: mailto:dependency-check@googlegroups.com
   [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICE.txt

RELEASE_NOTES.md

@@ -1,6 +1,35 @@
 # Release Notes
 
-Please see the [dependency-check google group](https://groups.google.com/forum/#!forum/dependency-check) for the release notes on versions not listed below.
+## [Version 6.1.6](https://github.com/jeremylong/DependencyCheck/releases/tag/v6.1.6) (2021-04-29)
+
+### Changes
+
+- Resolved issue with Sarif report (#3243)
+- Resolved issue with Ruby Bundle Audit (#3256)
+- Several minor bug fixes and updates to reduce false positives
+- See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/26?closed=1).
+
+## [Version 6.1.5](https://github.com/jeremylong/DependencyCheck/releases/tag/v6.1.5) (2021-03-31)
+
+### Changes
+
+- Fixed a second NPE introduced in 6.1.3 (see #3246)
+- See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/25?closed=1).
+
+## [Version 6.1.4](https://github.com/jeremylong/DependencyCheck/releases/tag/v6.1.4) (2021-03-30)
+
+### Changes
+
+- Fixed an NPE introduced in 6.1.3 (see #3212)
+- See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/24?closed=1).
+
+## [Version 6.1.3](https://github.com/jeremylong/DependencyCheck/releases/tag/v6.1.3) (2021-03-22)
+
+### Changes
+
+- Modified the new CPE matching strategy to be more performant (#3207)
+- Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) (#3205)
+- See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/23?closed=1).
 
 ## [Version 6.1.2](https://github.com/jeremylong/DependencyCheck/releases/tag/v6.1.2) (2021-03-08)
 
@@ -506,3 +535,4 @@ Please see the [dependency-check google group](https://groups.google.com/forum/#
 - If show summary is disabled and vulnerable libraries are found that fail the build details are no longer displayed in the console – only that vulnerable libraries were identified
 - Resolved issues with threading and multiple connections to the embedded H2 database
   - This allows the Jenkins pipeline, Maven Plugin, etc. to safely run parallel executions of dependency-check
+

SECURITY.md

@@ -2,14 +2,10 @@
 
 ## Supported Versions
 
-| Version | Supported          |
-| --------|--------------------|
-| 6.x.x   | :white_check_mark: |
-| 5.3.x   | :white_check_mark: |
-| 5.2.x   | :white_check_mark: |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :white_check_mark: |
-| < 5.0.0 | :x:                |
+| Version  | Supported          |
+| ---------|--------------------|
+| 6.1.6+   | :white_check_mark: |
+| <= 6.1.5 | :x:                |
 
 ## Reporting a Vulnerability
 

ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>6.1.3-SNAPSHOT</version>
+        <version>6.1.7-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/jeremylong/DependencyCheck.git</connection>
         <url>https://github.com/jeremylong/DependencyCheck/tree/master/ant</url>
         <developerConnection>scm:git:git@github.com:jeremylong/DependencyCheck.git</developerConnection>
-        <tag>v6.0.5</tag>
+        <tag>v6.1.6</tag>
     </scm>
     <build>
         <resources>

archetype/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>6.1.3-SNAPSHOT</version>
+        <version>6.1.7-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
@@ -29,7 +29,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/jeremylong/DependencyCheck.git</connection>
         <url>https://github.com/jeremylong/DependencyCheck/tree/master/archetype</url>
         <developerConnection>scm:git:git@github.com:jeremylong/DependencyCheck.git</developerConnection>
-        <tag>v6.0.5</tag>
+        <tag>v6.1.6</tag>
     </scm>
     <build>
         <plugins>

cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>6.1.3-SNAPSHOT</version>
+        <version>6.1.7-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/jeremylong/DependencyCheck.git</connection>
         <url>https://github.com/jeremylong/DependencyCheck/tree/master/cli</url>
         <developerConnection>scm:git:git@github.com:jeremylong/DependencyCheck.git</developerConnection>
-        <tag>v6.0.5</tag>
+        <tag>v6.1.6</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>

cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -46,6 +46,7 @@
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import ch.qos.logback.classic.Level;
 import ch.qos.logback.classic.LoggerContext;
+import java.util.TreeSet;
 import org.owasp.dependencycheck.utils.SeverityUtil;
 
 /**
@@ -301,6 +302,7 @@ private int determineReturnCode(Engine engine, float cvssFailScore) {
                         || (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= cvssFailScore)
                         || (cvssFailScore <= 0.0f)) { //safety net to fail on any if for some reason the above misses on 0
                     retCode = 1;
+                    break;
                 }
             }
         }
@@ -316,7 +318,7 @@ private int determineReturnCode(Engine engine, float cvssFailScore) {
      * @return returns the set of identified files
      */
     private Set<File> scanAntStylePaths(List<String> antStylePaths, int symLinkDepth, String[] excludes) {
-        final Set<File> paths = new HashSet<>();
+        final Set<File> paths = new TreeSet<>();
         for (String file : antStylePaths) {
             LOGGER.debug("Scanning {}", file);
             final DirectoryScanner scanner = new DirectoryScanner();