Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency org.owasp:dependency-check-maven to v6 #44

Merged
merged 1 commit into from
Jan 10, 2022
Merged

Update dependency org.owasp:dependency-check-maven to v6 #44

merged 1 commit into from
Jan 10, 2022

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Jan 10, 2022

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.owasp:dependency-check-maven 5.3.2 -> 6.5.2 age adoption passing confidence

Release Notes

jeremylong/DependencyCheck

v6.5.2

Compare Source

Changes
  • Fixed false positives around log4j-api and Log4j-web (#​3910 & #​3937).
  • Bug fix when processing NPM lock files (#​3893).
  • Added missing pnpm argmument to the CLI (#​3916).
  • General code maintenance and false positive reductions.
  • See the full listing of changes.

v6.5.1

Compare Source

Changes
  • Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified (#​3787).
  • Improved the analysis of Swift package manager (package.resolved - see #​3813).
  • General code maintenance and false positive reductions.
  • See the full listing of changes.

v6.5.0

Compare Source

Changes
  • Updated build configuration to create reproducible builds.
  • Updated automated release process to work with branch protection.
  • Resolved several false positives in the Java ecosystem.
  • Enabled the Swift Resolved analyzer per #​3735
  • Improved iOS support per #​3168 and #​3765
  • Added the a new pnpm Analyzer
  • Fixed issue with some npm and yarn analysis failing due to large audit output
  • See the full listing of changes.

v6.4.1

Compare Source

Changes
  • Added download attempts with increasing wait time for CVE meta files from the NVD to prevent rate limiting issues (see #​3725).
  • See the full listing of changes.

v6.4.0

Compare Source

Changes
  • Increased timeout between downloads from the NVD to prevent rate limiting issues (see #​3722).
    • cveStartYear is now configurable and can be set to any year from 2002 to present.
    • cveWaitTime is a new configuration option to define how many milliseconds to wait between NVD downloads; default is 4000 ms (see #​3690).
    • The NVD CVE data files are now being cached for up to 4 hours in case a download fails, re-running ODC will use the cached version.
  • Fixed NPE in the ODC maven plugin (see #​3702.
  • See the full listing of changes.

v6.3.2

Compare Source

Changes
  • Reduced chance of rate limiting when download files from NVD (see #​2670).
  • Fixed bug causing some transitive dependencies being skipped in the odc-maven-plugin (see #​3627).
  • See the full listing of changes.

v6.3.1

Compare Source

Changes

v6.3.0

Compare Source

Changes
  • Many updates were made to improve performance on large scans, reduce false positives, and other bug fixes.
  • Increased the width of four columns in the database; if you use a an external database you should also update the width (see upgrade_5.1.sql).
  • See the full listing of changes.

v6.2.2

Compare Source

Changes

v6.2.1

Compare Source

Changes

v6.2.0

Compare Source

Changes
  • Added an experimental Perl CPAN analyzer #​3378
    • Note that the full DSL of the CPAN is not yet supported so any required dependency is analyzed (i.e. there is no way to exclude development requirements)
  • Improved database performance #​3206
  • The archive analyzer now extracts files from RPM archives #​3226
  • Ensure ordered output in reports #​3243
  • Several minor bug fixes and updates to reduce false positives
  • See the full listing of changes.

v6.1.6

Compare Source

Changes
  • Resolved issue with Sarif report (#​3243)
  • Resolved issue with Ruby Bundle Audit (#​3256)
  • Several minor bug fixes and updates to reduce false positives
  • See the full listing of changes.

v6.1.5

Compare Source

Changes
  • Fixed a second NPE introduced in 6.1.3 (see #​3246)
  • See the full listing of changes.

v6.1.4

Compare Source

Changes
  • Fixed an NPE introduced in 6.1.3 (see #​3212)
  • See the full listing of changes.

v6.1.3

Compare Source

Changes
  • Modified the new CPE matching strategy to be more performant (#​3207)
  • Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) (#​3205)
  • See the full listing of changes.

v6.1.2

Compare Source

Changes
  • Fixed a bug in the Sarif report generation.
  • Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1.
  • Added a new CPE matching strategy to reduce false negatives.
  • CLI and Ant task will no longer be published to bintray.
  • Several minor bug fixes.
  • See the full listing of changes.

v6.1.1

Compare Source

Changes
  • Added missing configuration options for yarn and msbuild.
  • Several bug fixes.
  • See the full listing of changes.

v6.1.0

Compare Source

Changes
  • Added SARIF file format per #​3081.
  • Added support for Yarn per #​3063.
  • False positive reduction and minor bug fixes.
  • See the full listing of changes.

v6.0.5

Compare Source

Changes
  • Added missing command line arguments per #​3028 and #​3035.
  • False positive reduction and minor bug fixes.
  • See the full listing of changes.

v6.0.4

Compare Source

Changes
  • Minor bug fixes and reduction of false positives.
  • See the full listing of changes.

v6.0.3

Compare Source

Changes
  • Added a bash command completion script (see #​2916); to add completion to your shell
    completion-for-dependency-check.sh can be found in the bin directory of the CLI: 
    $ source completion-for-dependency-check.sh
  • An experimental PIP File Analyzer was added (see #​2877).
  • Analysis of Node JS produced several false positives (see #​2796); the analysis has
    been updated to reduce the number of false positives.
    • If analyzing Node JS projects it is highly recommended to disable the Node JS Analyzer
      and solely rely on the Node Audit Analyzer. There are plans to rework Node JS analysis
      in a future release.
  • Support for external Oracle databases has been add for the 6.x releases (see #​2899)
  • Resolved several reported false positives.
  • Several other bug fixes have been implemented; see the full listing of changes.

v6.0.2

Compare Source

Changes

  • The project is migrating from hosting the release archives on Bintray and moving them to Github under the assets for each release

    • Please update any automation you have to point to the new location.

  • Npm Audit Analyzer now correctly skips dev dependencies (--nodeAuditSkipDevDependencies); see #​2482.

  • GoLang Analyzer now scans transitive dependencies; see #​2680.

  • Several bug fixes found in 6.0.1.

  • Full listing of changes.

v6.0.1

Compare Source

Changes

  • Improved error messages when upgrading from 5.x to 6.x; due to breaking database changes if the old
    database schema is detected an error message is produced indicating that the old database should be purged.

  • Fixed the database path for the Ant and Gradle plugins.

  • Added locking around the RetireJS updates to resolve read/write conflicts in CI environments.

  • Full listing of changes.

v6.0.0

Compare Source

Changes
  • Updated database schema; this is a breaking change and anyone using an external database or those whom
    specify the data directory will need recreate the database (including users of the docker image). The schema
    changes were made to:
    • Improve the CVSS data, when available, per #​2547
    • Improve the way that ecosystems are determined
    • Improve the update performance of external databases
  • Users with an external Oracle database will not be able to upgrade as Help Requested: Oracle SQL jeremylong/DependencyCheck#2755
    has not been resolved - as such, version 6.0.0 does not support Oracle.
  • Users mirroring the NVD - ODC 6.0.0 requires the use of the version 1.1 data feeds
    • please ensure you are using 1.1 not the 1.0 data feed.
  • Full listing of changes.

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/org.owasp-dependency-check-maven-6.x branch from 1a3a159 to 3db2f4f Compare January 10, 2022 11:46
@nilshoffmann nilshoffmann merged commit 4184dd5 into master Jan 10, 2022
@renovate renovate bot deleted the renovate/org.owasp-dependency-check-maven-6.x branch January 10, 2022 11:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@nilshoffmann @renovate-bot