Upgrade DependencyCheck

.github/ISSUE_TEMPLATE/bug.yml

@@ -48,8 +48,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.1.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.1.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.1.0#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.1.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 

.github/ISSUE_TEMPLATE/issue.yml

@@ -32,8 +32,8 @@ body:
       label: Installation compliance
       description: 
       options:
-        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#clojure-cli-tool)).
+        - label: I have read again and made sure that I'm following **exactly** the instructions for my tool of choice ([Leiningen](https://github.com/rm-hull/nvd-clojure/tree/v3.1.0#leiningen), [Clojure CLI](https://github.com/rm-hull/nvd-clojure/tree/v3.1.0#clojure-cli), [Clojure CLI Tool](https://github.com/rm-hull/nvd-clojure/tree/v3.1.0#clojure-cli-tool)).
           required: true
-        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
+        - label: I understand that false positives [can be skipped locally](https://github.com/rm-hull/nvd-clojure/tree/v3.1.0#configuration-options) and should be reported to [DependencyCheck](https://github.com/jeremylong/DependencyCheck).
           required: false
 

.github/dogfooding_suppressions.xml

@@ -6,7 +6,7 @@
     <cve>CVE-2021-23463</cve>
   </suppress>
   <suppress>
-    <filePath regex="true">.*\bh2-2\.1\.210\.jar</filePath>
+    <filePath regex="true">.*\bh2-2\.1\.214\.jar</filePath>
     <cve>CVE-2018-14335</cve>
   </suppress>
   <suppress>
@@ -21,4 +21,8 @@
     <filePath regex="true">.*\bsnakeyaml-1\.33\.jar</filePath>
     <cve>CVE-2022-1471</cve>
   </suppress>
+  <suppress>
+    <filePath regex="true">.*\bguava-31\.1-jre\.jar</filePath>
+    <cve>CVE-2020-8908</cve>
+  </suppress>
 </suppressions>

CHANGELOG.md

@@ -7,7 +7,7 @@
 
 * Introduce .edn configuration format.
   * .json files will remain working as-is indefinitely.
-  * If you wish to migrate to the .edn format, doing so is easy - please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.0.1/FAQ.md).
+  * If you wish to migrate to the .edn format, doing so is easy - please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.1.0/FAQ.md#how-do-i-migrate-from-the-json-config-format-to-edn).
   * If you specify the blank string as the config file to be used, a useful, sample .edn file will be generated.
 * Automatically create a .xml suppression file when a `:suppression-file` is specified and no such file exists
   * In practice, this means that on the first run, if you specify the blank string as the config file to be used, two files will be created for you:

FAQ.md

@@ -10,6 +10,14 @@ So breaking API changes aren't drastically different from the other changes that
 
 With that said, there is active effort to avoid superflous API changes. We do intend to keep whatever can be reasonably kept.
 
+### What is classpath interference?
+
+nvd-clojure has some Java dependencies, which in turn can have CVEs themselves.
+
+Likewise, a given project's dependencies can overlap and therefore affect nvd-clojure's, leading it to incorrect functioning.
+
+For these reasons, it is strongly advised to follow the provided installation/usage instructions carefully, so that the classpath that nvd-clojure itself uses is fully decoupled from the classpath being analysed.
+
 ### How do I migrate from the .json config format to .edn?
 
 The .json config file format is considered legacy now, although it will remain supported.

Makefile

@@ -2,7 +2,7 @@
 
 # Example usage:
 # copy a one-off Clojars token to your clipboard
-# GIT_TAG=v3.0.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
+# GIT_TAG=v3.1.0 CLOJARS_USERNAME=$USER CLOJARS_PASSWORD=$(pbpaste) make deploy
 
 deploy: check-env
 	lein clean

README.md

@@ -18,18 +18,18 @@ will be checked for known security vulnerabilities. `nvd-clojure` passes them to
 
 ### Installation and basic usage
 
-> _Please see also:_ [Avoiding classpath interference](#avoiding-classpath-interference)
+> _Please see also:_ [Avoiding classpath interference](https://github.com/rm-hull/nvd-clojure/blob/v3.1.0/FAQ.md#what-is-classpath-interference)
 
 #### Leiningen
 
 <details>
 
-Please create a separate project consisting of `[nvd-clojure/nvd-clojure "3.0.1"]`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting of `[nvd-clojure/nvd-clojure "3.1.0"]`. Said project can be located inside the targeted repo's Git repository.
 
 ```clj
 (defproject nvd-helper "local"
   :description "nvd-clojure helper project"
-  :dependencies [[nvd-clojure "3.0.1"]
+  :dependencies [[nvd-clojure "3.1.0"]
                  [org.clojure/clojure "1.11.1"]]
   :jvm-opts ["-Dclojure.main.report=stderr"])
 ```
@@ -54,7 +54,7 @@ If you are using a multi-modules solution (e.g. `lein-monolith`), you should ens
 
 <details>
 
-Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "3.0.1"}`. Said project can be located inside the targeted repo's Git repository.
+Please create a separate project consisting exclusively of `nvd-clojure/nvd-clojure {:mvn/version "3.1.0"}`. Said project can be located inside the targeted repo's Git repository.
 
 Please do not add nvd-clojure as a dependency in the deps.edn of the project to be analysed.
 
@@ -155,7 +155,7 @@ dependency relationships are:
 dependencies, and suggest upgraded versions, and can optionally be configured
 to update the project file.
 
-(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.0.1/FAQ.md))
+(Note that that is only one of the multiple ways of remediating a given vulnerability, please see [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.1.0/FAQ.md#how-to-remediate-a-cve-is-it-a-good-idea-to-automate-remediation))
 
 ## Configuration
 
@@ -209,15 +209,7 @@ You can also set logging properties directly through Java system properties (the
 clojure -J-Dclojure.main.report=stderr -J-Dorg.slf4j.simpleLogger.log.org.apache.commons=error -Tnvd nvd.task/check # ...
 ```
 
-## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.0.1/FAQ.md)
-
-## Avoiding classpath interference
-
-nvd-clojure has some Java dependencies, which in turn can have CVEs themselves.
-
-Likewise, a given project's dependencies can overlap and therefore affect nvd-clojure's, leading it to incorrect functioning.
-
-For these reasons, it is strongly advised to follow the provided installation/usage instructions carefully.
+## [FAQ](https://github.com/rm-hull/nvd-clojure/blob/v3.1.0/FAQ.md)
 
 ## Attribution
 

deps.edn

@@ -4,7 +4,7 @@
         clansi/clansi {:mvn/version "1.0.0"}
         org.clojure/data.json {:mvn/version "2.4.0"}
         org.slf4j/slf4j-simple {:mvn/version "2.0.6"}
-        org.owasp/dependency-check-core {:mvn/version "8.1.0"}
+        org.owasp/dependency-check-core {:mvn/version "8.1.2"}
         rm-hull/table {:mvn/version "0.7.1"}
         trptcolin/versioneer {:mvn/version "0.2.0"}}
  :mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"}

project.clj

@@ -1,4 +1,4 @@
-(defproject nvd-clojure "3.0.1"
+(defproject nvd-clojure "3.1.0"
   :description "National Vulnerability Database dependency checker"
   :url "https://github.com/rm-hull/nvd-clojure"
   :license {:name "The MIT License (MIT)"
@@ -7,7 +7,7 @@
                  [clansi "1.0.0"]
                  [org.clojure/data.json "2.4.0"]
                  [org.slf4j/slf4j-simple "2.0.6"]
-                 [org.owasp/dependency-check-core "8.1.0"]
+                 [org.owasp/dependency-check-core "8.1.2"]
                  [rm-hull/table "0.7.1"]
                  [trptcolin/versioneer "0.2.0"]
                  ;; Explicitly depend on a certain Jackson, consistently.
@@ -16,16 +16,16 @@
                  [com.fasterxml.jackson.core/jackson-annotations "2.14.2"]
                  [com.fasterxml.jackson.core/jackson-core "2.14.2"]
                  [com.fasterxml.jackson.module/jackson-module-afterburner "2.14.2"]
-                 [org.apache.maven.resolver/maven-resolver-transport-http "1.9.4" #_"Fixes a CVE"]
-                 [org.yaml/snakeyaml "1.33" #_"Fixes a CVE"]
+                 [org.apache.maven.resolver/maven-resolver-transport-http "1.9.6" #_"Fixes a CVE"]
+                 [org.yaml/snakeyaml "2.0" #_"Fixes a CVE"]
                  [org.apache.maven/maven-core "3.9.0" #_"Fixes a CVE"]
-                 [org.eclipse.jetty/jetty-client "12.0.0.alpha3" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
-                 [org.apache.maven.resolver/maven-resolver-spi "1.9.4" #_"Satisfies :pedantic?"]
-                 [org.apache.maven.resolver/maven-resolver-api "1.9.4" #_"Satisfies :pedantic?"]
-                 [org.apache.maven.resolver/maven-resolver-util "1.9.4" #_"Satisfies :pedantic?"]
-                 [org.apache.maven.resolver/maven-resolver-impl "1.9.4" #_"Satisfies :pedantic?"]
+                 [org.eclipse.jetty/jetty-client "12.0.0.beta0" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
+                 [org.apache.maven.resolver/maven-resolver-spi "1.9.6" #_"Satisfies :pedantic?"]
+                 [org.apache.maven.resolver/maven-resolver-api "1.9.6" #_"Satisfies :pedantic?"]
+                 [org.apache.maven.resolver/maven-resolver-util "1.9.6" #_"Satisfies :pedantic?"]
+                 [org.apache.maven.resolver/maven-resolver-impl "1.9.6" #_"Satisfies :pedantic?"]
                  [org.apache.maven/maven-resolver-provider "3.9.0" #_"Satisfies :pedantic?"]
-                 [org.codehaus.plexus/plexus-utils "3.5.0" #_"Satisfies :pedantic?"]]
+                 [org.codehaus.plexus/plexus-utils "3.5.1" #_"Satisfies :pedantic?"]]
   :managed-dependencies [[com.google.code.gson/gson "2.10.1"]]
   :scm {:url "git@github.com:rm-hull/nvd-clojure.git"}
   :source-paths ["src"]

resources/nvd_clojure/default_config_content.edn

@@ -6,7 +6,7 @@
 
 ;; Feel free to tweak it, version-control it and remove any comment.
 
-;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v3.0.1#configuration-options
+;; Configuration reference: https://github.com/rm-hull/nvd-clojure/tree/v3.1.0#configuration-options
 
 {;; You can use the `:suppression-file` in order to silence false positives.
  ;; This file will be automatically created, with whatever filename is specified here, if it didn't exist already.