Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency org.owasp:dependency-check-maven to v6 #13

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency org.owasp:dependency-check-maven to v6 #13

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Feb 8, 2021
edited
Loading

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.owasp:dependency-check-maven 5.3.0 -> 6.2.2 age adoption passing confidence

Release Notes

jeremylong/DependencyCheck

v6.2.2

Compare Source

Changes

v6.2.1

Compare Source

Changes

v6.2.0

Compare Source

Changes
  • Added an experimental Perl CPAN analyzer #​3378
    • Note that the full DSL of the CPAN is not yet supported so any required dependency is analyzed (i.e. there is no way to exclude development requirements)
  • Improved database performance #​3206
  • The archive analyzer now extracts files from RPM archives #​3226
  • Ensure ordered output in reports #​3243
  • Several minor bug fixes and updates to reduce false positives
  • See the full listing of changes.

v6.1.6

Compare Source

Changes
  • Resolved issue with Sarif report (#​3243)
  • Resolved issue with Ruby Bundle Audit (#​3256)
  • Several minor bug fixes and updates to reduce false positives
  • See the full listing of changes.

v6.1.5

Compare Source

Changes
  • Fixed a second NPE introduced in 6.1.3 (see #​3246)
  • See the full listing of changes.

v6.1.4

Compare Source

Changes
  • Fixed an NPE introduced in 6.1.3 (see #​3212)
  • See the full listing of changes.

v6.1.3

Compare Source

Changes
  • Modified the new CPE matching strategy to be more performant (#​3207)
  • Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) (#​3205)
  • See the full listing of changes.

v6.1.2

Compare Source

Changes
  • Fixed a bug in the Sarif report generation.
  • Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1.
  • Added a new CPE matching strategy to reduce false negatives.
  • CLI and Ant task will no longer be published to bintray.
  • Several minor bug fixes.
  • See the full listing of changes.

v6.1.1

Compare Source

Changes
  • Added missing configuration options for yarn and msbuild.
  • Several bug fixes.
  • See the full listing of changes.

v6.1.0

Compare Source

Changes
  • Added SARIF file format per #​3081.
  • Added support for Yarn per #​3063.
  • False positive reduction and minor bug fixes.
  • See the full listing of changes.

v6.0.5

Compare Source

Changes
  • Added missing command line arguments per #​3028 and #​3035.
  • False positive reduction and minor bug fixes.
  • See the full listing of changes.

v6.0.4

Compare Source

Changes
  • Minor bug fixes and reduction of false positives.
  • See the full listing of changes.

v6.0.3

Compare Source

Changes
  • Added a bash command completion script (see #​2916); to add completion to your shell
    completion-for-dependency-check.sh can be found in the bin directory of the CLI: 
    $ source completion-for-dependency-check.sh
  • An experimental PIP File Analyzer was added (see #​2877).
  • Analysis of Node JS produced several false positives (see #​2796); the analysis has
    been updated to reduce the number of false positives.
    • If analyzing Node JS projects it is highly recommended to disable the Node JS Analyzer
      and solely rely on the Node Audit Analyzer. There are plans to rework Node JS analysis
      in a future release.
  • Support for external Oracle databases has been add for the 6.x releases (see #​2899)
  • Resolved several reported false positives.
  • Several other bug fixes have been implemented; see the full listing of changes.

v6.0.2

Compare Source

Changes

  • The project is migrating from hosting the release archives on Bintray and moving them to Github under the assets for each release

    • Please update any automation you have to point to the new location.

  • Npm Audit Analyzer now correctly skips dev dependencies (--nodeAuditSkipDevDependencies); see #​2482.

  • GoLang Analyzer now scans transitive dependencies; see #​2680.

  • Several bug fixes found in 6.0.1.

  • Full listing of changes.

v6.0.1

Compare Source

Changes

  • Improved error messages when upgrading from 5.x to 6.x; due to breaking database changes if the old
    database schema is detected an error message is produced indicating that the old database should be purged.

  • Fixed the database path for the Ant and Gradle plugins.

  • Added locking around the RetireJS updates to resolve read/write conflicts in CI environments.

  • Full listing of changes.

v6.0.0

Compare Source

Changes
  • Updated database schema; this is a breaking change and anyone using an external database or those whom
    specify the data directory will need recreate the database (including users of the docker image). The schema
    changes were made to:
    • Improve the CVSS data, when available, per #​2547
    • Improve the way that ecosystems are determined
    • Improve the update performance of external databases
  • Users with an external Oracle database will not be able to upgrade as Help Requested: Oracle SQL jeremylong/DependencyCheck#2755
    has not been resolved - as such, version 6.0.0 does not support Oracle.
  • Users mirroring the NVD - ODC 6.0.0 requires the use of the version 1.1 data feeds
    • please ensure you are using 1.1 not the 1.0 data feed.
  • Full listing of changes.

v5.3.2

Compare Source

Changes
  • Several bug fixes
  • Full listing of changes.

v5.3.1

Compare Source

Changes
  • Added an experimental PE Analyzer that reads the PE headers of DLL and EXE files; see #​2448 and #​2446.
  • Lots of bug fixes and updates to false positives and false negatives
    • You may see a large one time performance hit when updating the database after updating to 5.3.1
  • Full listing of changes.

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/major-owasp-dependency-check.version branch from 112bd67 to 3e9df19 Compare February 13, 2021 13:51
@renovate renovate bot force-pushed the renovate/major-owasp-dependency-check.version branch from 3e9df19 to 2e30046 Compare March 8, 2021 13:58
@renovate renovate bot force-pushed the renovate/major-owasp-dependency-check.version branch from 2e30046 to 068ccb7 Compare March 22, 2021 13:50
@renovate renovate bot force-pushed the renovate/major-owasp-dependency-check.version branch 2 times, most recently from 6611841 to b799fff Compare March 31, 2021 12:32
@renovate renovate bot force-pushed the renovate/major-owasp-dependency-check.version branch from b799fff to 24465e7 Compare May 9, 2021 23:16
@renovate renovate bot force-pushed the renovate/major-owasp-dependency-check.version branch from 24465e7 to af16470 Compare June 6, 2021 21:00
@renovate renovate bot force-pushed the renovate/major-owasp-dependency-check.version branch from af16470 to cca4698 Compare June 12, 2021 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot