jeremylong/DependencyCheck (org.owasp:dependency-check-maven)
### [`v9.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-920-2024-05-15)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.1.0...v9.2.0)
- docs: update logo per IntelliJ ([#6660](https://togithub.com/jeremylong/DependencyCheck/issues/6660))
- feat: Carthage analyzer ([#6614](https://togithub.com/jeremylong/DependencyCheck/issues/6614))
- fix: Ensure valid JSON output for gitlab report ([#6630](https://togithub.com/jeremylong/DependencyCheck/issues/6630))
- feat: Support Package.swift version 3 Specification ([#6578](https://togithub.com/jeremylong/DependencyCheck/issues/6578))
- chore: Update the packaged suppressions to include new hosted suppressions ([#6567](https://togithub.com/jeremylong/DependencyCheck/issues/6567))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/82?closed=1).
### [`v9.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-910-2024-03-31)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.10...v9.1.0)
- feat: Add v2 support for maven_install.json ([#6528](https://togithub.com/jeremylong/DependencyCheck/issues/6528))
- build(deps): bump open-vulnerability-client ([#6554](https://togithub.com/jeremylong/DependencyCheck/issues/6554))
  - resolves update issues due to CVSS Metrics 4.0
- build(deps): bump jackson.version from 2.16.0 to 2.16.1 ([#6353](https://togithub.com/jeremylong/DependencyCheck/issues/6353))
- build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 ([#6362](https://togithub.com/jeremylong/DependencyCheck/issues/6362))
- build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine ([#6506](https://togithub.com/jeremylong/DependencyCheck/issues/6506))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/81?closed=1).
### [`v9.0.10`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-9010-2024-03-15)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.9...v9.0.10)
- fix: [#4321](https://togithub.com/jeremylong/DependencyCheck/issues/4321) Suppress redis server CVEs for client libraries ([#4321](https://togithub.com/jeremylong/DependencyCheck/issues/4321)) ([#6489](https://togithub.com/jeremylong/DependencyCheck/issues/6489))
- fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 ([#6492](https://togithub.com/jeremylong/DependencyCheck/issues/6492))
- feat: Allow to pass NVD API key via environment variable ([#6454](https://togithub.com/jeremylong/DependencyCheck/issues/6454))
- fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block ([#6501](https://togithub.com/jeremylong/DependencyCheck/issues/6501))
- docs: document the default data directory ([#6484](https://togithub.com/jeremylong/DependencyCheck/issues/6484))
- fix: prevent NPE in bundler audit ([#6462](https://togithub.com/jeremylong/DependencyCheck/issues/6462))
- fix: [#6441](https://togithub.com/jeremylong/DependencyCheck/issues/6441) Improve suppression rule to not restrict to a single version ([#6442](https://togithub.com/jeremylong/DependencyCheck/issues/6442))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/80?closed=1).
### [`v9.0.9`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-909-2024-01-17)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.8...v9.0.9)
- fix: for [#6374](https://togithub.com/jeremylong/DependencyCheck/issues/6374) to delete non-empty directories ([#6375](https://togithub.com/jeremylong/DependencyCheck/issues/6375))
- fix: NoSuchMethodError `closeQuietly(java.io.Closeable[])` ([#6377](https://togithub.com/jeremylong/DependencyCheck/issues/6377))
- chore: close stream to prevent possible resource leak ([#6382](https://togithub.com/jeremylong/DependencyCheck/issues/6382))
- docs: Document default for CLI --data ([#6359](https://togithub.com/jeremylong/DependencyCheck/issues/6359))
- docs: document gradle build ([#6371](https://togithub.com/jeremylong/DependencyCheck/issues/6371))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/79?closed=1).
### [`v9.0.8`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-908-2024-01-06)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.7...v9.0.8)
- fix: favor stability over performance ([#6349](https://togithub.com/jeremylong/DependencyCheck/issues/6349))
- chore: replace commons-io with core java calls ([#6343](https://togithub.com/jeremylong/DependencyCheck/issues/6343))
- fix: improve error reporting for invalid H2 database ([#6339](https://togithub.com/jeremylong/DependencyCheck/issues/6339))
- fix: rework fix for closing input streams on errors correctly ([#6338](https://togithub.com/jeremylong/DependencyCheck/issues/6338))
- fix: reduce chance NVD API block updates due to rate limit ([#6333](https://togithub.com/jeremylong/DependencyCheck/issues/6333))
- fix: ensure open handles will not leak on errors ([#6326](https://togithub.com/jeremylong/DependencyCheck/issues/6326))
- fix: improve error reporting ([#6324](https://togithub.com/jeremylong/DependencyCheck/issues/6324))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/78?closed=1).
### [`v9.0.7`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-907-2023-12-18)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.6...v9.0.7)
- docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 ([#6315](https://togithub.com/jeremylong/DependencyCheck/issues/6315))
- fix: improve memory usage on NVD update ([#6321](https://togithub.com/jeremylong/DependencyCheck/issues/6321))
- fix: skip pyproject.toml unless it contains `tool.poetry` ([#6316](https://togithub.com/jeremylong/DependencyCheck/issues/6316))
- fix: resolve build error that may cause an issue on some JDK versions ([#6312](https://togithub.com/jeremylong/DependencyCheck/issues/6312))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/77?closed=1).
### [`v9.0.6`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-906-2023-12-15)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.5...v9.0.6)
- build: bump open-vulnerability-clients@5.1.1 ([#6308](https://togithub.com/jeremylong/DependencyCheck/issues/6308))
- fix: mask nvd.api.key in logs; see GHSA-qqhq-8r2c-c3f5 ([#6307](https://togithub.com/jeremylong/DependencyCheck/issues/6307))
- fix: update java version check ([#6297](https://togithub.com/jeremylong/DependencyCheck/issues/6297))
- fix: more efficient memory usage ([#6299](https://togithub.com/jeremylong/DependencyCheck/issues/6299))
- fix: stream NVD data via Jackson to reduce memory footprint ([#6275](https://togithub.com/jeremylong/DependencyCheck/issues/6275))
- docs: document github action caching ([#6301](https://togithub.com/jeremylong/DependencyCheck/issues/6301))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/76?closed=1).
### [`v9.0.5`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-905-2023-12-13)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.4...v9.0.5)
- fix: make NVD API endpoint configurable ([#6287](https://togithub.com/jeremylong/DependencyCheck/issues/6287))
- fix: synch last modified timestamp for NVD API ([#6281](https://togithub.com/jeremylong/DependencyCheck/issues/6281))
- fix: read NVD cache meta files if cache.properties does not exist ([#6282](https://togithub.com/jeremylong/DependencyCheck/issues/6282))
- fix: correct property for nonProxyHosts ([#6285](https://togithub.com/jeremylong/DependencyCheck/issues/6285))
- fix: reduce apache http logging ([#6280](https://togithub.com/jeremylong/DependencyCheck/issues/6280))
- fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db ([#6271](https://togithub.com/jeremylong/DependencyCheck/issues/6271))
- build: bump golang in the docker image ([#6274](https://togithub.com/jeremylong/DependencyCheck/issues/6274))
- fix: use temporary files to reduce memory usage during the NVD Update ([#6270](https://togithub.com/jeremylong/DependencyCheck/issues/6270))
- fix: use BIT for Oracle DB instead of Boolean when calling prepared statements ([#6264](https://togithub.com/jeremylong/DependencyCheck/issues/6264))
- fix: showing all reference tags in reports ([#6259](https://togithub.com/jeremylong/DependencyCheck/issues/6259))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/75?closed=1).
### [`v9.0.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-904-2023-12-08)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.3...v9.0.4)
- fix: utilize maven proxy if present ([#6255](https://togithub.com/jeremylong/DependencyCheck/issues/6255))
- fix: allow api key in cli to be quoted ([#6253](https://togithub.com/jeremylong/DependencyCheck/issues/6253))
- fix: use correct maven plugin reporting plugin ([#6244](https://togithub.com/jeremylong/DependencyCheck/issues/6244))
- fix: correct trailing comma in JSON report ([#6245](https://togithub.com/jeremylong/DependencyCheck/issues/6245))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/74?closed=1).
### [`v9.0.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-903-2023-12-06)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.2...v9.0.3)
- fix: use Java properties for proxy configuration ([#6238](https://togithub.com/jeremylong/DependencyCheck/issues/6238))
- docs: update proxy configuration documentation ([#6237](https://togithub.com/jeremylong/DependencyCheck/issues/6237))
- docs: add documentation on caching ([#6204](https://togithub.com/jeremylong/DependencyCheck/issues/6204))
- docs: Clarify H2 database caching strategy ([#6220](https://togithub.com/jeremylong/DependencyCheck/issues/6220))
- docs: Update list of supported report formats ([#6224](https://togithub.com/jeremylong/DependencyCheck/issues/6224))
- docs: example 5 with new nvdDatafeedUrl parameter ([#6215](https://togithub.com/jeremylong/DependencyCheck/issues/6215))
- fix: prevent NPEs ([#6232](https://togithub.com/jeremylong/DependencyCheck/issues/6232) and [#6206](https://togithub.com/jeremylong/DependencyCheck/issues/6206))
- fix: check valid for hours for NVD API ([#6225](https://togithub.com/jeremylong/DependencyCheck/issues/6225))
- fix: correct NVD cache last checked logic ([#6218](https://togithub.com/jeremylong/DependencyCheck/issues/6218))
- fix: nvd datafeed should process current year ([#6213](https://togithub.com/jeremylong/DependencyCheck/issues/6213))
- fix: correct references to cvssv2 and cvssv3 fields in json and xml reports ([#6212](https://togithub.com/jeremylong/DependencyCheck/issues/6212))
- fix: correct name on reference links in report ([#6205](https://togithub.com/jeremylong/DependencyCheck/issues/6205))
- fix: flaws in the gitlab report ([#6193](https://togithub.com/jeremylong/DependencyCheck/issues/6193))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/73?closed=1).
### [`v9.0.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-902-2023-12-01)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.1...v9.0.2)
- fix: remove virtual match string on NVD API Request ([#6177](https://togithub.com/jeremylong/DependencyCheck/issues/6177))
- fix: correct meta data in report after switching the NVD API ([#6154](https://togithub.com/jeremylong/DependencyCheck/issues/6154))
- fix: retry HTTP connections to NVD on 502 and 504 errors ([#6151](https://togithub.com/jeremylong/DependencyCheck/issues/6151))
- fix: Gitlab report format needs severity capitalized ([#6182](https://togithub.com/jeremylong/DependencyCheck/issues/6182))
- fix: improve JDK update version parsing ([#6163](https://togithub.com/jeremylong/DependencyCheck/issues/6163))
- fix: mute JCS logging (again) ([#6153](https://togithub.com/jeremylong/DependencyCheck/issues/6153))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/72?closed=1).
### [`v9.0.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-9010-2024-03-15)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.0...v9.0.1)
### [`v9.0.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-900-2023-11-22)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.3...v9.0.0)
**breaking changes**: See the [upgrade notice](https://togithub.com/jeremylong/DependencyCheck#900-upgrade-notice)
- feat: Utilize NVD API ([#5978](https://togithub.com/jeremylong/DependencyCheck/issues/5978))
- feat: gitlab dependency scanner report format [#5919](https://togithub.com/jeremylong/DependencyCheck/issues/5919) ([#5920](https://togithub.com/jeremylong/DependencyCheck/issues/5920))
- fix: Use ASCII apostrophe for console message ([#6076](https://togithub.com/jeremylong/DependencyCheck/issues/6076))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/68?closed=1).
### [`v8.4.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-843-2023-11-15)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.2...v8.4.3)
- fix: bump jcs3 ([#6047](https://togithub.com/jeremylong/DependencyCheck/issues/6047))
- docs: Corrected docs on hostedSuppressions ([#6035](https://togithub.com/jeremylong/DependencyCheck/issues/6035))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/70?closed=1).
### [`v8.4.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-842-2023-10-22)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.1...v8.4.2)
- fix: correct log configuration in cli ([#6002](https://togithub.com/jeremylong/DependencyCheck/issues/6002))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/69?closed=1).
### [`v8.4.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-841-2023-10-21)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.0...v8.4.1)
##### Fixed
- fix: upgrade to JCS3 ([#5114](https://togithub.com/jeremylong/DependencyCheck/issues/5114))
- fix: Support ~= version specifier in requirements.txt and pipfile ([#5902](https://togithub.com/jeremylong/DependencyCheck/issues/5902))
- fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name ([#5901](https://togithub.com/jeremylong/DependencyCheck/issues/5901))
- fix: Do not filter out evidences added by hints ([#5900](https://togithub.com/jeremylong/DependencyCheck/issues/5900))
- fix: fixes FP [#5925](https://togithub.com/jeremylong/DependencyCheck/issues/5925) ([#5927](https://togithub.com/jeremylong/DependencyCheck/issues/5927))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/67?closed=1).
### [`v8.4.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-840-2023-08-19)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.3.1...v8.4.0)
##### Added
- feat: Add support for Nexus v3 to NexusAnalyzer ([#5849](https://togithub.com/jeremylong/DependencyCheck/issues/5849))
##### Fixed
- fix: Hint Analyzer should run before VersionFilter Analyzer ([#5818](https://togithub.com/jeremylong/DependencyCheck/issues/5818))
- chore: switch to sha1-pinning as suggested by Semgrep
- fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter ([#5845](https://togithub.com/jeremylong/DependencyCheck/issues/5845))
- fix: use curl with -L to follow github redirect ([#5808](https://togithub.com/jeremylong/DependencyCheck/issues/5808))
- fix: use curl with -L to follow github redirect
- fix: [#5671](https://togithub.com/jeremylong/DependencyCheck/issues/5671) out of memory error ([#5789](https://togithub.com/jeremylong/DependencyCheck/issues/5789))
- fix: [#5671](https://togithub.com/jeremylong/DependencyCheck/issues/5671) Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/66?closed=1).
### [`v8.3.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-831-2023-06-12)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.3.0...v8.3.1)
Re-release of 8.3.0 as 8.3.1.
### [`v8.3.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-830-2023-06-12)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.2.1...v8.3.0)
##### Added
- Add LibmanAnalyzer ([#5652](https://togithub.com/jeremylong/DependencyCheck/issues/5652))
- Update HTML report Dependencies header based on display settings ([#5619](https://togithub.com/jeremylong/DependencyCheck/issues/5619))
- Add link to suppressed vulnerabilities header in HTML report ([#5620](https://togithub.com/jeremylong/DependencyCheck/issues/5620))
- Enable local proxy configuration in maven plugin configuration ([#5696](https://togithub.com/jeremylong/DependencyCheck/issues/5696))
##### Fixed
- Fix npm alias present in requires of dependencies ([#5703](https://togithub.com/jeremylong/DependencyCheck/issues/5703))
- Make Central URL configurable via CLI ([#5667](https://togithub.com/jeremylong/DependencyCheck/issues/5667))
- Ensure support of CVSSv3.1 ([#5602](https://togithub.com/jeremylong/DependencyCheck/issues/5602))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/65?closed=1).
### [`v8.2.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-821-2023-03-23)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.2.0...v8.2.1)
##### Fixed
- NullPointerException in MSBuildAnalyzer ([#5589](https://togithub.com/jeremylong/DependencyCheck/issues/5589))
- SQL Syntax for Oracle ([#5590](https://togithub.com/jeremylong/DependencyCheck/issues/5590))
- Use `https://` URLs in report templates ([#5582](https://togithub.com/jeremylong/DependencyCheck/issues/5582))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/64?closed=1).
### [`v8.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-820-2023-03-22)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.1.2...v8.2.0)
##### Added
- Support msbuild Directory.build.props ([#5475](https://togithub.com/jeremylong/DependencyCheck/issues/5475))
- better display of NPM audit references
- Add CVSS V3 results from NPM Audit results
##### Fixed
- Fix several issues on NPM Audit reporting ([#5546](https://togithub.com/jeremylong/DependencyCheck/issues/5546))
- Case issue in SQL ([#5557](https://togithub.com/jeremylong/DependencyCheck/issues/5557))
- Fix CWE(s) extraction for NPM Audit advisories
- Use the stable github_advisory_id instead of the now unstable id in NPM audit results
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/63?closed=1).
### [`v8.1.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-812-2023-02-28)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.1.1...v8.1.2)
##### Fixed
- Fix `NullPointerException` in the Jar Analyzer introduced in 8.1.1 ([#5512](https://togithub.com/jeremylong/DependencyCheck/issues/5512))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/62?closed=1).
### [`v8.1.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-811-2023-02-27)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.1.0...v8.1.1)
##### Fixed
- allow hosted suppressions file to be disabled ([#5509](https://togithub.com/jeremylong/DependencyCheck/issues/5509))
- Several FPs not suitable for our automation ([#5504](https://togithub.com/jeremylong/DependencyCheck/issues/5504))
- Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation ([#5503](https://togithub.com/jeremylong/DependencyCheck/issues/5503))
- Erroneous error-log for deprecated CLI flag usage when using property-file based disablement of Node Audit Analyzer ([#5487](https://togithub.com/jeremylong/DependencyCheck/issues/5487))
- Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues ([#5473](https://togithub.com/jeremylong/DependencyCheck/issues/5473))
- Node package dependencies ending up as related dependency of the wrong version of the package ([#5479](https://togithub.com/jeremylong/DependencyCheck/issues/5479))
- do not throw error if pyproject.toml is in node_modules ([#5470](https://togithub.com/jeremylong/DependencyCheck/issues/5470))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/61?closed=1).
### [`v8.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-810-2023-01-26)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.0.2...v8.1.0)
##### Added
- `Pipefile.lock` files are now supported ([#5404](https://togithub.com/jeremylong/DependencyCheck/pull/5404)).
- Python projects with only a `pyproject.toml` but no lock file or requirements will report an error as ODC is unable to analyze the project ([#5409](https://togithub.com/jeremylong/DependencyCheck/pull/5409)).
##### Fixed
- Some maven projects caused false positives due to bad string interpolation ([#5421](https://togithub.com/jeremylong/DependencyCheck/pull/5421)).
- Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis ([#5408](https://togithub.com/jeremylong/DependencyCheck/pull/5408)).
- Correct issue where database defrag occurs even when no updates were performed ([#5441](https://togithub.com/jeremylong/DependencyCheck/pull/5441)).
- Fixed several False Positives and one False Negative.
- Made the `format` configuration more flexible in the gradle plugin ([dependency-check-gradle/#324](https://togithub.com/dependency-check/dependency-check-gradle/pull/324)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/60?closed=1).
### [`v8.0.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-802-2023-01-26)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.0.1...v8.0.2)
##### Fixed
- Resolved bug causing an issue with some Maven Extensions ([#5366](https://togithub.com/jeremylong/DependencyCheck/pull/5366)).
- ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive ([#5371](https://togithub.com/jeremylong/DependencyCheck/pull/5371)).
- Updated CSV report so that it no longer has a duplicate `description` column ([#5364](https://togithub.com/jeremylong/DependencyCheck/pull/5364)).
- Moved several logging statements to trace which should drastically reduce the log size ([#5350](https://togithub.com/jeremylong/DependencyCheck/pull/5350)).
- Fixed bug with RetireJS' `--retirejsFilterNonVulnerable` and `--retirejsFilter` when used with the CLI ([#5351](https://togithub.com/jeremylong/DependencyCheck/pull/5351)).
- Fixed the `sarif` report format and added validation ([#5345](https://togithub.com/jeremylong/DependencyCheck/pull/5345) and [#5363](https://togithub.com/jeremylong/DependencyCheck/pull/5363)).
- Fixed `MalformedPackageException` in the gradle plugin ([dependency-check-gradle/#320](https://togithub.com/dependency-check/dependency-check-gradle/pull/320)).
- Fixed `MissingMethodException` in the gradle plugin ([dependency-check-gradle/#316](https://togithub.com/dependency-check/dependency-check-gradle/pull/316)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/59?closed=1).
### [`v8.0.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-801-2023-01-18)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.0.0...v8.0.1)
##### Fixed
- Fixed Stack Overflow Exception in the gradle plugin ([dependency-check-gradle/#308](https://togithub.com/dependency-check/dependency-check-gradle/pull/308)).
- Fixed No Signature of Method Exception in the gradle plugin ([dependency-check-gradle/#305](https://togithub.com/dependency-check/dependency-check-gradle/pull/305)).
- Updated DB initialization scripts for externally hosted DBs ([#5314](https://togithub.com/jeremylong/DependencyCheck/pull/5314) and [#5317](https://togithub.com/jeremylong/DependencyCheck/pull/5317)).
  - Postgres users will need to use the updated init script and 8.0.1.
- Resolved NPE in the NodePackageAnalyzer ([#5339](https://togithub.com/jeremylong/DependencyCheck/pull/5339)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/58?closed=1).
### [`v8.0.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-800-2023-01-15)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.4...v8.0.0)
##### Added
- Utilize the hosted suppression file to allow for faster remediation of reported False Positives ([#4723](https://togithub.com/jeremylong/DependencyCheck/issues/4723)).
- Include the [CISA Known Exploited Vulnerability Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) ([#4878](https://togithub.com/jeremylong/DependencyCheck/issues/4878)).
- The `gradle` and `maven` plugins now have the capability to scan the build plugins ([#4035](https://togithub.com/jeremylong/DependencyCheck/issues/4035)).
- The `gradle` and `maven` plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency ([#5001](https://togithub.com/jeremylong/DependencyCheck/pull/5001)).
- Added `properties.security-severity` to SARIF report for better integration with GitHub Security Code scanning ([#5277](https://togithub.com/jeremylong/DependencyCheck/pull/5227)).
- Allow for HTTP auth settings for Retire JS repository ([#5209](https://togithub.com/jeremylong/DependencyCheck/pull/5209)).
- New schema for the XML report was added to support some of the above additions ([#5296](https://togithub.com/jeremylong/DependencyCheck/pull/5296)).
- Added missing gradle option to only warn on remote errors from the OSS Index Analyzer ([gradle #303](https://togithub.com/dependency-check/dependency-check-gradle/pull/303)).
##### Changed
- **Breaking:** the database schema updated - if using an external database the update scripts must be run!
- The [exit codes](https://tldp.org/LDP/abs/html/exit-status.html) from the CLI have been changed to be in the range from 0-255 ([#4511](https://togithub.com/jeremylong/DependencyCheck/pull/4511)).
- The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported ([#5300](https://togithub.com/jeremylong/DependencyCheck/pull/5300)).
##### Fixed
- Added an additional check for rejected CVEs to reduce FP ([#5268](https://togithub.com/jeremylong/DependencyCheck/pull/5268)).
- Corrected the analysis of `node_modules` to prevent NPEs ([#5266](https://togithub.com/jeremylong/DependencyCheck/pull/5266)).
- Fixed error when scanning node packages with local dependencies ([#5235](https://togithub.com/jeremylong/DependencyCheck/pull/5235)).
- Fixed NPE in the MSBuild Analyzer ([#5293](https://togithub.com/jeremylong/DependencyCheck/pull/5293)).
- Several False Positives have been resolved.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/46?closed=1).
### [`v7.4.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-744-2023-01-06)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.3...v7.4.4)
##### Fixed
- Resolved issue processing NVD CVE data due to column width ([#5229](https://togithub.com/jeremylong/DependencyCheck/issues/5229))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/56?closed=1).
### [`v7.4.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-743-2022-12-29)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.2...v7.4.3)
##### Fixed
- Fixed NPE when analyzing version ranges in NPM ([#5158](https://togithub.com/jeremylong/DependencyCheck/issues/5158) & [#5190](https://togithub.com/jeremylong/DependencyCheck/issues/5190))
- Resolved several FP ([#5191](https://togithub.com/jeremylong/DependencyCheck/issues/5191))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/55?closed=1).
### [`v7.4.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-742-2022-12-28)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.1...v7.4.2)
##### Fixed
- Fixes maven 3.1 compatibility issue ([#5152](https://togithub.com/jeremylong/DependencyCheck/issues/5152))
- Fixed issue with invalid `node_module` paths in some scans ([#5135](https://togithub.com/jeremylong/DependencyCheck/issues/5135))
- Fixed missing option to disable the Poetry Analyzer in the CLI ([#5160](https://togithub.com/jeremylong/DependencyCheck/issues/5160))
- Fixed missing option to configure the OSS Index URL in the CLI ([#5180](https://togithub.com/jeremylong/DependencyCheck/issues/5180))
- Fixed NPE when analyzing version ranges in NPM ([#5158](https://togithub.com/jeremylong/DependencyCheck/issues/5158))
- Fixed issue with non-proxy host in the gradle plugin ([dependency-check-gradle/#298](https://togithub.com/dependency-check/dependency-check-gradle/pull/298))
- Resolved several FP
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/54?closed=1).
### [`v7.4.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-741-2022-12-09)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.0...v7.4.1)
##### Fixed
- Fixed bug when setting the proxy port in gradle ([#5123](https://togithub.com/jeremylong/DependencyCheck/issues/5123))
- Fixed issue with invalid `node_module` paths in some scans ([#5127](https://togithub.com/jeremylong/DependencyCheck/issues/5127))
- Resolved several FP
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/53?closed=1).
### [`v7.4.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-740-2022-12-04)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.3.2...v7.4.0)
##### Added
- Add support for npm package lock v2 and v3 ([#5078](https://togithub.com/jeremylong/DependencyCheck/issues/5078))
- Added experimental support for Python Poetry ([#5025](https://togithub.com/jeremylong/DependencyCheck/issues/5025))
- Added a vanilla HTML report for use in Jenkins ([#5053](https://togithub.com/jeremylong/DependencyCheck/issues/5053))
##### Changed
- Renamed `RELEASE_NOTES.md` to `CHANGELOG.md` to be more conventional
- Optimized checksum calculation to improve performance ([#5112](https://togithub.com/jeremylong/DependencyCheck/issues/5112))
- Added support for scanning .NET assemblies when only the dotnet runtime is installed ([#5087](https://togithub.com/jeremylong/DependencyCheck/issues/5087))
- Bumped several dependencies
##### Fixed
- Fixed bug when setting the proxy port ([#5076](https://togithub.com/jeremylong/DependencyCheck/issues/5076))
- Resolved several FP and FN
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/52?closed=1).
### [`v7.3.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-732-2022-11-18)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.3.1...v7.3.2)
##### Changed
- Automated release of 7.3.1 failed and only published to Central; 7.3.2 is a re-release of 7.3.1.
- Resolved several false positives and false negatives.
- Use Jackson Afterburner if still on Java 8 ([#4966](https://togithub.com/jeremylong/DependencyCheck/issues/4966)).
- Exclude `node_modules` from the Maven plugin's scan path ([#4974](https://togithub.com/jeremylong/DependencyCheck/issues/4974)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/51?closed=1).
### [`v7.3.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-731-2022-11-16)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.3.0...v7.3.1)
##### Changed
- Resolved several false positives and false negatives.
- Use Jackson Afterburner if still on Java 8 ([#4966](https://togithub.com/jeremylong/DependencyCheck/issues/4966)).
- Exclude `node_modules` from the Maven plugin's scan path ([#4974](https://togithub.com/jeremylong/DependencyCheck/issues/4974)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/51?closed=1).
### [`v7.3.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-730-2022-10-19)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.2.1...v7.3.0)
##### Added
- Added an experimental Dart analyzer ([#4869](https://togithub.com/jeremylong/DependencyCheck/issues/4869)).
##### Changed
- Migrated from Jackson Afterburner to Blackbird ([#4905](https://togithub.com/jeremylong/DependencyCheck/issues/4905)).
##### Fixed
- Fixed issue with the Maven plugin that caused concurrent modification exceptions ([#4935](https://togithub.com/jeremylong/DependencyCheck/issues/4935)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/50?closed=1).
### [`v7.2.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-721-2022-09-20)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.2.0...v7.2.1)
##### Fixed
- Fixed logging issue ([#4846](https://togithub.com/jeremylong/DependencyCheck/issues/4846)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/49?closed=1).
### [`v7.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-720-2022-09-14)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.1.2...v7.2.0)
##### Changed
- Add support for Bazel's pinned `maven_install.json` ([#4772](https://togithub.com/jeremylong/DependencyCheck/issues/4772)).
- Fixed bug preventing the use of custom report templates ([#4800](https://togithub.com/jeremylong/DependencyCheck/issues/4800)).
- Updated several dependencies including upgrades for dependencies with CVEs.
- Several bug fixes were made and suppression rules added.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/48?closed=1).
### [`v7.1.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-712-2022-08-20)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.1.1...v7.1.2)
##### Changed
- The maven plugin now includes pnpm and yarn lock files in the scan by default ([#4753](https://togithub.com/jeremylong/DependencyCheck/issues/4753)).
- If a suppression rule is no longer used, a log entry will be written ([#4685](https://togithub.com/jeremylong/DependencyCheck/issues/4685)).
- Several bug fixes were made and suppression rules added.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/47?closed=1).
### [`v7.1.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-711-2022-06-12)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.1.0...v7.1.1)
##### Fixed
- Minor bug fixes.
- Resolved several false positives.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/45?closed=1).
### [`v7.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-710-2022-04-23)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.4...v7.1.0)
##### Changed
- Improved sorting in the HTML report ([see #4112](https://togithub.com/jeremylong/DependencyCheck/issues/4112)).
- Improved support for Swift ([see #4265](https://togithub.com/jeremylong/DependencyCheck/pull/4265)).
- Resolved several false positives.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/45?closed=1).
### [`v7.0.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-704-2022-03-30)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.3...v7.0.4)
##### Changed
- Update to `jackson-databind` (see [#4285](https://togithub.com/jeremylong/DependencyCheck/issues/4285)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/43?closed=1).
### [`v7.0.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-703-2022-03-29)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.2...v7.0.3)
##### Changed
- Update to `jackson-databind` (see [#4285](https://togithub.com/jeremylong/DependencyCheck/issues/4285)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/42?closed=1).
### [`v7.0.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-702-2022-03-28)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.1...v7.0.2)
##### Changed
- General project maintenance, bug fixes, and false positive and false negative reductions.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/41?closed=1).
### [`v7.0.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-701-2022-03-23)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.0...v7.0.1)
##### Changed
- General project maintenance, bug fixes, and false positive reductions.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/40?closed=1).
### [`v7.0.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-700-2022-02-28)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.3...v7.0.0)
##### Changed
- **Breaking:** The H2 database version has been upgraded.
  - If you use the `dataDirectory` option you will need to run a purge after upgrading.
- **Breaking:** Upgraded to dotnet core 6.0. If analyzing dotnet assemblies, the system will need to have the dotnet core 6.0.x runtime available.
- The Sarif report format has been fixed and can now be imported into GitHub if desired (see [#3993](https://togithub.com/jeremylong/DependencyCheck/issues/3993)).
- Introduced IssueOps for False Positive reports to assist the team in evaluating FP reports.
  - [Create New FP Report Issue](https://togithub.com/jeremylong/DependencyCheck/issues/new?assignees=\&labels=FP+Report\&template=false-positive-report.yml\&title=%5BFP%5D%3A+).
- When analyzing Java projects ODC now includes data from the developers section.
  - This will likely cause false positives on things like Apache James; please report the FP and we will fix these quickly.
- General project maintenance, bug fixes, and false positive reductions.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/28?closed=1).
### [`v6.5.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-653-2022-01-12)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.2...v6.5.3)
##### Changed
- Performance improvements for some Maven projects (see [#3923](https://togithub.com/jeremylong/DependencyCheck/issues/3923) and [#3931](https://togithub.com/jeremylong/DependencyCheck/issues/3931)).
- Fixed bug in npm version handling introduced in 6.5.2 (see [#3956](https://togithub.com/jeremylong/DependencyCheck/issues/3956)).
- Improved the node package analyzer to correctly report the origin of a dependency (see [#3970](https://togithub.com/jeremylong/DependencyCheck/issues/3970)).
- General code maintenance and false positive reductions.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/39?closed=1).
### [`v6.5.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-652-2022-01-03)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.1...v6.5.2)
##### Changed
- Fixed false positives around log4j-api and Log4j-web ([#3910](https://togithub.com/jeremylong/DependencyCheck/issues/3910) & [#3937](https://togithub.com/jeremylong/DependencyCheck/issues/3937)).
- Bug fix when processing NPM lock files ([#3893](https://togithub.com/jeremylong/DependencyCheck/issues/3893)).
- Added missing `pnpm` argument to the CLI ([#3916](https://togithub.com/jeremylong/DependencyCheck/issues/3916)).
- General code maintenance and false positive reductions.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/38?closed=1).
### [`v6.5.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-651-2021-12-17)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.0...v6.5.1)
##### Changed
- Updated the dependency-check-maven plugin to correctly support SNAPSHOT versions when a classifier is specified ([#3787](https://togithub.com/jeremylong/DependencyCheck/issues/3787)).
- Improved the analysis of Swift package manager (package.resolved; see [#3813](https://togithub.com/jeremylong/DependencyCheck/issues/3813)).
- General code maintenance and false positive reductions.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/37?closed=1).
### [`v6.5.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-650-2021-11-08)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.4.1...v6.5.0)
##### Changed
- Updated build configuration to create [reproducible builds](https://reproducible-builds.org/).
- Updated automated release process to work with branch protection.
- Resolved several false positives in the Java ecosystem.
- Enabled the Swift Resolved analyzer per [#3735](https://togithub.com/jeremylong/DependencyCheck/issues/3735)
- Improved iOS support per [#3168](https://togithub.com/jeremylong/DependencyCheck/issues/3168) and [#3765](https://togithub.com/jeremylong/DependencyCheck/issues/3765)
- Added a new pnpm analyzer
- Fixed issue with some npm and yarn analysis failing due to large audit output
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/36?closed=1).
### [`v6.4.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-641-2021-10-11)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.4.0...v6.4.1)
##### Added
- Added retried download attempts with increasing wait times for `CVE meta` files from the NVD to prevent rate limiting issues (see [#3725](https://togithub.com/jeremylong/DependencyCheck/pull/3725)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/35?closed=1).
### [`v6.4.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-640-2021-10-11)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.3.2...v6.4.0)
##### Changed
- Increased timeout between downloads from the NVD to prevent rate limiting issues (see [#3722](https://togithub.com/jeremylong/DependencyCheck/pull/3722)).
- `cveStartYear` is now configurable and can be set to any year from 2002 to present.
- `cveWaitTime` is a new configuration option to define how many milliseconds to wait between NVD downloads; default is 4000 ms (see [#3690](https://togithub.com/jeremylong/DependencyCheck/pull/3690)).
- The NVD CVE data files are now cached for up to 4 hours in case a download fails; re-running ODC will use the cached version.
- Fixed NPE in the ODC maven plugin (see [#3702](https://togithub.com/jeremylong/DependencyCheck/pull/3702)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/34?closed=1).
### [`v6.3.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-632-2021-09-29)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.3.1...v6.3.2)
##### Changed
- Reduced chance of rate limiting when downloading files from the NVD (see [#3670](https://togithub.com/jeremylong/DependencyCheck/pull/3670)).
- Fixed bug causing some transitive dependencies to be skipped in the odc-maven-plugin (see [#3627](https://togithub.com/jeremylong/DependencyCheck/pull/3627)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/33?closed=1).
### [`v6.3.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-631-2021-09-01)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.3.0...v6.3.1)
##### Fixed
- Fixed [ConcurrentModificationException](https://togithub.com/jeremylong/DependencyCheck/issues/3618)
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/32?closed=1).
### [`v6.3.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-630-2021-08-31)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.2.2...v6.3.0)
##### Changed
- Many updates were made to improve performance on large scans, reduce false positives, and other bug fixes.
- Increased the width of four columns in the database; if you use an external database you should also update the width (see [upgrade\_5.1.sql](https://togithub.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/data/upgrade_5.1.sql)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/31?closed=1).
### [`v6.2.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-622-2021-06-10)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.2.1...v6.2.2)
##### Fixed
- Resolved issue with database connections introduced in 6.2.0 (see [https://github.com/jeremylong/DependencyCheck/issues/3432](https://togithub.com/jeremylong/DependencyCheck/issues/3432)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/30?closed=1).
### [`v6.2.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-621-2021-06-08)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.2.0...v6.2.1)
##### Fixed
- Resolved issue with database connections introduced in 6.2.0 (see [https://github.com/jeremylong/DependencyCheck/issues/3416](https://togithub.com/jeremylong/DependencyCheck/issues/3416)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/29?closed=1).
### [`v6.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-620-2021-05-29)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.6...v6.2.0)
##### Changed
- Added an experimental Perl CPAN analyzer [#3378](https://togithub.com/jeremylong/DependencyCheck/pull/3378)
  - Note that the full DSL of the CPAN is not yet supported, so any required dependency is analyzed (i.e. there is no way to exclude development requirements)
- Improved database performance [#3206](https://togithub.com/jeremylong/DependencyCheck/pull/3206)
- The archive analyzer now extracts files from RPM archives [#3226](https://togithub.com/jeremylong/DependencyCheck/pull/3226)
- Ensure ordered output in reports [#3243](https://togithub.com/jeremylong/DependencyCheck/pull/3343)
- Several minor bug fixes and updates to reduce false positives
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/27?closed=1).
### [`v6.1.6`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-616-2021-04-29)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.5...v6.1.6)
##### Fixed
- Resolved issue with Sarif report ([#3243](https://togithub.com/jeremylong/DependencyCheck/issues/3243))
- Resolved issue with Ruby Bundle Audit ([#3256](https://togithub.com/jeremylong/DependencyCheck/issues/3256))
- Several minor bug fixes and updates to reduce false positives
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/26?closed=1).
### [`v6.1.5`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-615-2021-03-31)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.4...v6.1.5)
##### Fixed
- Fixed a second NPE introduced in 6.1.3 (see [#3246](https://togithub.com/jeremylong/DependencyCheck/issues/3246))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/25?closed=1).
### [`v6.1.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-614-2021-03-30)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.3...v6.1.4)
##### Changed
- Fixed an NPE introduced in 6.1.3 (see [#3212](https://togithub.com/jeremylong/DependencyCheck/issues/3212))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/24?closed=1).
### [`v6.1.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-613-2021-03-22)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.2...v6.1.3)
##### Changed
- Modified the new CPE matching strategy to be more performant ([#3207](https://togithub.com/jeremylong/DependencyCheck/issues/3207))
- Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) ([#3205](https://togithub.com/jeremylong/DependencyCheck/issues/3205))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/23?closed=1).
### [`v6.1.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-612-2021-03-08)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.1...v6.1.2)
##### Changed
- Fixed a bug in the Sarif report generation.
- Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1.
- Added a new CPE matching strategy to reduce false negatives.
- CLI and Ant task will no longer be published to bintray.
- Several minor bug fixes.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/22?closed=1).
### [`v6.1.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-611-2021-02-13)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.0...v6.1.1)
##### Changed
- Added missing configuration options for yarn and msbuild.
- Several bug fixes.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/21?closed=1).
### [`v6.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-610-2021-01-27)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.5...v6.1.0)
##### Changed
- Added SARIF file format per [#3081](https://togithub.com/jeremylong/DependencyCheck/issues/3081).
- Added support for Yarn per [#3063](https://togithub.com/jeremylong/DependencyCheck/pull/3063).
- False positive reduction and minor bug fixes.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/20?closed=1).
### [`v6.0.5`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-605-2021-01-07)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.4...v6.0.5)
##### Changed
- Added missing command line arguments per [#3028](https://togithub.com/jeremylong/DependencyCheck/issues/3028) and [#3035](https://togithub.com/jeremylong/DependencyCheck/issues/3035).
- False positive reduction and minor bug fixes.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/19?closed=1).
### [`v6.0.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-604-2020-12-31)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.3...v6.0.4)
##### Changed
- Minor bug fixes and reduction of false positives.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/18?closed=1).
### [`v6.0.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-603-2020-11-03)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.2...v6.0.3)
##### Changed
- Added a bash command completion script (see [#2916](https://togithub.com/jeremylong/DependencyCheck/issues/2916)); to add completion to your shell, source `completion-for-dependency-check.sh`, which can be found in the bin directory of the CLI:
```bash
$ source completion-for-dependency-check.sh
```
- An experimental PIP File Analyzer was added (see [#2877](https://togithub.com/jeremylong/DependencyCheck/issues/2877)).
- Analysis of Node JS produced several false positives (see [#2796](https://togithub.com/jeremylong/DependencyCheck/issues/2796)); the analysis has
bee
### Configuration
- 📅 **Schedule**: Branch creation - "before 4am on Monday" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).
- 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
- ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
This PR contains the following updates:
5.3.2
->9.2.0
Release Notes
jeremylong/DependencyCheck (org.owasp:dependency-check-maven)
### [`v9.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-920-2024-05-15) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.1.0...v9.2.0) - docs: update logo per intellj ([#6660](https://togithub.com/jeremylong/DependencyCheck/issues/6660)) - feat: Carthage analyzer ([#6614](https://togithub.com/jeremylong/DependencyCheck/issues/6614)) - fix: Ensure valid JSON output for gitlab report ([#6630](https://togithub.com/jeremylong/DependencyCheck/issues/6630)) - feat: Support Package.swift version 3 Specification ([#6578](https://togithub.com/jeremylong/DependencyCheck/issues/6578)) - chore: Update the packaged suppressions to include new hosted suppressions ([#6567](https://togithub.com/jeremylong/DependencyCheck/issues/6567)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/82?closed=1). ### [`v9.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-910-2024-03-31) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.10...v9.1.0) - feat: Add v2 support for maven_install.json ([#6528](https://togithub.com/jeremylong/DependencyCheck/issues/6528)) - build(deps): bump open-vulnerability-client ([#6554](https://togithub.com/jeremylong/DependencyCheck/issues/6554)) - resolves update issues due to CVSS Metrics 4.0 - build(deps): bump jackson.version from 2.16.0 to 2.16.1 ([#6353](https://togithub.com/jeremylong/DependencyCheck/issues/6353)) - build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 ([#6362](https://togithub.com/jeremylong/DependencyCheck/issues/6362)) - build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine ([#6506](https://togithub.com/jeremylong/DependencyCheck/issues/6506)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/81?closed=1). 
### [`v9.0.10`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-9010-2024-03-15) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.9...v9.0.10) - fix: [#4321](https://togithub.com/jeremylong/DependencyCheck/issues/4321) Suppress redis server CVEs for client libraries ([#4321](https://togithub.com/jeremylong/DependencyCheck/issues/4321)) ([#6489](https://togithub.com/jeremylong/DependencyCheck/issues/6489)) - fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 ([#6492](https://togithub.com/jeremylong/DependencyCheck/issues/6492)) - feat: Allow to pass NVD API key via environment variable ([#6454](https://togithub.com/jeremylong/DependencyCheck/issues/6454)) - fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block ([#6501](https://togithub.com/jeremylong/DependencyCheck/issues/6501)) - docs: document the default data directory ([#6484](https://togithub.com/jeremylong/DependencyCheck/issues/6484)) - fix: prevent NPE in bundler audit ([#6462](https://togithub.com/jeremylong/DependencyCheck/issues/6462)) - fix: [#6441](https://togithub.com/jeremylong/DependencyCheck/issues/6441) Improve suppression rule to not restrict to a single version ([#6442](https://togithub.com/jeremylong/DependencyCheck/issues/6442)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/80?closed=1). 
### [`v9.0.9`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-909-2024-01-17) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.8...v9.0.9) - fix: for [#6374](https://togithub.com/jeremylong/DependencyCheck/issues/6374) to delete non-empty directories ([#6375](https://togithub.com/jeremylong/DependencyCheck/issues/6375)) - fix: NoSuchMethodError closeQuietly(java.io.Closeable\[]) ([#6377](https://togithub.com/jeremylong/DependencyCheck/issues/6377)) - chore: close stream to prevent possible resource leak ([#6382](https://togithub.com/jeremylong/DependencyCheck/issues/6382)) - docs: Document default for CLI --data ([#6359](https://togithub.com/jeremylong/DependencyCheck/issues/6359)) - docs: document gradle build ([#6371](https://togithub.com/jeremylong/DependencyCheck/issues/6371)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/79?closed=1). ### [`v9.0.8`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-908-2024-01-06) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.7...v9.0.8) - fix: favor stability over performance ([#6349](https://togithub.com/jeremylong/DependencyCheck/issues/6349)) - chore: replace commons-io with core java calls ([#6343](https://togithub.com/jeremylong/DependencyCheck/issues/6343)) - fix: improve error reporting for invalid H2 database ([#6339](https://togithub.com/jeremylong/DependencyCheck/issues/6339)) - fix: rework fix for closing input streams on errors correctly ([#6338](https://togithub.com/jeremylong/DependencyCheck/issues/6338)) - fix: reduce chance NVD API block updates due to rate limit ([#6333](https://togithub.com/jeremylong/DependencyCheck/issues/6333)) - fix: ensure open handles will not leak on errors ([#6326](https://togithub.com/jeremylong/DependencyCheck/issues/6326)) - fix: improve error reporting 
([#6324](https://togithub.com/jeremylong/DependencyCheck/issues/6324)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/78?closed=1). ### [`v9.0.7`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-907-2023-12-18) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.6...v9.0.7) - docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 ([#6315](https://togithub.com/jeremylong/DependencyCheck/issues/6315)) - fix: improve memory usage on NVD update ([#6321](https://togithub.com/jeremylong/DependencyCheck/issues/6321)) - fix: skip pyproject.toml unless it contains `tool.poetry` ([#6316](https://togithub.com/jeremylong/DependencyCheck/issues/6316)) - fix: resolve build error that may cause an issue on some JDK versions ([#6312](https://togithub.com/jeremylong/DependencyCheck/issues/6312)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/77?closed=1). 
### [`v9.0.6`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-906-2023-12-15) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.5...v9.0.6) - build: bump open-vulnerability-clients@5.1.1 ([#6308](https://togithub.com/jeremylong/DependencyCheck/issues/6308)) - fix: mask nvd.api.key in logs; see GHSA-qqhq-8r2c-c3f5 ([#6307](https://togithub.com/jeremylong/DependencyCheck/issues/6307)) - fix: update java version check ([#6297](https://togithub.com/jeremylong/DependencyCheck/issues/6297)) - fix: more efficient memory usage ([#6299](https://togithub.com/jeremylong/DependencyCheck/issues/6299)) - fix: stream NVD data via Jackson to reduce memory footprint ([#6275](https://togithub.com/jeremylong/DependencyCheck/issues/6275)) - docs: document github action caching ([#6301](https://togithub.com/jeremylong/DependencyCheck/issues/6301)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/76?closed=1). 
### [`v9.0.5`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-905-2023-12-13) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.4...v9.0.5) - fix: make NVD API endpoint configurable ([#6287](https://togithub.com/jeremylong/DependencyCheck/issues/6287)) - fix: synch last modified timestamp for NVD API ([#6281](https://togithub.com/jeremylong/DependencyCheck/issues/6281)) - fix: read NVD cache meta files if cache.properties does not exist ([#6282](https://togithub.com/jeremylong/DependencyCheck/issues/6282)) - fix: correct property for nonProxyHosts ([#6285](https://togithub.com/jeremylong/DependencyCheck/issues/6285)) - fix: reduce apache http logging ([#6280](https://togithub.com/jeremylong/DependencyCheck/issues/6280)) - fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db ([#6271](https://togithub.com/jeremylong/DependencyCheck/issues/6271)) - build: bump golang in the docker image ([#6274](https://togithub.com/jeremylong/DependencyCheck/issues/6274)) - fix: use temporary files to reduce memory usage during the NVD Update ([#6270](https://togithub.com/jeremylong/DependencyCheck/issues/6270)) - fix: use BIT for Oracle DB instead of Boolean when calling prepared statements ([#6264](https://togithub.com/jeremylong/DependencyCheck/issues/6264)) - fix: showing all reference tags in reports ([#6259](https://togithub.com/jeremylong/DependencyCheck/issues/6259)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/75?closed=1). 
### [`v9.0.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-904-2023-12-08)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.3...v9.0.4)
- fix: utilize maven proxy if present ([#6255](https://togithub.com/jeremylong/DependencyCheck/issues/6255))
- fix: allow api key in cli to be quoted ([#6253](https://togithub.com/jeremylong/DependencyCheck/issues/6253))
- fix: use correct maven plugin reporting plugin ([#6244](https://togithub.com/jeremylong/DependencyCheck/issues/6244))
- fix: correct trailing comma in JSON report ([#6245](https://togithub.com/jeremylong/DependencyCheck/issues/6245))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/74?closed=1).
### [`v9.0.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-903-2023-12-06)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.2...v9.0.3)
- fix: use Java properties for proxy configuration ([#6238](https://togithub.com/jeremylong/DependencyCheck/issues/6238))
- docs: update proxy configuration documentation ([#6237](https://togithub.com/jeremylong/DependencyCheck/issues/6237))
- docs: add documentation on caching ([#6204](https://togithub.com/jeremylong/DependencyCheck/issues/6204))
- docs: Clarify H2 database caching strategy ([#6220](https://togithub.com/jeremylong/DependencyCheck/issues/6220))
- docs: Update list of supported report formats ([#6224](https://togithub.com/jeremylong/DependencyCheck/issues/6224))
- docs: example 5 with new nvdDatafeedUrl parameter ([#6215](https://togithub.com/jeremylong/DependencyCheck/issues/6215))
- fix: prevent NPEs ([#6232](https://togithub.com/jeremylong/DependencyCheck/issues/6232) and [#6206](https://togithub.com/jeremylong/DependencyCheck/issues/6206))
- fix: check valid for hours for NVD API ([#6225](https://togithub.com/jeremylong/DependencyCheck/issues/6225))
- fix: correct NVD cache last checked logic ([#6218](https://togithub.com/jeremylong/DependencyCheck/issues/6218))
- fix: nvd datafeed should process current year ([#6213](https://togithub.com/jeremylong/DependencyCheck/issues/6213))
- fix: correct references to cvssv2 and cvssv3 fields in json and xml reports ([#6212](https://togithub.com/jeremylong/DependencyCheck/issues/6212))
- fix: correct name on reference links in report ([#6205](https://togithub.com/jeremylong/DependencyCheck/issues/6205))
- fix: flaws in the gitlab report ([#6193](https://togithub.com/jeremylong/DependencyCheck/issues/6193))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/73?closed=1).
### [`v9.0.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-902-2023-12-01)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.1...v9.0.2)
- fix: remove virtual match string on NVD API Request ([#6177](https://togithub.com/jeremylong/DependencyCheck/issues/6177))
- fix: correct meta data in report after switching the NVD API ([#6154](https://togithub.com/jeremylong/DependencyCheck/issues/6154))
- fix: retry HTTP connections to NVD on 502 and 504 errors ([#6151](https://togithub.com/jeremylong/DependencyCheck/issues/6151))
- fix: Gitlab report format needs severity capitalized ([#6182](https://togithub.com/jeremylong/DependencyCheck/issues/6182))
- fix: improve JDK update version parsing ([#6163](https://togithub.com/jeremylong/DependencyCheck/issues/6163))
- fix: mute JCS logging (again) ([#6153](https://togithub.com/jeremylong/DependencyCheck/issues/6153))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/72?closed=1).
### [`v9.0.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-9010-2024-03-15)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v9.0.0...v9.0.1)
- fix: [#4321](https://togithub.com/jeremylong/DependencyCheck/issues/4321) Suppress redis server CVEs for client libraries ([#4321](https://togithub.com/jeremylong/DependencyCheck/issues/4321)) ([#6489](https://togithub.com/jeremylong/DependencyCheck/issues/6489))
- fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 ([#6492](https://togithub.com/jeremylong/DependencyCheck/issues/6492))
- feat: Allow to pass NVD API key via environment variable ([#6454](https://togithub.com/jeremylong/DependencyCheck/issues/6454))
- fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block ([#6501](https://togithub.com/jeremylong/DependencyCheck/issues/6501))
- docs: document the default data directory ([#6484](https://togithub.com/jeremylong/DependencyCheck/issues/6484))
- fix: prevent NPE in bundler audit ([#6462](https://togithub.com/jeremylong/DependencyCheck/issues/6462))
- fix: [#6441](https://togithub.com/jeremylong/DependencyCheck/issues/6441) Improve suppression rule to not restrict to a single version ([#6442](https://togithub.com/jeremylong/DependencyCheck/issues/6442))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/80?closed=1).
### [`v9.0.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-900-2023-11-22)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.3...v9.0.0)
**breaking changes**: See the [upgrade notice](https://togithub.com/jeremylong/DependencyCheck#900-upgrade-notice)
- feat: Utilize NVD API ([#5978](https://togithub.com/jeremylong/DependencyCheck/issues/5978))
- feat: gitlab dependency scanner report format [#5919](https://togithub.com/jeremylong/DependencyCheck/issues/5919) ([#5920](https://togithub.com/jeremylong/DependencyCheck/issues/5920))
- fix: Use ASCII apostrophe for console message ([#6076](https://togithub.com/jeremylong/DependencyCheck/issues/6076))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/68?closed=1).
### [`v8.4.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-843-2023-11-15)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.2...v8.4.3)
- fix: bump jcs3 ([#6047](https://togithub.com/jeremylong/DependencyCheck/issues/6047))
- docs: Corrected docs on hostedSuppressions ([#6035](https://togithub.com/jeremylong/DependencyCheck/issues/6035))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/70?closed=1).
### [`v8.4.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-842-2023-10-22)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.1...v8.4.2)
- fix: correct log configuration in cli ([#6002](https://togithub.com/jeremylong/DependencyCheck/issues/6002))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/69?closed=1).
### [`v8.4.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-841-2023-10-21)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.0...v8.4.1)
##### Fixed
- fix: upgrade to JCS3 ([#5114](https://togithub.com/jeremylong/DependencyCheck/issues/5114))
- fix: Support ~= version specifier in requirements.txt and pipfile ([#5902](https://togithub.com/jeremylong/DependencyCheck/issues/5902))
- fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name ([#5901](https://togithub.com/jeremylong/DependencyCheck/issues/5901))
- fix: Do not filter out evidences added by hints ([#5900](https://togithub.com/jeremylong/DependencyCheck/issues/5900))
- fix: fixes FP [#5925](https://togithub.com/jeremylong/DependencyCheck/issues/5925) ([#5927](https://togithub.com/jeremylong/DependencyCheck/issues/5927))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/67?closed=1).
### [`v8.4.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-840-2023-08-19)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.3.1...v8.4.0)
##### Added
- feat: Add support for Nexus v3 to NexusAnalyzer ([#5849](https://togithub.com/jeremylong/DependencyCheck/issues/5849))
##### Fixed
- fix: Hint Analyzer should run before VersionFilter Analyzer ([#5818](https://togithub.com/jeremylong/DependencyCheck/issues/5818))
- chore: switch to sha1-pinning as suggested by Semgrep
- fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter ([#5845](https://togithub.com/jeremylong/DependencyCheck/issues/5845))
- fix: use curl with -L to follow github redirect ([#5808](https://togithub.com/jeremylong/DependencyCheck/issues/5808))
- fix: use curl with -L to follow github redirect
- fix: [#5671](https://togithub.com/jeremylong/DependencyCheck/issues/5671) out of memory error ([#5789](https://togithub.com/jeremylong/DependencyCheck/issues/5789))
- fix: [#5671](https://togithub.com/jeremylong/DependencyCheck/issues/5671) Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/66?closed=1).
### [`v8.3.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-831-2023-06-12)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.3.0...v8.3.1)
Re-release of 8.3.0 as 8.3.1.
### [`v8.3.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-830-2023-06-12)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.2.1...v8.3.0)
##### Added
- Add LibmanAnalyzer ([#5652](https://togithub.com/jeremylong/DependencyCheck/issues/5652))
- Update HTML report Dependencies header based on display settings ([#5619](https://togithub.com/jeremylong/DependencyCheck/issues/5619))
- Add link to suppressed vulnerabilities header in HTML report ([#5620](https://togithub.com/jeremylong/DependencyCheck/issues/5620))
- Enable local proxy configuration in maven plugin configuration ([#5696](https://togithub.com/jeremylong/DependencyCheck/issues/5696))
##### Fixed
- Fix npm alias present in requires of dependencies ([#5703](https://togithub.com/jeremylong/DependencyCheck/issues/5703))
- Make Central URL configurable via CLI ([#5667](https://togithub.com/jeremylong/DependencyCheck/issues/5667))
- Ensure support of CVSSv3.1 ([#5602](https://togithub.com/jeremylong/DependencyCheck/issues/5602))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/65?closed=1).
### [`v8.2.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-821-2023-03-23)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.2.0...v8.2.1)
##### Fixed
- NullPointerException in MSBuildAnalyzer ([#5589](https://togithub.com/jeremylong/DependencyCheck/issues/5589))
- SQL Syntax for Oracle ([#5590](https://togithub.com/jeremylong/DependencyCheck/issues/5590))
- Use `https://` URLs in report templates ([#5582](https://togithub.com/jeremylong/DependencyCheck/issues/5582))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/64?closed=1).
### [`v8.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-820-2023-03-22)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.1.2...v8.2.0)
##### Added
- Support msbuild Directory.build.props ([#5475](https://togithub.com/jeremylong/DependencyCheck/issues/5475))
- better display of NPM audit references
- Add CVSS V3 results from NPM Audit results
##### Fixed
- Fix several issues on NPM Audit reporting ([#5546](https://togithub.com/jeremylong/DependencyCheck/issues/5546))
- Case issue in SQL ([#5557](https://togithub.com/jeremylong/DependencyCheck/issues/5557))
- Fix CWE(s) extraction for NPM Audit advisories
- Use the stable github_advisory_id instead of the now unstable id in NPM audit results
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/63?closed=1).
### [`v8.1.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-812-2023-02-28)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.1.1...v8.1.2)
##### Fixed
- Fix `NullPointerException` in the Jar Analyzer introduced in 8.1.1 ([#5512](https://togithub.com/jeremylong/DependencyCheck/issues/5512))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/62?closed=1).
### [`v8.1.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-811-2023-02-27)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.1.0...v8.1.1)
##### Fixed
- allow hosted suppressions file to be disabled ([#5509](https://togithub.com/jeremylong/DependencyCheck/issues/5509))
- Several FPs not suitable for our automation ([#5504](https://togithub.com/jeremylong/DependencyCheck/issues/5504))
- Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation ([#5503](https://togithub.com/jeremylong/DependencyCheck/issues/5503))
- Erroneous error-log for deprecated CLI flag usage when using propertyfile based disablement of Node Audit Analyzer ([#5487](https://togithub.com/jeremylong/DependencyCheck/issues/5487))
- Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues ([#5473](https://togithub.com/jeremylong/DependencyCheck/issues/5473))
- Node package dependencies ending up as related dependency of the wrong version of the package ([#5479](https://togithub.com/jeremylong/DependencyCheck/issues/5479))
- do not throw error if pyproject.toml is in node_modules ([#5470](https://togithub.com/jeremylong/DependencyCheck/issues/5470))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/61?closed=1).
### [`v8.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-810-2023-01-26)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.0.2...v8.1.0)
##### Added
- `Pipefile.lock` files are now supported ([#5404](https://togithub.com/jeremylong/DependencyCheck/pull/5404)).
- Python projects with only a `pyproject.toml` but no lock file or requirements will report an error as ODC is unable to analyze the project ([#5409](https://togithub.com/jeremylong/DependencyCheck/pull/5409)).
##### Fixed
- Some maven projects caused false positives due to bad string interpolation ([#5421](https://togithub.com/jeremylong/DependencyCheck/pull/5421)).
- Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis ([#5408](https://togithub.com/jeremylong/DependencyCheck/pull/5408)).
- Correct issue where database defrag occurs even when no updates were performed ([#5441](https://togithub.com/jeremylong/DependencyCheck/pull/5441)).
- Fixed several False Positives and one False Negative.
- Made the `format` configuration more flexible in the gradle plugin ([dependency-check-gradle/#324](https://togithub.com/dependency-check/dependency-check-gradle/pull/324)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/60?closed=1).
### [`v8.0.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-802-2023-01-26)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.0.1...v8.0.2)
##### Fixed
- Resolved bug causing an issue with some Maven Extensions ([#5366](https://togithub.com/jeremylong/DependencyCheck/pull/5366)).
- ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive ([#5371](https://togithub.com/jeremylong/DependencyCheck/pull/5371)).
- Updated CSV report so that it no longer has a duplicate `description` column ([#5364](https://togithub.com/jeremylong/DependencyCheck/pull/5364)).
- Moved several logging statements to trace which should drastically reduce the log size ([#5350](https://togithub.com/jeremylong/DependencyCheck/pull/5350)).
- Fixed bug with RetireJS' `--retirejsFilterNonVulnerable` and `--retirejsFilter` when used with the CLI ([#5351](https://togithub.com/jeremylong/DependencyCheck/pull/5351)).
- Fixed the `sarif` report format and added validation ([#5345](https://togithub.com/jeremylong/DependencyCheck/pull/5345) and [#5363](https://togithub.com/jeremylong/DependencyCheck/pull/5363)).
- Fixed `MalformedPackageException` in the gradle plugin ([dependency-check-gradle/#320](https://togithub.com/dependency-check/dependency-check-gradle/pull/320)).
- Fixed `MissingMethodException` in the gradle plugin ([dependency-check-gradle/#316](https://togithub.com/dependency-check/dependency-check-gradle/pull/316)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/59?closed=1).
### [`v8.0.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-801-2023-01-18)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.0.0...v8.0.1)
##### Fixed
- Fixed Stack Overflow Exception in the gradle plugin ([dependency-check-gradle/#308](https://togithub.com/dependency-check/dependency-check-gradle/pull/308)).
- Fixed No Signature of Method Exception in the gradle plugin ([dependency-check-gradle/#305](https://togithub.com/dependency-check/dependency-check-gradle/pull/305)).
- Updated DB initialization scripts for externally hosted DBs ([#5314](https://togithub.com/jeremylong/DependencyCheck/pull/5314) and [#5317](https://togithub.com/jeremylong/DependencyCheck/pull/5317)).
  - Postgres users will need to use the updated init script and 8.0.1.
- Resolved NPE in the NodePackageAnalyzer ([#5339](https://togithub.com/jeremylong/DependencyCheck/pull/5339)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/58?closed=1).
### [`v8.0.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-800-2023-01-15)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.4...v8.0.0)
##### Added
- Utilize the hosted suppression file to allow for faster remediation of reported False Positives ([#4723](https://togithub.com/jeremylong/DependencyCheck/issues/4723)).
- Include the [CISA Known Exploited Vulnerability Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) ([#4878](https://togithub.com/jeremylong/DependencyCheck/issues/4878)).
- The `gradle` and `maven` plugins now have the capability to scan the build plugins ([#4035](https://togithub.com/jeremylong/DependencyCheck/issues/4035)).
- The `gradle` and `maven` plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency ([#5001](https://togithub.com/jeremylong/DependencyCheck/pull/5001)).
- Added `properties.security-severity` to SARIF report for better integration with GitHub Security Code scanning ([#5277](https://togithub.com/jeremylong/DependencyCheck/pull/5227)).
- Allow for HTTP auth settings for Retire JS repository ([#5209](https://togithub.com/jeremylong/DependencyCheck/pull/5209)).
- New schema for the XML report was added to support some of the above additions ([#5296](https://togithub.com/jeremylong/DependencyCheck/pull/5296)).
- Added missing gradle option to only warn on remote errors from the OSS Index Analyzer ([gradle #303](https://togithub.com/dependency-check/dependency-check-gradle/pull/303)).
##### Changed
- **Breaking:** the database schema updated - if using an external database the update scripts must be run!
- The [exit codes](https://tldp.org/LDP/abs/html/exit-status.html) from the CLI have been changed to be in the range from 0-255 ([#4511](https://togithub.com/jeremylong/DependencyCheck/pull/4511)).
- The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported ([#5300](https://togithub.com/jeremylong/DependencyCheck/pull/5300)).
##### Fixed
- Added an additional check for rejected CVEs to reduce FP ([#5268](https://togithub.com/jeremylong/DependencyCheck/pull/5268)).
- Corrected the analysis of `node_modules` to prevent NPEs ([#5266](https://togithub.com/jeremylong/DependencyCheck/pull/5266)).
- Fixed error when scanning node packages with local dependencies ([#5235](https://togithub.com/jeremylong/DependencyCheck/pull/5235)).
- Fixed NPE in the MSBuild Analyzer ([#5293](https://togithub.com/jeremylong/DependencyCheck/pull/5293)).
- Several False Positives have been resolved.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/46?closed=1).
### [`v7.4.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-744-2023-01-06)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.3...v7.4.4)
##### Fixed
- Resolved issue processing NVD CVE data due to column width ([#5229](https://togithub.com/jeremylong/DependencyCheck/issues/5229))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/56?closed=1).
### [`v7.4.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-743-2022-12-29)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.2...v7.4.3)
##### Fixed
- Fixed NPE when analyzing version ranges in NPM ([#5158](https://togithub.com/jeremylong/DependencyCheck/issues/5158) & [#5190](https://togithub.com/jeremylong/DependencyCheck/issues/5190))
- Resolved several FP ([#5191](https://togithub.com/jeremylong/DependencyCheck/issues/5191))
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/55?closed=1).
### [`v7.4.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-742-2022-12-28)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.1...v7.4.2)
##### Fixed
- Fixes maven 3.1 compatibility issue ([#5152](https://togithub.com/jeremylong/DependencyCheck/issues/5152))
- Fixed issue with invalid `node_module` paths in some scans ([#5135](https://togithub.com/jeremylong/DependencyCheck/issues/5135))
- Fixed missing option to disable the Poetry Analyzer in the CLI ([#5160](https://togithub.com/jeremylong/DependencyCheck/issues/5160))
- Fixed missing option to configure the OSS Index URL in the CLI ([#5180](https://togithub.com/jeremylong/DependencyCheck/issues/5180))
- Fixed NPE when analyzing version ranges in NPM ([#5158](https://togithub.com/jeremylong/DependencyCheck/issues/5158))
- Fixed issue with non-proxy host in the gradle plugin ([https://github.com/dependency-check/dependency-check-gradle/pull/298](https://togithub.com/dependency-check/dependency-check-gradle/pull/298))
- Resolved several FP
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/54?closed=1).
### [`v7.4.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-741-2022-12-09)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.0...v7.4.1)
##### Fixed
- Fixed bug when setting the proxy port in gradle ([#5123](https://togithub.com/jeremylong/DependencyCheck/issues/5123))
- Fixed issue with invalid `node_module` paths in some scans ([#5127](https://togithub.com/jeremylong/DependencyCheck/issues/5127))
- Resolved several FP
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/53?closed=1).
### [`v7.4.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-740-2022-12-04)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.3.2...v7.4.0)
##### Added
- Add support for npm package lock v2 and v3 ([#5078](https://togithub.com/jeremylong/DependencyCheck/issues/5078))
- Added experimental support for Python Poetry ([#5025](https://togithub.com/jeremylong/DependencyCheck/issues/5025))
- Added a vanilla HTML report for use in Jenkins ([#5053](https://togithub.com/jeremylong/DependencyCheck/issues/5053))
##### Changed
- Renamed `RELEASE_NOTES.md` to `CHANGELOG.md` to be more conventional
- Optimized checksum calculation to improve performance ([#5112](https://togithub.com/jeremylong/DependencyCheck/issues/5112))
- Added support for scanning .NET assemblies when only the dotnet runtime is installed ([#5087](https://togithub.com/jeremylong/DependencyCheck/issues/5087))
- Bumped several dependencies
##### Fixed
- Fixed bug when setting the proxy port ([#5076](https://togithub.com/jeremylong/DependencyCheck/issues/5076))
- Resolved several FP and FN
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/52?closed=1).
### [`v7.3.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-732-2022-11-18)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.3.1...v7.3.2)
##### Changed
- Automated release of 7.3.1 failed and only published to Central; 7.3.2 is a re-release of 7.3.1.
- Resolved several false positives and false negatives.
- Use Jackson Afterburner if still on Java 8 ([#4966](https://togithub.com/jeremylong/DependencyCheck/issues/4966)).
- Exclude `node_modules` from the Maven plugin's scan path ([#4974](https://togithub.com/jeremylong/DependencyCheck/issues/4974)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/51?closed=1).
### [`v7.3.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-731-2022-11-16)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.3.0...v7.3.1)
##### Changed
- Resolved several false positives and false negatives.
- Use Jackson Afterburner if still on Java 8 ([#4966](https://togithub.com/jeremylong/DependencyCheck/issues/4966)).
- Exclude `node_modules` from the Maven plugin's scan path ([#4974](https://togithub.com/jeremylong/DependencyCheck/issues/4974)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/51?closed=1).
### [`v7.3.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-730-2022-10-19)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.2.1...v7.3.0)
##### Added
- Added an experimental Dart analyzer ([#4869](https://togithub.com/jeremylong/DependencyCheck/issues/4869)).
##### Changed
- Migrated from Jackson Afterburner to Blackbird ([#4905](https://togithub.com/jeremylong/DependencyCheck/issues/4905)).
##### Fixed
- Fixed issue with the Maven plugin that caused concurrent modification exceptions ([#4935](https://togithub.com/jeremylong/DependencyCheck/issues/4935)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/50?closed=1).
### [`v7.2.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-721-2022-09-20)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.2.0...v7.2.1)
##### Fixed
- Fixed logging issue ([#4846](https://togithub.com/jeremylong/DependencyCheck/issues/4846)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/49?closed=1).
### [`v7.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-720-2022-09-14)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.1.2...v7.2.0)
##### Changed
- Add support for Bazel's pinned `maven_install.json` ([#4772](https://togithub.com/jeremylong/DependencyCheck/issues/4772)).
- Fixed bug preventing the use of custom report templates ([#4800](https://togithub.com/jeremylong/DependencyCheck/issues/4800)).
- Updated several dependencies including upgrades for dependencies with CVEs.
- Several bug fixes made and suppression rules were added.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/48?closed=1).
### [`v7.1.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-712-2022-08-20)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.1.1...v7.1.2)
##### Changed
- The maven plugin now includes pnpm and yarn lock files in the scan by default ([#4753](https://togithub.com/jeremylong/DependencyCheck/issues/4753)).
- If a suppression rule is no longer used a log entry will be written ([#4685](https://togithub.com/jeremylong/DependencyCheck/issues/4685)).
- Several bug fixes made and suppression rules added.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/47?closed=1).
### [`v7.1.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-711-2022-06-12)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.1.0...v7.1.1)
##### Fixed
- Minor bug fixes.
- Resolved several false positives.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/45?closed=1).
### [`v7.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-710-2022-04-23)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.4...v7.1.0)
##### Changed
- Improved sorting in the HTML report ([see #4112](https://togithub.com/jeremylong/DependencyCheck/issues/4112)).
- Improved support for Swift ([see #4265](https://togithub.com/jeremylong/DependencyCheck/pull/4265)).
- Resolved several false positives.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/45?closed=1).
### [`v7.0.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-704-2022-03-30)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.3...v7.0.4)
##### Changed
- Update to `jackson-databind` (see [#4285](https://togithub.com/jeremylong/DependencyCheck/issues/4285)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/43?closed=1).
### [`v7.0.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-703-2022-03-29)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.2...v7.0.3)
##### Changed
- Update to `jackson-databind` (see [#4285](https://togithub.com/jeremylong/DependencyCheck/issues/4285)).
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/42?closed=1).
### [`v7.0.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-702-2022-03-28)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.1...v7.0.2)
##### Changed
- General project maintenance, bug fixes, and false positive and false negative reductions.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/41?closed=1).
### [`v7.0.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-701-2022-03-23)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.0...v7.0.1)
##### Changed
- General project maintenance, bug fixes, and false positive reductions.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/40?closed=1).
### [`v7.0.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-700-2022-02-28)
[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.3...v7.0.0)
##### Changed
- **Breaking:** The H2 database version has been upgraded.
  - if you use the `dataDirectory` option you will need to run a purge after upgrading.
- **Breaking:** Upgraded to dotnet core 6.0. If analyzing dotnet assemblies the system will need to have the dotnet core 6.0.x runtime available.
- The Sarif report format has been fixed and can now be imported into GitHub if desired (See [#3993](https://togithub.com/jeremylong/DependencyCheck/issues/3993)).
- Introduced IssueOps for False Positive reports to assist the team in evaluating FP reports.
  - [Create New FP Report Issue](https://togithub.com/jeremylong/DependencyCheck/issues/new?assignees=\&labels=FP+Report\&template=false-positive-report.yml\&title=%5BFP%5D%3A+).
- When analyzing Java projects ODC now includes data from the developers section.
  - This will likely cause false positives on things like Apache James, please report the FP and we will fix these quickly.
- General project maintenance, bug fixes, and false positive reductions.
See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/28?closed=1).
### [`v6.5.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-653-2022-01-12) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.2...v6.5.3) ##### Changed - Performance improvements for some Maven projects (see [#3923](https://togithub.com/jeremylong/DependencyCheck/issues/3923) and [#3931](https://togithub.com/jeremylong/DependencyCheck/issues/3931)). - Fixed bug in npm version handling introduced in 6.5.2 (see [#3956](https://togithub.com/jeremylong/DependencyCheck/issues/3956)). - Improved the node package analyzer to correctly report the origin of a dependency (see [#3970](https://togithub.com/jeremylong/DependencyCheck/issues/3970)). - General code maintenance and false positive reductions. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/39?closed=1). ### [`v6.5.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-652-2022-01-03) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.1...v6.5.2) ##### Changed - Fixed false positives around log4j-api and Log4j-web ([#3910](https://togithub.com/jeremylong/DependencyCheck/issues/3910) & [#3937](https://togithub.com/jeremylong/DependencyCheck/issues/3937)). - Bug fix when processing NPM lock files ([#3893](https://togithub.com/jeremylong/DependencyCheck/issues/3893)). - Added missing `pnpm` argmument to the CLI ([#3916](https://togithub.com/jeremylong/DependencyCheck/issues/3916)). - General code maintenance and false positive reductions. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/38?closed=1). 
### [`v6.5.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-651-2021-12-17) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.0...v6.5.1) ##### Changed - Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified ([#3787](https://togithub.com/jeremylong/DependencyCheck/issues/3787)). - Improved the analysis of Swift package manager (package.resolved - see [#3813](https://togithub.com/jeremylong/DependencyCheck/issues/3813)). - General code maintenance and false positive reductions. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/37?closed=1). ### [`v6.5.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-650-2021-11-08) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.4.1...v6.5.0) ##### Changed - Updated build configuration to create [reproducible builds](https://reproducible-builds.org/). - Updated automated release process to work with branch protection. - Resolved several false positives in the Java ecosystem. - Enabled the Swift Resolved analyzer per [#3735](https://togithub.com/jeremylong/DependencyCheck/issues/3735) - Improved iOS support per [#3168](https://togithub.com/jeremylong/DependencyCheck/issues/3168) and [#3765](https://togithub.com/jeremylong/DependencyCheck/issues/3765) - Added the a new pnpm Analyzer - Fixed issue with some npm and yarn analysis failing due to large audit output See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/36?closed=1). 
### [`v6.4.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-641-2021-10-11) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.4.0...v6.4.1) ##### Added - Added download attempts with increasing wait time for `CVE meta` files from the NVD to prevent rate limiting issues (see [#3725](https://togithub.com/jeremylong/DependencyCheck/pull/3725)). See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/35?closed=1). ### [`v6.4.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-640-2021-10-11) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.3.2...v6.4.0) ##### Changed - Increased timeout between downloads from the NVD to prevent rate limiting issues (see [#3722](https://togithub.com/jeremylong/DependencyCheck/pull/3722)). - `cveStartYear` is now configurable and can be set to any year from 2002 to present. - `cveWaitTime` is a new configuration option to define how many milliseconds to wait between NVD downloads; default is 4000 ms (see [#3690](https://togithub.com/jeremylong/DependencyCheck/pull/3690)). - The NVD CVE data files are now being cached for up to 4 hours in case a download fails, re-running ODC will use the cached version. - Fixed NPE in the ODC maven plugin (see [#3702](https://togithub.com/jeremylong/DependencyCheck/pull/3702). See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/34?closed=1). ### [`v6.3.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-632-2021-09-29) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.3.1...v6.3.2) ##### Changed - Reduced chance of rate limiting when download files from NVD (see [#2670](https://togithub.com/jeremylong/DependencyCheck/pull/3670)). 
- Fixed bug causing some transitive dependencies being skipped in the odc-maven-plugin (see [#3627](https://togithub.com/jeremylong/DependencyCheck/pull/3627)). See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/33?closed=1). ### [`v6.3.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-631-2021-09-01) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.3.0...v6.3.1) ##### Fixed - Fixed [ConcurrentModificationException](https://togithub.com/jeremylong/DependencyCheck/issues/3618) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/32?closed=1). ### [`v6.3.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-630-2021-08-31) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.2.2...v6.3.0) ##### Changed - Many updates were made to improve performance on large scans, reduce false positives, and other bug fixes. - Increased the width of four columns in the database; if you use a an external database you should also update the width (see [upgrade\_5.1.sql](https://togithub.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/data/upgrade\_5.1.sql)). See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/31?closed=1). ### [`v6.2.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-622-2021-06-10) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.2.1...v6.2.2) ##### Fixed - Resolved issue with database connections introduced in 6.2.0 (see [https://github.com/jeremylong/DependencyCheck/issues/3432](https://togithub.com/jeremylong/DependencyCheck/issues/3432)). See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/30?closed=1). 
### [`v6.2.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-621-2021-06-08) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.2.0...v6.2.1) ##### Fixed - Resolved issue with database connections introduced in 6.2.0 (see [https://github.com/jeremylong/DependencyCheck/issues/3416](https://togithub.com/jeremylong/DependencyCheck/issues/3416)). See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/29?closed=1). ### [`v6.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-620-2021-05-29) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.6...v6.2.0) ##### Changed - Added an experimental Perl CPAN analyzer [#3378](https://togithub.com/jeremylong/DependencyCheck/pull/3378) - Note that the full DSL of the CPAN is not yet supported so any required dependency is analyzed (i.e. there is no way to exclude development requirements) - Improved database performance [#3206](https://togithub.com/jeremylong/DependencyCheck/pull/3206) - The archive analyzer now extracts files from RPM archives [#3226](https://togithub.com/jeremylong/DependencyCheck/pull/3226) - Ensure ordered output in reports [#3243](https://togithub.com/jeremylong/DependencyCheck/pull/3343) - Several minor bug fixes and updates to reduce false positives See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/27?closed=1). 
### [`v6.1.6`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-616-2021-04-29) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.5...v6.1.6) ##### Fixed - Resolved issue with Sarif report ([#3243](https://togithub.com/jeremylong/DependencyCheck/issues/3243)) - Resolved issue with Ruby Bundle Audit ([#3256](https://togithub.com/jeremylong/DependencyCheck/issues/3256)) - Several minor bug fixes and updates to reduce false positives See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/26?closed=1). ### [`v6.1.5`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-615-2021-03-31) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.4...v6.1.5) ##### Fixed - Fixed a second NPE introduced in 6.1.3 (see [#3246](https://togithub.com/jeremylong/DependencyCheck/issues/3246)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/25?closed=1). ### [`v6.1.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-614-2021-03-30) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.3...v6.1.4) ##### Changed - Fixed an NPE introduced in 6.1.3 (see [#3212](https://togithub.com/jeremylong/DependencyCheck/issues/3212)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/24?closed=1). 
### [`v6.1.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-613-2021-03-22) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.2...v6.1.3) ##### Changed - Modified the new CPE matching strategy to be more performant ([#3207](https://togithub.com/jeremylong/DependencyCheck/issues/3207)) - Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) ([#3205](https://togithub.com/jeremylong/DependencyCheck/issues/3205)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/23?closed=1). ### [`v6.1.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-612-2021-03-08) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.1...v6.1.2) ##### Changed - Fixed a bug in the Sarif report generation. - Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1. - Added a new CPE matching strategy to reduce false negatives. - CLI and Ant task will no longer be published to bintray. - Several minor bug fixes. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/22?closed=1). ### [`v6.1.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-611-2021-02-13) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.0...v6.1.1) ##### Changed - Added missing configuration options for yarn and msbuild. - Several bug fixes. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/21?closed=1). ### [`v6.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-610-2021-01-27) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.5...v6.1.0) ##### Changed - Added SARIF file format per [#3081](https://togithub.com/jeremylong/DependencyCheck/issues/3081). 
- Added support for Yarn per [#3063](https://togithub.com/jeremylong/DependencyCheck/pull/3063). - False positive reduction and minor bug fixes. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/20?closed=1). ### [`v6.0.5`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-605-2021-01-07) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.4...v6.0.5) ##### Changed - Added missing command line arguments per [#3028](https://togithub.com/jeremylong/DependencyCheck/issues/3028) and [#3035](https://togithub.com/jeremylong/DependencyCheck/issues/3035). - False positive reduction and minor bug fixes. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/19?closed=1). ### [`v6.0.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-604-2020-12-31) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.3...v6.0.4) ##### Changed - Minor bug fixes and reduction of false positives. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/18?closed=1). ### [`v6.0.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-603-2020-11-03) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.2...v6.0.3) ##### Changed - Added a bash command completion script (see [#2916](https://togithub.com/jeremylong/DependencyCheck/issues/2916)); to add completion to your shell `completion-for-dependency-check.sh` can be found in the bin directory of the CLI: ```bash $ source completion-for-dependency-check.sh ``` - An experimental PIP File Analyzer was added (see [#2877](https://togithub.com/jeremylong/DependencyCheck/issues/2877)). - Analysis of Node JS produced several false positives (see [#2796](https://togithub.com/jeremylong/DependencyCheck/issues/2796)); the analysis has beeConfiguration
📅 Schedule: Branch creation - "before 4am on Monday" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.