entur / gbfs-java-model


Update dependency org.owasp:dependency-check-maven from v5.3.2 to v8 #92

Closed renovate[bot] closed 10 months ago

renovate[bot] commented 11 months ago


This PR contains the following updates:

| Package | Change |
|---|---|
| org.owasp:dependency-check-maven (source) | 5.3.2 -> 8.4.2 |

Release Notes

jeremylong/DependencyCheck (org.owasp:dependency-check-maven)

### [`v8.4.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-842-2023-10-22)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.1...v8.4.2)

- fix: correct log configuration in cli ([#6002](https://togithub.com/jeremylong/DependencyCheck/issues/6002))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/69?closed=1).

### [`v8.4.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-841-2023-10-21)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.4.0...v8.4.1)

##### Fixed

- fix: upgrade to JCS3 ([#5114](https://togithub.com/jeremylong/DependencyCheck/issues/5114))
- fix: Support ~= version specifier in requirements.txt and pipfile ([#5902](https://togithub.com/jeremylong/DependencyCheck/issues/5902))
- fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name ([#5901](https://togithub.com/jeremylong/DependencyCheck/issues/5901))
- fix: Do not filter out evidences added by hints ([#5900](https://togithub.com/jeremylong/DependencyCheck/issues/5900))
- fix: fixes FP [#5925](https://togithub.com/jeremylong/DependencyCheck/issues/5925) ([#5927](https://togithub.com/jeremylong/DependencyCheck/issues/5927))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/67?closed=1).

### [`v8.4.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-840-2023-08-19)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.3.1...v8.4.0)

##### Added

- feat: Add support for Nexus v3 to NexusAnalyzer ([#5849](https://togithub.com/jeremylong/DependencyCheck/issues/5849))

##### Fixed

- fix: Hint Analyzer should run before VersionFilter Analyzer ([#5818](https://togithub.com/jeremylong/DependencyCheck/issues/5818))
- chore: switch to sha1-pinning as suggested by Semgrep
- fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter ([#5845](https://togithub.com/jeremylong/DependencyCheck/issues/5845))
- fix: use curl with -L to follow github redirect ([#5808](https://togithub.com/jeremylong/DependencyCheck/issues/5808))
- fix: use curl with -L to follow github redirect
- fix: [#5671](https://togithub.com/jeremylong/DependencyCheck/issues/5671) out of memory error ([#5789](https://togithub.com/jeremylong/DependencyCheck/issues/5789))
- fix: [#5671](https://togithub.com/jeremylong/DependencyCheck/issues/5671) Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/66?closed=1).

### [`v8.3.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-831-2023-06-12)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.3.0...v8.3.1)

Re-release of 8.3.0 as 8.3.1.

### [`v8.3.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-830-2023-06-12)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.2.1...v8.3.0)

##### Added

- Add LibmanAnalyzer ([#5652](https://togithub.com/jeremylong/DependencyCheck/issues/5652))
- Update HTML report Dependencies header based on display settings ([#5619](https://togithub.com/jeremylong/DependencyCheck/issues/5619))
- Add link to suppressed vulnerabilities header in HTML report ([#5620](https://togithub.com/jeremylong/DependencyCheck/issues/5620))
- Enable local proxy configuration in maven plugin configuration ([#5696](https://togithub.com/jeremylong/DependencyCheck/issues/5696))

##### Fixed

- Fix npm alias present in requires of dependencies ([#5703](https://togithub.com/jeremylong/DependencyCheck/issues/5703))
- Make Central URL configurable via CLI ([#5667](https://togithub.com/jeremylong/DependencyCheck/issues/5667))
- Ensure support of CVSSv3.1 ([#5602](https://togithub.com/jeremylong/DependencyCheck/issues/5602))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/65?closed=1).

### [`v8.2.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-821-2023-03-23)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.2.0...v8.2.1)

##### Fixed

- NullPointerException in MSBuildAnalyzer ([#5589](https://togithub.com/jeremylong/DependencyCheck/issues/5589))
- SQL Syntax for Oracle ([#5590](https://togithub.com/jeremylong/DependencyCheck/issues/5590))
- Use `https://` URLs in report templates ([#5582](https://togithub.com/jeremylong/DependencyCheck/issues/5582))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/64?closed=1).

### [`v8.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-820-2023-03-22)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.1.2...v8.2.0)

##### Added

- Support msbuild Directory.build.props ([#5475](https://togithub.com/jeremylong/DependencyCheck/issues/5475))
- better display of NPM audit references
- Add CVSS V3 results from NPM Audit results

##### Fixed

- Fix several issues on NPM Audit reporting ([#5546](https://togithub.com/jeremylong/DependencyCheck/issues/5546))
- Case issue in SQL ([#5557](https://togithub.com/jeremylong/DependencyCheck/issues/5557))
- Fix CWE(s) extraction for NPM Audit advisories
- Use the stable github_advisory_id instead of the now unstable id in NPM audit results

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/63?closed=1).

### [`v8.1.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-812-2023-02-28)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.1.1...v8.1.2)

##### Fixed

- Fix `NullPointerException` in the Jar Analyzer introduced in 8.1.1 ([#5512](https://togithub.com/jeremylong/DependencyCheck/issues/5512))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/62?closed=1).

### [`v8.1.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-811-2023-02-27)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.1.0...v8.1.1)

##### Fixed

- allow hosted suppressions file to be disabled ([#5509](https://togithub.com/jeremylong/DependencyCheck/issues/5509))
- Several FPs not suitable for our automation ([#5504](https://togithub.com/jeremylong/DependencyCheck/issues/5504))
- Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation ([#5503](https://togithub.com/jeremylong/DependencyCheck/issues/5503))
- Erroneous error-log for deprecated CLI flag usage when using propertyfile based disablement of Node Audit Analyzer ([#5487](https://togithub.com/jeremylong/DependencyCheck/issues/5487))
- Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues ([#5473](https://togithub.com/jeremylong/DependencyCheck/issues/5473))
- Node package dependencies ending up as related dependency of the wrong version of the package ([#5479](https://togithub.com/jeremylong/DependencyCheck/issues/5479))
- do not throw error if pyproject.toml is in node_modules ([#5470](https://togithub.com/jeremylong/DependencyCheck/issues/5470))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/61?closed=1).

### [`v8.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-810-2023-01-26)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.0.2...v8.1.0)

##### Added

- `Pipfile.lock` files are now supported ([#5404](https://togithub.com/jeremylong/DependencyCheck/pull/5404)).
- Python projects with only a `pyproject.toml` but no lock file or requirements will report an error as ODC is unable to analyze the project ([#5409](https://togithub.com/jeremylong/DependencyCheck/pull/5409)).

##### Fixed

- Some maven projects caused false positives due to bad string interpolation ([#5421](https://togithub.com/jeremylong/DependencyCheck/pull/5421)).
- Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis ([#5408](https://togithub.com/jeremylong/DependencyCheck/pull/5408)).
- Correct issue where database defrag occurs even when no updates were performed ([#5441](https://togithub.com/jeremylong/DependencyCheck/pull/5441)).
- Fixed several False Positives and one False Negative.
- Made the `format` configuration more flexible in the gradle plugin ([dependency-check-gradle/#324](https://togithub.com/dependency-check/dependency-check-gradle/pull/324)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/60?closed=1).

### [`v8.0.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-802-2023-01-26)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.0.1...v8.0.2)

##### Fixed

- Resolved bug causing an issue with some Maven Extensions ([#5366](https://togithub.com/jeremylong/DependencyCheck/pull/5366)).
- ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive ([#5371](https://togithub.com/jeremylong/DependencyCheck/pull/5371)).
- Updated CSV report so that it no longer has a duplicate `description` column ([#5364](https://togithub.com/jeremylong/DependencyCheck/pull/5364)).
- Moved several logging statements to trace which should drastically reduce the log size ([#5350](https://togithub.com/jeremylong/DependencyCheck/pull/5350)).
- Fixed bug with RetireJS' `--retirejsFilterNonVulnerable` and `--retirejsFilter` when used with the CLI ([#5351](https://togithub.com/jeremylong/DependencyCheck/pull/5351)).
- Fixed the `sarif` report format and added validation ([#5345](https://togithub.com/jeremylong/DependencyCheck/pull/5345) and [#5363](https://togithub.com/jeremylong/DependencyCheck/pull/5363)).
- Fixed `MalformedPackageException` in the gradle plugin ([dependency-check-gradle/#320](https://togithub.com/dependency-check/dependency-check-gradle/pull/320)).
- Fixed `MissingMethodException` in the gradle plugin ([dependency-check-gradle/#316](https://togithub.com/dependency-check/dependency-check-gradle/pull/316)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/59?closed=1).

### [`v8.0.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-801-2023-01-18)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v8.0.0...v8.0.1)

##### Fixed

- Fixed Stack Overflow Exception in the gradle plugin ([dependency-check-gradle/#308](https://togithub.com/dependency-check/dependency-check-gradle/pull/308)).
- Fixed No Signature of Method Exception in the gradle plugin ([dependency-check-gradle/#305](https://togithub.com/dependency-check/dependency-check-gradle/pull/305)).
- Updated DB initialization scripts for externally hosted DBs ([#5314](https://togithub.com/jeremylong/DependencyCheck/pull/5314) and [#5317](https://togithub.com/jeremylong/DependencyCheck/pull/5317)).
  - Postgres users will need to use the updated init script and 8.0.1.
- Resolved NPE in the NodePackageAnalyzer ([#5339](https://togithub.com/jeremylong/DependencyCheck/pull/5339)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/58?closed=1).

### [`v8.0.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-800-2023-01-15)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.4...v8.0.0)

##### Added

- Utilize the hosted suppression file to allow for faster remediation of reported False Positives ([#4723](https://togithub.com/jeremylong/DependencyCheck/issues/4723)).
- Include the [CISA Known Exploited Vulnerability Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) ([#4878](https://togithub.com/jeremylong/DependencyCheck/issues/4878)).
- The `gradle` and `maven` plugins now have the capability to scan the build plugins ([#4035](https://togithub.com/jeremylong/DependencyCheck/issues/4035)).
- The `gradle` and `maven` plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency ([#5001](https://togithub.com/jeremylong/DependencyCheck/pull/5001)).
- Added `properties.security-severity` to SARIF report for better integration with GitHub Security Code scanning ([#5277](https://togithub.com/jeremylong/DependencyCheck/pull/5227)).
- Allow for HTTP auth settings for Retire JS repository ([#5209](https://togithub.com/jeremylong/DependencyCheck/pull/5209)).
- New schema for the XML report was added to support some of the above additions ([#5296](https://togithub.com/jeremylong/DependencyCheck/pull/5296)).
- Added missing gradle option to only warn on remote errors from the OSS Index Analyzer ([gradle #303](https://togithub.com/dependency-check/dependency-check-gradle/pull/303)).

##### Changed

- **Breaking:** the database schema updated - if using an external database the update scripts must be run!
- The [exit codes](https://tldp.org/LDP/abs/html/exit-status.html) from the CLI have been changed to be in the range from 0-255 ([#4511](https://togithub.com/jeremylong/DependencyCheck/pull/4511)).
- The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported ([#5300](https://togithub.com/jeremylong/DependencyCheck/pull/5300)).

##### Fixed

- Added an additional check for rejected CVEs to reduce FP ([#5268](https://togithub.com/jeremylong/DependencyCheck/pull/5268)).
- Corrected the analysis of `node_modules` to prevent NPEs ([#5266](https://togithub.com/jeremylong/DependencyCheck/pull/5266)).
- Fixed error when scanning node packages with local dependencies ([#5235](https://togithub.com/jeremylong/DependencyCheck/pull/5235)).
- Fixed NPE in the MSBuild Analyzer ([#5293](https://togithub.com/jeremylong/DependencyCheck/pull/5293)).
- Several False Positives have been resolved.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/46?closed=1).

### [`v7.4.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-744-2023-01-06)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.3...v7.4.4)

##### Fixed

- Resolved issue processing NVD CVE data due to column width ([#5229](https://togithub.com/jeremylong/DependencyCheck/issues/5229))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/56?closed=1).

### [`v7.4.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-743-2022-12-29)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.2...v7.4.3)

##### Fixed

- Fixed NPE when analyzing version ranges in NPM ([#5158](https://togithub.com/jeremylong/DependencyCheck/issues/5158) & [#5190](https://togithub.com/jeremylong/DependencyCheck/issues/5190))
- Resolved several FP ([#5191](https://togithub.com/jeremylong/DependencyCheck/issues/5191))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/55?closed=1).

### [`v7.4.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-742-2022-12-28)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.1...v7.4.2)

##### Fixed

- Fixes maven 3.1 compatibility issue ([#5152](https://togithub.com/jeremylong/DependencyCheck/issues/5152))
- Fixed issue with invalid `node_module` paths in some scans ([#5135](https://togithub.com/jeremylong/DependencyCheck/issues/5135))
- Fixed missing option to disable the Poetry Analyzer in the CLI ([#5160](https://togithub.com/jeremylong/DependencyCheck/issues/5160))
- Fixed missing option to configure the OSS Index URL in the CLI ([#5180](https://togithub.com/jeremylong/DependencyCheck/issues/5180))
- Fixed NPE when analyzing version ranges in NPM ([#5158](https://togithub.com/jeremylong/DependencyCheck/issues/5158))
- Fixed issue with non-proxy host in the gradle plugin ([https://github.com/dependency-check/dependency-check-gradle/pull/298](https://togithub.com/dependency-check/dependency-check-gradle/pull/298))
- Resolved several FP

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/54?closed=1).

### [`v7.4.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-741-2022-12-09)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.4.0...v7.4.1)

##### Fixed

- Fixed bug when setting the proxy port in gradle ([#5123](https://togithub.com/jeremylong/DependencyCheck/issues/5123))
- Fixed issue with invalid `node_module` paths in some scans ([#5127](https://togithub.com/jeremylong/DependencyCheck/issues/5127))
- Resolved several FP

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/53?closed=1).

### [`v7.4.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-740-2022-12-04)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.3.2...v7.4.0)

##### Added

- Add support for npm package lock v2 and v3 ([#5078](https://togithub.com/jeremylong/DependencyCheck/issues/5078))
- Added experimental support for Python Poetry ([#5025](https://togithub.com/jeremylong/DependencyCheck/issues/5025))
- Added a vanilla HTML report for use in Jenkins ([#5053](https://togithub.com/jeremylong/DependencyCheck/issues/5053))

##### Changed

- Renamed `RELEASE_NOTES.md` to `CHANGELOG.md` to be more conventional
- Optimized checksum calculation to improve performance ([#5112](https://togithub.com/jeremylong/DependencyCheck/issues/5112))
- Added support for scanning .NET assemblies when only the dotnet runtime is installed ([#5087](https://togithub.com/jeremylong/DependencyCheck/issues/5087))
- Bumped several dependencies

##### Fixed

- Fixed bug when setting the proxy port ([#5076](https://togithub.com/jeremylong/DependencyCheck/issues/5076))
- Resolved several FP and FN

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/52?closed=1).

### [`v7.3.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-732-2022-11-18)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.3.1...v7.3.2)

##### Changed

- Automated release of 7.3.1 failed and only published to Central; 7.3.2 is a re-release of 7.3.1.
- Resolved several false positives and false negatives.
- Use Jackson Afterburner if still on Java 8 ([#4966](https://togithub.com/jeremylong/DependencyCheck/issues/4966)).
- Exclude `node_modules` from the Maven plugin's scan path ([#4974](https://togithub.com/jeremylong/DependencyCheck/issues/4974)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/51?closed=1).

### [`v7.3.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-731-2022-11-16)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.3.0...v7.3.1)

##### Changed

- Resolved several false positives and false negatives.
- Use Jackson Afterburner if still on Java 8 ([#4966](https://togithub.com/jeremylong/DependencyCheck/issues/4966)).
- Exclude `node_modules` from the Maven plugin's scan path ([#4974](https://togithub.com/jeremylong/DependencyCheck/issues/4974)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/51?closed=1).

### [`v7.3.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-730-2022-10-19)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.2.1...v7.3.0)

##### Added

- Added an experimental Dart analyzer ([#4869](https://togithub.com/jeremylong/DependencyCheck/issues/4869)).

##### Changed

- Migrated from Jackson Afterburner to Blackbird ([#4905](https://togithub.com/jeremylong/DependencyCheck/issues/4905)).

##### Fixed

- Fixed issue with the Maven plugin that caused concurrent modification exceptions ([#4935](https://togithub.com/jeremylong/DependencyCheck/issues/4935)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/50?closed=1).

### [`v7.2.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-721-2022-09-20)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.2.0...v7.2.1)

##### Fixed

- Fixed logging issue ([#4846](https://togithub.com/jeremylong/DependencyCheck/issues/4846)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/49?closed=1).

### [`v7.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-720-2022-09-14)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.1.2...v7.2.0)

##### Changed

- Add support for Bazel's pinned `maven_install.json` ([#4772](https://togithub.com/jeremylong/DependencyCheck/issues/4772)).
- Fixed bug preventing the use of custom report templates ([#4800](https://togithub.com/jeremylong/DependencyCheck/issues/4800)).
- Updated several dependencies including upgrades for dependencies with CVEs.
- Several bug fixes made and suppression rules were added.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/48?closed=1).

### [`v7.1.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-712-2022-08-20)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.1.1...v7.1.2)

##### Changed

- The maven plugin now includes pnpm and yarn lock files in the scan by default ([#4753](https://togithub.com/jeremylong/DependencyCheck/issues/4753)).
- If a suppression rule is no longer used a log entry will be written ([#4685](https://togithub.com/jeremylong/DependencyCheck/issues/4685)).
- Several bug fixes made and suppression rules added.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/47?closed=1).

### [`v7.1.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-711-2022-06-12)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.1.0...v7.1.1)

##### Fixed

- Minor bug fixes.
- Resolved several false positives.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/45?closed=1).

### [`v7.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-710-2022-04-23)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.4...v7.1.0)

##### Changed

- Improved sorting in the HTML report ([see #4112](https://togithub.com/jeremylong/DependencyCheck/issues/4112)).
- Improved support for Swift ([see #4265](https://togithub.com/jeremylong/DependencyCheck/pull/4265)).
- Resolved several false positives.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/45?closed=1).

### [`v7.0.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-704-2022-03-30)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.3...v7.0.4)

##### Changed

- Update to `jackson-databind` (see [#4285](https://togithub.com/jeremylong/DependencyCheck/issues/4285)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/43?closed=1).

### [`v7.0.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-703-2022-03-29)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.2...v7.0.3)

##### Changed

- Update to `jackson-databind` (see [#4285](https://togithub.com/jeremylong/DependencyCheck/issues/4285)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/42?closed=1).

### [`v7.0.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-702-2022-03-28)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.1...v7.0.2)

##### Changed

- General project maintenance, bug fixes, and false positive and false negative reductions.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/41?closed=1).

### [`v7.0.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-701-2022-03-23)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v7.0.0...v7.0.1)

##### Changed

- General project maintenance, bug fixes, and false positive reductions.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/40?closed=1).

### [`v7.0.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-700-2022-02-28)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.3...v7.0.0)

##### Changed

- **Breaking:** The H2 database version has been upgraded.
  - if you use the `dataDirectory` option you will need to run a purge after upgrading.
- **Breaking:** Upgraded to dotnet core 6.0. If analyzing dotnet assemblies the system will need to have the dotnet core 6.0.x runtime available.
- The Sarif report format has been fixed and can now be imported into GitHub if desired (See [#3993](https://togithub.com/jeremylong/DependencyCheck/issues/3993)).
- Introduced IssueOps for False Positive reports to assist the team in evaluating FP reports.
  - [Create New FP Report Issue](https://togithub.com/jeremylong/DependencyCheck/issues/new?assignees=\&labels=FP+Report\&template=false-positive-report.yml\&title=%5BFP%5D%3A+).
- When analyzing Java projects ODC now includes data from the developers section.
  - This will likely cause false positives on things like Apache James, please report the FP and we will fix these quickly.
- General project maintenance, bug fixes, and false positive reductions.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/28?closed=1).

### [`v6.5.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-653-2022-01-12)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.2...v6.5.3)

##### Changed

- Performance improvements for some Maven projects (see [#3923](https://togithub.com/jeremylong/DependencyCheck/issues/3923) and [#3931](https://togithub.com/jeremylong/DependencyCheck/issues/3931)).
- Fixed bug in npm version handling introduced in 6.5.2 (see [#3956](https://togithub.com/jeremylong/DependencyCheck/issues/3956)).
- Improved the node package analyzer to correctly report the origin of a dependency (see [#3970](https://togithub.com/jeremylong/DependencyCheck/issues/3970)).
- General code maintenance and false positive reductions.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/39?closed=1).

### [`v6.5.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-652-2022-01-03)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.1...v6.5.2)

##### Changed

- Fixed false positives around log4j-api and Log4j-web ([#3910](https://togithub.com/jeremylong/DependencyCheck/issues/3910) & [#3937](https://togithub.com/jeremylong/DependencyCheck/issues/3937)).
- Bug fix when processing NPM lock files ([#3893](https://togithub.com/jeremylong/DependencyCheck/issues/3893)).
- Added missing `pnpm` argument to the CLI ([#3916](https://togithub.com/jeremylong/DependencyCheck/issues/3916)).
- General code maintenance and false positive reductions.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/38?closed=1).

### [`v6.5.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-651-2021-12-17)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.5.0...v6.5.1)

##### Changed

- Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified ([#3787](https://togithub.com/jeremylong/DependencyCheck/issues/3787)).
- Improved the analysis of Swift package manager (package.resolved - see [#3813](https://togithub.com/jeremylong/DependencyCheck/issues/3813)).
- General code maintenance and false positive reductions.

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/37?closed=1).

### [`v6.5.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-650-2021-11-08)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.4.1...v6.5.0)

##### Changed

- Updated build configuration to create [reproducible builds](https://reproducible-builds.org/).
- Updated automated release process to work with branch protection.
- Resolved several false positives in the Java ecosystem.
- Enabled the Swift Resolved analyzer per [#3735](https://togithub.com/jeremylong/DependencyCheck/issues/3735)
- Improved iOS support per [#3168](https://togithub.com/jeremylong/DependencyCheck/issues/3168) and [#3765](https://togithub.com/jeremylong/DependencyCheck/issues/3765)
- Added a new pnpm Analyzer
- Fixed issue with some npm and yarn analysis failing due to large audit output

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/36?closed=1).

### [`v6.4.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-641-2021-10-11)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.4.0...v6.4.1)

##### Added

- Added download attempts with increasing wait time for `CVE meta` files from the NVD to prevent rate limiting issues (see [#3725](https://togithub.com/jeremylong/DependencyCheck/pull/3725)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/35?closed=1).

### [`v6.4.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-640-2021-10-11)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.3.2...v6.4.0)

##### Changed

- Increased timeout between downloads from the NVD to prevent rate limiting issues (see [#3722](https://togithub.com/jeremylong/DependencyCheck/pull/3722)).
- `cveStartYear` is now configurable and can be set to any year from 2002 to present.
- `cveWaitTime` is a new configuration option to define how many milliseconds to wait between NVD downloads; default is 4000 ms (see [#3690](https://togithub.com/jeremylong/DependencyCheck/pull/3690)).
- The NVD CVE data files are now being cached for up to 4 hours in case a download fails; re-running ODC will use the cached version.
- Fixed NPE in the ODC maven plugin (see [#3702](https://togithub.com/jeremylong/DependencyCheck/pull/3702)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/34?closed=1).

### [`v6.3.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-632-2021-09-29)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.3.1...v6.3.2)

##### Changed

- Reduced chance of rate limiting when downloading files from NVD (see [#2670](https://togithub.com/jeremylong/DependencyCheck/pull/3670)).
- Fixed bug causing some transitive dependencies being skipped in the odc-maven-plugin (see [#3627](https://togithub.com/jeremylong/DependencyCheck/pull/3627)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/33?closed=1).

### [`v6.3.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-631-2021-09-01)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.3.0...v6.3.1)

##### Fixed

- Fixed [ConcurrentModificationException](https://togithub.com/jeremylong/DependencyCheck/issues/3618)

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/32?closed=1).

### [`v6.3.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-630-2021-08-31)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.2.2...v6.3.0)

##### Changed

- Many updates were made to improve performance on large scans, reduce false positives, and other bug fixes.
- Increased the width of four columns in the database; if you use an external database you should also update the width (see [upgrade\_5.1.sql](https://togithub.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/data/upgrade\_5.1.sql)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/31?closed=1).

### [`v6.2.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-622-2021-06-10)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.2.1...v6.2.2)

##### Fixed

- Resolved issue with database connections introduced in 6.2.0 (see [https://github.com/jeremylong/DependencyCheck/issues/3432](https://togithub.com/jeremylong/DependencyCheck/issues/3432)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/30?closed=1).

### [`v6.2.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-621-2021-06-08)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.2.0...v6.2.1)

##### Fixed

- Resolved issue with database connections introduced in 6.2.0 (see [https://github.com/jeremylong/DependencyCheck/issues/3416](https://togithub.com/jeremylong/DependencyCheck/issues/3416)).

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/29?closed=1).

### [`v6.2.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-620-2021-05-29)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.6...v6.2.0)

##### Changed

- Added an experimental Perl CPAN analyzer [#3378](https://togithub.com/jeremylong/DependencyCheck/pull/3378)
  - Note that the full DSL of the CPAN is not yet supported so any required dependency is analyzed (i.e. there is no way to exclude development requirements)
- Improved database performance [#3206](https://togithub.com/jeremylong/DependencyCheck/pull/3206)
- The archive analyzer now extracts files from RPM archives [#3226](https://togithub.com/jeremylong/DependencyCheck/pull/3226)
- Ensure ordered output in reports [#3243](https://togithub.com/jeremylong/DependencyCheck/pull/3343)
- Several minor bug fixes and updates to reduce false positives

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/27?closed=1).

### [`v6.1.6`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-616-2021-04-29)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.5...v6.1.6)

##### Fixed

- Resolved issue with Sarif report ([#3243](https://togithub.com/jeremylong/DependencyCheck/issues/3243))
- Resolved issue with Ruby Bundle Audit ([#3256](https://togithub.com/jeremylong/DependencyCheck/issues/3256))
- Several minor bug fixes and updates to reduce false positives

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/26?closed=1).

### [`v6.1.5`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-615-2021-03-31)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.4...v6.1.5)

##### Fixed

- Fixed a second NPE introduced in 6.1.3 (see [#3246](https://togithub.com/jeremylong/DependencyCheck/issues/3246))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/25?closed=1).

### [`v6.1.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-614-2021-03-30)

[Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.3...v6.1.4)

##### Changed

- Fixed an NPE introduced in 6.1.3 (see [#3212](https://togithub.com/jeremylong/DependencyCheck/issues/3212))

See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/24?closed=1).
### [`v6.1.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-613-2021-03-22) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.2...v6.1.3) ##### Changed - Modified the new CPE matching strategy to be more performant ([#​3207](https://togithub.com/jeremylong/DependencyCheck/issues/3207)) - Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) ([#​3205](https://togithub.com/jeremylong/DependencyCheck/issues/3205)) See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/23?closed=1). ### [`v6.1.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-612-2021-03-08) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.1...v6.1.2) ##### Changed - Fixed a bug in the Sarif report generation. - Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1. - Added a new CPE matching strategy to reduce false negatives. - CLI and Ant task will no longer be published to bintray. - Several minor bug fixes. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/22?closed=1). ### [`v6.1.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-611-2021-02-13) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.1.0...v6.1.1) ##### Changed - Added missing configuration options for yarn and msbuild. - Several bug fixes. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/21?closed=1). ### [`v6.1.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-610-2021-01-27) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.5...v6.1.0) ##### Changed - Added SARIF file format per [#​3081](https://togithub.com/jeremylong/DependencyCheck/issues/3081). 
- Added support for Yarn per [#​3063](https://togithub.com/jeremylong/DependencyCheck/pull/3063). - False positive reduction and minor bug fixes. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/20?closed=1). ### [`v6.0.5`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-605-2021-01-07) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.4...v6.0.5) ##### Changed - Added missing command line arguments per [#​3028](https://togithub.com/jeremylong/DependencyCheck/issues/3028) and [#​3035](https://togithub.com/jeremylong/DependencyCheck/issues/3035). - False positive reduction and minor bug fixes. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/19?closed=1). ### [`v6.0.4`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-604-2020-12-31) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.3...v6.0.4) ##### Changed - Minor bug fixes and reduction of false positives. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/18?closed=1). ### [`v6.0.3`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-603-2020-11-03) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.2...v6.0.3) ##### Changed - Added a bash command completion script (see [#​2916](https://togithub.com/jeremylong/DependencyCheck/issues/2916)); to add completion to your shell `completion-for-dependency-check.sh` can be found in the bin directory of the CLI: ```bash $ source completion-for-dependency-check.sh ``` - An experimental PIP File Analyzer was added (see [#​2877](https://togithub.com/jeremylong/DependencyCheck/issues/2877)). 
- Analysis of Node JS produced several false positives (see [#​2796](https://togithub.com/jeremylong/DependencyCheck/issues/2796)); the analysis has been updated to reduce the number of false positives. - If analyzing Node JS projects it is highly recommended to disable the Node JS Analyzer and solely rely on the Node Audit Analyzer. There are plans to rework Node JS analysis in a future release. - Support for external Oracle databases has been add for the 6.x releases (see [#​2899](https://togithub.com/jeremylong/DependencyCheck/issues/2899)) - Resolved several reported false positives. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/17?closed=1). ### [`v6.0.2`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-602-2020-09-27) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.1...v6.0.2) ##### Changed - The project is migrating from hosting the release archives on Bintray and moving them to Github under the assets for each [release](https://togithub.com/jeremylong/DependencyCheck/releases) - **Please update any automation you have to point to the new location.** - Npm Audit Analyzer now correctly skips dev dependencies (`--nodeAuditSkipDevDependencies`); see [#​2482](https://togithub.com/jeremylong/DependencyCheck/issues/2482). - GoLang Analyzer now scans transitive dependencies; see [#​2680](https://togithub.com/jeremylong/DependencyCheck/issues/2680). - Several bug fixes found in 6.0.1. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/16?closed=1). 
### [`v6.0.1`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-601-2020-09-13) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v6.0.0...v6.0.1) ##### Changed - Improved error messages when upgrading from 5.x to 6.x; due to breaking database changes if the old database schema is detected an error message is produced indicating that the old database should be purged. - Fixed the database path for the Ant and Gradle plugins. - Added locking around the RetireJS updates to resolve read/write conflicts in CI environments. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/15?closed=1). ### [`v6.0.0`](https://togithub.com/jeremylong/DependencyCheck/blob/HEAD/CHANGELOG.md#Version-600-2020-09-07) [Compare Source](https://togithub.com/jeremylong/DependencyCheck/compare/v5.3.2...v6.0.0) ##### Changed - Updated database schema; this is a *breaking change* and anyone using an external database or those whom specify the data directory will need recreate the database (including users of the docker image). The schema changes were made to: - Improve the CVSS data, when available, per [#​2547](https://togithub.com/jeremylong/DependencyCheck/issues/2547) - Improve the way that ecosystems are determined - Improve the update performance of external databases - Users with an **external Oracle** database will not be able to upgrade as [https://github.com/jeremylong/DependencyCheck/issues/2755](https://togithub.com/jeremylong/DependencyCheck/issues/2755) has not been resolved - as such, version 6.0.0 does not support Oracle. - Users mirroring the NVD - ODC 6.0.0 requires the use of the version 1.1 data feeds - please ensure you are using 1.1 not the 1.0 data feed. See the full listing of [changes](https://togithub.com/jeremylong/DependencyCheck/milestone/14?closed=1).

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
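The release notes above carry most of what matters when moving this plugin from 5.3.2 to 8.x: `cveStartYear` and `cveWaitTime` for NVD rate limiting (6.4.0), the advice to disable the Node JS analyzer in favour of Node Audit and `nodeAuditSkipDevDependencies` (6.0.3 / 6.0.2), SARIF output (6.1.0), and the 6.0.0 schema change that makes a 5.x data directory unusable until it is purged. The `pom.xml` fragment below is an added example written for this PR page; it is not configuration from the gbfs-java-model repository. The CVSS threshold, start year, wait time, suppression file path and format list are assumed values chosen to illustrate the options, not project settings.

```xml
<!-- Added example, not the gbfs-java-model project's own pom.xml: a dependency-check-maven
     8.4.2 plugin block that wires up the options named in the release notes. Values marked
     "assumed" are illustrative choices. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.4.2</version>
  <configuration>
    <!-- Fail the build on any finding at or above this CVSS score (assumed threshold). -->
    <failBuildOnCVSS>7</failBuildOnCVSS>

    <!-- 6.4.0: cveStartYear bounds how far back NVD data is pulled (2002 is the earliest);
         cveWaitTime throttles downloads to avoid NVD rate limiting. The documented default is
         4000 ms; a higher value is assumed here for a shared CI runner. -->
    <cveStartYear>2010</cveStartYear>
    <cveWaitTime>6000</cveWaitTime>

    <!-- 6.0.3 advice for Node JS projects: turn off the Node JS analyzer and rely on Node Audit;
         6.0.2: skip dev dependencies in the audit. Harmless in a pure Java build. -->
    <nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
    <nodeAuditAnalyzerEnabled>true</nodeAuditAnalyzerEnabled>
    <nodeAuditSkipDevDependencies>true</nodeAuditSkipDevDependencies>

    <!-- 6.1.0: emit SARIF next to the HTML report so findings can be loaded into code-scanning UIs. -->
    <formats>
      <format>HTML</format>
      <format>SARIF</format>
    </formats>

    <!-- Reviewed false positives live in a suppression file (assumed path). -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Because 6.0.0 changed the database schema, a data directory that was populated by 5.3.2 (a cached `dependency-check-data` on a CI runner, or an external database) has to be purged once before the first 8.x run; the plugin's `purge` goal does this, for example `mvn org.owasp:dependency-check-maven:8.4.2:purge`. One caveat the page predates: 8.x still reads the NVD 1.1 data feeds that the 6.0.0 notes refer to, and NIST retired those feeds in December 2023; Dependency-Check 9.0.0 moved to the NVD API, so an upgrade done today should target a 9.x or later release rather than 8.4.2.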

sonarcloud[bot] commented 10 months ago

Kudos, SonarCloud Quality Gate passed!

- Bugs: A, 0 Bugs
- Vulnerabilities: A, 0 Vulnerabilities
- Security Hotspots: A, 0 Security Hotspots
- Code Smells: A, 0 Code Smells
- Coverage: No Coverage information
- Duplication: 0.0%

renovate[bot] commented 10 months ago

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 8.x releases. But if you manually upgrade to 8.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.