Skip to content
This repository has been archived by the owner on Feb 14, 2023. It is now read-only.

chore(deps): bump dependency-check-maven from 7.3.0 to 8.0.2 #509

Closed
wants to merge 1 commit into from
Closed

chore(deps): bump dependency-check-maven from 7.3.0 to 8.0.2 #509

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 30, 2023

Bumps dependency-check-maven from 7.3.0 to 8.0.2.

Release notes

Sourced from dependency-check-maven's releases.

Version 8.0.2

Fixed

  • Resolved bug causing an issue with some Maven Extensions (#5366).
  • ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#5371).
  • Updated CSV report so that it no longer has a duplicate description column (#5364).
  • Moved several logging statements to trace which should drastically reduce the log size (#5350).
  • Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#5351).
  • Fixed the sarif report format and added validation (#5345 and (#5363)
  • Fixed MalformedPackageException in the gradle plugin ([dependency-check-gradle/#320](dependency-check/dependency-check-gradle#320)).
  • Fixed MissingMethodException in the gradle plugin ([dependency-check-gradle/#316](dependency-check/dependency-check-gradle#316)).

See the full listing of changes.

Version 8.0.1

Fixed

See the full listing of changes.

Version 8.0.0

Added

  • Utilize the hosted suppression file to allow for faster remediation of reported False Positives (#4723).
  • Include the CISA Known Exploited Vulnerability Catalog (#4878).
  • The gradle and maven plugins now have the capability to scan the build plugins (#4035).
  • The gradle and maven plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency (#5001).
  • Added properties.security-severity to SARIF report for better integration with GitHub Security Code scanning (#5277).
  • Allow for HTTP auth settings for Retire JS respository (#5209).
  • New schema for the XML report was added to support some of the above additions (#5296).
  • Added missing gradle option to only warn on remote errors from the OSS Index Analyzer ([gradle #303](dependency-check/dependency-check-gradle#303)).

Changed

  • Breaking: the database schema updated - if using an external database the update scripts must be run!
  • The exit codes from the CLI have been changed to be in the range from 0-255 (#4511.
  • The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported (#5300).

Fixed

  • Added an additional check for rejected CVEs to reduce FP (#5268).
  • Corrected the analysis of node_modules to prevent NPEs (#5266).
  • Fixed error when scanning node packages with local dependencies (#5235).
  • Fixed NPE in the MSBuild Analyzer (#5293).

... (truncated)

Changelog

Sourced from dependency-check-maven's changelog.

Version 8.0.2 (2023-01-26)

Fixed

  • Resolved bug causing an issue with some Maven Extensions (#5366).
  • ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#5371).
  • Updated CSV report so that it no longer has a duplicate description column (#5364).
  • Moved several logging statements to trace which should drastically reduce the log size (#5350).
  • Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#5351).
  • Fixed the sarif report format and added validation (#5345 and (#5363)
  • Fixed MalformedPackageException in the gradle plugin ([dependency-check-gradle/#320](dependency-check/dependency-check-gradle#320)).
  • Fixed MissingMethodException in the gradle plugin ([dependency-check-gradle/#316](dependency-check/dependency-check-gradle#316)).

See the full listing of changes.

Version 8.0.1 (2023-01-18)

Fixed

See the full listing of changes.

Version 8.0.0 (2023-01-15)

Added

  • Utilize the hosted suppression file to allow for faster remediation of reported False Positives (#4723).
  • Include the CISA Known Exploited Vulnerability Catalog (#4878).
  • The gradle and maven plugins now have the capability to scan the build plugins (#4035).
  • The gradle and maven plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency (#5001).
  • Added properties.security-severity to SARIF report for better integration with GitHub Security Code scanning (#5277).
  • Allow for HTTP auth settings for Retire JS respository (#5209).
  • New schema for the XML report was added to support some of the above additions (#5296).
  • Added missing gradle option to only warn on remote errors from the OSS Index Analyzer ([gradle #303](dependency-check/dependency-check-gradle#303)).

Changed

  • Breaking: the database schema updated - if using an external database the update scripts must be run!
  • The exit codes from the CLI have been changed to be in the range from 0-255 (#4511.
  • The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported (#5300).

Fixed

  • Added an additional check for rejected CVEs to reduce FP (#5268.

... (truncated)

Commits
  • 6b238bc build:prepare release v8.0.2
  • b006972 docs: prepare release
  • 6d2aa31 build(deps): bump actions/github-script from 6.3.3 to 6.4.0 (#5391)
  • 11d6edb fix: npe (#5390)
  • bef8403 build(deps): bump actions/github-script from 6.3.3 to 6.4.0
  • 4acc6ae feat: upgrading to a newer alpine version (#5376)
  • ef93655 fix: Support maven extensions like Tycho adding system-scoped dependencies wi...
  • 219c4f3 fix: npe
  • a68e613 feat: upgrading to a newer alpine version
  • 496ffc6 fix: ArchiveAnalyzer should throw AnalysisException (#5371)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump dependency-check-maven from 7.3.0 to 8.0.2
0cdf4f9 
Bumps [dependency-check-maven](https://github.com/jeremylong/DependencyCheck) from 7.3.0 to 8.0.2.
- [Release notes](https://github.com/jeremylong/DependencyCheck/releases)
- [Changelog](https://github.com/jeremylong/DependencyCheck/blob/main/CHANGELOG.md)
- [Commits](jeremylong/DependencyCheck@v7.3.0...v8.0.2)

---
updated-dependencies:
- dependency-name: org.owasp:dependency-check-maven
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jan 30, 2023
@dependabot dependabot bot mentioned this pull request Jan 30, 2023
Closed
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 14, 2023

Superseded by #511.

@dependabot dependabot bot closed this Feb 14, 2023
@dependabot dependabot bot deleted the dependabot/maven/org.owasp-dependency-check-maven-8.0.2 branch February 14, 2023 07:01
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file java Pull requests that update Java code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants