
chore(deps): update dependency org.owasp:dependency-check-maven from v5.3.2 to v9 #146

Open. Wants to merge 1 commit into master from renovate/major-dependency-check-maven.version.

Conversation

renovate[bot] (Contributor) commented Feb 11, 2024

Mend Renovate

This PR contains the following updates:

Package                                    | Change
org.owasp:dependency-check-maven (source)  | 5.3.2 -> 9.2.0

Release Notes

jeremylong/DependencyCheck (org.owasp:dependency-check-maven)

v9.2.0

Compare Source

  • docs: update logo per intellj (#​6660)
  • feat: Carthage analyzer (#​6614)
  • fix: Ensure valid JSON output for gitlab report (#​6630)
  • feat: Support Package.swift version 3 Specification (#​6578)
  • chore: Update the packaged suppressions to include new hosted suppressions (#​6567)

See the full listing of changes.

v9.1.0

Compare Source

  • feat: Add v2 support for maven_install.json (#​6528)
  • build(deps): bump open-vulnerability-client (#​6554)
    • resolves update issues due to CVSS Metrics 4.0
  • build(deps): bump jackson.version from 2.16.0 to 2.16.1 (#​6353)
  • build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 (#​6362)
  • build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine (#​6506)

See the full listing of changes.

v9.0.10

Compare Source

  • fix: #​4321 Suppress redis server CVEs for client libraries (#​4321) (#​6489)
  • fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#​6492)
  • feat: Allow to pass NVD API key via environment variable (#​6454)
  • fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#​6501)
  • docs: document the default data directory (#​6484)
  • fix: prevent NPE in bundler audit (#​6462)
  • fix: #​6441 Improve suppression rule to not restrict to a single version (#​6442)

See the full listing of changes.

v9.0.9

Compare Source

  • fix: for #​6374 to delete non-empty directories (#​6375)
  • fix: NoSuchMethodError closeQuietly(java.io.Closeable[]) (#​6377)
  • chore: close stream to prevent possible resource leak (#​6382)
  • docs: Document default for CLI --data (#​6359)
  • docs: document gradle build (#​6371)

See the full listing of changes.

v9.0.8

Compare Source

  • fix: favor stability over performance (#​6349)
  • chore: replace commons-io with core java calls (#​6343)
  • fix: improve error reporting for invalid H2 database (#​6339)
  • fix: rework fix for closing input streams on errors correctly (#​6338)
  • fix: reduce chance NVD API block updates due to rate limit (#​6333)
  • fix: ensure open handles will not leak on errors (#​6326)
  • fix: improve error reporting (#​6324)

See the full listing of changes.

v9.0.7

Compare Source

  • docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#​6315)
  • fix: improve memory usage on NVD update (#​6321)
  • fix: skip pyproject.toml unless it contains tool.poetry (#​6316)
  • fix: resolve build error that may cause an issue on some JDK versions (#​6312)

See the full listing of changes.

v9.0.6

Compare Source

See the full listing of changes.

v9.0.5

Compare Source

  • fix: make NVD API endpoint configurable (#​6287)
  • fix: synch last modified timestamp for NVD API (#​6281)
  • fix: read NVD cache meta files if cache.properties does not exist (#​6282)
  • fix: correct property for nonProxyHosts (#​6285)
  • fix: reduce apache http logging (#​6280)
  • fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db (#​6271)
  • build: bump golang in the docker image (#​6274)
  • fix: use temporary files to reduce memory usage during the NVD Update (#​6270)
  • fix: use BIT for Oracle DB instead of Boolean when calling prepared statements (#​6264)
  • fix: showing all reference tags in reports (#​6259)

See the full listing of changes.

v9.0.4

Compare Source

  • fix: utilize maven proxy if present (#​6255)
  • fix: allow api key in cli to be quoted (#​6253)
  • fix: use correct maven plugin reporting plugin (#​6244)
  • fix: correct trailing comma in JSON report (#​6245)

See the full listing of changes.

v9.0.3

Compare Source

  • fix: use Java properties for proxy configuration (#​6238)
  • docs: update proxy configuration documentation (#​6237)
  • docs: add documentation on caching (#​6204)
  • docs: Clarify H2 database caching strategy (#​6220)
  • docs: Update list of supported report formats (#​6224)
  • docs: example 5 with new nvdDatafeedUrl parameter (#​6215)
  • fix: prevent NPEs (#​6232 and #​6206)
  • fix: check valid for hours for NVD API (#​6225)
  • fix: correct NVD cache last checked logic (#​6218)
  • fix: nvd datafeed should process current year (#​6213)
  • fix: correct references to cvssv2 and cvssv3 fields in json and xml reports (#​6212)
  • fix: correct name on reference links in report (#​6205)
  • fix: flaws in the gitlab report (#6193)

See the full listing of changes.

v9.0.2

Compare Source

  • fix: remove virtual match string on NVD API Request (#​6177)
  • fix: correct meta data in report after switching the NVD API (#​6154)
  • fix: retry HTTP connections to NVD on 502 and 504 errors (#​6151)
  • fix: Gitlab report format needs severity capitalized (#​6182)
  • fix: improve JDK update version parsing (#​6163)
  • fix: mute JCS logging (again) (#​6153)

See the full listing of changes.

v9.0.1

Compare Source

  • fix: #​4321 Suppress redis server CVEs for client libraries (#​4321) (#​6489)
  • fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#​6492)
  • feat: Allow to pass NVD API key via environment variable (#​6454)
  • fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#​6501)
  • docs: document the default data directory (#​6484)
  • fix: prevent NPE in bundler audit (#​6462)
  • fix: #​6441 Improve suppression rule to not restrict to a single version (#​6442)

See the full listing of changes.

v9.0.0

Compare Source

breaking changes: See the upgrade notice

See the full listing of changes.

v8.4.3

Compare Source

  • fix: bump jcs3 (#​6047)
  • docs: Corrected docs on hostedSuppressions (#​6035)

See the full listing of changes.

v8.4.2

Compare Source

  • fix: correct log configuration in cli (#​6002)

See the full listing of changes.

v8.4.1

Compare Source

Fixed
  • fix: upgrade to JCS3 (#​5114)
  • fix: Support ~= version specifier in requirements.txt and pipfile (#​5902)
  • fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name (#​5901)
  • fix: Do not filter out evidences added by hints (#​5900)
  • fix: fixes FP #​5925 (#​5927)

See the full listing of changes.

v8.4.0

Compare Source

Added
  • feat: Add support for Nexus v3 to NexusAnalyzer (#​5849)
Fixed
  • fix: Hint Analyzer should run before VersionFilter Analyzer (#​5818)
  • chore: switch to sha1-pinning as suggested by Semgrep
  • fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#​5845)
  • fix: use curl with -L to follow github redirect (#​5808)
  • fix: use curl with -L to follow github redirect
  • fix: #​5671 out of memory error (#​5789)
  • fix: #​5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError

See the full listing of changes.

v8.3.1

Compare Source

Re-release of 8.3.0 as 8.3.1.

v8.3.0

Compare Source

Added
  • Add LibmanAnalyzer (#​5652)
  • Update HTML report Dependencies header based on display settings (#​5619)
  • Add link to suppressed vulnerabilities header in HTML report (#​5620)
  • Enable local proxy configuration in maven plugin configuration (#​5696)
Fixed
  • Fix npm alias present in requires of dependencies (#​5703)
  • Make Central URL configurable via CLI (#​5667)
  • Ensure support of CVSSv3.1 (#​5602)

See the full listing of changes.

v8.2.1

Compare Source

Fixed
  • NullPointerException in MSBuildAnalyzer (#​5589)
  • SQL Syntax for Oracle (#​5590)
  • Use https:// URLs in report templates (#​5582)

See the full listing of changes.

v8.2.0

Compare Source

Added
  • Support msbuild Directory.build.props (#​5475)
  • better display of NPM audit references
  • Add CVSS V3 results from NPM Audit results
Fixed
  • Fix several issues on NPM Audit reporting (#​5546)
  • Case issue in SQL (#​5557)
  • Fix CWE(s) extraction for NPM Audit advisories
  • Use the stable github_advisory_id instead of the now unstable id in NPM audit results

See the full listing of changes.

v8.1.2

Compare Source

Fixed
  • Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#​5512)

See the full listing of changes.

v8.1.1

Compare Source

Fixed
  • allow hosted suppressions file to be disabled (#​5509)
  • Several FPs not suitable for our automation (#​5504)
  • Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#​5503)
  • Erroneous error-log for deprecated CLI flag usage when using property-file based disablement of Node Audit Analyzer (#5487)
  • Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#​5473)
  • Node package dependencies ending up as related dependency of the wrong version of the package (#​5479)
  • do not throw error if pyproject.toml is in node_modules (#​5470)

See the full listing of changes.

v8.1.0

Compare Source

Added
  • Pipfile.lock files are now supported (#5404).
  • Python projects with only a pyproject.toml but no lock file or requirements will report an error as ODC is unable to analyze the project (#​5409).
Fixed
  • Some maven projects caused false positives due to bad string interpolation (#​5421).
  • Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis (#​5408).
  • Correct issue where database defrag occurs even when no updates were performed (#​5441).
  • Fixed several False Positives and one False Negative.
  • Made the format configuration more flexible in the gradle plugin (dependency-check-gradle/#324).

See the full listing of changes.

v8.0.2

Compare Source

Fixed
  • Resolved bug causing an issue with some Maven Extensions (#​5366).
  • ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#​5371).
  • Updated CSV report so that it no longer has a duplicate description column (#​5364).
  • Moved several logging statements to trace which should drastically reduce the log size (#​5350).
  • Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#​5351).
  • Fixed the sarif report format and added validation (#5345 and #5363).
  • Fixed MalformedPackageException in the gradle plugin (dependency-check-gradle/#​320).
  • Fixed MissingMethodException in the gradle plugin (dependency-check-gradle/#​316).

See the full listing of changes.

v8.0.1

Compare Source

Fixed

See the full listing of changes.

v8.0.0

Compare Source

Added
  • Utilize the hosted suppression file to allow for faster remediation of reported False Positives (#​4723).
  • Include the CISA Known Exploited Vulnerability Catalog (#​4878).
  • The gradle and maven plugins now have the capability to scan the build plugins (#​4035).
  • The gradle and maven plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency (#​5001).
  • Added properties.security-severity to SARIF report for better integration with GitHub Security Code scanning (#​5277).
  • Allow for HTTP auth settings for Retire JS repository (#​5209).
  • New schema for the XML report was added to support some of the above additions (#​5296).
  • Added missing gradle option to only warn on remote errors from the OSS Index Analyzer (gradle #​303).
Changed
  • Breaking: the database schema updated - if using an external database the update scripts must be run!
  • The exit codes from the CLI have been changed to be in the range from 0-255 (#4511).
  • The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported (#​5300).
Fixed
  • Added an additional check for rejected CVEs to reduce FP (#5268).
  • Corrected the analysis of node_modules to prevent NPEs (#​5266).
  • Fixed error when scanning node packages with local dependencies (#​5235).
  • Fixed NPE in the MSBuild Analyzer (#​5293).
  • Several False Positives have been resolved.

See the full listing of changes.

v7.4.4

Compare Source

Fixed
  • Resolved issue processing NVD CVE data due to column width (#​5229)

See the full listing of changes.

v7.4.3

Compare Source

Fixed

See the full listing of changes.

v7.4.2

Compare Source

Fixed

See the full listing of changes.

v7.4.1

Compare Source

Fixed
  • Fixed bug when setting the proxy port in gradle (#​5123)
  • Fixed issue with invalid node_module paths in some scans (#​5127)
  • Resolved several FP

See the full listing of changes.

v7.4.0

Compare Source

Added
  • Add support for npm package lock v2 and v3 (#​5078)
  • Added experimental support for Python Poetry (#​5025)
  • Added a vanilla HTML report for use in Jenkins (#​5053)
Changed
  • Renamed RELEASE_NOTES.md to CHANGELOG.md to be more conventional
  • Optimized checksum calculation to improve performance (#​5112)
  • Added support for scanning .NET assemblies when only the dotnet runtime is installed (#​5087)
  • Bumped several dependencies
Fixed
  • Fixed bug when setting the proxy port (#​5076)
  • Resolved several FP and FN

See the full listing of changes.

v7.3.2

Compare Source

Changed
  • Automated release of 7.3.1 failed and only published to Central; 7.3.2 is a re-release of 7.3.1.
  • Resolved several false positives and false negatives.
  • Use Jackson Afterburner if still on Java 8 (#​4966).
  • Exclude node_modules from the Maven plugin's scan path (#​4974).

See the full listing of changes.

v7.3.1

Compare Source

Changed
  • Resolved several false positives and false negatives.
  • Use Jackson Afterburner if still on Java 8 (#​4966).
  • Exclude node_modules from the Maven plugin's scan path (#​4974).

See the full listing of changes.

v7.3.0

Compare Source

Added
  • Added an experimental Dart analyzer (#​4869).
Changed
  • Migrated from Jackson Afterburner to Blackbird (#​4905).
Fixed
  • Fixed issue with the Maven plugin that caused concurrent modification exceptions (#​4935).

See the full listing of changes.

v7.2.1

Compare Source

Fixed

See the full listing of changes.

v7.2.0

Compare Source

Changed
  • Add support for Bazel's pinned maven_install.json (#​4772).
  • Fixed bug preventing the use of custom report templates (#​4800).
  • Updated several dependencies including upgrades for dependencies with CVEs.
  • Several bug fixes made and suppression rules were added.

See the full listing of changes.

v7.1.2

Compare Source

Changed
  • The maven plugin now includes pnpm and yarn lock files in the scan by default (#​4753).
  • If a suppression rule is no longer used a log entry will be written (#​4685).
  • Several bug fixes made and suppression rules added.

See the full listing of changes.

v7.1.1

Compare Source

Fixed
  • Minor bug fixes.
  • Resolved several false positives.

See the full listing of changes.

v7.1.0

Compare Source

Changed
  • Improved sorting in the HTML report (see #​4112).
  • Improved support for Swift (see #​4265).
  • Resolved several false positives.

See the full listing of changes.

v7.0.4

Compare Source

Changed
  • Update to jackson-databind (see #​4285).

See the full listing of changes.

v7.0.3

Compare Source

Changed
  • Update to jackson-databind (see #​4285).

See the full listing of changes.

v7.0.2

Compare Source

Changed
  • General project maintenance, bug fixes, and false positive and false negative reductions.

See the full listing of changes.

v7.0.1

Compare Source

Changed
  • General project maintenance, bug fixes, and false positive reductions.

See the full listing of changes.

v7.0.0

Compare Source

Changed
  • Breaking: The H2 database version has been upgraded.
    • if you use the dataDirectory option you will need to run a purge after upgrading.
  • Breaking: Upgraded to dotnet core 6.0. If analyzing dotnet assemblies the system will need to have the dotnet core 6.0.x runtime available.
  • The Sarif report format has been fixed and can now be imported into GitHub if desired (See #​3993).
  • Introduced IssueOps for False Positive reports to assist the team in evaluating FP reports.
  • When analyzing Java projects ODC now includes data from the developers section.
    • This will likely cause false positives on things like Apache James, please report the FP and we will fix these quickly.
  • General project maintenance, bug fixes, and false positive reductions.

See the full listing of changes.

v6.5.3

Compare Source

Changed
  • Performance improvements for some Maven projects (see #​3923 and #​3931).
  • Fixed bug in npm version handling introduced in 6.5.2 (see #​3956).
  • Improved the node package analyzer to correctly report the origin of a dependency (see #​3970).
  • General code maintenance and false positive reductions.

See the full listing of changes.

v6.5.2

Compare Source

Changed
  • Fixed false positives around log4j-api and Log4j-web (#​3910 & #​3937).
  • Bug fix when processing NPM lock files (#​3893).
  • Added missing pnpm argument to the CLI (#3916).
  • General code maintenance and false positive reductions.

See the full listing of changes.

v6.5.1

Compare Source

Changed
  • Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified (#​3787).
  • Improved the analysis of Swift package manager (package.resolved - see #​3813).
  • General code maintenance and false positive reductions.

See the full listing of changes.

v6.5.0

Compare Source

Changed
  • Updated build configuration to create reproducible builds.
  • Updated automated release process to work with branch protection.
  • Resolved several false positives in the Java ecosystem.
  • Enabled the Swift Resolved analyzer per #​3735
  • Improved iOS support per #​3168 and #​3765
  • Added a new pnpm Analyzer
  • Fixed issue with some npm and yarn analysis failing due to large audit output

See the full listing of changes.

v6.4.1

Compare Source

Added
  • Added download attempts with increasing wait time for CVE meta files from the NVD to prevent rate limiting issues (see #​3725).

See the full listing of changes.

v6.4.0

Compare Source

Changed
  • Increased timeout between downloads from the NVD to prevent rate limiting issues (see #​3722).
    • cveStartYear is now configurable and can be set to any year from 2002 to present.
    • cveWaitTime is a new configuration option to define how many milliseconds to wait between NVD downloads; default is 4000 ms (see #​3690).
    • The NVD CVE data files are now being cached for up to 4 hours in case a download fails, re-running ODC will use the cached version.
  • Fixed NPE in the ODC maven plugin (see #3702).

See the full listing of changes.

v6.3.2

Compare Source

Changed
  • Reduced chance of rate limiting when download files from NVD (see #​2670).
  • Fixed bug causing some transitive dependencies being skipped in the odc-maven-plugin (see #​3627).

See the full listing of changes.

v6.3.1

Compare Source

Fixed

See the full listing of changes.

v6.3.0

Compare Source

Changed
  • Many updates were made to improve performance on large scans, reduce false positives, and other bug fixes.
  • Increased the width of four columns in the database; if you use an external database you should also update the width (see upgrade_5.1.sql).

See the full listing of changes.

v6.2.2

Compare Source

Fixed

See the full listing of changes.

v6.2.1

Compare Source

Fixed

See the full listing of changes.

v6.2.0

Compare Source

Changed
  • Added an experimental Perl CPAN analyzer #​3378
    • Note that the full DSL of the CPAN is not yet supported so any required dependency is analyzed (i.e. there is no way to exclude development requirements)
  • Improved database performance #​3206
  • The archive analyzer now extracts files from RPM archives #​3226
  • Ensure ordered output in reports #​3243
  • Several minor bug fixes and updates to reduce false positives

See the full listing of changes.

v6.1.6

Compare Source

Fixed
  • Resolved issue with Sarif report (#​3243)
  • Resolved issue with Ruby Bundle Audit (#​3256)
  • Several minor bug fixes and updates to reduce false positives

See the full listing of changes.

v6.1.5

Compare Source

Fixed
  • Fixed a second NPE introduced in 6.1.3 (see #​3246)

See the full listing of changes.

v6.1.4

Compare Source

Changed
  • Fixed an NPE introduced in 6.1.3 (see #​3212)

See the full listing of changes.

v6.1.3

Compare Source

Changed
  • Modified the new CPE matching strategy to be more performant (#​3207)
  • Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) (#​3205)

See the full listing of changes.

v6.1.2

Compare Source

Changed
  • Fixed a bug in the Sarif report generation.
  • Fixed a bug with the Ant task not being able to read the dependency-check properties file in 6.1.1.
  • Added a new CPE matching strategy to reduce false negatives.
  • CLI and Ant task will no longer be published to bintray.
  • Several minor bug fixes.

See the full listing of changes.

v6.1.1

Compare Source

Changed
  • Added missing configuration options for yarn and msbuild.
  • Several bug fixes.

See the full listing of changes.

v6.1.0

Compare Source

Changed
  • Added SARIF file format per #​3081.
  • Added support for Yarn per #​3063.
  • False positive reduction and minor bug fixes.

See the full listing of changes.

v6.0.5

Compare Source

Changed
  • Added missing command line arguments per #​3028 and #​3035.
  • False positive reduction and minor bug fixes.

See the full listing of changes.

v6.0.4

Compare Source

Changed
  • Minor bug fixes and reduction of false positives.

See the full listing of changes.

v6.0.3

Compare Source

Changed
  • Added a bash command completion script (see #2916); to add completion to your shell, source
    completion-for-dependency-check.sh, which can be found in the bin directory of the CLI:

    $ source completion-for-dependency-check.sh
  • An experimental PIP File Analyzer was added (see #​2877).

  • Analysis of Node JS produced several false positives (see #​2796); the analysis has
    be


Configuration

📅 Schedule: Branch creation - "before 4am on Monday" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/major-dependency-check-maven.version branch 2 times, most recently from 6042f01 to 1d3924b Compare March 15, 2024 14:25
@renovate renovate bot force-pushed the renovate/major-dependency-check-maven.version branch from 1d3924b to 50ab5c0 Compare March 31, 2024 13:33

sonarcloud bot commented Mar 31, 2024

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@renovate renovate bot changed the title chore(deps): update dependency org.owasp:dependency-check-maven from v5.3.2 to v9 Update dependency org.owasp:dependency-check-maven from v5.3.2 to v9 Apr 14, 2024
@renovate renovate bot changed the title Update dependency org.owasp:dependency-check-maven from v5.3.2 to v9 chore(deps): update dependency org.owasp:dependency-check-maven from v5.3.2 to v9 Apr 16, 2024
@renovate renovate bot force-pushed the renovate/major-dependency-check-maven.version branch from 50ab5c0 to 4007ad4 Compare May 1, 2024 09:23
@renovate renovate bot force-pushed the renovate/major-dependency-check-maven.version branch from 4007ad4 to 15ad175 Compare May 15, 2024 12:49

sonarcloud bot commented May 15, 2024

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud
