Update dependency org.owasp:dependency-check-maven from v5.3.2 to v11

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.owasp:dependency-check-maven (source)	5.3.2 -> 11.1.1

---

Release Notes

jeremylong/DependencyCheck (org.owasp:dependency-check-maven)

v11.1.1

Compare Source

• fix: re-enable issue locking (#​7220)
• fix: add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again (#​7169)
• fix: rework replaceOrAddVulnerability (#​7177)
• fix: do not log loading of JDBC driver (#​7155)
• fix: expose flag to disable version check (#​7147)
• fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions (#​7125)
• chore: cleanup base suppression (#​7138)
• docs: update gradle configuration documentation (#​7176)
• docs: update documentation for Gradle plugin (#​7143)
• docs: improve false positive issue templat (#​7130)

See the full listing of changes.

v11.1.0

Compare Source

• feat: PHP Composer Analyzer now scans packages-dev by default (#​7114)
  • Users can configure if packages-dev should be skipped
• fix(regression): re-add h2 database driver name (#​7115)
• fix(regression): Make the Downloader honour the proxy.nonproxyhosts ODC Setting (#​7077)
• fix: do not set legacy proxy from maven or env (#​7072) (#​7074)
• docs: add missing documentation for the MS Build Analyzer (#​7113)
• docs: Document the breaking change for Maven plugin as reporting plugin (#​7079)

See the full listing of changes.

v11.0.0

Compare Source

• breaking change: Switch from JMockit to Mockito & build target to Java 11 (#​6922)
  • dependency-check now requires a minimum of Java 11.0 to run
• breaking change: bump com.h2database:h2 from 2.1.214 to 2.3.232 (#​6132)
  • H2 databases generated with an older version of ODC will not work with ODC 11.0.0; a new H2 db must be generated
• breaking change: Maven plugin updated to Doxia 2.x reporting stack
  • Users of the Maven plugin that configure it as a reporting plugin will need to use maven-site-plugin 3.20.0 or later (#​6959)
• feat: Replace old Downloader by an Apache HTTPClient based downloader
• feat: Use Apache HTTPClient for downloads of public resources (#​6949)
• feat: Also make NodeAuditSearch usr our HTTPClient based connections
• feat: Also make OSSIndexAnalyzer use our HTTPClient based connections
• feat: Migrate CentralSearch to use Apache HTTP-client via Downloader
• feat: Extend apache HTTP-client usage to EngineVersionCheck
• feat: Remove the need to specify dbDriver for external databases using JDBCv4 ServiceLoader supporting JDBC drivers (#​6938)
• fix: use latest generated suppressions (#​7064)
• fix: Fixup parameter sequence for Dowloader credentials (#​7033)
• fix: Fixup the missing addition of NVD API Datafeed credentials (if configured)
• fix: Fixup broken proxy authentication in first attempt; extend to include KEV downloads
• fix: store timestamps locally for local resources (#​6936)
• build: Remove the animal-sniffer, propagate java version to plugin-archetype (#​6950)
• build: Update Checkstyle configuration and Suppression DTD references (#​6951)
• chore: Update test db schema (#​7036)
• chore: remove old, unneeded database upgrade script
• docs: reformat javadoc (#​7009)
• docs: Fixup javadoc warnings (#​6995)
• chore: Replace use of several deprecated methods/classes by their successors (#​6933)

See the full listing of changes.

v10.0.4

Compare Source

• build(deps): exclude unused dependency (#​6916)
• fix: improve regex (#​6917)
• fix: correctly handle null values in cpeMatch (#​6915)
• fix(site): Update Fluido skin to resolve broken fork-me-on-github image (#​6914)
• fix: do not report over 100% download complete (#​6899)
• fix: Correct spelling of occurring in NvdApiDataSource.java (#​6883)
• fix: skip blank lines in requirements.txt (#​6867)
• fix: correct percentage calculation (#​6868)
• docs: remove old recommendation (#​6860)

See the full listing of changes.

v10.0.3

Compare Source

• feat: Enable configuration of a lower resultsPerPage on NVD API (#​6843)
• build(deps): bump open-vulnerability-clients from 6.1.6 to 6.1.7 (#​6848)
• build(deps): bump JamesIves/github-pages-deploy-action from 4.6.1 to 4.6.3 (#​6814)
• build(deps): bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.0 (#​6762)
• build(deps): bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 (#​6815)
• build(deps): bump golang from 1.22.4-alpine to 1.22.5-alpine (#​6805)

See the full listing of changes.

v10.0.2

Compare Source

Mandatory Upgrade - due to older versions of dependency-check causing numerous, spurious requests that end in processing failures, this upgrade is mandatory so that the NVD can differentiate valid requests and block the old clients.

• build(deps): bump open-vulnerability-clients (#​6810)
• fix(db): #​6788 removing redundant db index "idxVulnerability" on "vulnerability.cve" (#​6807)
• docs: Further improve formatting and docs of H2 database caching strats (#​6804)
• fix: update_vulnerability in dbStatements_oracle.properties (#​6803)
• fix: fix NPE (#​6778)
• fix: add hint to resolve false negative (#​6802)
• chore: update configure (#​6794)

See the full listing of changes.

v10.0.1

Compare Source

• build(deps): bump open-vulnerability-client (#​6772)
• fix: remove debug logging (#​6770)
• fix: postgresql column count error (#​6773)
• fix: mssql column name and version (#​6761)
• docs: update supported versions (#​6771)

See the full listing of changes.

v10.0.0

Compare Source

• breaking change: upgrade to dotnet 8.0 (#​6580)
  • Users of the AssemblyAnalyzer must upgrade/utilize dotnet 8 to analyze assemblies
• feat: fix the NVD API related errors by adding cvssV4 support (#​6756)
  • breaking changes: anyone utilizing a centralized database will need to upgrade the schema; see changes in PR #​6756
• fix: avoid escaping unnecessary chars in HTML report suppression regexes (#​6749)
• fix: #​6688 Trim version number when parsin POM (#​6705)
• fix: change request if lockfile is file v3 (#​6690)
• fix: skip pyproject.toml unless it contains tool.poetry before ensuring lockfiles (#​6681)

See the full listing of changes.

v9.2.0

Compare Source

• docs: update logo per intellj (#​6660)
• feat: Carthage analyzer (#​6614)
• fix: Ensure valid JSON output for gitlab report (#​6630)
• feat: Support Package.swift version 3 Specification (#​6578)
• chore: Update the packaged suppressions to include new hosted suppressions (#​6567)

See the full listing of changes.

v9.1.0

Compare Source

• feat: Add v2 support for maven_install.json (#​6528)
• build(deps): bump open-vulnerability-client (#​6554)
  • resolves update issues due to CVSS Metrics 4.0
• build(deps): bump jackson.version from 2.16.0 to 2.16.1 (#​6353)
• build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 (#​6362)
• build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine (#​6506)

See the full listing of changes.

v9.0.10

Compare Source

• fix: #​4321 Suppress redis server CVEs for client libraries (#​4321) (#​6489)
• fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#​6492)
• feat: Allow to pass NVD API key via environment variable (#​6454)
• fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#​6501)
• docs: document the default data directory (#​6484)
• fix: prevent NPE in bundler audit (#​6462)
• fix: #​6441 Improve suppression rule to not restrict to a single version (#​6442)

See the full listing of changes.

v9.0.9

Compare Source

• fix: for #​6374 to delete non-empty directories (#​6375)
• fix: NoSuchMethodError closeQuietly(java.io.Closeable[]) (#​6377)
• chore: close stream to prevent possible resource leak (#​6382)
• docs: Document default for CLI --data (#​6359)
• docs: document gradle build (#​6371)

See the full listing of changes.

v9.0.8

Compare Source

• fix: favor stability over performance (#​6349)
• chore: replace commons-io with core java calls (#​6343)
• fix: improve error reporting for invalid H2 database (#​6339)
• fix: rework fix for closing input streams on errors correctly (#​6338)
• fix: reduce chance NVD API block updates due to rate limit (#​6333)
• fix: ensure open handles will not leak on errors (#​6326)
• fix: improve error reporting (#​6324)

See the full listing of changes.

v9.0.7

Compare Source

• docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#​6315)
• fix: improve memory usage on NVD update (#​6321)
• fix: skip pyproject.toml unless it contains tool.poetry (#​6316)
• fix: resolve build error that may cause an issue on some JDK versions (#​6312)

See the full listing of changes.

v9.0.6

Compare Source

• build: bump [email protected] (#​6308)
• fix: mask nvd.api.key in logs; see GHSA-qqhq-8r2c-c3f5 (#​6307)
• fix: update java version check (#​6297)
• fix: more efficient memory usage (#​6299)
• fix: stream NVD data via Jackson to reduce memory footprint (#​6275)
• docs: document github action caching (#​6301)

See the full listing of changes.

v9.0.5

Compare Source

• fix: make NVD API endpoint configurable (#​6287)
• fix: synch last modified timestamp for NVD API (#​6281)
• fix: read NVD cache meta files if cache.properties does not exist (#​6282)
• fix: correct property for nonProxyHosts (#​6285)
• fix: reduce apache http logging (#​6280)
• fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db (#​6271)
• build: bump golang in the docker image (#​6274)
• fix: use temporary files to reduce memory usage during the NVD Update (#​6270)
• fix: use BIT for Oracle DB instead of Boolean when calling prepared statements (#​6264)
• fix: showing all reference tags in reports (#​6259)

See the full listing of changes.

v9.0.4

Compare Source

• fix: utilize maven proxy if present (#​6255)
• fix: allow api key in cli to be quoted (#​6253)
• fix: use correct maven plugin reporting plugin (#​6244)
• fix: correct trailing comma in JSON report (#​6245)

See the full listing of changes.

v9.0.3

Compare Source

• fix: use Java properties for proxy configuration (#​6238)
• docs: update proxy configuration documentation (#​6237)
• docs: add documentation on caching (#​6204)
• docs: Clarify H2 database caching strategy (#​6220)
• docs: Update list of supported report formats (#​6224)
• docs: example 5 with new nvdDatafeedUrl parameter (#​6215)
• fix: prevent NPEs (#​6232 and #​6206)
• fix: check valid for hours for NVD API (#​6225)
• fix: correct NVD cache last checked logic (#​6218)
• fix: nvd datafeed should process current year (#​6213)
• fix: correct references to cvssv2 and cvssv3 fields in json and xml reports (#​6212)
• fix: correct name on reference links in report (#​6205)
• fix: flaws int the gitlab report (#​6193)

See the full listing of changes.

v9.0.2

Compare Source

• fix: remove virtual match string on NVD API Request (#​6177)
• fix: correct meta data in report after switching the NVD API (#​6154)
• fix: retry HTTP connections to NVD on 502 and 504 errors (#​6151)
• fix: Gitlab report format needs severity capitalized (#​6182)
• fix: improve JDK update version parsing (#​6163)
• fix: mute JCS logging (again) (#​6153)

See the full listing of changes.

v9.0.1

Compare Source

• fix: #​4321 Suppress redis server CVEs for client libraries (#​4321) (#​6489)
• fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#​6492)
• feat: Allow to pass NVD API key via environment variable (#​6454)
• fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#​6501)
• docs: document the default data directory (#​6484)
• fix: prevent NPE in bundler audit (#​6462)
• fix: #​6441 Improve suppression rule to not restrict to a single version (#​6442)

See the full listing of changes.

v9.0.0

Compare Source

breaking changes: See the upgrade notice

• feat: Utilize NVD API (#​5978)
• feat: gitlab dependency scanner report format #​5919 (#​5920)
• fix: Use ASCII apostrophe for console message (#​6076)

See the full listing of changes.

v8.4.3

Compare Source

• fix: bump jcs3 (#​6047)
• docs: Corrected docs on hostedSuppressions (#​6035)

See the full listing of changes.

v8.4.2

Compare Source

• fix: correct log configuration in cli (#​6002)

See the full listing of changes.

v8.4.1

Compare Source

Fixed

• fix: upgrade to JCS3 (#​5114)
• fix: Support ~= version specifier in requirements.txt and pipfile (#​5902)
• fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name (#​5901)
• fix: Do not filter out evidences added by hints (#​5900)
• fix: fixes FP #​5925 (#​5927)

See the full listing of changes.

v8.4.0

Compare Source

Added

• feat: Add support for Nexus v3 to NexusAnalyzer (#​5849)

Fixed

• fix: Hint Analyzer should run before VersionFilter Analyzer (#​5818)
• chore: switch to sha1-pinning as suggested by Semgrep
• fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#​5845)
• fix: use curl with -L to follow github redirect (#​5808)
• fix: use curl with -L to follow github redirect
• fix: #​5671 out of memory error (#​5789)
• fix: #​5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError

See the full listing of changes.

v8.3.1

Compare Source

Re-release of 8.3.0 as 8.3.1.

v8.3.0

Compare Source

Added

• Add LibmanAnalyzer (#​5652)
• Update HTML report Dependencies header based on display settings (#​5619)
• Add link to suppressed vulnerabilities header in HTML report (#​5620)
• Enable local proxy configuration in maven plugin configuration (#​5696)

Fixed

• Fix npm alias present in requires of dependencies (#​5703)
• Make Central URL configurable via CLI (#​5667)
• Ensure support of CVSSv3.1 (#​5602)

See the full listing of changes.

v8.2.1

Compare Source

Fixed

• NullPointerException in MSBuildAnalyzer (#​5589)
• SQL Syntax for Oracle (#​5590)
• Use https:// URLs in report templates (#​5582)

See the full listing of changes.

v8.2.0

Compare Source

Added

• Support msbuild Directory.build.props (#​5475)
• better display of NPM audit references
• Add CVSS V3 results from NPM Audit results

Fixed

• Fix several issues on NPM Audit reporting (#​5546)
• Case issue in SQL (#​5557)
• Fix CWE(s) extraction for NPM Audit advisories
• Use the stable github_advisory_id instead of the now unstable id in NPM audit results

See the full listing of changes.

v8.1.2

Compare Source

Fixed

• Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#​5512)

See the full listing of changes.

v8.1.1

Compare Source

Fixed

• allow hosted suppressions file to be disabled (#​5509)
• Several FPs not suitable for our automation (#​5504)
• Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#​5503)
• Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer (#​5487)
• Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#​5473)
• Node package dependencies ending up as related dependency of the wrong version of the package (#​5479)
• do not throw error if pyproject.toml is in node_modules (#​5470)

See the full listing of changes.

v8.1.0

Compare Source

Added

• Pipefile.lock files are now supported (#​5404).
• Python projects with only a pyproject.toml but no lock file or requirements will report an error as ODC is unable to analyze the project (#​5409).

Fixed

• Some maven projects caused false positives due to bad string interpolation (#​5421).
• Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis (#​5408).
• Correct issue where database defrag occurs even when no updates were performed (#​5441).
• Fixed several False Positives and one False Negative.
• Fixed the format configuration more flexible in the gradle plugin (dependency-check-gradle/#​324).

See the full listing of changes.

v8.0.2

Compare Source

Fixed

• Resolved bug causing an issue with some Maven Extensions (#​5366).
• ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#​5371).
• Updated CSV report so that it no longer has a duplicate description column (#​5364).
• Moved several logging statements to trace which should drastically reduce the log size (#​5350).
• Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#​5351).
• Fixed the sarif report format and added validation (#​5345 and (#​5363)
• Fixed MalformedPackageException in the gradle plugin (dependency-check-gradle/#​320).
• Fixed MissingMethodException in the gradle plugin (dependency-check-gradle/#​316).

See the full listing of changes.

v8.0.1

Compare Source

Fixed

• Fixed Stack Overflow Exception in the gradle plugin (dependency-check-gradle/#​308).
• Fixed No Signature of Method Exception in the gradle plugin (dependency-check-gradle/#​305).
• Updated DB initialization scripts for externally hosted DBs (#​5314 and #​5317).
  • Postgres users will need to use the updated init script and 8.0.1.
• Resolved NPE in the NodePackageAnalyzer (#​5339).

See the full listing of changes.

v8.0.0

Compare Source

Added

• Utilize the hosted suppression file to allow for faster remediation of reported False Positives (#​4723).
• Include the CISA Known Exploited Vulnerability Catalog (#​4878).
• The gradle and maven plugins now have the capability to scan the build plugins (#​4035).
• The gradle and maven plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency (#​5001).
• Added properties.security-severity to SARIF report for better integration with GitHub Security Code scanning (#​5277).
• Allow for HTTP auth settings for Retire JS repository (#​5209).
• New schema for the XML report was added to support some of the above additions (#​5296).
• Added missing gradle option to only warn on remote errors from the OSS Index Analyzer (gradle #​303).

Changed

• Breaking: the database schema updated - if using an external database the update scripts must be run!
• The exit codes from the CLI have been changed to be in the range from 0-255 (#​4511.
• The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported (#​5300).

Fixed

• Added an additional check for rejected CVEs to reduce FP (#​5268.
• Corrected the analysis of node_modules to prevent NPEs (#​5266).
• Fixed error when scanning node packages with local dependencies (#​5235).
• Fixed NPE in the MSBuild Analyzer (#​5293).
• Several False Positives have been resolved.

See the full listing of changes.

v7.4.4

Compare Source

Fixed

• Resolved issue processing NVD CVE data due to column width (#​5229)

See the full listing of changes.

v7.4.3

Compare Source

Fixed

• Fixed NPE when analyzing version ranges in NPM (#​5158 & #​5190)
• Resolved several FP (#​5191)

See the full listing of changes.

v7.4.2

Compare Source

Fixed

• Fixes maven 3.1 compatibility issue (#​5152)
• Fixed issue with invalid node_module paths in some scans (#​5135)
• Fixed missing option to disable the Poetry Analyzer in the CLI (#​5160)
• Fixed missing option to configure the OSS Index URL in the CLI (#​5180)
• Fixed NPE when analyzing version ranges in NPM (#​5158)
• Fixed issue with non-proxy host in the gradle plugin (https://github.com/dependency-check/dependency-check-gradle/pull/298)
• Resolved several FP

See the full listing of changes.

v7.4.1

Compare Source

Fixed

• Fixed bug when setting the proxy port in gradle (#​5123)
• Fixed issue with invalid node_module paths in some scans (#​5127)
• Resolved several FP

See the full listing of changes.

v7.4.0

Compare Source

Added

• Add support for npm package lock v2 and v3 (#​5078)
• Added experimental support for Python Poetry (#​5025)
• Added a vanilla HTML report for use in Jenkins (#​5053)

Changed

• Renamed RELEASE_NOTES.md to CHANGELOG.md to be more conventional
• Optimized checksum calculation to improve performance (#​5112)
• Added support for scanning .NET assemblies when only the dotnet runtime is installed (#​5087)
• Bumped several dependencies

Fixed

• Fixed bug when setting the proxy port (#​5076)
• Resolved several FP and FN

See the full listing of changes.

v7.3.2

Compare Source

Changed

• Automated release of 7.3.1 failed and only published to Central; 7.3.2 is a re-release of 7.3.1.
• Resolved several false positives and false negatives.
• Use Jackson Afterburner if still on Java 8 (#​4966).
• Exclude node_modules from the Maven plugin's scan path (#​4974).

See the full listing of changes.

v7.3.1

Compare Source

Changed

• Resolved several false positives and false negatives.
• Use Jackson Afterburner if still on Java 8 (#​4966).
• Exclude node_modules from the Maven plugin's scan path (#​4974).

See the full listing of changes.

v7.3.0

Compare Source

Added

• Added an experimental Dart analyzer (#​4869).

Changed

• Migrated from Jackson Afterburner to Blackbird (#​4905).

Fixed

• Fixed issue with the Maven plugin that caused concurrent modification exceptions (#​4935).

See the full listing of changes.

v7.2.1

Compare Source

Fixed

• Fixed logging issue (#​4846).

See the full listing of changes.

v7.2.0

Compare Source

Changed

• Add support for Bazel's pinned maven_install.json (#​4772).
• Fixed bug preventing the use of custom report templates (#​4800).
• Updated several dependencies including upgrades for dependencies with CVEs.
• Several bug fixes made and suppression rules were added.

See the full listing of changes.

v7.1.2

Compare Source

Changed

• The maven plugin now includes pnpm and yarn lock files in the scan by default (#​4753).
• If a suppression rule is no longer used a log entry will be written (#​4685).
• Several bug fixes made and suppression rules added.

See the full listing of changes.

v7.1.1

Compare Source

Fixed

• Minor bug fixes.
• Resolved several false positives.

See the full listing of changes.

v7.1.0

Compare Source

Changed

• Improved sorting in the HTML report (see #​4112).
• Improved support for Swift (see #​4265).
• Resolved several false positives.

See the full listing of changes.

v7.0.4

Compare Source

Changed

• Update to jackson-databind (see #​4285).

See the full listing of changes.

v7.0.3

Compare Source

Changed

• Update to jackson-databind (see #​4285).

See the full listing of changes.

v7.0.2

Compare Source

Changed

• General project maintenance, bug fixes, and false positive and false negative reductions.

See the full listing of changes.

v7.0.1

Compare Source

Changed

• General project maintenance, bug fixes, and false positive reductions.

See the full listing of changes.

[v7.0.0](https://redirect.github.com/jeremylong/DependencyCheck/bl

---

Configuration

📅 Schedule: Branch creation - "* 0-3 * * 1" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud