diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a260eecbe28..95c773197c9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,9 +12,3 @@ updates:
directory: "/"
schedule:
interval: "daily"
- ignore:
- # stay .net 3.1
- - dependency-name: "mcr.microsoft.com/dotnet/runtime"
- versions:
- - "5.x"
- - "6.x"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1e645c081f9..33b96517292 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -45,7 +45,7 @@ jobs:
key: odc-data
- uses: actions/setup-dotnet@v4.0.0
with:
- dotnet-version: '6.0.x'
+ dotnet-version: '8.0.x'
- name: Set up JDK 1.8
id: jdk-8
uses: actions/setup-java@v4
diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml
index b2dec9ccd46..fcbbca0eb92 100644
--- a/.github/workflows/false-positive-ops.yml
+++ b/.github/workflows/false-positive-ops.yml
@@ -113,7 +113,7 @@ jobs:
if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'nuget' }}
uses: actions/setup-dotnet@v4.0.0
with:
- dotnet-version: '6.0.x'
+ dotnet-version: '8.0.x'
- name: Setup dotnet fp-project
if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'nuget' }}
env:
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
index 679b0cf6185..c3c4b62b6d6 100644
--- a/.github/workflows/pull_requests.yml
+++ b/.github/workflows/pull_requests.yml
@@ -24,7 +24,7 @@ jobs:
${{ runner.os }}-maven-
- uses: actions/setup-dotnet@v4.0.0
with:
- dotnet-version: '6.0.x'
+ dotnet-version: '8.0.x'
- name: Set up JDK 1.8
id: jdk-8
uses: actions/setup-java@v4
@@ -61,7 +61,7 @@ jobs:
${{ runner.os }}-maven-
- uses: actions/setup-dotnet@v4.0.0
with:
- dotnet-version: '6.0.x'
+ dotnet-version: '8.0.x'
- name: Set up JDK 1.8
id: jdk-8
uses: actions/setup-java@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e87822a9897..02f55dce5ea 100644
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,7 +47,7 @@ jobs: key: odc-data - uses: actions/setup-dotnet@v4.0.0 with: - dotnet-version: '6.0.x' + dotnet-version: '8.0.x' - name: Set up JDK 1.8 id: jdk-8 uses: actions/setup-java@v4 diff --git a/Dockerfile b/Dockerfile index b1a76ee7c62..e4bc6892ad5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM azul/zulu-openjdk-alpine:22 AS jlink RUN "$JAVA_HOME/bin/jlink" --compress=2 --module-path /opt/java/openjdk/jmods --add-modules java.base,java.compiler,java.datatransfer,jdk.crypto.ec,java.desktop,java.instrument,java.logging,java.management,java.naming,java.rmi,java.scripting,java.security.sasl,java.sql,java.transaction.xa,java.xml,jdk.unsupported --output /jlinked -FROM mcr.microsoft.com/dotnet/runtime:6.0-alpine3.16 +FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine3.18 ARG VERSION ARG POSTGRES_DRIVER_VERSION=42.2.19 diff --git a/README.md b/README.md index 58faaf7a960..a01131c4208 100644 --- a/README.md +++ b/README.md @@ -80,8 +80,8 @@ In order to analyze some technology stacks dependency-check may require other development tools to be installed. Some of the analysis listed below may be experimental and require the experimental analyzers to be enabled. -1. To analyze .NET Assemblies the dotnet 6 run time or SDK must be installed. - - Assemblies targeting other run times can be analyzed - but 6 is required to run the analysis. +1. To analyze .NET Assemblies the dotnet 8 run time or SDK must be installed. + - Assemblies targeting other run times can be analyzed - but 8 is required to run the analysis. 2. If analyzing GoLang projects `go` must be installed. 3. The analysis of `Elixir` projects requires `mix_audit`. 4. The analysis of `npm`, `pnpm`, and `yarn` projects requires `npm`, `pnpm`, or `yarn` to be installed. 
@@ -171,7 +171,7 @@ For installation to pass, you must have the following components installed:
* Maven: `mvn -version` 3.5.0 and higher
Tests cases require:
-* dotnet core version 6.0
+* dotnet core version 8.0
* Go: `go version` 1.12 and higher
* Ruby [bundler-audit](https://github.com/rubysec/bundler-audit#install)
* [Yarn](https://classic.yarnpkg.com/en/docs/install/)
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index f3b2ec4c167..eac7a93587a 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -355,7 +355,7 @@ public void prepareFileTypeAnalyzer(Engine engine) throws InitializationExceptio
+ "'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on "
+ "the path; either disable the Assembly Analyzer or add the path to dotnet "
+ "core in the configuration.");
- LOGGER.error("The dotnet 6.0 core runtime or SDK is required to analyze assemblies");
+ LOGGER.error("The dotnet 8.0 core runtime or SDK is required to analyze assemblies");
LOGGER.error("----------------------------------------------------");
return;
}
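Review bot: The required runtime version is now spelled out as a literal "8.0" in the LOGGER.error call here and in five more messages in the -367 hunk of the same file, with the test in AssemblyAnalyzerTest asserting one of those strings verbatim; the next runtime bump has to touch every one of them again and any message missed will silently keep the old number. A single constant, `private static final String REQUIRED_DOTNET_VERSION = "8.0";`, referenced from each message (e.g. `"The dotnet " + REQUIRED_DOTNET_VERSION + " core runtime or SDK is required to analyze assemblies"`) would keep the messages, the test expectation and the Dockerfile base-image tag easier to audit together. The enclosing method prepareFileTypeAnalyzer starts outside this hunk.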
@@ -367,28 +367,28 @@ public void prepareFileTypeAnalyzer(Engine engine) throws InitializationExceptio final String error = processReader.getError(); if (p.exitValue() != 1 || !StringUtils.isBlank(error)) { LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.\n" - + "dependency-check requires dotnet 6.0 core runtime or sdk to be installed to analyze assemblies."); + + "dependency-check requires dotnet 8.0 core runtime or sdk to be installed to analyze assemblies."); LOGGER.debug("GrokAssembly.dll is not working properly"); grokAssembly = null; setEnabled(false); - throw new InitializationException("Could not execute .NET AssemblyAnalyzer, is the dotnet 6.0 runtime or sdk installed?"); + throw new InitializationException("Could not execute .NET AssemblyAnalyzer, is the dotnet 8.0 runtime or sdk installed?"); } } } catch (InterruptedException e) { Thread.currentThread().interrupt(); LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n" - + "dependency-check requires dotnet 6.0 core runtime or sdk to be installed to analyze assemblies;\n" + + "dependency-check requires dotnet 8.0 core runtime or sdk to be installed to analyze assemblies;\n" + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details."); LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage()); setEnabled(false); throw new InitializationException("An error occurred with the .NET AssemblyAnalyzer", e); } catch (IOException e) { LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n" - + "dependency-check requires dotnet 6.0 core to be installed to analyze assemblies;\n" + + "dependency-check requires dotnet 8.0 core to be installed to analyze assemblies;\n" + "this can be ignored unless you are scanning .NET DLLs. 
Please see the log for more details."); LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage()); setEnabled(false); - throw new InitializationException("An error occurred with the .NET AssemblyAnalyzer, is the dotnet 6.0 runtime or sdk installed?", e); + throw new InitializationException("An error occurred with the .NET AssemblyAnalyzer, is the dotnet 8.0 runtime or sdk installed?", e); } } diff --git a/core/src/main/resources/GrokAssembly.zip b/core/src/main/resources/GrokAssembly.zip index 606d701bc69..2f6edd65b85 100644 Binary files a/core/src/main/resources/GrokAssembly.zip and b/core/src/main/resources/GrokAssembly.zip differ diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java index 3cc2ca8529b..3c405bfd5c1 100644 --- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java +++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java @@ -163,7 +163,7 @@ public void testWithSettingMono() throws Exception { aanalyzer.prepare(null); fail("Expected an InitializationException"); } catch (InitializationException ae) { - assertEquals("An error occurred with the .NET AssemblyAnalyzer, is the dotnet 6.0 runtime or sdk installed?", ae.getMessage()); + assertEquals("An error occurred with the .NET AssemblyAnalyzer, is the dotnet 8.0 runtime or sdk installed?", ae.getMessage()); } finally { System.setProperty(LOG_KEY, oldProp); // Recover the logger diff --git a/src/site/markdown/analyzers/assembly-analyzer.md b/src/site/markdown/analyzers/assembly-analyzer.md index 16633dd1081..296d8bcd12b 100644 --- a/src/site/markdown/analyzers/assembly-analyzer.md +++ b/src/site/markdown/analyzers/assembly-analyzer.md 
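Review bot: The readiness check above the first changed line, `if (p.exitValue() != 1 || !StringUtils.isBlank(error))`, still treats exit code 1 from the bundled GrokAssembly as the expected outcome, while this commit replaces core/src/main/resources/GrokAssembly.zip with a rebuilt binary and only updates the wording of the messages around that check. If the .NET 8 build of the tool exits differently in this probe, the analyzer will be disabled with a misleading "is the dotnet 8.0 runtime or sdk installed?" message; a test that exercises the real binary rather than only the expected string would catch that. Since the zip is an opaque binary, it is also worth recording, in a comment beside where the resource is loaded, which GrokAssembly source revision and SDK produced it so the artifact can be rebuilt and compared. The enclosing method prepareFileTypeAnalyzer starts outside this hunk.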
@@ -7,6 +7,6 @@ is internally referred to as evidence and is grouped into vendor, product, and v buckets. Other analyzers later use this evidence to identify any Common Platform Enumeration (CPE) identifiers that apply. -.NET core 6.x needs to be installed for this analyzer to work. +.NET core 8.x needs to be installed for this analyzer to work. Files Types Scanned: EXE, DLL diff --git a/src/site/markdown/analyzers/index.md b/src/site/markdown/analyzers/index.md index 8fc0c4b3212..7ce82f45dc3 100644 --- a/src/site/markdown/analyzers/index.md +++ b/src/site/markdown/analyzers/index.md @@ -6,7 +6,7 @@ to extract identification information from the files analyzed. | Analyzer | File Types Scanned | Analysis Method | | -------- | ------------------ | --------------- | | [Archive](./archive-analyzer.html) | Zip archive format (\*.zip, \*.ear, \*.war, \*.jar, \*.sar, \*.apk, \*.nupkg); Tape Archive Format (\*.tar); Gzip format (\*.gz, \*.tgz); Bzip2 format (\*.bz2, \*.tbz2); RPM format (\*.rpm) | Extracts archive contents, then scans contents with all available analyzers. | -| [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly); requires the dotnet core 6.0 runtime to be installed. | +| [Assembly](./assembly-analyzer.html) | .NET Assemblies (\*.exe, \*.dll) | Uses [GrokAssembly.exe](https://github.com/colezlaw/GrokAssembly); requires the dotnet core 8.0 runtime to be installed. | | [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). | | [RetireJS](./retirejs-analyzer.html) | JavaScript files | Analyzes JavaScript files using the [RetireJS](https://github.com/RetireJS/retire.js) database. | | [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parses the package.json to gather a bill-of-materials for a Node JS project. |