Update dependency org.owasp:dependency-check-maven to v8

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.owasp:dependency-check-maven (source)	7.4.4 -> 8.4.0

---

Release Notes

jeremylong/DependencyCheck (org.owasp:dependency-check-maven)

v8.4.0

Compare Source

Added

• feat: Add support for Nexus v3 to NexusAnalyzer (#​5849)

Fixed

• fix: Hint Analyzer should run before VersionFilter Analyzer (#​5818)
• chore: switch to sha1-pinning as suggested by Semgrep
• fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#​5845)
• fix: use curl with -L to follow github redirect (#​5808)
• fix: use curl with -L to follow github redirect
• fix: #​5671 out of memory error (#​5789)
• fix: #​5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError

See the full listing of changes.

v8.3.1

Compare Source

Re-release of 8.3.0 as 8.3.1.

v8.3.0

Compare Source

Added

• Add LibmanAnalyzer (#​5652)
• Update HTML report Dependencies header based on display settings (#​5619)
• Add link to suppressed vulnerabilities header in HTML report (#​5620)
• Enable local proxy configuration in maven plugin configuration (#​5696)

Fixed

• Fix npm alias present in requires of dependencies (#​5703)
• Make Central URL configurable via CLI (#​5667)
• Ensure support of CVSSv3.1 (#​5602)

See the full listing of changes.

v8.2.1

Compare Source

Fixed

• NullPointerException in MSBuildAnalyzer (#​5589)
• SQL Syntax for Oracle (#​5590)
• Use https:// URLs in report templates (#​5582)

See the full listing of changes.

v8.2.0

Compare Source

Added

• Support msbuild Directory.build.props (#​5475)
• better display of NPM audit references
• Add CVSS V3 results from NPM Audit results

Fixed

• Fix several issues on NPM Audit reporting (#​5546)
• Case issue in SQL (#​5557)
• Fix CWE(s) extraction for NPM Audit advisories
• Use the stable github_advisory_id instead of the now unstable id in NPM audit results

See the full listing of changes.

v8.1.2

Compare Source

Fixed

• Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#​5512)

See the full listing of changes.

v8.1.1

Compare Source

Fixed

• allow hosted suppressions file to be disabled (#​5509)
• Several FPs not suitable for our automation (#​5504)
• Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#​5503)
• Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer (#​5487)
• Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#​5473)
• Node package dependencies ending up as related dependency of the wrong version of the package (#​5479)
• do not throw error if pyproject.toml is in node_modules (#​5470)

See the full listing of changes.

v8.1.0

Compare Source

Added

• Pipefile.lock files are now supported (#​5404).
• Python projects with only a pyproject.toml but no lock file or requirements will report an error as ODC is unable to analyze the project (#​5409).

Fixed

• Some maven projects caused false positives due to bad string interpolation (#​5421).
• Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis (#​5408).
• Correct issue where database defrag occurs even when no updates were performed (#​5441).
• Fixed several False Positives and one False Negative.
• Fixed the format configuration more flexible in the gradle plugin (dependency-check-gradle/#​324).

See the full listing of changes.

v8.0.2

Compare Source

Fixed

• Resolved bug causing an issue with some Maven Extensions (#​5366).
• ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#​5371).
• Updated CSV report so that it no longer has a duplicate description column (#​5364).
• Moved several logging statements to trace which should drastically reduce the log size (#​5350).
• Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#​5351).
• Fixed the sarif report format and added validation (#​5345 and (#​5363)
• Fixed MalformedPackageException in the gradle plugin (dependency-check-gradle/#​320).
• Fixed MissingMethodException in the gradle plugin (dependency-check-gradle/#​316).

See the full listing of changes.

v8.0.1

Compare Source

Fixed

• Fixed Stack Overflow Exception in the gradle plugin (dependency-check-gradle/#​308).
• Fixed No Signature of Method Exception in the gradle plugin (dependency-check-gradle/#​305).
• Updated DB initialization scripts for externally hosted DBs (#​5314 and #​5317).
  • Postgres users will need to use the updated init script and 8.0.1.
• Resolved NPE in the NodePackageAnalyzer (#​5339).

See the full listing of changes.

v8.0.0

Compare Source

Added

• Utilize the hosted suppression file to allow for faster remediation of reported False Positives (#​4723).
• Include the CISA Known Exploited Vulnerability Catalog (#​4878).
• The gradle and maven plugins now have the capability to scan the build plugins (#​4035).
• The gradle and maven plugins, for transitive dependencies, will report the root dependency in the project that included the transitive dependency (#​5001).
• Added properties.security-severity to SARIF report for better integration with GitHub Security Code scanning (#​5277).
• Allow for HTTP auth settings for Retire JS respository (#​5209).
• New schema for the XML report was added to support some of the above additions (#​5296).
• Added missing gradle option to only warn on remote errors from the OSS Index Analyzer (gradle #​303).

Changed

• Breaking: the database schema updated - if using an external database the update scripts must be run!
• The exit codes from the CLI have been changed to be in the range from 0-255 (#​4511.
• The OSS Index Analyzer will automatically disable itself if a transport error occurs - preventing copious errors from being reported (#​5300).

Fixed

• Added an additional check for rejected CVEs to reduce FP (#​5268.
• Corrected the analysis of node_modules to prevent NPEs (#​5266).
• Fixed error when scanning node packages with local dependencies (#​5235).
• Fixed NPE in the MSBuild Analyzer (#​5293).
• Several False Positives have been resolved.

See the full listing of changes.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

Merging #963 (ef1d176) into main (aa248d0) will not change coverage.
Report is 1 commits behind head on main.
The diff coverage is n/a.

Additional details and impacted files

@@            Coverage Diff            @@
##               main     #963   +/-   ##
=========================================
  Coverage     84.48%   84.48%           
  Complexity       58       58           
=========================================
  Files            15       15           
  Lines           245      245           
  Branches         14       14           
=========================================
  Hits            207      207           
  Misses           29       29           
  Partials          9        9