Bump dependency-check-maven from 3.2.1 to 3.3.0

[dependabot-preview]

Bumps dependency-check-maven from 3.2.1 to 3.3.0.

Changelog

Sourced from dependency-check-maven's changelog.

Version 3.3.0 (2018-07-22)

Bug Fixes

• The dependency-check-gradle plugin can now analyze multi-project android builds. See [PR #09](https://github-redirect.dependabot.com/jeremylong/dependency-check-gradle/pull/90) for more information.
• In some cases extremely large project may cause dependency-check to fail due to the analysis time. Previously, the analysis was capped at 10 minutes; the timeout was increased to 20 minutes and made configurable if this continues to be an issue for some users. See [issue #936](https://github-redirect.dependabot.com/jeremylong/DependencyCheck/issues/936) for more information.
• Some pom.xml files could not be analyzed because they contained a doctype definition. The parser has been enhanced to strip the doctype definitions.
• Fixed issue where, in some cases, temporary files were not correctly cleaned up in Jenkins and gradle builds.
• Fixed issue where, in some cases, files were retrieved from Maven Central using HTTP instead of HTTPS. See [issue #1325](https://github-redirect.dependabot.com/jeremylong/DependencyCheck/issues/1325) for more information.
  • Additionally, a retry count was added when attempting to download pom.xml files during analysis.
• Fixed issue where nodejs dependencies were not correctly analyzed. See [issue #1355](https://github-redirect.dependabot.com/jeremylong/DependencyCheck/issues/1355) for more information,.
• Fixed issue where the CWE was not written to the CSV report.
• In addition, general bug fixes, code cleanup, and false positive/negatives updates were made.

Enhancements

• An Artifactory Analyzer was added that can be used to in-place of the Central Analyzer for organizations that use Artifactory.
  • Note, for maven and gradle builds the Artifactory analyzer will not improve the analysis. The information gained by using the Central, Artifactory, or Nexus Analyzers is already obtained from the build system.
• An experimental Retire JS analyzer has been added to analyze client side JavaScript.
  • This utilizes information from the RetireJS repo on github. If you have a proxy that prevents access you will either need to have access granted to https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json or host the file internally, update the environment variable analyzer.retirejs.repo.js.ur, and periodically update the file.
  • This analyzer is considered experimental, but the team expects this to be promoted quickly.
• NuGet dependencies contained in MSBuild files are now included in the scan. See [Issue #1131](https://github-redirect.dependabot.com/jeremylong/DependencyCheck/issues/1131) for more details.
• Cocoapod's Podfile.lock is now analyzed when present. See [PR #1324](https://github-redirect.dependabot.com/jeremylong/DependencyCheck/pull/1324) for more information.

Commits

• d6a074d Added 3.3.0 release notes
• c9bdbce checkstyle suggestions
• 1afd1f7 checkstyle/codacy suggestions
• 333a28f updated release version
• 528fc1c checkstyle, codacy, etc. suggested updates
• f82ac36 checkstyle, codacy, etc. suggested updates
• f7a0a6b patch for #1388
• 808a8d6 patch for #1392
• 8e023d5 additional updates to support android projects from gradle plugin
• 9e40106 Merge pull request #1385 from jeremylong/updateDefaultBehavior
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[whiskeysierra]

👍