chore(deps): update dependency org.owasp:dependency-check-maven from v5.3.2 to v12 #146

renovate · 2024-02-11T23:06:38Z

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
org.owasp:dependency-check-maven (source)	`5.3.2` → `12.2.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

dependency-check/DependencyCheck (org.owasp:dependency-check-maven)

feat: package and utilize generated suppression file (#8116)
feat: override pnpm audit registry parameter (#8158)
feat: support multiple cvssBelow thresholds per version (#2563) (#8024)
feat: usage telemetry via scarf (#8066)
feat: add new suppression xsd allowing grouping of suppressions (#7957)
fix(ant): resolve relative paths against basedir (#8202)
fix: add hint for Elastic APM Java agent CPE mapping (#8200)
fix: Allow NVD data feed metadata downloads to fail on 1st Jan while logging correct errors (#8205)
fix(ant): resolve paths relative to basedir for suppression and output
fix: correct XML/JSON report CVSS field & HTML report URL mappings (#8156)
fix: log GrokAssembly output when dotnet invocation fails (#8141)
fix: correct reliability of Central etc (JCS cache) analyzers on Java 25/Docker by making CLI classpath deterministic (#8117)
docs: Update & correct README (#8166)
docs: update suppression schema version (#8136)
docs: fix typos in some files (#8135)
chore: remove duplicate suppression rules from base that are in the generated branch (#8138)
chore: remove suppression rules that were deleted from the generatedSuppression branch (#8119)
build: transition dependency to org.eclipse.parsson groupId (#8128)
See the full listing of changes

fix: correct bundle audit gem in Dockerfile (#8121)
fix: normalization during comparisons (#8046)
docs: document multiple configurations for gradle (#8111)
docs: fix typos in some files (#8106)
docs: Update SBT plugin link; fix dead report link (#8086)
chore: Replace deprecated lucene methods (#8079)
docs: fix #8076 - Error in documentation "Suppressing False Positives" (#8077)
fix(fp): Improve false positive suppression for matches against golang web_project (#8059)
fix(fp): Consolidate/update icu4j suppressions for false positives (#8062)
fix(fp): Correct GRPC java suppressions for newer C/C++/native false positives (#8063)
fix(fp): Suppress false positive CPEs for protobuf-java per #7854 (#8064)

See the full listing of changes

fix: improve VulnerableSoftware comparison (#8031)
build: fix flaky central test (#8039)
docs: Improve Gradle docs wrt experimental analyzers, use of Central and Proxy configuration (#8036)
docs: add note about central analyzer for gradle (#8038)

See the full listing of changes

fix: disable central analyzer after failures (#7993)
fix: Suppress JVM warnings from Lucene within CLI (#8003)
fix: Clean up Apache Lucene logging via SLF4j redirect (#7979)
fix: Correct Archive Analyzer behaviour on certain tgz archives (#7986)
fix: Update NVD CPE search URLs in generated reports to match new search interface (#7970)
fix: improve OSS Index Error Reporting (#7977)
fix(fp): Consolidate false positive suppression for false positives on Redis client libs (#8017)
fix(fp): Fix more common false positives for popular PHP/composer frameworks with generic names (#7994)
docs: improve slack notification documentation (#8026)
docs: Documentation artifactory settings fix (#7999)
docs: Clarify Nexus Analyzer requirements and usage (#8000)
build: Build amd64 and arm64 multi-platform Docker image (#7952)

See the full listing of changes

fix: Disable OSS Index if its credentials are missing (#7963)
fix: Correct CVSSv4 parsing for low precision OSSIndex values (#7935)
fix(fp): Fix false positives for Redis Server against NPM/JS client libs (#7942)
docs: Fix legacy GitHub links within docs and CHANGELOG (#7944)
chore: fix version typo in security policy (#7936)

See the full listing of changes

fix: Update to support OSS Index Authentication Requirements (#7920)
- Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer. See https://ossindex.sonatype.org/doc/auth-required.
fix: add CVSSv4 to suppressed entries in JSON report (#7900)
fix: correctly utilize CVSSv4 from ossindex (#7899)
fix: npe when processing cve with empty configuration (#7888)
fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod (#7848)
fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod
fix: class loading problem with fat jars (#7786) (#7787)
fix: Improve Artifactory handler log message (#7838)
fix: classloading problem with fat jars (#7786)
fix: Add null checking when parsing the license json in AbstractNpmAnalyzer. (#7784)
fix(fp): resolves several false positives related to CVE-2021-41033 (#7736)
docs: Clarify format of exclude patterns (#7879)
docs: Document poetry-based analysis behaviour in Python analyzer (#7855)
docs: request FP reporters use the latest version of ODC. (#7820)
docs: update development pre-reqs (#7792)
docs: fix minor typos in false positive issue template (#7763)

See the full listing of changes

See the full listing of changes

fix: Allow configuring OSS Index user/pw directly (#7640)
fix: remove vulnerable transitive dependency - beanutils (#7705)
fix: Simplify PHP framework suppression for Composer (#7693)
fix: update CPE pattern to remove FP (#7684)
fix(cli): Patch generated Windows shell script for JAVACMD installs with spaces (#7653)
fix: Resolve various WCAG accessibility / css issues in the HTML report (#7629)
fix: #7510 Display a dedicated message when receiving an HTTP 403 (#7575)
docs: Make Vulnerability Sources in Related Work clearer (#7691)
docs: #7610 add a reference to NVD mirroring in getting started documentation (#7611)

See the full listing of changes

fix: resolve NVD data Parse error com.fasterxml.jackson.core.JsonParseException: Unexpected character (']' (code 93))
- bump open-vulnerability-client from 7.3.1 to 7.3.2 (#7577)
fix: update links for repository move from jeremylong to the dependency-check organization (#7373)
fix: resolve NPE when processing CVE-2025-2682 (#7558)
fix: prevent rogue base suppression files (#7544)
fix: #6819 handle invalid toml file (#7548)
fix: Use unscored severity only in absence of any CVSS baseScore (#7530)
fix: protect against exotic version number of yarn (#7525)
fix: Ignore require-bundle MANIFEST.MF entry for evidence (#7523)
fix: avoid error on yarn berry audit when no vulnerability found (#7501)
fix: improve null checks in Downloader (#7493)
fix: improve null checks resolves dependency-check/dependency-check-gradle#441
fix: Avoid FPs when Composer product name has php (#7486)
fix: cli not honoring window paths correctly (#7470)
fix: Also apply muteNoisyLoggers to UpdateMojo (#7469)
fix: Make HC5 Downloader honor the connection- and readTimeout settings that the old URLConnectionFactory based downloads observed (#7437)
docs: sync the supported Maven version with the one stated in the system requirement section (#7570)
docs: update proxy config documentation (#7550)
docs: Remove copyright as requested by the Apache foundation
docs: drop redundant text in the Internet Access Required section (#7521)
docs: correct gradle documentation (#7511)

See the full listing of changes

build(deps): bump open-vulnerability-client to 7.2.2 (#7407)
- resolves issue with downloading data from the NVD (#7406)
fix: Improve thread safety issue #7338 alternative (#7367)
feat: Implement Yarn Berry Analyser (#7319)

See the full listing of changes