chore(deps): update dependency org.owasp:dependency-check-maven from v8.4.3 to v11

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.owasp:dependency-check-maven (source)	8.4.3 -> 11.0.0

---

Release Notes

jeremylong/DependencyCheck (org.owasp:dependency-check-maven)

v11.0.0

Compare Source

• breaking change: Switch from JMockit to Mockito & build target to Java 11 (#​6922)
  • dependency-check now requires a minimum of Java 11.0 to run
• breaking change: bump com.h2database:h2 from 2.1.214 to 2.3.232 (#​6132)
  • H2 databases generated with an older version of ODC will not work with ODC 11.0.0; a new H2 db must be generated
• feat: Replace old Downloader by an Apache HTTPClient based downloader
• feat: Use Apache HTTPClient for downloads of public resources (#​6949)
• feat: Also make NodeAuditSearch usr our HTTPClient based connections
• feat: Also make OSSIndexAnalyzer use our HTTPClient based connections
• feat: Migrate CentralSearch to use Apache HTTP-client via Downloader
• feat: Extend apache HTTP-client usage to EngineVersionCheck
• feat: Remove the need to specify dbDriver for external databases using JDBCv4 ServiceLoader supporting JDBC drivers (#​6938)
• fix: use latest generated suppressions (#​7064)
• fix: Fixup parameter sequence for Dowloader credentials (#​7033)
• fix: Fixup the missing addition of NVD API Datafeed credentials (if configured)
• fix: Fixup broken proxy authentication in first attempt; extend to include KEV downloads
• fix: store timestamps locally for local resources (#​6936)
• build: Remove the animal-sniffer, propagate java version to plugin-archetype (#​6950)
• build: Update Checkstyle configuration and Suppression DTD references (#​6951)
• chore: Update test db schema (#​7036)
• chore: remove old, unneeded database upgrade script
• docs: reformat javadoc (#​7009)
• docs: Fixup javadoc warnings (#​6995)
• chore: Replace use of several deprecated methods/classes by their successors (#​6933)

See the full listing of changes.

v10.0.4

Compare Source

• build(deps): exclude unused dependency (#​6916)
• fix: improve regex (#​6917)
• fix: correctly handle null values in cpeMatch (#​6915)
• fix(site): Update Fluido skin to resolve broken fork-me-on-github image (#​6914)
• fix: do not report over 100% download complete (#​6899)
• fix: Correct spelling of occurring in NvdApiDataSource.java (#​6883)
• fix: skip blank lines in requirements.txt (#​6867)
• fix: correct percentage calculation (#​6868)
• docs: remove old recommendation (#​6860)

See the full listing of changes.

v10.0.3

Compare Source

• feat: Enable configuration of a lower resultsPerPage on NVD API (#​6843)
• build(deps): bump open-vulnerability-clients from 6.1.6 to 6.1.7 (#​6848)
• build(deps): bump JamesIves/github-pages-deploy-action from 4.6.1 to 4.6.3 (#​6814)
• build(deps): bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.0 (#​6762)
• build(deps): bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 (#​6815)
• build(deps): bump golang from 1.22.4-alpine to 1.22.5-alpine (#​6805)

See the full listing of changes.

v10.0.2

Compare Source

Mandatory Upgrade - due to older versions of dependency-check causing numerous, spurious requests that end in processing failures, this upgrade is mandatory so that the NVD can differentiate valid requests and block the old clients.

• build(deps): bump open-vulnerability-clients (#​6810)
• fix(db): #​6788 removing redundant db index "idxVulnerability" on "vulnerability.cve" (#​6807)
• docs: Further improve formatting and docs of H2 database caching strats (#​6804)
• fix: update_vulnerability in dbStatements_oracle.properties (#​6803)
• fix: fix NPE (#​6778)
• fix: add hint to resolve false negative (#​6802)
• chore: update configure (#​6794)

See the full listing of changes.

v10.0.1

Compare Source

• build(deps): bump open-vulnerability-client (#​6772)
• fix: remove debug logging (#​6770)
• fix: postgresql column count error (#​6773)
• fix: mssql column name and version (#​6761)
• docs: update supported versions (#​6771)

See the full listing of changes.

v10.0.0

Compare Source

• breaking change: upgrade to dotnet 8.0 (#​6580)
  • Users of the AssemblyAnalyzer must upgrade/utilize dotnet 8 to analyze assemblies
• feat: fix the NVD API related errors by adding cvssV4 support (#​6756)
  • breaking changes: anyone utilizing a centralized database will need to upgrade the schema; see changes in PR #​6756
• fix: avoid escaping unnecessary chars in HTML report suppression regexes (#​6749)
• fix: #​6688 Trim version number when parsin POM (#​6705)
• fix: change request if lockfile is file v3 (#​6690)
• fix: skip pyproject.toml unless it contains tool.poetry before ensuring lockfiles (#​6681)

See the full listing of changes.

v9.2.0

Compare Source

• docs: update logo per intellj (#​6660)
• feat: Carthage analyzer (#​6614)
• fix: Ensure valid JSON output for gitlab report (#​6630)
• feat: Support Package.swift version 3 Specification (#​6578)
• chore: Update the packaged suppressions to include new hosted suppressions (#​6567)

See the full listing of changes.

v9.1.0

Compare Source

• feat: Add v2 support for maven_install.json (#​6528)
• build(deps): bump open-vulnerability-client (#​6554)
  • resolves update issues due to CVSS Metrics 4.0
• build(deps): bump jackson.version from 2.16.0 to 2.16.1 (#​6353)
• build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 (#​6362)
• build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine (#​6506)

See the full listing of changes.

v9.0.10

Compare Source

• fix: #​4321 Suppress redis server CVEs for client libraries (#​4321) (#​6489)
• fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#​6492)
• feat: Allow to pass NVD API key via environment variable (#​6454)
• fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#​6501)
• docs: document the default data directory (#​6484)
• fix: prevent NPE in bundler audit (#​6462)
• fix: #​6441 Improve suppression rule to not restrict to a single version (#​6442)

See the full listing of changes.

v9.0.9

Compare Source

• fix: for #​6374 to delete non-empty directories (#​6375)
• fix: NoSuchMethodError closeQuietly(java.io.Closeable[]) (#​6377)
• chore: close stream to prevent possible resource leak (#​6382)
• docs: Document default for CLI --data (#​6359)
• docs: document gradle build (#​6371)

See the full listing of changes.

v9.0.8

Compare Source

• fix: favor stability over performance (#​6349)
• chore: replace commons-io with core java calls (#​6343)
• fix: improve error reporting for invalid H2 database (#​6339)
• fix: rework fix for closing input streams on errors correctly (#​6338)
• fix: reduce chance NVD API block updates due to rate limit (#​6333)
• fix: ensure open handles will not leak on errors (#​6326)
• fix: improve error reporting (#​6324)

See the full listing of changes.

v9.0.7

Compare Source

• docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#​6315)
• fix: improve memory usage on NVD update (#​6321)
• fix: skip pyproject.toml unless it contains tool.poetry (#​6316)
• fix: resolve build error that may cause an issue on some JDK versions (#​6312)

See the full listing of changes.

v9.0.6

Compare Source

• build: bump [email protected] (#​6308)
• fix: mask nvd.api.key in logs; see GHSA-qqhq-8r2c-c3f5 (#​6307)
• fix: update java version check (#​6297)
• fix: more efficient memory usage (#​6299)
• fix: stream NVD data via Jackson to reduce memory footprint (#​6275)
• docs: document github action caching (#​6301)

See the full listing of changes.

v9.0.5

Compare Source

• fix: make NVD API endpoint configurable (#​6287)
• fix: synch last modified timestamp for NVD API (#​6281)
• fix: read NVD cache meta files if cache.properties does not exist (#​6282)
• fix: correct property for nonProxyHosts (#​6285)
• fix: reduce apache http logging (#​6280)
• fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db (#​6271)
• build: bump golang in the docker image (#​6274)
• fix: use temporary files to reduce memory usage during the NVD Update (#​6270)
• fix: use BIT for Oracle DB instead of Boolean when calling prepared statements (#​6264)
• fix: showing all reference tags in reports (#​6259)

See the full listing of changes.

v9.0.4

Compare Source

• fix: utilize maven proxy if present (#​6255)
• fix: allow api key in cli to be quoted (#​6253)
• fix: use correct maven plugin reporting plugin (#​6244)
• fix: correct trailing comma in JSON report (#​6245)

See the full listing of changes.

v9.0.3

Compare Source

• fix: use Java properties for proxy configuration (#​6238)
• docs: update proxy configuration documentation (#​6237)
• docs: add documentation on caching (#​6204)
• docs: Clarify H2 database caching strategy (#​6220)
• docs: Update list of supported report formats (#​6224)
• docs: example 5 with new nvdDatafeedUrl parameter (#​6215)
• fix: prevent NPEs (#​6232 and #​6206)
• fix: check valid for hours for NVD API (#​6225)
• fix: correct NVD cache last checked logic (#​6218)
• fix: nvd datafeed should process current year (#​6213)
• fix: correct references to cvssv2 and cvssv3 fields in json and xml reports (#​6212)
• fix: correct name on reference links in report (#​6205)
• fix: flaws int the gitlab report (#​6193)

See the full listing of changes.

v9.0.2

Compare Source

• fix: remove virtual match string on NVD API Request (#​6177)
• fix: correct meta data in report after switching the NVD API (#​6154)
• fix: retry HTTP connections to NVD on 502 and 504 errors (#​6151)
• fix: Gitlab report format needs severity capitalized (#​6182)
• fix: improve JDK update version parsing (#​6163)
• fix: mute JCS logging (again) (#​6153)

See the full listing of changes.

v9.0.1

Compare Source

• fix: #​4321 Suppress redis server CVEs for client libraries (#​4321) (#​6489)
• fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#​6492)
• feat: Allow to pass NVD API key via environment variable (#​6454)
• fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#​6501)
• docs: document the default data directory (#​6484)
• fix: prevent NPE in bundler audit (#​6462)
• fix: #​6441 Improve suppression rule to not restrict to a single version (#​6442)

See the full listing of changes.

v9.0.0

Compare Source

breaking changes: See the upgrade notice

• feat: Utilize NVD API (#​5978)
• feat: gitlab dependency scanner report format #​5919 (#​5920)
• fix: Use ASCII apostrophe for console message (#​6076)

See the full listing of changes.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarcloud]

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud