From 17c5081e63c104cdc061dbcb0cb1105c6b2efe2f Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 19 Aug 2023 08:55:18 -0400 Subject: [PATCH] chore: prepare release (#5891) --- .github/workflows/release.yml | 14 +- CHANGELOG.md | 20 +- ant/pom.xml | 2 +- archetype/pom.xml | 2 +- cli/pom.xml | 2 +- core/pom.xml | 2 +- .../dependencycheck-base-suppression.xml | 579 ++++++++++++++++-- maven/pom.xml | 2 +- pom.xml | 2 +- utils/pom.xml | 2 +- 10 files changed, 567 insertions(+), 60 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 74aff3994dc..5d0bb1e16d7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -185,7 +185,19 @@ jobs: prerelease: false draft: false body: | - Re-release of 8.3.0 as 8.3.1. + ### Added + + - feat: Add support for Nexus v3 to NexusAnalyzer (#5849) + + ### Fixed + + - fix: Hint Analyzer should run before VersionFilter Analyzer (#5818) + - chore: switch to sha1-pinning as suggested by Semgrep + - fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845) + - fix: use curl with -L to follow github redirect (#5808) + - fix: use curl with -L to follow github redirect + - fix: #5671 out of memory error (#5789) + - fix: #5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError - name: Upload CLI id: upload-release-cli diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d691a69985..f280e31f733 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
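Review bot: The new release body lists `- fix: use curl with -L to follow github redirect` twice, once with `(#5808)` and once without, and the CHANGELOG.md hunk in this same commit repeats the duplicate; the unnumbered copy is presumably a leftover from the squash-merge subject and should be dropped in both places. The body also hard-codes the 8.4.0 notes into the workflow, so this copy and CHANGELOG.md will drift unless one is derived from the other — worth a comment above the `body: |` key such as `# keep in sync with the matching section of CHANGELOG.md`.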
@@ -1,11 +1,27 @@ # Change Log +## [Version 8.4.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v8.4.0) (2023-08-19) + +### Added + +- feat: Add support for Nexus v3 to NexusAnalyzer (#5849) + +### Fixed + +- fix: Hint Analyzer should run before VersionFilter Analyzer (#5818) +- chore: switch to sha1-pinning as suggested by Semgrep +- fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845) +- fix: use curl with -L to follow github redirect (#5808) +- fix: use curl with -L to follow github redirect +- fix: #5671 out of memory error (#5789) +- fix: #5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError + +See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/66?closed=1). + ## [Version 8.3.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v8.3.1) (2023-06-12) Re-release of 8.3.0 as 8.3.1. -### Added - ## [Version 8.3.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v8.3.0) (2023-06-12) ### Added diff --git a/ant/pom.xml b/ant/pom.xml index a926d5613a3..f2adfe0239b 100644 --- a/ant/pom.xml +++ b/ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-ant diff --git a/archetype/pom.xml b/archetype/pom.xml index f2cde125013..8d83d85dfae 100644 --- a/archetype/pom.xml +++ b/archetype/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-plugin Dependency-Check Plugin Archetype diff --git a/cli/pom.xml b/cli/pom.xml index b0b5bc84db3..26ce69d3e7d 100644 --- a/cli/pom.xml +++ b/cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-cli 
diff --git a/core/pom.xml b/core/pom.xml index 9ef676d825a..01c2106cc32 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-core diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 103a10ceed0..3d428a6fbc7 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml 
@@ -6213,177 +6213,656 @@ + FP per issue #5333 + ]]> ^pkg:maven/com\.graphql-java-kickstart/graphql-kickstart-spring-support@.*$ cpe:/a:graphql-java_project:graphql-java + FP per issue #5336 + ]]> ^pkg:maven/org\.openrewrite\.recipe/rewrite-jhipster@.*$ cpe:/a:jhipster:jhipster + FP per issue #5361 + ]]> ^pkg:maven/jakarta\.resource/jakarta\.resource-api@.*$ cpe:/a:payara:payara + FP per issue #5373 + ]]> ^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$ cpe:/a:voyager_project:voyager + FP per issue #5372 + ]]> ^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$ cpe:/a:smiley_project:smiley + FP per issue #5380 + ]]> ^pkg:maven/dev\.ludovic\.netlib/lapack@.*$ cpe:/a:lapack_project:lapack + FP per issue #5375 + ]]> ^pkg:maven/org\.eclipse\.microprofile\.jwt/microprofile-jwt-auth-api@.*$ cpe:/a:payara:payara + FP per issue #5368 + ]]> ^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop-shaded-protobuf_3_7@.*$ cpe:/a:apache:hadoop + FP per issue #5325 + ]]> ^pkg:maven/com\.enterprisedt/edtFTPj@.*$ cpe:/a:ftp_project:ftp + FP per issue #5436 + ]]> ^pkg:maven/org\.codehaus\.woodstox/stax2-api@.*$ cpe:/a:fasterxml:woodstox + FP per issue #5459 + ]]> ^pkg:maven/com\.oracle\.database\.nls/orai18n@.*$ cpe:/a:oracle:database + FP per issue #5460 + ]]> ^pkg:maven/com\.oracle\.database\.nls/orai18n@.*$ cpe:/a:oracle:oracle_database + FP per issue #5501 + ]]> ^pkg:maven/org\.jsonschema2pojo/jsonschema2pojo-jdk-annotation@.*$ cpe:/a:json-schema_project:json-schema + FP per issue #5500 + ]]> ^pkg:maven/org\.apache\.iceberg/iceberg-orc@.*$ cpe:/a:apache:orc + FP per issue #5499 + ]]> ^pkg:maven/org\.apache\.iceberg/iceberg-flink-1\.15@.*$ cpe:/a:apache:flink + FP per issue #5498 + ]]> ^pkg:maven/com\.googlecode\.javaewah/JavaEWAH@.*$ cpe:/a:google:google_search + FP per issue #5497 + ]]> ^pkg:maven/com\.google\.cloud/grpc-gcp@.*$ cpe:/a:grpc:grpc + FP per issue #5496 + ]]> ^pkg:maven/org\.apache\.flink/flink-s3-fs-hadoop@.*$ cpe:/a:apache:hadoop + FP per issue #5492 + ]]> 
^pkg:maven/com\.microsoft\.azure/azure-cosmosdb-direct@.*$ cpe:/a:microsoft:platform_sdk + FP per issue #5491 + ]]> ^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$ cpe:/a:www-sql_project:www-sql + FP per issue #5490 + ]]> ^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$ cpe:/a:async_project:async + FP per issue #5471 + ]]> ^pkg:maven/org\.apache\.spark/spark-token-provider-kafka-0-10_2\.12@.*$ cpe:/a:apache:kafka + FP per issue #5462 + ]]> ^pkg:maven/org\.apache\.ws\.commons\.axiom/axiom-impl@.*$ cpe:/a:web_project:web + FP per issue #5461 + ]]> ^pkg:maven/com\.github\.luben/zstd-jni@.*$ cpe:/a:freebsd:freebsd + FP per issue #5506 + ]]> ^pkg:maven/io\.kamon/kamon-prometheus_2\.13@.*$ cpe:/a:prometheus:prometheus + + + + + ^pkg:maven/com\.github\.dasniko/testcontainers-keycloak@.*$ + cpe:/a:keycloak:keycloak + + + + ^pkg:maven/org\.apache\.kerby/zookeeper-backend@.*$ + cpe:/a:apache:zookeeper + + + + ^pkg:maven/org\.apache\.camel\.springboot/camel-ftp-starter@.*$ + cpe:/a:ftp_project:ftp + + + + ^pkg:maven/javax\.resource/connector@.*$ + cpe:/a:sun:j2ee + + + + ^pkg:maven/org\.springframework\.cloud/spring-cloud-sleuth-autoconfigure@.*$ + cpe:/a:vmware:spring_cloud_config + + + + ^pkg:maven/org\.jfrog\.artifactory\.client/artifactory-java-client-services@.*$ + cpe:/a:jfrog:artifactory + + + + ^pkg:maven/net\.minidev/accessors-smart@.*$ + cpe:/a:json-smart_project:json-smart + + + + ^pkg:maven/org\.springframework\.integration/spring-integration-ftp@.*$ + cpe:/a:vmware:spring_integration + + + + ^pkg:maven/com\.graphql-java/graphql-java-extended-scalars@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-java-tools@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-java-servlet@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-java-kickstart@.*$ + cpe:/a:graphql-java:graphql-java + + + + 
^pkg:maven/com\.graphql-java-kickstart/graphql-kickstart-spring-support@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/org\.bouncycastle/bcpg-jdk15on@.*$ + cpe:/a:open_cas_project:open_cas + + + + ^pkg:maven/org\.jboss\.resteasy\.microprofile/microprofile-config@.*$ + cpe:/a:redhat:resteasy + + + + ^pkg:maven/org\.apache\.ignite/ignite-log4j2@.*$ + cpe:/a:apache:log4j + + + + ^pkg:maven/org\.apache\.directory\.api/api-ldap-net-mina@.*$ + cpe:/a:apache:mina + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-webclient@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/io\.quarkiverse\.openapi\.generator/quarkus-openapi-generator@.*$ + cpe:/a:openapi-generator:openapi_generator + + + + ^pkg:nuget/MagicFileEncoding@.*$ + cpe:/a:file_project:file + + + + ^pkg:nuget/FluentFTP@.*$ + cpe:/a:ftp:ftp + + + + ^pkg:nuget/KubernetesClient@.*$ + cpe:/a:kubernetes:kubernetes + + + + ^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.johnzon@.*$ + cpe:/a:apache:sling_commons_json + + + + ^pkg:nuget/AspNetCoreRateLimit\.Redis@.*$ + cpe:/a:asp-project:asp-project + + + + ^pkg:maven/io\.swagger\.parser\.v3/swagger-parser-safe-url-resolver@.*$ + cpe:/a:parse-url_project:2.1.14 + + + + ^pkg:maven/org\.jruby/jzlib@.*$ + cpe:/a:jruby:jruby + + + + ^pkg:maven/com\.bazaarvoice\.jolt/json-utils@.*$ + cpe:/a:utils_project:utils + + + + ^pkg:maven/org\.springframework\.integration/spring-integration-ftp@.*$ + cpe:/a:ftp_project:ftp + + + + ^pkg:maven/org\.mockftpserver/MockFtpServer@.*$ + cpe:/a:ftp_project:ftp + + + + ^pkg:maven/com\.sun\.xml\.bind\.jaxb/isorelax@.*$ + cpe:/a:xml_library_project:xml_library + + + + ^pkg:maven/org\.jboss\.resteasy\.microprofile/.*$ + cpe:/a:redhat:resteasy + + + + + ^pkg:maven/org\.jboss\.resteasy\.microprofile/microprofile-rest-client@.*$ + cpe:/a:redhat:resteasy + + + + ^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.osgi@.*$ + cpe:/a:apache:sling + + + + ^pkg:maven/cloud\.localstack/localstack-utils@.*$ + 
cpe:/a:utils_project:utils + + + + ^pkg:nuget/Minio\.AspNetCore@.*$ + cpe:/a:minio:minio + + + + ^pkg:maven/org\.apache\.thrift/libfb303@.*$ + cpe:/a:apache:thrift + + + + ^pkg:nuget/RazorEngine\.NetCore@.*$ + cpe:/a:razorengine_project:razorengine + + + + ^pkg:maven/io\.github\.graphql-java/graphql-java-annotations@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java-kickstart/graphql-spring-boot-starter@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.graphql-java/java-dataloader@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support-api@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support@.*$ + cpe:/a:graphql-java:graphql-java + + + + ^pkg:maven/org\.apache\.cxf/cxf-rt-bindings-soap@.*$ + cpe:/a:apache:soap + + + + ^pkg:nuget/Microsoft\.Win32\.SystemEvents@.*$ + cpe:/a:events_project:events + + + + ^(?!pkg:maven/net\.pwall\.json/jsonutil).*$ + cpe:/a:jsonutil_project:jsonutil + + + + ^pkg:maven/com\.apollographql\.apollo3/.*$ + cpe:/a:apollo_project:apollo + + + + + ^pkg:maven/com\.apollographql\.apollo3/apollo-annotations-jvm@.*$ + cpe:/a:apollo_project:apollo + + + + ^pkg:maven/com\.itextpdf\.licensing/licensing-base@.*$ + cpe:/a:itextpdf:itext + + + + ^pkg:maven/com\.itextpdf\.licensing/licensing-remote@.*$ + cpe:/a:itextpdf:itext + + + + ^pkg:npm/wordwrap@.*$ + cpe:/a:word-wrap_project:word-wrap + + + + ^pkg:maven/com\.exactpro\.th2/netty-bytebuf-utils@.*$ + cpe:/a:utils_project:utils + + + + ^pkg:maven/io\.github\.detekt\.sarif4k/sarif4k-jvm@.*$ + cpe:/a:detekt:detekt + + + + ^pkg:maven/org\.apache\.avro/avro@.*$ + cpe:/a:avro_project:avro + + + + ^pkg:maven/commons-logging/commons-logging@.*$ + cpe:/a:morgan_project:morgan + + + + ^pkg:maven/com\.lightbend\.akka\.grpc/.*$ + cpe:/a:akka:akka + cpe:/a:lightbend:akka + cpe:/a:grpc:grpc + + + + 
^pkg:maven/com\.lightbend\.akka/akka-persistence-r2dbc.*$ + cpe:/a:akka:akka + cpe:/a:lightbend:akka + + + + ^pkg:maven/com\.lightbend\.akka/akka-projection-.*$ + cpe:/a:akka:akka + cpe:/a:lightbend:akka + + + + ^pkg:maven/com\.lightbend\.akka/akka-projection-grpc.*$ + cpe:/a:grpc:grpc + + + + ^pkg:maven/org\.apache\.jackrabbit/oak-.*$ + cpe:/a:apache:jackrabbit + + + + ^pkg:maven/org\.apache\.jackrabbit/oak-core@.*$ + cpe:/a:apache:jackrabbit + + + + ^pkg:maven/com\.vaadin/vaadin-swing-kit-flow@.*$ + cpe:/a:vaadin:flow + + + + ^pkg:maven/org\.apache\.sling/org\.apache\.sling\.commons\.johnzon@.*$ + cpe:/a:apache:sling + + + + ^pkg:maven/io\.netty\.incubator/netty-incubator-codec-classes-quic@.*$ + cpe:/a:quic_project:quic + + + + ^pkg:maven/org\.apache\.geronimo\.specs/geronimo-saaj_1\.3_spec@.*$ + cpe:/a:apache:soap + + + + ^pkg:maven/org\.ops4j\.pax\.logging/pax-logging-log4j2@.*$ + cpe:/a:apache:log4j + + + + ^pkg:maven/software\.amazon\.awssdk\.crt/aws-crt@.*$ + cpe:/a:amazon:aws-sdk-java + + + diff --git a/maven/pom.xml b/maven/pom.xml index fd905920999..8175c85d367 100644 --- a/maven/pom.xml +++ b/maven/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-maven maven-plugin diff --git a/pom.xml b/pom.xml index 8a501ce99b5..f6e1a62ec5b 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT pom diff --git a/utils/pom.xml b/utils/pom.xml index 2350daa0d1a..2ac41b2d4af 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 8.3.2-SNAPSHOT + 8.4.0-SNAPSHOT dependency-check-utils
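Review bot: The entry for `io\.swagger\.parser\.v3/swagger-parser-safe-url-resolver` suppresses `cpe:/a:parse-url_project:2.1.14`, which carries a version number in the product position, so it most likely never matches the CPE the NVD actually assigns (probably `cpe:/a:parse-url_project:parse-url`, to be confirmed against the report that triggered it) and the false positive would persist for users. The `pax-logging-log4j2` → `cpe:/a:apache:log4j` suppression deserves an explanatory note, because that bundle repackages Log4j 2 classes and once the match is silenced the embedded Log4j version is no longer evaluated at all; the notes should state that this is a known blind spot rather than a plain mismatch. Unlike the first batch, the entries after `kamon-prometheus` show no `FP per issue #NNNN` note in the hunk (if the notes were merely lost in rendering, ignore this); for a base suppression file shipped to every user, each entry should record the issue that justified it so it can be re-audited when NVD data changes. Finally, the artifact-specific entries for `microprofile-rest-client@`, `oak-core@` and `apollo-annotations-jvm@` are already covered by the wildcard entries `org\.jboss\.resteasy\.microprofile/.*`, `oak-.*` and `apollo3/.*` added in the same hunk, so either drop the narrow ones or narrow the wildcards to keep the intended scope unambiguous.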