From f92a725d5f071979e546739e91a3885b3f1213fd Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 12 Sep 2022 06:48:17 -0400 Subject: [PATCH 1/6] fix build --- core/pom.xml | 2 ++ pom.xml | 4 ++-- utils/pom.xml | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/core/pom.xml b/core/pom.xml index 46877193cf2..2331c452f61 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -268,10 +268,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. com.fasterxml.jackson.core jackson-databind + ${jackson.version} com.fasterxml.jackson.module jackson-module-afterburner + ${jackson.version} com.h3xstream.retirejs diff --git a/pom.xml b/pom.xml index 49259389ecd..504428fe194 100644 --- a/pom.xml +++ b/pom.xml @@ -165,7 +165,7 @@ Copyright (c) 2012 - Jeremy Long 2.4.21 1.13.1 3.0.3 - + 2.13.4 @@ -1096,7 +1096,7 @@ Copyright (c) 2012 - Jeremy Long com.fasterxml.jackson jackson-bom - 2.13.4 + ${jackson.version} pom import diff --git a/utils/pom.xml b/utils/pom.xml index c5e4b309826..c9f012481cb 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -52,6 +52,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. com.fasterxml.jackson.core jackson-databind + ${jackson.version} commons-codec From 3c918280919300f3120b857c6b5e039709d14aa4 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 14 Sep 2022 06:18:54 -0400 Subject: [PATCH 2/6] added suppressions for misidentified dependencies in odc --- .../dependencycheck-base-suppression.xml | 65 ++++++++++++++----- 1 file changed, 50 insertions(+), 15 deletions(-) diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml index 8600a016ffb..03fa310df14 100644 --- a/core/src/main/resources/dependencycheck-base-suppression.xml +++ b/core/src/main/resources/dependencycheck-base-suppression.xml 
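Review bot: In the root pom.xml hunk the new `jackson.version` property (2.13.4) now drives both the `jackson-bom` import and the explicit `<version>${jackson.version}</version>` pins added to `jackson-databind` in core/pom.xml and utils/pom.xml, which leaves no way to take a databind-only micro-patch release (jackson-databind has historically shipped `2.x.y.z` fixes that the BOM and the other Jackson artifacts do not) without overriding the shared property. Consider a dedicated property, `<jackson-databind.version>${jackson.version}</jackson-databind.version>`, referenced by the two databind pins so a security-driven databind bump can be made independently of the rest of the Jackson set. The per-artifact pins also duplicate what the imported BOM already manages; if they were needed to make the build pass, as the subject suggests, a one-line comment next to them, e.g. `<!-- explicit version: BOM-managed version was not applied here; keep in sync with jackson.version -->`, would stop the next maintainer from removing them. The removed line immediately before the new property is not legible in this extraction, so I cannot tell whether a comment or an earlier property was dropped there.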
@@ -1,5 +1,40 @@ + + + ^pkg:maven/commons\-cli/commons\-cli@.*$ + cpe:/a:spirit-project:spirit + + + + ^pkg:maven/javax\.xml\.bind/jaxb\-api@.*$ + cpe:/a:oracle:java_se + + + + ^pkg:maven/joda\-time/joda\-time@.*$ + cpe:/a:time_project:time + + + + ^pkg:maven/javax\.ws\.rs/javax\.ws\.rs\-api@.*$ + cpe:/a:oracle:web_services + + + + ^pkg:maven/org\.sonatype\.ossindex/ossindex\-service\-api@.*$ + cpe:/a:service_project:service + cpe:/a:oracle:projects - - ^pkg:maven/org\.aspectj/aspectj.*@.*$ - cpe:/a:vmware:tools + ^pkg:maven/org\.aspectj/aspectj.*@.*$ + cpe:/a:vmware:tools - - ^pkg:maven/org\.apache\.kafka/kafka-log4j-appender@.*$ - cpe:/a:apache:log4j - cpe:/a:apache:kafka + ^pkg:maven/org\.apache\.kafka/kafka-log4j-appender@.*$ + cpe:/a:apache:log4j + cpe:/a:apache:kafka - - ^pkg:maven/com\.lightbend\.akka\.management/akka-management-cluster-bootstrap_2\.13@.*$ - cpe:/a:akka:akka + ^pkg:maven/com\.lightbend\.akka\.management/akka-management-cluster-bootstrap_2\.13@.*$ + cpe:/a:akka:akka - - ^pkg:maven/io\.netty/netty-tcnative-boringssl-static@.*$ - cpe:/a:chromium:chromium + ^pkg:maven/io\.netty/netty-tcnative-boringssl-static@.*$ + cpe:/a:chromium:chromium - ^pkg:maven/.*async.*@.*$ - cpe:/a:async_project:async + ^pkg:maven/.*async.*@.*$ + cpe:/a:async_project:async Date: Wed, 14 Sep 2022 06:19:37 -0400 Subject: [PATCH 3/6] bumped minor version as a new analyzer was added --- ant/pom.xml | 2 +- archetype/pom.xml | 2 +- cli/pom.xml | 2 +- core/pom.xml | 2 +- maven/pom.xml | 2 +- pom.xml | 2 +- utils/pom.xml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ant/pom.xml b/ant/pom.xml index a4d77d1ef94..c0828899f3b 100644 --- a/ant/pom.xml +++ b/ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.1.3-SNAPSHOT + 7.2.0-SNAPSHOT dependency-check-ant diff --git a/archetype/pom.xml b/archetype/pom.xml index eeceba5affe..bb37e5fa711 100644 --- a/archetype/pom.xml 
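Review bot: The five new entries escape hyphens (`commons\-cli`, `jaxb\-api`, `joda\-time`, `javax\.ws\.rs\-api`, `ossindex\-service\-api`) while the existing entries re-indented in the same hunk leave them bare (`kafka-log4j-appender`, `akka-management-cluster-bootstrap_2\.13`); `\-` is accepted by java.util.regex but has no effect outside a character class, so drop the escapes for consistency, e.g. `^pkg:maven/commons-cli/commons-cli@.*$`. Each new rule suppresses a CPE for every version of the matched artifact, which is the right tool for a mis-identified product but is permanent, and none of the new entries shows a rationale or tracking-issue note in this extraction (CDATA content may have been stripped); base suppressions shipped to every user should carry one, e.g. `<notes><![CDATA[False positive: CPE belongs to an unrelated product; see issue #NNNN]]></notes>`, so the match can be re-verified when NVD's CPE data changes. The widest pattern in the file, `^pkg:maven/.*async.*@.*$`, is only re-indented here, but it matches any Maven coordinate with "async" anywhere in the group or artifact, so it is worth confirming it is narrowed to the artifacts it was written for.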
+++ b/archetype/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.1.3-SNAPSHOT + 7.2.0-SNAPSHOT dependency-check-plugin Dependency-Check Plugin Archetype diff --git a/cli/pom.xml b/cli/pom.xml index c185c5fd193..9bf8d79f6be 100644 --- a/cli/pom.xml +++ b/cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.1.3-SNAPSHOT + 7.2.0-SNAPSHOT dependency-check-cli diff --git a/core/pom.xml b/core/pom.xml index 2331c452f61..0fb89de4de2 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.1.3-SNAPSHOT + 7.2.0-SNAPSHOT dependency-check-core diff --git a/maven/pom.xml b/maven/pom.xml index 856d6650db4..2d9222c0488 100644 --- a/maven/pom.xml +++ b/maven/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.1.3-SNAPSHOT + 7.2.0-SNAPSHOT dependency-check-maven maven-plugin diff --git a/pom.xml b/pom.xml index 504428fe194..2b8e99375ca 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 7.1.3-SNAPSHOT + 7.2.0-SNAPSHOT pom diff --git a/utils/pom.xml b/utils/pom.xml index c9f012481cb..2f433ead46a 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.1.3-SNAPSHOT + 7.2.0-SNAPSHOT dependency-check-utils From c6cf328797521739a6208b45ddbb388463af9d7c Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 14 Sep 2022 06:32:58 -0400 Subject: [PATCH 4/6] prepare release notes --- .github/workflows/release.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index da8434c32b6..00c39c7c5f0 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -186,10 +186,11 @@ jobs: draft: false body: | ### Changes - - The maven plugin now includes pnpm and yarn lock files in the scan by default (#4753). - - If a suppression rule is no longer used a log entry will be written (#4685). - - Several bug fixes made and suppression rules added. - - See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/47?closed=1). + - Add support for Bazel's pinned `maven_install.json` (#4772). + - Fixed bug preventing the use of custom report templates (#4800). + - Updated several dependencies including upgrades for dependencies with CVEs. + - Several bug fixes made and suppression rules were added. + - See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/48?closed=1). - name: Upload CLI id: upload-release-cli From 2ed09cc9607bbe247f49a43cbcfe797f4693578a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 14 Sep 2022 06:35:40 -0400 Subject: [PATCH 5/6] [maven-release-plugin] prepare release v7.2.0 --- ant/pom.xml | 4 ++-- archetype/pom.xml | 4 ++-- cli/pom.xml | 4 ++-- core/pom.xml | 4 ++-- maven/pom.xml | 4 ++-- pom.xml | 4 ++-- utils/pom.xml | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/ant/pom.xml b/ant/pom.xml index c0828899f3b..4ff2ebe6b91 100644 --- a/ant/pom.xml +++ b/ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0-SNAPSHOT + 7.2.0 dependency-check-ant @@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/ant scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v7.2.0 diff --git a/archetype/pom.xml b/archetype/pom.xml index bb37e5fa711..d9686e12ed0 100644 --- a/archetype/pom.xml +++ b/archetype/pom.xml 
@@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0-SNAPSHOT + 7.2.0 dependency-check-plugin Dependency-Check Plugin Archetype @@ -29,7 +29,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/archetype scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v7.2.0 diff --git a/cli/pom.xml b/cli/pom.xml index 9bf8d79f6be..54ff8199ff3 100644 --- a/cli/pom.xml +++ b/cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0-SNAPSHOT + 7.2.0 dependency-check-cli @@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/cli scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v7.2.0 dependency-check-${project.version} diff --git a/core/pom.xml b/core/pom.xml index 0fb89de4de2..96c568f1c9e 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0-SNAPSHOT + 7.2.0 dependency-check-core @@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/core scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v7.2.0 diff --git a/maven/pom.xml b/maven/pom.xml index 2d9222c0488..b991d8b4bdb 100644 --- a/maven/pom.xml +++ b/maven/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0-SNAPSHOT + 7.2.0 dependency-check-maven maven-plugin 
@@ -35,7 +35,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/maven scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v7.2.0 ${maven.api.version} diff --git a/pom.xml b/pom.xml index 2b8e99375ca..904bc306317 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 7.2.0-SNAPSHOT + 7.2.0 pom @@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck scm:git:https://github.com/jeremylong/DependencyCheck.git - v6.4.1 + v7.2.0 github diff --git a/utils/pom.xml b/utils/pom.xml index 2f433ead46a..fc5f5cd8e37 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0-SNAPSHOT + 7.2.0 dependency-check-utils @@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/utils scm:git:git@github.com:jeremylong/DependencyCheck.git - v6.4.1 + v7.2.0 org.owasp.dependencycheck.utils.* From dc2e1c921507d1666f5504c1f5026717c045e363 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 14 Sep 2022 06:35:40 -0400 Subject: [PATCH 6/6] [maven-release-plugin] prepare for next development iteration --- ant/pom.xml | 4 ++-- archetype/pom.xml | 4 ++-- cli/pom.xml | 4 ++-- core/pom.xml | 4 ++-- maven/pom.xml | 4 ++-- pom.xml | 4 ++-- utils/pom.xml | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/ant/pom.xml b/ant/pom.xml index 4ff2ebe6b91..6f694af4f40 100644 --- a/ant/pom.xml +++ b/ant/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0 + 7.2.1-SNAPSHOT dependency-check-ant 
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/ant scm:git:git@github.com:jeremylong/DependencyCheck.git - v7.2.0 + v6.4.1 diff --git a/archetype/pom.xml b/archetype/pom.xml index d9686e12ed0..d06e1b29908 100644 --- a/archetype/pom.xml +++ b/archetype/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0 + 7.2.1-SNAPSHOT dependency-check-plugin Dependency-Check Plugin Archetype @@ -29,7 +29,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/archetype scm:git:git@github.com:jeremylong/DependencyCheck.git - v7.2.0 + v6.4.1 diff --git a/cli/pom.xml b/cli/pom.xml index 54ff8199ff3..5ae7db0e316 100644 --- a/cli/pom.xml +++ b/cli/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0 + 7.2.1-SNAPSHOT dependency-check-cli @@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/cli scm:git:git@github.com:jeremylong/DependencyCheck.git - v7.2.0 + v6.4.1 dependency-check-${project.version} diff --git a/core/pom.xml b/core/pom.xml index 96c568f1c9e..0fbc34ba9d3 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0 + 7.2.1-SNAPSHOT dependency-check-core @@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/core scm:git:git@github.com:jeremylong/DependencyCheck.git - v7.2.0 + v6.4.1 
diff --git a/maven/pom.xml b/maven/pom.xml index b991d8b4bdb..4bcfa00901a 100644 --- a/maven/pom.xml +++ b/maven/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0 + 7.2.1-SNAPSHOT dependency-check-maven maven-plugin @@ -35,7 +35,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/maven scm:git:git@github.com:jeremylong/DependencyCheck.git - v7.2.0 + v6.4.1 ${maven.api.version} diff --git a/pom.xml b/pom.xml index 904bc306317..60a15eab96d 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long org.owasp dependency-check-parent - 7.2.0 + 7.2.1-SNAPSHOT pom @@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck scm:git:https://github.com/jeremylong/DependencyCheck.git - v7.2.0 + v6.4.1 github diff --git a/utils/pom.xml b/utils/pom.xml index fc5f5cd8e37..9a9aa911993 100644 --- a/utils/pom.xml +++ b/utils/pom.xml @@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 7.2.0 + 7.2.1-SNAPSHOT dependency-check-utils @@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. scm:git:https://github.com/jeremylong/DependencyCheck.git https://github.com/jeremylong/DependencyCheck/tree/master/utils scm:git:git@github.com:jeremylong/DependencyCheck.git - v7.2.0 + v6.4.1 org.owasp.dependencycheck.utils.*