Skip to content

Bump dependency-check-maven from 7.1.2 to 8.1.2#307

Open
dependabot[bot] wants to merge 78 commits intomasterfrom
dependabot/maven/org.owasp-dependency-check-maven-8.1.2
Open

Bump dependency-check-maven from 7.1.2 to 8.1.2#307
dependabot[bot] wants to merge 78 commits intomasterfrom
dependabot/maven/org.owasp-dependency-check-maven-8.1.2

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 28, 2023

Bumps dependency-check-maven from 7.1.2 to 8.1.2.

Release notes

Sourced from dependency-check-maven's releases.

Version 8.1.2

Fixed

  • Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#5512)

Version 8.1.1

Fixed

  • allow hosted suppressions file to be disabled (#5509)
  • Several FPs not suitable for our automation (#5504)
  • Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#5503)
  • Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer (#5487)
  • Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#5473)
  • Node package dependencies ending up as related dependency of the wrong version of the package (#5479)
  • do not throw error if pyproject.toml is in node_modules (#5470)

See the full listing of changes.

Version 8.1.0

Added

  • Pipefile.lock files are now supported (#5404).
  • Python projects with only a pyproject.toml but no lock file or requirements will report an error as ODC is unable to analyze the project (#5409).

Fixed

  • Some maven projects caused false positives due to bad string interpolation (#5421).
  • Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis (#5408).
  • Correct issue where database defrag occurs even when no updates were performed (#5441).
  • Fixed several False Positives and one False Negative.
  • Fixed the format configuration more flexible in the gradle plugin ([dependency-check-gradle/#324](dependency-check/dependency-check-gradle#324)).

See the full listing of changes.

Version 8.0.2

Fixed

  • Resolved bug causing an issue with some Maven Extensions (#5366).
  • ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#5371).
  • Updated CSV report so that it no longer has a duplicate description column (#5364).
  • Moved several logging statements to trace which should drastically reduce the log size (#5350).
  • Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#5351).
  • Fixed the sarif report format and added validation (#5345 and (#5363)
  • Fixed MalformedPackageException in the gradle plugin ([dependency-check-gradle/#320](dependency-check/dependency-check-gradle#320)).
  • Fixed MissingMethodException in the gradle plugin ([dependency-check-gradle/#316](dependency-check/dependency-check-gradle#316)).

See the full listing of changes.

Version 8.0.1

Fixed

... (truncated)

Changelog

Sourced from dependency-check-maven's changelog.

Version 8.1.2 (2023-02-28)

Fixed

  • Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#5512)

See the full listing of changes.

Version 8.1.1 (2023-02-27)

Fixed

  • allow hosted suppressions file to be disabled (#5509)
  • Several FPs not suitable for our automation (#5504)
  • Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#5503)
  • Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer (#5487)
  • Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#5473)
  • Node package dependencies ending up as related dependency of the wrong version of the package (#5479)
  • do not throw error if pyproject.toml is in node_modules (#5470)

See the full listing of changes.

Version 8.1.0 (2023-01-26)

Added

  • Pipefile.lock files are now supported (#5404).
  • Python projects with only a pyproject.toml but no lock file or requirements will report an error as ODC is unable to analyze the project (#5409).

Fixed

  • Some maven projects caused false positives due to bad string interpolation (#5421).
  • Error message from Assembly Analyzer has been updated to emphasize dotnet 6 is required for analysis (#5408).
  • Correct issue where database defrag occurs even when no updates were performed (#5441).
  • Fixed several False Positives and one False Negative.
  • Fixed the format configuration more flexible in the gradle plugin ([dependency-check-gradle/#324](dependency-check/dependency-check-gradle#324)).

See the full listing of changes.

Version 8.0.2 (2023-01-26)

Fixed

  • Resolved bug causing an issue with some Maven Extensions (#5366).
  • ArchiveAnalyzer will now correctly throw an exception if it cannot open an Archive (#5371).
  • Updated CSV report so that it no longer has a duplicate description column (#5364).
  • Moved several logging statements to trace which should drastically reduce the log size (#5350).
  • Fixed bug with RetireJS' --retirejsFilterNonVulnerable and --retirejsFilter when used with the CLI (#5351).
  • Fixed the sarif report format and added validation (#5345 and (#5363)
  • Fixed MalformedPackageException in the gradle plugin ([dependency-check-gradle/#320](dependency-check/dependency-check-gradle#320)).

... (truncated)

Commits
  • 3582a9d build:prepare release v8.1.2
  • afc6922 docs: prepare release
  • 7106a08 build(deps): bump maven-compiler-plugin from 3.10.1 to 3.11.0 (#5513)
  • 7bab876 build(deps): bump maven-plugin-plugin from 3.7.1 to 3.8.1 (#5514)
  • 6e080bd build(deps): bump maven-plugin-annotations from 3.7.1 to 3.8.1 (#5515)
  • 905f74f fix: Ensure retrievePomProperties always returns non-null (#5512)
  • c5a64d3 build(deps): bump maven-plugin-annotations from 3.7.1 to 3.8.1
  • f7dbe3f build(deps): bump maven-plugin-plugin from 3.7.1 to 3.8.1
  • 9556b19 build(deps): bump maven-compiler-plugin from 3.10.1 to 3.11.0
  • 7591497 style: Make checkstyle happy
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

stemlaur and others added 30 commits January 28, 2021 14:20
@stemlaur
Renomme les repositories pour enlever le terme Repository (#130)
e16cc4c 
Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Add adr directory and archunit (#134)
8cbb191 
* Add a directory doc/architecture/

* Add arch-unit and declare swagger URL

Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
Upgrade all dependencies
94bb15d
Remove rest module
ab96023
Update README.md
c17df68
Remove inmemorypersistence module
dfcabff
@stemlaur
Debt/refactor exceptions and value objects (#149)
1897981 
* Move catalog inner Exceptions to upper level

* Move study inner Exceptions to upper level

* Introduce DeckId

* Introduce DeckId

* Rename a test with a typo

* Optimise import

* Rename inner field to value

* Add a test for DeckTitle

* Declare DeckTitle invariants about length

* Rename Deck#id to Deck#idString

* Rename Deck#title to Deck#titleString

* Fix "Class path contains multiple SLF4J bindings" and update dependencies

Co-authored-by: Stemlaur <stemlaur@stemlaur.com>
Create API interfaces on catalog
7938dbb
Create API interface on study
4479cc2
Utilise l'API de study
994ee7e
Typo
1991441
Rename methods
38da5bb
Test hashcodes and equals
241929c
Test hashcodes and equals for Score and Session
7c707a2
@dependabot-preview @stemlaur
Upgrade to GitHub-native Dependabot (#143)
0d4f80f 
* Upgrade to GitHub-native Dependabot

* Store ignoring dependencies

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Laurent Stemmer <stemlaur@users.noreply.github.com>
Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
Use APIs interfaces instead of concrete DeckService
d985ce0
@dependabot @stemlaur
Bump spring-boot-maven-plugin from 2.2.4.RELEASE to 2.6.2 (#157)
f404aa7 
* Bump spring-boot-maven-plugin from 2.2.4.RELEASE to 2.6.2

Bumps [spring-boot-maven-plugin](https://github.com/spring-projects/spring-boot) from 2.2.4.RELEASE to 2.6.2.
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v2.2.4.RELEASE...v2.6.2)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-maven-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Use APIs interfaces instead of concrete DeckService

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Laurent Stemmer <stemlaur@users.noreply.github.com>
Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Update misc dependencies (#158)
6a1781e 
* Bumps maven-jar-plugin from 3.2.0 to 3.2.2

* Bumps maven-deploy-plugin from 3.0.0-M1 to 3.0.0-M2

* Bumps maven-failsafe-plugin from 3.0.0-M4 to 3.0.0-M5

* Bumps maven-assembly-plugin from 3.2.0 to 3.3.0

Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Bumps maven-assembly-plugin from 3.2.0 to 3.3.0 (#159)
1599a64 
Bumps maven-compiler-plugin from 3.8.1 to 3.9.0

Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@dependabot @stemlaur
Bump maven-compiler-plugin from 3.8.1 to 3.9.0 (#155)
ade3793 
Bumps [maven-compiler-plugin](https://github.com/apache/maven-compiler-plugin) from 3.8.1 to 3.9.0.
- [Release notes](https://github.com/apache/maven-compiler-plugin/releases)
- [Commits](apache/maven-compiler-plugin@maven-compiler-plugin-3.8.1...maven-compiler-plugin-3.9.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-compiler-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Laurent Stemmer <stemlaur@users.noreply.github.com>
@dependabot-preview @stemlaur
Bump maven-assembly-plugin from 3.2.0 to 3.3.0 (#87)
dc0f445 
Bumps [maven-assembly-plugin](https://github.com/apache/maven-assembly-plugin) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/apache/maven-assembly-plugin/releases)
- [Commits](apache/maven-assembly-plugin@maven-assembly-plugin-3.2.0...maven-assembly-plugin-3.3.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Laurent Stemmer <stemlaur@users.noreply.github.com>
@dependabot @stemlaur
Bump cucumber.version from 7.1.0 to 7.2.2 (#150)
0381863 
Bumps `cucumber.version` from 7.1.0 to 7.2.2.

Updates `cucumber-junit-platform-engine` from 7.1.0 to 7.2.2
- [Release notes](https://github.com/cucumber/cucumber-jvm/releases)
- [Changelog](https://github.com/cucumber/cucumber-jvm/blob/main/CHANGELOG.md)
- [Commits](cucumber/cucumber-jvm@v7.1.0...v7.2.2)

Updates `cucumber-java` from 7.1.0 to 7.2.2
- [Release notes](https://github.com/cucumber/cucumber-jvm/releases)
- [Changelog](https://github.com/cucumber/cucumber-jvm/blob/main/CHANGELOG.md)
- [Commits](cucumber/cucumber-jvm@v7.1.0...v7.2.2)

Updates `cucumber-spring` from 7.1.0 to 7.2.2
- [Release notes](https://github.com/cucumber/cucumber-jvm/releases)
- [Changelog](https://github.com/cucumber/cucumber-jvm/blob/main/CHANGELOG.md)
- [Commits](cucumber/cucumber-jvm@v7.1.0...v7.2.2)

---
updated-dependencies:
- dependency-name: io.cucumber:cucumber-junit-platform-engine
  dependency-type: direct:development
  update-type: version-update:semver-minor
- dependency-name: io.cucumber:cucumber-java
  dependency-type: direct:development
  update-type: version-update:semver-minor
- dependency-name: io.cucumber:cucumber-spring
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Laurent Stemmer <stemlaur@users.noreply.github.com>
@stemlaur
Add jooq and liquibase to the project (not used yet) (#162)
5b05fc6 
* Add liquibase and jooq

* Move controllers and providers to application package

* Inspect code

* Create SQLDecks

Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Use jooq (#163)
3d8dc06 
* Déplace SQLDecks dans son propre package catalog

* Remove unecessary @componentscan

* Configure all provider beans

* Make swagger work again !

* Adapte les features pour utiliser les providers en mémoire

Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
Reorganise packages with 'spi'
ac6a5d7
Replace home-made Clock with java.time.Clock
16dc845
Create custom AbstractAnkiException
fbaf6f1
Create custom ExceptionHandlingController
db785e6
@stemlaur
Introduce events (#165)
64e191b 
* Move AbstractAnkiException in common package

* Publish first event DeckCreated

* Rename FakeDeckIdFactory.java into SimpleDeckIdFactory

* Remove mocks from DeckServiceShould

Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Use spring to forward events (#166)
6481e79 
* Enlève des imports non utilisés

* Use spring to forward domaian events using ApplicationEventPublisher

* Remove unused annotation @ExtendWith(MockitoExtension.class)

* Create a DeckStatsService to count the number of created decks

Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
stemlaur and others added 25 commits January 20, 2022 14:40
@stemlaur
Typo (#194)
ea66cc4
@stemlaur
An an action step to ensure all files are commited (#195)
e2baeaa
@stemlaur
Declare precise src folder to generate doc (#197)
2034953
@stemlaur
decouple study and catalog (#196)
2ef328e
Upgrade spring-boot-dependencies to 2.6.3
4baf24a
@dependabot
Bump spring-boot-dependencies from 2.6.2 to 2.6.3 (#199)
98ea243 
Bumps [spring-boot-dependencies](https://github.com/spring-projects/spring-boot) from 2.6.2 to 2.6.3.
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v2.6.2...v2.6.3)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-dependencies
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @stemlaur
Bump spring-boot-maven-plugin from 2.6.2 to 2.6.3 (#198)
0e1b50d 
Bumps [spring-boot-maven-plugin](https://github.com/spring-projects/spring-boot) from 2.6.2 to 2.6.3.
- [Release notes](https://github.com/spring-projects/spring-boot/releases)
- [Commits](spring-projects/spring-boot@v2.6.2...v2.6.3)

---
updated-dependencies:
- dependency-name: org.springframework.boot:spring-boot-maven-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Laurent Stemmer <stemlaur@users.noreply.github.com>
@stemlaur
Stop returning aggregate from FindDecks, and return snapshots instead (
96d4dbf 
…#200)
@stemlaur
Archunit api only dependencies (#201)
3dc7939 
* Enforce decoupling of different contexts from each other by introducing new archunit rules

* Fix a bug: living documentation were not parsing sub-packages

Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Try and cache m2 (#202)
b1d3875
@stemlaur
Configure sonar (#203)
70e8826
@stemlaur
Fix sonar issues (#204)
502a7ba
@stemlaur
End this switch case with an unconditional break, return or throw sta…
c361d11 
…tement. (#205)

Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Typo (#206)
f0dde2f 
Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Typo (#207)
df05b6b 
Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Add sonar-qube quality gate badge on README (#208)
1394150 
Co-authored-by: Laurent Stemmer <laurent-externe.stemmer@edf.fr>
@stemlaur
Improve glossary (#209)
0193447
@stemlaur
Add stats glossary (#210)
d1ba826
@stemlaur
Better exception assertions (#211)
738d144
@stemlaur
Update spring version (#253)
68a4a8e 
Co-authored-by: lstemmer <laurent-externe.stemmer@dalkia.fr>
@stemlaur
Feature/update plugins (#256)
5ee26fa 
* Update maven plugin versions

* Misc fixes
@stemlaur
Update maven plugin versions part 2 (#261)
e81f0d1 
Co-authored-by: lstemmer <laurent-externe.stemmer@dalkia.fr>
@stemlaur
Update maven plugin versions part 3 (#266)
a1dc29e
@stemlaur
JDK 17 (#268)
6f68ae1
@dependabot
Bump dependency-check-maven from 7.1.2 to 8.1.2
bf98026 
Bumps [dependency-check-maven](https://github.com/jeremylong/DependencyCheck) from 7.1.2 to 8.1.2.
- [Release notes](https://github.com/jeremylong/DependencyCheck/releases)
- [Changelog](https://github.com/jeremylong/DependencyCheck/blob/main/CHANGELOG.md)
- [Commits](jeremylong/DependencyCheck@v7.1.2...v8.1.2)

---
updated-dependencies:
- dependency-name: org.owasp:dependency-check-maven
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 28, 2023
@dependabot dependabot bot mentioned this pull request Feb 28, 2023
Closed
@stemlaur stemlaur force-pushed the master branch 3 times, most recently from efd0d8f to 255ee31 Compare May 5, 2023 19:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@stemlaur

Comments