Merge branch 'main' into dependabot/maven/com.h2database-h2-2.2.224

jeremylong · Jun 30, 2024 · 5e925b3 · 5e925b3
2 parents 4253012 + 9b42aed
commit 5e925b3
Show file tree

Hide file tree

Showing 48 changed files with 652 additions and 67 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -55,7 +55,7 @@ jobs:
           server-id: ossrh
           server-username: ${{ secrets.OSSRH_USERNAME }}
           server-password: ${{ secrets.OSSRH_TOKEN }}
-      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+      - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 6.0.2
       - name: Build Snapshot with Maven

diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml
@@ -150,7 +150,7 @@ jobs:
             } 
       - name: Publish Updated Suppressions
         if: ${{ steps.fp-ops-commit.outputs.publish == 'true' }}
-        uses: JamesIves/github-pages-deploy-action@v4.5.0
+        uses: JamesIves/github-pages-deploy-action@v4.6.1
         with:
           branch: gh-pages
           folder: suppressions

diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
@@ -18,6 +18,6 @@ jobs:
       statuses: write
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5.4.0
+      - uses: amannn/action-semantic-pull-request@v5.5.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
@@ -31,7 +31,7 @@ jobs:
         with:
           java-version: 8
           distribution: 'zulu'
-      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+      - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 6.0.2
       - name: Test with Maven
@@ -68,7 +68,7 @@ jobs:
         with:
           java-version: 8
           distribution: 'zulu'
-      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+      - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 6.0.2
       - name: Regression Test Maven Plugin

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -57,7 +57,7 @@ jobs:
           server-id: ossrh
           server-username: ${{ secrets.OSSRH_USERNAME }}
           server-password: ${{ secrets.OSSRH_TOKEN }}
-      - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+      - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 6.0.2
       - name: Configure Git user
@@ -255,7 +255,7 @@ jobs:
         run: ls -R
         working-directory: target
       - name: Deploy gh-pages
-        uses: JamesIves/github-pages-deploy-action@v4.5.0
+        uses: JamesIves/github-pages-deploy-action@v4.6.1
         with:
           branch: gh-pages
           folder: target/staging

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Change Log
 
+## [Version 9.2.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v9.2.0) (2024-05-15)
+
+ - docs: update logo per intellj (#6660)
+ - feat: Carthage analyzer (#6614)
+ - fix: Ensure valid JSON output for gitlab report (#6630)
+ - feat: Support Package.swift version 3 Specification (#6578)
+ - chore: Update the packaged suppressions to include new hosted suppressions (#6567)
+
+See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/82?closed=1). 
+
 ## [Version 9.1.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v9.1.0) (2024-03-31)
 
 - feat: Add v2 support for maven_install.json (#6528)

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
-FROM golang:1.22.2-alpine AS go
+FROM golang:1.22.4-alpine AS go
 
-FROM azul/zulu-openjdk-alpine:17 AS jlink
+FROM azul/zulu-openjdk-alpine:22 AS jlink
 
 RUN "$JAVA_HOME/bin/jlink" --compress=2 --module-path /opt/java/openjdk/jmods --add-modules java.base,java.compiler,java.datatransfer,jdk.crypto.ec,java.desktop,java.instrument,java.logging,java.management,java.naming,java.rmi,java.scripting,java.security.sasl,java.sql,java.transaction.xa,java.xml,jdk.unsupported --output /jlinked
 

diff --git a/ant/pom.xml b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>9.2.0-SNAPSHOT</version>
+        <version>9.2.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

diff --git a/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -356,6 +356,10 @@ public class Check extends Update {
      * Whether or not the CocoaPods Analyzer is enabled.
      */
     private Boolean cocoapodsAnalyzerEnabled;
+    /**
+     * Whether or not the Carthage Analyzer is enabled.
+     */
+    private Boolean carthageAnalyzerEnabled;
 
     /**
      * Whether or not the Swift package Analyzer is enabled.
@@ -1105,6 +1109,24 @@ public void setCocoapodsAnalyzerEnabled(Boolean cocoapodsAnalyzerEnabled) {
         this.cocoapodsAnalyzerEnabled = cocoapodsAnalyzerEnabled;
     }
 
+    /**
+     * Returns if the Carthage analyzer is enabled.
+     *
+     * @return if the Carthage analyzer is enabled
+     */
+    public boolean isCarthageAnalyzerEnabled() {
+        return carthageAnalyzerEnabled;
+    }
+
+    /**
+     * Sets whether or not the Carthage analyzer is enabled.
+     *
+     * @param carthageAnalyzerEnabled the state of the Carthage analyzer
+     */
+    public void setCarthageAnalyzerEnabled(Boolean carthageAnalyzerEnabled) {
+        this.carthageAnalyzerEnabled = carthageAnalyzerEnabled;
+    }
+
     /**
      * Returns whether or not the Swift package Analyzer is enabled.
      *
@@ -2144,6 +2166,7 @@ protected void populateSettings() throws BuildException {
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CARTHAGE_ENABLED, carthageAnalyzerEnabled);
         getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
         getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_WORKING_DIRECTORY, bundleAuditWorkingDirectory);

diff --git a/ant/src/site/markdown/configuration.md b/ant/src/site/markdown/configuration.md
@@ -124,6 +124,7 @@ nuspecAnalyzerEnabled               | Sets whether the .NET Nuget Nuspec Analyze
 nugetconfAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `enableExperimental` must be set to true. | true
 libmanAnalyzerEnabled               | Sets whether the Libman Analyzer will be used.                                                             | true
 cocoapodsAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `enableExperimental` must be set to true. | true
+carthageAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `enableExperimental` must be set to true. | true
 mixAuditAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Mix Audit Analyzer should be used. `enableExperimental` must be set to true. | true
 mixAuditPath                        | Sets the path to the mix_audit executable; only used if mix audit analyzer is enabled and experimental analyzers are enabled.  | &nbsp;
 bundleAuditAnalyzerEnabled          | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. `enableExperimental` must be set to true. | true

diff --git a/archetype/pom.xml b/archetype/pom.xml
@@ -20,14 +20,14 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>9.2.0-SNAPSHOT</version>
+        <version>9.2.1-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2024-03-31T11:36:57Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2024-05-15T09:29:26Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/jeremylong/DependencyCheck.git</connection>

diff --git a/cli/pom.xml b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>9.2.0-SNAPSHOT</version>
+        <version>9.2.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -575,6 +575,8 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
                 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_SWIFT_RESOLVED, Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED));
         settings.setBoolean(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED,
                 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_COCOAPODS, Settings.KEYS.ANALYZER_COCOAPODS_ENABLED));
+        settings.setBoolean(Settings.KEYS.ANALYZER_CARTHAGE_ENABLED,
+                !cli.isDisabled(CliParser.ARGUMENT.DISABLE_CARTHAGE, Settings.KEYS.ANALYZER_CARTHAGE_ENABLED));
         settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED,
                 !cli.isDisabled(CliParser.ARGUMENT.DISABLE_RUBYGEMS, Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED));
         settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED,

diff --git a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -494,6 +494,7 @@ private void addAdvancedOptions(final Options options) {
                 .addOption(newOption(ARGUMENT.DISABLE_OSSINDEX, "Disable the Sonatype OSS Index Analyzer."))
                 .addOption(newOption(ARGUMENT.DISABLE_OSSINDEX_CACHE, "Disallow the OSS Index Analyzer from caching results"))
                 .addOption(newOption(ARGUMENT.DISABLE_COCOAPODS, "Disable the CocoaPods Analyzer."))
+                .addOption(newOption(ARGUMENT.DISABLE_CARTHAGE, "Disable the Carthage Analyzer."))
                 .addOption(newOption(ARGUMENT.DISABLE_SWIFT, "Disable the swift package Analyzer."))
                 .addOption(newOption(ARGUMENT.DISABLE_SWIFT_RESOLVED, "Disable the swift package resolved Analyzer."))
                 .addOption(newOption(ARGUMENT.DISABLE_GO_DEP, "Disable the Golang Package Analyzer."))
@@ -1286,6 +1287,10 @@ public static class ARGUMENT {
          * Disables the cocoapods analyzer.
          */
         public static final String DISABLE_COCOAPODS = "disableCocoapodsAnalyzer";
+        /**
+         * Disables the Carthage analyzer.
+         */
+        public static final String DISABLE_CARTHAGE = "disableCarthageAnalyzer";
         /**
          * Disables the swift package manager analyzer.
          */

diff --git a/cli/src/main/resources/completion-for-dependency-check.sh b/cli/src/main/resources/completion-for-dependency-check.sh
@@ -32,6 +32,7 @@ _odc_completions()
             --disableCentralCache
             --disableCmake
             --disableCocoapodsAnalyzer
+            --disableCarthageAnalyzer
             --disableComposer
             --disableDart
             --disableFileName

diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md
@@ -63,6 +63,7 @@ Advanced Options
 |       | \-\-disableRubygems                   |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.                                                                                                           | &nbsp;        |
 |       | \-\-disableBundleAudit                |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used.                                                                                                     | &nbsp;        |
 |       | \-\-disableCocoapodsAnalyzer          |                 | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used.                                                                                                              | &nbsp;        |
+|       | \-\-disableCarthageAnalyzer           |                 | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer will be used.                                                                                                               | &nbsp;        |
 |       | \-\-disableSwiftPackageManagerAnalyzer |                 | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer will be used.                                                                                                 | &nbsp;        |
 |       | \-\-disableSwiftPackageResolvedAnalyzer|                 | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer will be used.                                                                                                | &nbsp;        |
 |       | \-\-disableAutoconf                   |                 | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used.                                                                                                               | &nbsp;        |

diff --git a/cli/src/test/resources/sample.properties b/cli/src/test/resources/sample.properties
@@ -21,6 +21,7 @@ analyzer.openssl.enabled=true
 analyzer.central.enabled=true
 analyzer.nexus.enabled=false
 analyzer.cocoapods.enabled=true
+analyzer.carthage.enabled=true
 analyzer.swift.package.manager.enabled=true
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=true

diff --git a/cli/src/test/resources/sample2.properties b/cli/src/test/resources/sample2.properties
@@ -21,6 +21,7 @@ analyzer.openssl.enabled=false
 analyzer.central.enabled=false
 analyzer.nexus.enabled=true
 analyzer.cocoapods.enabled=false
+analyzer.carthage.enabled=false
 analyzer.swift.package.manager.enabled=false
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=false

diff --git a/core/pom.xml b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>9.2.0-SNAPSHOT</version>
+        <version>9.2.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
@@ -42,6 +42,7 @@ public enum AnalysisPhase {
      * {@link AutoconfAnalyzer}
      * {@link CMakeAnalyzer}
      * {@link CentralAnalyzer}
+     * {@link CarthageAnalyzer}
      * {@link CocoaPodsAnalyzer}
      * {@link ComposerLockAnalyzer}
      * {@link DartAnalyzer}