build(deps): bump io.github.jeremylong:open-vulnerability-clients from 7.3.2 to 9.0.2#7630
Bumps [io.github.jeremylong:open-vulnerability-clients](https://github.com/jeremylong/vuln-tools) from 7.3.2 to 8.0.0.
- [Release notes](https://github.com/jeremylong/vuln-tools/releases)
- [Commits](https://github.com/jeremylong/vuln-tools/commits/v8.0.0)

---
updated-dependencies:
- dependency-name: io.github.jeremylong:open-vulnerability-clients
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@nhumblot Think this could be merged too? Or is there a reason to not include it in a minor release of ODC?
I felt this was a breaking change - so I was going to include it in the next major release. At least we should wait for the next minor release as opposed to the pending point release.
While for the library it was a breaking release (split between CLI and the library code as separately released projects), I think for ODC it would not be a non-breaking change. AFAICT we're only adapting our internals and introducing two configuration properties (not exposed to the plugin configs) - one might consider the added properties a new feature for people using properties-file configuration, so I can see how you may want to skip the revision level and wait for a feature release, though I would say for a proper feature it should be extended with extending the configurability in the Gradle and Maven plugin configuration settings.
Hi, sorry for the late reply. I marked commit 8cc9ade with a I have to admit I did not manually test this part extensively. I am going to proceed with additional testing and share with you whether my initial thought was good or not.
A newer version of io.github.jeremylong:open-vulnerability-clients exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.
I'll revisit this PR soon based on @aikebah's comment above and the recent release of 9.0.1 (although most of the changes in 9.0.1 are related to GHSA). |
This supposition is invalid. This is not a blocking change as default values are hard-coded into Test conducted with a CLI packaged from commit 63575bb ( I removed the breaking change notification
Major version bump to 9.x.x is due to the removal of a public getter, which is not used by Dependency Check. I proposed to add it in this PR through 10de1bb. PR title has been changed. |
Relates to #7870
I was planning on finishing this PR today and merging it... however, with the current cloudflare issue I am unable to test. |
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…3.11.3 to 3.12.0 (#8012) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [commons-codec:commons-codec](https://github.com/apache/commons-codec) from 1.19.0 to 1.20.0.
- [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt)
- [Commits](apache/commons-codec@rel/commons-codec-1.19.0...rel/commons-codec-1.20.0)

---
updated-dependencies:
- dependency-name: commons-codec:commons-codec
  dependency-version: 1.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [JamesIves/github-pages-deploy-action](https://github.com/jamesives/github-pages-deploy-action) from 4.7.3 to 4.7.4.
- [Release notes](https://github.com/jamesives/github-pages-deploy-action/releases)
- [Commits](JamesIves/github-pages-deploy-action@v4.7.3...v4.7.4)

---
updated-dependencies:
- dependency-name: JamesIves/github-pages-deploy-action
  dependency-version: 4.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [commons-io:commons-io](https://github.com/apache/commons-io) from 2.20.0 to 2.21.0.
- [Changelog](https://github.com/apache/commons-io/blob/master/RELEASE-NOTES.txt)
- [Commits](apache/commons-io@rel/commons-io-2.20.0...rel/commons-io-2.21.0)

---
updated-dependencies:
- dependency-name: commons-io:commons-io
  dependency-version: 2.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…3.1.1 to 3.2.0 (#8109) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jeremy Long <jeremy.long@gmail.com>
… 25/Docker by making CLI classpath deterministic (#8117) Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Co-authored-by: Jeremy Long <jeremy.long@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps org.apache.commons:commons-lang3 from 3.19.0 to 3.20.0.

---
updated-dependencies:
- dependency-name: org.apache.commons:commons-lang3
  dependency-version: 3.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
After mangling the git history on this branch (sorry about that - luckily we will squash this) - I've tested the latest and it appears to work well:

```
$ ./dependency-check.sh --updateonly --nvdApiKey ********-****-****-****-************
[INFO] Checking for updates
[INFO] NVD API has 318,678 records in this update
[INFO] Downloaded 10,000/318,678 (3%)
[INFO] Downloaded 20,000/318,678 (6%)
...
[INFO] Downloaded 300,000/318,678 (94%)
[INFO] Downloaded 310,000/318,678 (97%)
[INFO] Downloaded 318,678/318,678 (100%)
[INFO] Completed processing batch 1/160 (1%) in 11,001ms
[INFO] Completed processing batch 2/160 (1%) in 11,560ms
...
[INFO] Completed processing batch 159/160 (99%) in 204ms
[INFO] Completed processing batch 160/160 (100%) in 43ms
[INFO] Updating CISA Known Exploited Vulnerability list: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
[INFO] Begin database defrag
[INFO] End database defrag (3308 ms)
[INFO] Check for updates complete (108342 ms)
```
Bumps io.github.jeremylong:open-vulnerability-clients from 7.3.2 to 8.0.0.