Merge branch 'main' into 7510-improve-error-message

Author: nhumblot

CHANGELOG.md

@@ -1,13 +1,39 @@
 # Change Log
 
+## [Version 12.1.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.1) (2025-04-05)
+
+- fix: resolve NVD data Parse error `com.fasterxml.jackson.core.JsonParseException: Unexpected character (']' (code 93))`
+  - bump open-vulnerability-client from 7.3.1 to 7.3.2  (#7577)
+- fix: update links for repository move from `jeremylong` to the `dependency-check` organization (#7373)
+- fix: resolve NPE when processing CVE-2025-2682 (#7558)
+- fix: prevent rogue base suppression files (#7544)
+- fix: #6819 handle invalid toml file (#7548)
+- fix: Use unscored severity only in absence of any CVSS baseScore (#7530)
+- fix: protect against exotic version number of yarn (#7525)
+- fix: Ignore require-bundle MANIFEST.MF entry for evidence (#7523)
+- fix: avoid error on yarn berry audit when no vulnerability found (#7501)
+- fix: improve null checks in Downloader (#7493)
+- fix: improve null checks resolves https://github.com/dependency-check/dependency-check-gradle/issues/441
+- fix: Avoid FPs when Composer product name has php (#7486)
+- fix: cli not honoring window paths correctly (#7470)
+- fix: Also apply muteNoisyLoggers to UpdateMojo (#7469)
+- fix: Make HC5 Downloader honor the connection- and readTimeout settings that the old URLConnectionFactory based downloads observed (#7437) 
+- docs: sync the supported Maven version with the one stated in the system requirement section (#7570)
+- docs: update proxy config documentation (#7550)
+- docs: Remove copyright as requested by the Apache foundation
+- docs: drop redundant text in the Internet Access Required section (#7521)
+- docs: correct gradle documentation (#7511)
+
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/95?closed=1)
+
 ## [Version 12.1.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.0) (2025-02-16)
 
 - build(deps): bump open-vulnerability-client to 7.2.2 (#7407)
   - resolves issue with downloading data from the NVD (#7406)
 - fix: Improve thread safety issue #7338 alternative (#7367)
 - feat: Implement Yarn Berry Analyser (#7319)
 
-See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/94?closed=1
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/94?closed=1)
 
 ## [Version 12.0.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.0.2) (2025-01-29)
 

ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1-SNAPSHOT</version>
+        <version>12.1.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

archetype/pom.xml

@@ -20,14 +20,14 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1-SNAPSHOT</version>
+        <version>12.1.2-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-02-16T14:08:32Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-04-05T11:25:33Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>

cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1-SNAPSHOT</version>
+        <version>12.1.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1-SNAPSHOT</version>
+        <version>12.1.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>

core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java

@@ -359,7 +359,7 @@ private Vulnerability transform(final ComponentReport report, final ComponentRep
                         availabilityImpact = CvssV2Data.CiaType.fromValue(tmp);
                     }
                     final String severity = Cvss2Severity.of((float) cvssScore).name().toUpperCase();
-                    final CvssV2Data cvssData = new CvssV2Data("2.0", source.getCvssVector(), accessVector,
+                    final CvssV2Data cvssData = new CvssV2Data(CvssV2Data.Version._2_0, source.getCvssVector(), accessVector,
                             accessComplexity, authentication, confidentialityImpact,
                             integrityImpact, availabilityImpact, cvssScore,
                             severity, null, null, null, null, null, null, null, null, null, null);

core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -741,12 +741,7 @@ public Vulnerability getVulnerability(String cve, Connection conn) throws Databa
                                 integrityImpact == null ? "" : integrityImpact.value().substring(0, 1),
                                 availabilityImpact == null ? "" : availabilityImpact.value().substring(0, 1));
 
-                        //some older test data may not correctly have the version set.
-                        String cveVersion = "2.0";
-                        if (rsV.getString(18) != null) {
-                            cveVersion = rsV.getString(18);
-                        }
-                        final CvssV2Data cvssData = new CvssV2Data(cveVersion, vector, accessVector,
+                        final CvssV2Data cvssData = new CvssV2Data(CvssV2Data.Version._2_0, vector, accessVector,
                                 accessComplexity, authentication, confidentialityImpact,
                                 integrityImpact, availabilityImpact, rsV.getDouble(11), rsV.getString(3),
                                 null, null, null, null, null, null, null, null, null, null);

core/src/main/java/org/owasp/dependencycheck/processing/BundlerAuditProcessor.java

@@ -242,7 +242,7 @@ private void addCriticalityToVulnerability(String parentName, Vulnerability vuln
                     score = 2.0;
                 }
                 LOGGER.debug("bundle-audit vulnerability missing CVSS data: {}", vulnerability.getName());
-                final CvssV2Data cvssData = new CvssV2Data("2.0", null, null, null, null, null, null, null, score, criticality.toUpperCase(),
+                final CvssV2Data cvssData = new CvssV2Data(CvssV2Data.Version._2_0, null, null, null, null, null, null, null, score, criticality.toUpperCase(),
                         null, null, null, null, null, null, null, null, null, null);
                 final CvssV2 cvssV2 = new CvssV2(null, null, cvssData, criticality.toUpperCase(), null, null, null, null, null, null, null);
                 vulnerability.setCvssV2(cvssV2);

core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java

@@ -115,7 +115,6 @@ public static CvssV2 vectorToCvssV2(String vectorString, Double baseScore) {
                             vectorString));
         }
 
-        final String version = CvssV2Data.Version._2_0.value();
         //"AV:L/AC:L/Au:N/C:N/I:N/A:C"
         final CvssV2Data.AccessVectorType accessVector = CvssV2Data.AccessVectorType.fromValue(metrics.get("AV"));
         final CvssV2Data.AccessComplexityType attackComplexity = CvssV2Data.AccessComplexityType.fromValue(metrics.get("AC"));
@@ -125,7 +124,7 @@ public static CvssV2 vectorToCvssV2(String vectorString, Double baseScore) {
         final CvssV2Data.CiaType availabilityImpact = CvssV2Data.CiaType.fromValue(metrics.get("A"));
 
         final String baseSeverity = cvssV2ScoreToSeverity(baseScore);
-        final CvssV2Data data = new CvssV2Data(version, vectorString, accessVector, attackComplexity,
+        final CvssV2Data data = new CvssV2Data(CvssV2Data.Version._2_0, vectorString, accessVector, attackComplexity,
                 authentication, confidentialityImpact, integrityImpact, availabilityImpact, baseScore, baseSeverity,
                 null, null, null, null, null, null, null, null, null, null);
         final CvssV2 cvss = new CvssV2(null, null, data, baseSeverity, null, null, null, null, null, null, null);

core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/UrlEcosystemMapperTest.java

@@ -38,7 +38,7 @@ public void testGetEcosystemMustHandleNullCveReferences() {
         // Given
         UrlEcosystemMapper mapper = new UrlEcosystemMapper();
 
-        CveItem cveItem = new CveItem();
+        CveItem cveItem = new CveItem(null,null,null,null,null);
         DefCveItem defCveItem = new DefCveItem(cveItem);
 
         // When
@@ -53,7 +53,7 @@ public void testGetEcosystemMustHandleNullCve() {
         // Given
         UrlEcosystemMapper mapper = new UrlEcosystemMapper();
 
-        DefCveItem cveItem = new DefCveItem();
+        DefCveItem cveItem = new DefCveItem(null);
 
         // When
         String output = mapper.getEcosystem(cveItem);