tez Bump dependency-check-maven from 1.3.6 to 3.2.0

Bumps dependency-check-maven from 1.3.6 to 3.2.0.

Changelog

Sourced from dependency-check-maven's changelog.

Version 3.2.0 (2018-05-21)

Security Fix

Unsafe unzip operations (zip slip), as reported by the Snyk Security Research Team, have been corrected. CVE-2018-12036 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.

Bug Fixes

The dependency-check-maven plugin no longer uses the Central Analyzer by default

Updated dependency-check-maven so that it will not fail when your multi-module build has dependencies that have not yet been built in the reactor (See #740)

Note if the required dependency has not yet been built in the reactor and the dependency is available in a configured repository dependency-check-maven, as expected, would pull the dependency from the repository for analysis.

Minor documentation updates

False positive reduction

Fixed the Gradle Plugin and Ant Task so that the temp directory is properly cleaned up after execution

Removed TLSv1 from the list of protocols used by default (See #1237)

Enhancements

Excess white space has been removed from the XML and HTML reports; the JSON report is still pretty printed (a future release will convert this to a configurable option)

Better error reporting

Changed to use commons-text instead of commons-lang3 as a portion of commons-lang3 was moved to commonts-text

Added more flexible suppression rules with the introduction of the until attribute (see #1145 and dependency-suppression.1.2.xsd

Version 3.1.2 (2018-04-02)

Bug Fixes

Updated the NVD URLs

Updated documentation

Add project references to the JSON and XML report; in aggregate scans using Maven or Gradle the dependencies will include a reference to the project/module where they were found

The configuration option versionCheckEnabled was added to Maven to allow users to disable the check for new versions of dependency-check; this will be added to gradle plugin, Ant Task, and the CLI in a future release

The XML and JSON reports were fixed so that the correct version number is displayed see [issue #1109](jeremylong/DependencyCheck#1109)

The initial database creation time for H2 databases was improved

Changes made to decrease false positive and false negatives

Version 3.1.1 (2018-01-29)

Bug Fixes

Fixed the Central Analyzer to use the updated SHA1 query syntax.

Reverted change that broke Maven 3.1.0 compatability; Maven 3.1.0 and beyond is once again supported.

False positive reduction.

Minor documentation cleanup.

Version 3.1.0 (2018-01-02)

Enhancements

... (truncated)

Commits

974cdb9 v3.2.0
099f9a8 improved error message
654e772 checkstyle suggestions
6d05b45 Merge pull request #1237 from jeremylong/updateTls
e9f5f7b Merge pull request #1283 from jeremylong/issue1271
9a2a28a Merge pull request #1284 from jeremylong/resolveFP
8f7149a fix per #987
532760a per #1026
071b488 per #1055
507d23f do not add erroneous data
Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

> **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Nov 28 '22 11:11 dependabot[bot]

:broken_heart: -1 overall

Vote	Subsystem	Runtime	Comment
+0 :ok:	reexec	32m 41s	Docker mode activated.
		_ Prechecks _
+1 :green_heart:	dupname	0m 0s	No case conflicting files found.
+1 :green_heart:	@author	0m 0s	The patch does not contain any @author tags.
-1 :x:	test4tests	0m 0s	The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
		_ master Compile Tests _
+1 :green_heart:	mvninstall	15m 19s	master passed
+1 :green_heart:	compile	2m 18s	master passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 :green_heart:	compile	2m 5s	master passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
+1 :green_heart:	javadoc	2m 35s	master passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 :green_heart:	javadoc	1m 51s	master passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
		_ Patch Compile Tests _
+1 :green_heart:	mvninstall	3m 55s	the patch passed
+1 :green_heart:	compile	2m 20s	the patch passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 :green_heart:	javac	2m 20s	the patch passed
+1 :green_heart:	compile	2m 9s	the patch passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
+1 :green_heart:	javac	2m 9s	the patch passed
+1 :green_heart:	whitespace	0m 0s	The patch has no whitespace issues.
+1 :green_heart:	xml	0m 1s	The patch has no ill-formed XML file.
+1 :green_heart:	javadoc	2m 22s	the patch passed with JDK Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04
+1 :green_heart:	javadoc	1m 55s	the patch passed with JDK Private Build-1.8.0_352-8u352-ga-1~20.04-b08
		_ Other Tests _
+1 :green_heart:	unit	74m 40s	root in the patch passed.
+1 :green_heart:	asflicense	0m 55s	The patch does not generate ASF License warnings.
		146m 12s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/1/artifact/out/Dockerfile
GITHUB PR	https://github.com/apache/tez/pull/252
Optional Tests	dupname asflicense javac javadoc unit xml compile
uname	Linux 7b06a064b889 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	personality/tez.sh
git revision	master / 25fc8c488
Default Java	Private Build-1.8.0_352-8u352-ga-1~20.04-b08
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.17+8-post-Ubuntu-1ubuntu220.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_352-8u352-ga-1~20.04-b08
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/1/testReport/
Max. process+thread count	1483 (vs. ulimit of 5500)
modules	C: . U: .
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/1/console
versions	git=2.25.1 maven=3.6.3
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

Nov 28 '22 13:11 tez-yetus

@dependabot rebase

May 28 '24 05:05 ayushtkn

:broken_heart: -1 overall

Vote	Subsystem	Runtime	Comment
+0 :ok:	reexec	22m 19s	Docker mode activated.
		_ Prechecks _
+1 :green_heart:	dupname	0m 0s	No case conflicting files found.
+1 :green_heart:	@author	0m 0s	The patch does not contain any @author tags.
-1 :x:	test4tests	0m 0s	The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
		_ master Compile Tests _
+1 :green_heart:	mvninstall	14m 44s	master passed
+1 :green_heart:	compile	2m 15s	master passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1
+1 :green_heart:	compile	2m 9s	master passed with JDK Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
+1 :green_heart:	javadoc	1m 46s	master passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1
+1 :green_heart:	javadoc	1m 11s	master passed with JDK Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
		_ Patch Compile Tests _
+1 :green_heart:	mvninstall	4m 23s	the patch passed
+1 :green_heart:	compile	2m 18s	the patch passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1
+1 :green_heart:	javac	2m 18s	the patch passed
+1 :green_heart:	compile	2m 9s	the patch passed with JDK Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
+1 :green_heart:	javac	2m 9s	the patch passed
+1 :green_heart:	whitespace	0m 0s	The patch has no whitespace issues.
+1 :green_heart:	xml	0m 2s	The patch has no ill-formed XML file.
+1 :green_heart:	javadoc	1m 16s	the patch passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1
+1 :green_heart:	javadoc	1m 13s	the patch passed with JDK Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
		_ Other Tests _
-1 :x:	unit	82m 38s	root in the patch failed.
+1 :green_heart:	asflicense	0m 41s	The patch does not generate ASF License warnings.
		140m 22s

Reason	Tests
Failed junit tests	tez.analyzer.TestAnalyzer

Subsystem	Report/Notes
Docker	ClientAPI=1.45 ServerAPI=1.45 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/2/artifact/out/Dockerfile
GITHUB PR	https://github.com/apache/tez/pull/252
Optional Tests	dupname asflicense javac javadoc unit xml compile
uname	Linux 3599d25cee49 5.15.0-106-generic #116-Ubuntu SMP Wed Apr 17 09:17:56 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	personality/tez.sh
git revision	master / 38c5aaccd
Default Java	Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu222.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_402-8u402-ga-2ubuntu1~22.04-b06
unit	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/2/artifact/out/patch-unit-root.txt
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/2/testReport/
Max. process+thread count	2100 (vs. ulimit of 5500)
modules	C: . U: .
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/2/console
versions	git=2.34.1 maven=3.6.3
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

May 28 '24 08:05 tez-yetus

@dependabot rebase

Aug 16 '24 07:08 ayushtkn

:broken_heart: -1 overall

Vote	Subsystem	Runtime	Comment
+0 :ok:	reexec	22m 17s	Docker mode activated.
		_ Prechecks _
+1 :green_heart:	dupname	0m 0s	No case conflicting files found.
+1 :green_heart:	@author	0m 0s	The patch does not contain any @author tags.
-1 :x:	test4tests	0m 0s	The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
		_ master Compile Tests _
+1 :green_heart:	mvninstall	18m 24s	master passed
+1 :green_heart:	compile	2m 23s	master passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04
+1 :green_heart:	compile	2m 14s	master passed with JDK Private Build-1.8.0_422-8u422-b05-1~22.04-b05
+1 :green_heart:	javadoc	1m 48s	master passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04
+1 :green_heart:	javadoc	1m 12s	master passed with JDK Private Build-1.8.0_422-8u422-b05-1~22.04-b05
		_ Patch Compile Tests _
+1 :green_heart:	mvninstall	4m 23s	the patch passed
+1 :green_heart:	compile	2m 24s	the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04
+1 :green_heart:	javac	2m 24s	the patch passed
+1 :green_heart:	compile	2m 9s	the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~22.04-b05
+1 :green_heart:	javac	2m 9s	the patch passed
+1 :green_heart:	whitespace	0m 0s	The patch has no whitespace issues.
+1 :green_heart:	xml	0m 2s	The patch has no ill-formed XML file.
+1 :green_heart:	javadoc	1m 17s	the patch passed with JDK Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04
+1 :green_heart:	javadoc	1m 13s	the patch passed with JDK Private Build-1.8.0_422-8u422-b05-1~22.04-b05
		_ Other Tests _
-1 :x:	unit	82m 11s	root in the patch failed.
+1 :green_heart:	asflicense	0m 43s	The patch does not generate ASF License warnings.
		143m 57s

Reason	Tests
Failed junit tests	tez.analyzer.TestAnalyzer

Subsystem	Report/Notes
Docker	ClientAPI=1.46 ServerAPI=1.46 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/3/artifact/out/Dockerfile
GITHUB PR	https://github.com/apache/tez/pull/252
Optional Tests	dupname asflicense javac javadoc unit xml compile
uname	Linux 2c2f9987f728 5.15.0-117-generic #127-Ubuntu SMP Fri Jul 5 20:13:28 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	personality/tez.sh
git revision	master / cd6ceec3d
Default Java	Private Build-1.8.0_422-8u422-b05-1~22.04-b05
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.24+8-post-Ubuntu-1ubuntu322.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_422-8u422-b05-1~22.04-b05
unit	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/3/artifact/out/patch-unit-root.txt
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/3/testReport/
Max. process+thread count	2100 (vs. ulimit of 5500)
modules	C: . U: .
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-252/3/console
versions	git=2.34.1 maven=3.6.3
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

Aug 16 '24 09:08 tez-yetus