From 02ada0fbfdf206197b2807f7569bbde8961f232a Mon Sep 17 00:00:00 2001
From: Toby Crawley
Date: Mon, 24 Feb 2025 08:46:23 -0500
Subject: [PATCH 1/2] Update to dependency-check-core 12.1.0
Users need to use 12.1.0 due to [1]. However, this change means that the minimum java version is now 11, as dependency-check dropped support for java 8 in 11.0.0[2]. This upgrade also means that users will have to provide an NVD api-key[3]. So this is a pretty significant upgrade.
[1]: https://github.com/dependency-check/DependencyCheck/issues/7406
[2]: https://github.com/dependency-check/DependencyCheck?tab=readme-ov-file#breaking-changes-in-1100
[3]: https://github.com/dependency-check/DependencyCheck?tab=readme-ov-file#mandatory-upgrade-notice
---
 deps.edn | 2 +-
 project.clj | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deps.edn b/deps.edn
index 545315a..b4b7e90 100644
--- a/deps.edn
+++ b/deps.edn
@@ -4,7 +4,7 @@
 clansi/clansi {:mvn/version "1.0.0"}
 org.clojure/data.json {:mvn/version "2.5.0"}
 org.slf4j/slf4j-simple {:mvn/version "2.0.10"}
- org.owasp/dependency-check-core {:mvn/version "9.0.8"}
+ org.owasp/dependency-check-core {:mvn/version "12.1.0"}
 rm-hull/table {:mvn/version "0.7.1"}
 trptcolin/versioneer {:mvn/version "0.2.0"}}
 :mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"}
diff --git a/project.clj b/project.clj
index d520b1f..d67788c 100644
--- a/project.clj
+++ b/project.clj
@@ -7,7 +7,7 @@
 [clansi "1.0.0"]
 [org.clojure/data.json "2.5.0"]
 [org.slf4j/slf4j-simple "2.0.10"]
- [org.owasp/dependency-check-core "9.0.8"]
+ [org.owasp/dependency-check-core "12.1.0"]
 [rm-hull/table "0.7.1"]
 [trptcolin/versioneer "0.2.0"]
 ;; Explicitly depend on a certain Jackson, consistently.
From 88b2150908fc42b5476ec5dddc7558457fa28d3e Mon Sep 17 00:00:00 2001
From: Toby Crawley
Date: Mon, 24 Feb 2025 08:52:05 -0500
Subject: [PATCH 2/2] Configure singleton Downloader
This Downloader instance is used when a datafeed[1] URL is provided, but will throw an NPE if it isn't configured[2].
[1]: https://github.com/rm-hull/nvd-clojure?tab=readme-ov-file#configuration-options
[2]: https://github.com/rm-hull/nvd-clojure/issues/182
---
 src/nvd/config.clj | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/nvd/config.clj b/src/nvd/config.clj
index 9e5d680..f22939f 100644
--- a/src/nvd/config.clj
+++ b/src/nvd/config.clj
@@ -30,7 +30,7 @@
 (:import (java.io File)
 (org.owasp.dependencycheck Engine)
- (org.owasp.dependencycheck.utils Settings Settings$KEYS)))
+ (org.owasp.dependencycheck.utils Downloader Settings Settings$KEYS)))
 (def ^:private string-mappings
 {Settings$KEYS/ANALYZER_NEXUS_URL [:analyzer :nexus-url]
@@ -209,6 +209,8 @@ You can pass an empty string for an .edn file to be automatically created."
 (.setString settings Settings$KEYS/NVD_API_KEY api-key)))
+ (.configure (Downloader/getInstance) settings)
+ (-> project
 (assoc-in [:nvd :data-directory] (.getDataDirectory settings))
 (assoc :engine (Engine. settings)
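Review bot: `Downloader/getInstance` returns a process-wide singleton, so the `(.configure (Downloader/getInstance) settings)` call that this import enables (second hunk, whose end lies outside this excerpt) mutates JVM-global state each time the config function runs; two invocations with different settings in one JVM (a multi-module build, or a REPL session) leave the last caller's proxy and credential configuration in effect for every subsequent datafeed fetch. The ordering is right — it follows the `NVD_API_KEY` `setString` so the key is on `settings` before the Downloader reads it — but nothing at the call site says why it must sit there, so a comment is warranted: `;; Downloader is a JVM-wide singleton: configure it after all settings (incl. the NVD api-key above) are applied, or datafeed fetches NPE; a later call overwrites the earlier config.` I believe recent dependency-check releases declare `Downloader.configure` as throwing on invalid settings; if so the exception now propagates out of this function uncaught, which is fine but worth confirming against the callers in the repo.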