dependency-check
diff --git a/‎.gitattributes‎
Lines changed: 12 additions & 7 deletions b/‎.gitattributes‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/false-positive-report.yml‎
Lines changed: 5 additions & 3 deletions b/‎.github/ISSUE_TEMPLATE/false-positive-report.yml‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 65 additions & 64 deletions b/‎.github/workflows/build.yml‎
Lines changed: 65 additions & 64 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/coverity.yml‎
Lines changed: 0 additions & 37 deletions b/‎.github/workflows/coverity.yml‎
Lines changed: 0 additions & 37 deletions
diff --git a/‎.github/workflows/false-positive-approvals.yml‎
Lines changed: 16 additions & 6 deletions b/‎.github/workflows/false-positive-approvals.yml‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎.github/workflows/false-positive-cleanup.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/false-positive-cleanup.yml‎
Lines changed: 1 addition & 0 deletions
@@ -1,8 +1,13 @@
 *.html linguist-documentation
-(^|/)site/) linguist-documentation
-src/test/resources/* linguist-vendored
-cli/src/test/resources/* linguist-vendored
-core/src/test/resources/* linguist-vendored
-maven/src/test/resources/* linguist-vendored
-ant/src/test/resources/* linguist-vendored
-utils/src/test/resources/* linguist-vendored
+src/site/** linguist-documentation
+cli/src/site/** linguist-documentation
+core/src/site/** linguist-documentation
+maven/src/site/** linguist-documentation
+ant/src/site/** linguist-documentation
+utils/src/site/** linguist-documentation
+src/test/resources/** linguist-vendored
+cli/src/test/resources/** linguist-vendored
+core/src/test/resources/** linguist-vendored
+maven/src/test/resources/** linguist-vendored
+ant/src/test/resources/** linguist-vendored
+utils/src/test/resources/** linguist-vendored
@@ -6,6 +6,8 @@ body:
   - type: markdown
     attributes:
       value: |
+        **Ensure you are using the latest version of dependency-check.**
+        
         **Automation is used to process most false positives reports**; failure to follow these guidelines will delay the process:
         
           - Only enter a **single (1) Package URL**.
@@ -27,15 +29,15 @@ body:
     id: cpe
     attributes:
       label: CPE
-      description: Please enter the single Common Platform enumeration (CPE) as identified in the HTML Report. Only a **single CPE** can be specified. **Please put backtic characters around the CPE to ensure it displays correctly**.
+      description: Please enter the single Common Platform enumeration (CPE) as identified in the HTML Report. Only a **single CPE** can be specified. **Please put backtick characters around the CPE to ensure it displays correctly**.
       placeholder: ex. `cpe:2.3:a:apache:log4j:2.12.1:*:*:*:*:*:*:*`
     validations:
       required: true
   - type: input
     id: cve
     attributes:
       label: CVE
-      description: The vulnerability name as identified in the HTML Report. If specifying a CPE this is not necassary; if entered please enter only a **signle CVE**; if multiple CVE should be suppressed please enter multiple FP reports. This is optional and may not be needed as most FP reports are due to an incorrect CPE.
+      description: The vulnerability name as identified in the HTML Report. If specifying a CPE this is not necessary; if entered please enter only a **single CVE**; if multiple CVE should be suppressed please enter multiple FP reports. This is optional and may not be needed as most FP reports are due to an incorrect CPE.
       placeholder: ex. CVE-2021-44228
     validations:
       required: false
@@ -66,4 +68,4 @@ body:
       label: Description
       description: Additional information regarding the false positive report.
     validations:
-      required: false
+      required: false
@@ -9,87 +9,99 @@ on:
       - '**/*.txt'
 
 permissions: {}
+
 jobs:
   build:
+    strategy:
+      matrix:
+        jdk_default_version: [ '25' ]                # Single JDK version to run Maven with and use for compilation etc
+        jdk_test_version: [ '11', '17', '21', '25' ] # JDK version to run surefire/failsafe tests using
+      fail-fast: false
+
+    name: Build and Test (JDK ${{ matrix.jdk_test_version }}${{ matrix.jdk_test_version == matrix.jdk_default_version && ' - Default' || '' }})
     permissions:
       contents: read # to fetch code (actions/checkout)
-
-    name: Build dependency-check
-    runs-on: ubuntu-latest 
+    runs-on: ubuntu-latest
     steps:
       - name: Install gpg secret key
+        if: matrix.jdk_test_version == matrix.jdk_default_version && github.repository_owner == 'dependency-check'
         id: install-gpg-key
         run: |
-          cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import
+          cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --batch --import
           gpg --list-secret-keys --keyid-format LONG
-      - uses: actions/checkout@v4
-      - name: Check Maven Cache
-        id: maven-cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
-      - name: Check Local Maven Cache
+      - uses: actions/checkout@v6
+      - name: Maven Integration Test Cache
         id: maven-it-cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: maven/target/local-repo
           key: mvn-it-repo
       - name: Check ODC Data Cache
         id: odc-data-cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: core/target/data
           key: odc-data
-      - uses: actions/setup-dotnet@v4.3.1
+      - uses: actions/setup-dotnet@v5.1.0
         with:
           dotnet-version: '8.0.x'
-      - name: Set up JDK 11
-        id: jdk-11
-        uses: actions/setup-java@v4
+      - name: Set up JDKs
+        uses: actions/setup-java@v5
         with:
-          java-version: 11
+          java-version: | # last version takes precedence as default
+            ${{ matrix.jdk_test_version }}
+            ${{ matrix.jdk_default_version }}
           distribution: 'zulu'
-          server-id: ossrh
-          server-username: ${{ secrets.OSSRH_USERNAME }}
-          server-password: ${{ secrets.OSSRH_TOKEN }}
-      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+          check-latest: true
+          cache: 'maven'
+          cache-dependency-path: '**/pom.xml'
+          server-id: central
+          server-username: ${{ secrets.CENTRAL_USER }}
+          server-password: ${{ secrets.CENTRAL_PASSWORD }}
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           version: 6.0.2
-      - name: Build Snapshot with Maven
+      - name: Build/Test Snapshot with Maven${{ steps.install-gpg-key.outcome == 'success' && ' (then Deploy)' || '' }}
         id: build-snapshot
         env:
-          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          MAVEN_USERNAME: ${{ secrets.CENTRAL_USER }}
+          MAVEN_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-        run: mvn -V -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+        run: >
+          mvn -V -s settings.xml 
+          clean verify -PFullIntegrationTesting
+          -Dtoolchain.jdk.test.version=${{ matrix.jdk_test_version }} -Dtoolchain.jdk.test.home="$JAVA_HOME_${{ matrix.jdk_test_version }}_X64"
+          ${{ matrix.jdk_test_version == matrix.jdk_default_version && 'source:jar javadoc:jar site' || '' }}
+          ${{ steps.install-gpg-key.outcome == 'success' && '-Prelease gpg:sign deploy' || '' }} 
+          --no-transfer-progress --batch-mode -Dstyle.color=always
       - name: SARIF Multitool
-        uses: microsoft/sarif-actions@v0.1
+        uses: microsoft/sarif-actions@v0.2
         with:
           # Command to be sent to SARIF Multitool
           command: 'validate core/target/test-reports/Report.sarif'
       - name: Archive IT test logs
         id: archive-logs
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
-          name: it-test-logs
+          name: it-test-logs-jdk-${{ matrix.jdk_test_version }}
           retention-days: 7
           path: maven/target/it/**/build.log
       - name: Archive code coverage results
+        if: matrix.jdk_test_version == matrix.jdk_default_version
         id: archive-coverage
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: code-coverage-report
           retention-days: 7
           path: |
             **/target/jacoco-results/jacoco.xml
             **/target/jacoco-results/**/*.html
       - name: Archive Snapshot
+        if: matrix.jdk_test_version == matrix.jdk_default_version
         id: archive-snapshot
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: archive-snapshot
           retention-days: 7
@@ -100,49 +112,38 @@ jobs:
             ant/target/*.zip
             cli/target/*.zip
 
-  publish_coverage:
-    name: publish code coverage reports  
-    runs-on: ubuntu-latest 
-    needs: build
-    steps:
-      - name: Download coverage reports
-        uses: actions/download-artifact@v4
-        with:
-          name: code-coverage-report
-      - name: Run codacy-coverage-reporter
-        uses: codacy/codacy-coverage-reporter-action@master
-        with:
-          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
-          coverage-reports: utils/target/jacoco-results/jacoco.xml,core/target/jacoco-results/jacoco.xml,maven/target/jacoco-results/jacoco.xml,ant/target/jacoco-results/jacoco.xml,cli/target/jacoco-results/jacoco.xml
-
   docker:
     permissions:
       contents: read # to fetch code (actions/checkout)
 
     name: Build and Test Docker
     runs-on: ubuntu-latest
     needs: build
-    env:
-      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Check Maven Cache
-        id: maven-cache
-        uses: actions/cache@v4
+        uses: actions/checkout@v6
+      - name: Set up JDK
+        uses: actions/setup-java@v5
         with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: |
-            ${{ runner.os }}-maven-
+          java-version: '25'
+          distribution: 'zulu'
+          check-latest: true
+          cache: 'maven'
+          cache-dependency-path: '**/pom.xml'
       - name: Download release build
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v7
         with:
           name: archive-snapshot
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Build Docker Image
-        run: ./build-docker.sh
+        run: ./docker-build.sh
       - name: build scan target
-        run: mvn -V -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode
+        run: >
+          mvn -V -s settings.xml -pl cli -am 
+          package -DskipTests=true
+          --no-transfer-progress --batch-mode -Dstyle.color=always
       - name: Test Docker Image
-        run: ./test-docker.sh
+        run: ./docker-test.sh
@@ -33,11 +33,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     #    uses a compiled language
 
     - run: |
-       mvn -s settings.xml clean package -DskipTests=true --no-transfer-progress --batch-mode
+       mvn -s settings.xml clean package -DskipTests=true --no-transfer-progress --batch-mode -Dstyle.color=always
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
@@ -18,19 +18,20 @@ jobs:
       (github.event.comment.user.login == 'jeremylong' ||
       github.event.comment.user.login == 'aikebah' || 
       github.event.comment.user.login == 'nhumblot' ||
+      github.event.comment.user.login == 'marcelstoer' ||
       github.event.comment.user.login == 'chadlwilson') }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: generatedSuppressions
-      - uses: actions/setup-node@v4.4.0
+      - uses: actions/setup-node@v6.2.0
       - run: |
           npm install fast-xml-parser@4.0.9
           npm install fs
       - name: Commit Suppression Rule
         id: fp-ops-commit
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         with:
           script: |
             const { execSync } = require("child_process");
@@ -117,7 +118,16 @@ jobs:
               if (!fs.existsSync('./suppressions')){
                   fs.mkdirSync('./suppressions');
               }
-              fs.appendFileSync('suppressions/publishedSuppressions.xml', '<?xml version="1.0" encoding="UTF-8"?>\n<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">' + generatedSuppressions + '\n' + suppression.trim() + '\n</suppressions>', function (err) {
+              fs.appendFileSync('suppressions/publishedSuppressions.xml',
+            `<?xml version="1.0" encoding="UTF-8"?>
+            <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
+                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                          xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd
+                                              https://dependency-check.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+            ${generatedSuppressions}
+            ${suppression.trim()}
+            </suppressions>`,
+              function (err) {
                 if (err) throw err;
                 console.log('publishedSuppressions.xml created');
               });
@@ -151,14 +161,14 @@ jobs:
             } 
       - name: Publish Updated Suppressions
         if: ${{ steps.fp-ops-commit.outputs.publish == 'true' }}
-        uses: JamesIves/github-pages-deploy-action@v4.7.3
+        uses: JamesIves/github-pages-deploy-action@v4.8.0
         with:
           branch: gh-pages
           folder: suppressions
           target-folder: suppressions
       - name: Message failure
         if: ${{ failure() || steps.fp-ops-commit.outputs.failed }}
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         with:
           script: |
             github.rest.issues.createComment({
 
@@ -7,6 +7,7 @@ on:
 permissions: {}
 jobs:
   cleanup:
+    if: github.repository_owner == 'dependency-check'
     permissions:
       actions: write  #  to delete workflow runs