[pull] main from jeremylong:main

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,6 +7,9 @@ assignees: ''
 
 ---
 
+**Precondition**
+- [ ] I checked the issues list for existing open or closed reports of the same problem.
+
 **Describe the bug**
 A clear and concise description of what the bug is.
 

.github/ISSUE_TEMPLATE/false-positive-report.yml

@@ -6,28 +6,38 @@ body:
   - type: markdown
     attributes:
       value: |
-        False Positive identified.
+        **Ensure you are using the latest version of dependency-check.**
+
+        **Automation is used to process most false positives reports**; failure to follow these guidelines will delay the process:
+
+          - Only enter a **single (1) Package URL**.
+          - Only enter a **single (1) CPE or CVE**.
+          - If filing a CPE report you do not need to add the CVEs. Note that **most reports should be for incorrectly matched CPEs**.
+
+        If reporting false positives for multiple PURL and/or CPE please file multiple reports.
+
+        Thank you for filing a false positive report!
   - type: input
     id: purl
     attributes:
       label: Package URl
-      description: The identified package URL as identified in the HTML Report.
+      description: Please enter the single identified package URL as identified in the HTML Report. Only a **single PURL** can be specified, if you are reporting more then one - please open two issues using this template.
       placeholder: ex. pkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.12.1 
     validations:
       required: true
   - type: input
     id: cpe
     attributes:
       label: CPE
-      description: The Common Platform enumeration (CPE) as identified in the HTML Report. Please put backtic characters around the CPE to ensure it displays correctly.
+      description: Please enter the single Common Platform enumeration (CPE) as identified in the HTML Report. Only a **single CPE** can be specified. **Please put backtick characters around the CPE to ensure it displays correctly**.
       placeholder: ex. `cpe:2.3:a:apache:log4j:2.12.1:*:*:*:*:*:*:*`
     validations:
       required: true
   - type: input
     id: cve
     attributes:
       label: CVE
-      description: The vulnerability name as identified in the HTML Report. This is optional and may not be needed as most FP reports are due to an incorrect CPE.
+      description: The vulnerability name as identified in the HTML Report. If specifying a CPE this is not necessary; if entered please enter only a **single CVE**; if multiple CVE should be suppressed please enter multiple FP reports. This is optional and may not be needed as most FP reports are due to an incorrect CPE.
       placeholder: ex. CVE-2021-44228
     validations:
       required: false
@@ -58,4 +68,4 @@ body:
       label: Description
       description: Additional information regarding the false positive report.
     validations:
-      required: false
+      required: false

.github/contributing.md

@@ -3,8 +3,8 @@
 ## Reporting Bugs
 
 - Ensure you're running the latest version of dependency-check.
-- Ensure the bug has not [already been reported](https://github.com/jeremylong/DependencyCheck/issues).
-- If you're unable to find an open issue addressing the problem, please [submit a new issue](https://github.com/jeremylong/DependencyCheck/issues/new/choose).
+- Ensure the bug has not [already been reported](https://github.com/dependency-check/DependencyCheck/issues).
+- If you're unable to find an open issue addressing the problem, please [submit a new issue](https://github.com/dependency-check/DependencyCheck/issues/new/choose).
   - Please fill out the appropriate section of the bug report template provided.
   - Delete any sections not needed in the template.
 
@@ -14,13 +14,13 @@
 
 ## Asking Questions
 
-- Your question may be answered by taking a look at the [documentation](https://jeremylong.github.io/DependencyCheck/).
-- Search both the [open and closed issues issues in GitHub](https://github.com/jeremylong/DependencyCheck/issues/)
-- If you still have a question ask a [new question](https://github.com/jeremylong/DependencyCheck/issues/new?assignees=&labels=question&template=ask-a-question.md&title=)
+- Your question may be answered by taking a look at the [documentation](https://dependency-check.github.io/DependencyCheck/).
+- Search both the [open and closed issues issues in GitHub](https://github.com/dependency-check/DependencyCheck/issues/)
+- If you still have a question ask a [new question](https://github.com/dependency-check/DependencyCheck/issues/new?assignees=&labels=question&template=ask-a-question.md&title=)
 
 ## Enhancement Requests
 
-- Suggest changes by [submitting a new issue](https://github.com/jeremylong/DependencyCheck/issues/new?assignees=&labels=enhancement&template=feature_request.md&title=) and begin coding.
+- Suggest changes by [submitting a new issue](https://github.com/dependency-check/DependencyCheck/issues/new?assignees=&labels=enhancement&template=feature_request.md&title=) and begin coding.
 
 ## Contributing Code
 

.github/dependabot.yml

@@ -11,10 +11,4 @@ updates:
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
-      interval: "daily"
-     ignore:
-      # stay .net 3.1
-      - dependency-name: "mcr.microsoft.com/dotnet/runtime"
-        versions:
-          - "5.x"
-          - "6.x"
+     interval: "daily"

.github/pull_request_template.md

@@ -1,8 +1,16 @@
-## Fixes Issue #
-
 ## Description of Change
 
-*Please add a description of the proposed change*
+<!--
+Please add a description of the proposed change
+-->
+
+## Related issues
+
+<!--
+e.g 
+- fixes #xxxx
+- relates to #xxxx
+-->
 
 ## Have test cases been added to cover the new functionality?
 

.github/workflows/build.yml

@@ -20,66 +20,68 @@ jobs:
       - name: Install gpg secret key
         id: install-gpg-key
         run: |
-          cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import
+          cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --batch --import
           gpg --list-secret-keys --keyid-format LONG
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
       - name: Check Maven Cache
         id: maven-cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
       - name: Check Local Maven Cache
         id: maven-it-cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: maven/target/local-repo
           key: mvn-it-repo
       - name: Check ODC Data Cache
         id: odc-data-cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: core/target/data
           key: odc-data
-      - uses: actions/setup-dotnet@v3.0.3
+      - uses: actions/setup-dotnet@v5.0.0
         with:
-          dotnet-version: '6.0.x'
-      - name: Set up JDK 1.8
-        id: jdk-8
-        uses: actions/setup-java@v3
+          dotnet-version: '8.0.x'
+      - name: Set up JDK 11
+        id: jdk-11
+        uses: actions/setup-java@v5
         with:
-          java-version: 8
+          java-version: 11
           distribution: 'zulu'
-          server-id: ossrh
-          server-username: ${{ secrets.OSSRH_USERNAME }}
-          server-password: ${{ secrets.OSSRH_TOKEN }}
-      - uses: pnpm/action-setup@v2.2.4
+          server-id: central
+          server-username: ${{ secrets.CENTRAL_USER }}
+          server-password: ${{ secrets.CENTRAL_PASSWORD }}
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           version: 6.0.2
       - name: Build Snapshot with Maven
         id: build-snapshot
         env:
-          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
-        run: mvn -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+          MAVEN_USERNAME: ${{ secrets.CENTRAL_USER }}
+          MAVEN_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+        run: mvn -V -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode
       - name: SARIF Multitool
-        uses: microsoft/sarif-actions@v0.1
+        uses: microsoft/sarif-actions@v0.2
         with:
           # Command to be sent to SARIF Multitool
           command: 'validate core/target/test-reports/Report.sarif'
       - name: Archive IT test logs
         id: archive-logs
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: it-test-logs
           retention-days: 7
           path: maven/target/it/**/build.log
       - name: Archive code coverage results
         id: archive-coverage
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: code-coverage-report
           retention-days: 7
@@ -88,7 +90,7 @@ jobs:
             **/target/jacoco-results/**/*.html
       - name: Archive Snapshot
         id: archive-snapshot
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: archive-snapshot
           retention-days: 7
@@ -99,20 +101,20 @@ jobs:
             ant/target/*.zip
             cli/target/*.zip
 
-  publish_coverage:
-    name: publish code coverage reports  
-    runs-on: ubuntu-latest 
-    needs: build
-    steps:
-      - name: Download coverage reports
-        uses: actions/download-artifact@v3
-        with:
-          name: code-coverage-report
-      - name: Run codacy-coverage-reporter
-        uses: codacy/codacy-coverage-reporter-action@master
-        with:
-          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
-          coverage-reports: utils/target/jacoco-results/jacoco.xml,core/target/jacoco-results/jacoco.xml,maven/target/jacoco-results/jacoco.xml,ant/target/jacoco-results/jacoco.xml,cli/target/jacoco-results/jacoco.xml
+#  publish_coverage:
+#    name: publish code coverage reports
+#    runs-on: ubuntu-latest
+#    needs: build
+#    steps:
+#      - name: Download coverage reports
+#        uses: actions/download-artifact@v5
+#        with:
+#          name: code-coverage-report
+#      - name: Run codacy-coverage-reporter
+#        uses: codacy/codacy-coverage-reporter-action@master
+#        with:
+#          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+#          coverage-reports: utils/target/jacoco-results/jacoco.xml,core/target/jacoco-results/jacoco.xml,maven/target/jacoco-results/jacoco.xml,ant/target/jacoco-results/jacoco.xml,cli/target/jacoco-results/jacoco.xml
 
   docker:
     permissions:
@@ -126,22 +128,34 @@ jobs:
       DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
       - name: Check Maven Cache
         id: maven-cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
       - name: Download release build
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v5
         with:
           name: archive-snapshot
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v4
+        with:
+          daemon-config: |
+            {
+              "debug": true,
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Build Docker Image
         run: ./build-docker.sh
       - name: build scan target
-        run: mvn -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode
+        run: mvn -V -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode
       - name: Test Docker Image
         run: ./test-docker.sh

.github/workflows/codeql-analysis.yml

@@ -33,11 +33,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -61,4 +61,4 @@ jobs:
        mvn -s settings.xml clean package -DskipTests=true --no-transfer-progress --batch-mode
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v4