chore(deps): update dependency-check-maven.version to v12.2.2

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.owasp:dependency-check-maven (source)	12.1.7 → 12.2.2

---

Release Notes

dependency-check/DependencyCheck (org.owasp:dependency-check-maven)

v12.2.2

Compare Source

NOTE: The database schema was updated to fix #​8466 - if using an external database the update scripts must be run!

• feat: improve Sonatype Guide / OSS Index cache handling and insufficient credits error reporting (#​8451)
• feat: support and prefer githubID vuln identifiers from RetireJS (#​8419)
• fix(db): widen reference URL column to handle long Mozilla CVE URLs (#​8467)
• fix: add corepack to docker image (#​8386)
• fix: bump open-vulnerability-clients to resolve NVD timestamp parsing errors (#​8427)
• fix: de-duplicate and sort both includedBy and projectReferences in reports (#​8440)
• fix: migrate default OSS Index API URL to Sonatype Guide; supporting optional username (#​8404)
• docs: correct missing documentation for Gradle plugin (#​8431)
• docs: tweak docs site structure; documenting missing analyzers (#​8462)
• chore: remove spurious bundle-audit log line when there are no errors (#​8454)
• chore: tidy CHANGELOG formatting (#​8414)
• chore(fp): remove duplicate log4j FP suppressions (#​8468)
• build(deps): bump apache.ant.version from 1.10.16 to 1.10.17 (#​8416)
• build(deps): bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 (#​8465)
• build(deps): bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre (#​8420)
• build(deps): bump com.mysql:mysql-connector-j from 9.6.0 to 9.7.0 (#​8445)
• build(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#​8453)
• build(deps): bump commons-io:commons-io from 2.21.0 to 2.22.0 (#​8448)
• build(deps): bump httpcomponents.client.version from 5.6 to 5.6.1 (#​8432)
• build(deps): bump joda-time:joda-time from 2.14.1 to 2.14.2 (#​8464)
• build(deps): bump org.apache.maven.plugins:maven-invoker-plugin from 3.9.1 to 3.10.0 (#​8452)
• build(deps): bump org.jsoup:jsoup from 1.22.1 to 1.22.2 (#​8437)
• build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 (#​8463)
• build(deps): bump the actions-deps group with 8 updates (#​8472)

See the full listing of changes

v12.2.1

Compare Source

• fix(core): correct xml schema validation handling without needing external access (#​8272)
• fix(deps): upgrade slf4j and logback (#​8306)
• fix(test): disable pnpm analyzer during test (#​8305)
• fix: Correct published/hosted suppressions namespace header and indent (#​8258)
• fix: Suppress noisy WARN logging from Apache Lucene within Maven and Ant plugins (#​8248)
• fix: #​8140 AssemblyAnalyzer version resolution issue (#​8352)
• fix: #​8140 fix version resolution
• fix: #​8140 hint azure_identity_library_for_.net
• fix: #​8356 narrow down VersionFilterAnalyzer scope to JAR files (#​8358)
• fix: correct parsing for CVSSv4 strings with Provider Urgency (#​8377)
• fix: evidence source in Retire JS analyzer (#​8303)
• fix: exclude deprecations from Yarn Berry audit results (#​8380)
• fix: improve PEAnalyzer reliability by migrating to maintained PE/COFF 4J library fork (#​8245)
• fix: improve configuration consistency (casing) (#​8355)
• fix: improve logging of unexpected Java Errors during processing of NVD (#​8250)
• fix: raw type warning in ProcessReader (#​8324)
• fix: suppress false positives for zabbix-utils #​8087 (#​8218)
• fix: update docs (#​8405)
• fix: warn if deprecated configs are used (#​8366)
• docs: define schema locations in XML examples (#​8254)
• docs: document external data sources and hostnames (#​8219)
• docs: ensure OSS Index URL override is consistently documented (#​8338)
• docs: fix minor typo in README (#​8246)
• chore: avoid use of parent pom and maven properties where unnecessary (#​8322)
• chore: bump java development to 25.0 (#​8365)
• chore: fix Charset warnings; preferring typed charsets (#​8326)
• chore: fix Maven scm tags after 12.2.1-SNAPSHOT bump (#​8265)
• chore: pin GitHub actions to specific SHAs rather than mutable tags (#​8381)
• chore: remove unused properties and schemas (#​8378)
• test: Make tests locale independent (#​8328)
• test: #​8140 reproduce current behavior
• test: avoid polluting test classpaths with sample dependencies to be scanned (#​8267)
• build: improve GHA workflow experience for forks (#​8285)
• build: use maven jdk toolchains to build with Java 25; test against Java 11/17/21/25 (#​8292)

See the full listing of changes

v12.2.0

Compare Source

• feat: package and utilize generated suppression file (#​8116)
• feat: override pnpm audit registry parameter (#​8158)
• feat: support multiple cvssBelow thresholds per version (#​2563) (#​8024)
• feat: usage telemetry via scarf (#​8066)
• feat: add new suppression xsd allowing grouping of suppressions (#​7957)
• fix: add hint for Elastic APM Java agent CPE mapping (#​8200)
• fix: Allow NVD data feed metadata downloads to fail on 1st Jan while logging correct errors (#​8205)
• fix: correct XML/JSON report CVSS field & HTML report URL mappings (#​8156)
• fix: log GrokAssembly output when dotnet invocation fails (#​8141)
• fix: correct reliability of Central etc (JCS cache) analyzers on Java 25/Docker by making CLI classpath deterministic (#​8117)
• fix(ant): resolve relative paths against basedir (#​8202)
• fix(ant): resolve paths relative to basedir for suppression and output
• docs: Update & correct README (#​8166)
• docs: update suppression schema version (#​8136)
• docs: fix typos in some files (#​8135)
• chore: remove duplicate suppression rules from base that are in the generated branch (#​8138)
• chore: remove suppression rules that were deleted from the generatedSuppression branch (#​8119)
• build: transition dependency to org.eclipse.parsson groupId (#​8128)

See the full listing of changes

v12.1.9

Compare Source

• fix: correct bundle audit gem in Dockerfile (#​8121)
• fix: normalization during comparisons (#​8046)
• fix(fp): Improve false positive suppression for matches against golang web_project (#​8059)
• fix(fp): Consolidate/update icu4j suppressions for false positives (#​8062)
• fix(fp): Correct GRPC java suppressions for newer C/C++/native false positives (#​8063)
• fix(fp): Suppress false positive CPEs for protobuf-java per #​7854 (#​8064)
• docs: document multiple configurations for gradle (#​8111)
• docs: fix typos in some files (#​8106)
• docs: Update SBT plugin link; fix dead report link (#​8086)
• docs: fix #​8076 - Error in documentation "Suppressing False Positives" (#​8077)
• chore: Replace deprecated lucene methods (#​8079)

See the full listing of changes

v12.1.8

Compare Source

• fix: improve VulnerableSoftware comparison (#​8031)
• docs: Improve Gradle docs wrt experimental analyzers, use of Central and Proxy configuration (#​8036)
• docs: add note about central analyzer for gradle (#​8038)
• build: fix flaky central test (#​8039)

See the full listing of changes

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.