From 8ac6dc5ccab70d2156bbc699f2949f58d070a1e9 Mon Sep 17 00:00:00 2001 From: PauloASilva Date: Thu, 4 Jul 2024 10:55:28 +0100 Subject: [PATCH 01/74] fix(docker): deprecated MAINTAINER instruction --- VMs/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VMs/Dockerfile b/VMs/Dockerfile index a2faa9a6cd..bbc2c22761 100644 --- a/VMs/Dockerfile +++ b/VMs/Dockerfile @@ -1,6 +1,6 @@ # This dockerfile builds a container that pulls down and runs the latest version of BenchmarkJava FROM ubuntu:latest -MAINTAINER "Dave Wichers dave.wichers@owasp.org" +LABEL org.opencontainers.image.authors="Dave Wichers dave.wichers@owasp.org" RUN apt-get update RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata From 63b11d625793134110c482f0a68f2b8368594b58 Mon Sep 17 00:00:00 2001 From: PauloASilva Date: Thu, 4 Jul 2024 10:56:35 +0100 Subject: [PATCH 02/74] fix(docker): legacy "ENV key value" format --- VMs/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VMs/Dockerfile b/VMs/Dockerfile index bbc2c22761..4ee0191ec0 100644 --- a/VMs/Dockerfile +++ b/VMs/Dockerfile @@ -35,7 +35,7 @@ RUN useradd -d /home/bench -m -s /bin/bash bench RUN echo bench:bench | chpasswd RUN chown -R bench /owasp/ -ENV PATH /owasp/BenchmarkJava:$PATH +ENV PATH=/owasp/BenchmarkJava:$PATH # start up Benchmark once, for 60 seconds, then kill it, so the additional dependencies required to run it are downloaded/cached in the image as well. # exit 0 is required to return a 'success' code, otherwise the timeout returns a failure code, causing the Docker build to fail. From 109e3ed19d0b339f4444b198b122ab90cd993449 Mon Sep 17 00:00:00 2001 
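Review bot: The base image two lines above the new LABEL is still `FROM ubuntu:latest`, so every rebuild can silently pick up a different OS release and the image is not reproducible or auditable. The header comment says the intent is to run the latest BenchmarkJava, not the latest Ubuntu, so pin the base to a release tag and, ideally, a digest taken from `docker pull` at the time of the change, e.g. `FROM ubuntu:24.04@sha256:<digest from docker pull>`. The standalone `RUN apt-get update` on the following line also leaves a stale package index cached as its own layer; merge it into the `apt-get install` step that uses it (`RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends tzdata && rm -rf /var/lib/apt/lists/*`). The rest of the Dockerfile is outside this hunk.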
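Review bot: The context three lines above the changed ENV still bakes a fixed, well-known password into the image with `RUN echo bench:bench | chpasswd`, and that credential is then visible to anyone who pulls the image. If nothing in the container needs to log in as `bench`, drop that line and leave the account password-locked as `useradd` creates it; if an interactive login is genuinely required, set the password at container start from a runtime secret rather than at build time. The preceding `RUN chown -R bench /owasp/` also makes the benchmark tree writable by the account that runs it, so a compromised process can modify its own code; prefer `chown -R root:bench` with group read/execute unless the app must write there. The Dockerfile continues outside this hunk, so I cannot confirm a later `USER bench`; if it is absent, add one before the entrypoint so the benchmark does not run as root.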
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Jun 2025 11:51:26 +0000 Subject: [PATCH 03/74] Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.3.1 to 4.9.3.2 Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.3.1 to 4.9.3.2. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.3.1...spotbugs-maven-plugin-4.9.3.2) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.9.3.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index df06267aea..ce857f79e2 100644 --- a/pom.xml +++ b/pom.xml @@ -1249,7 +1249,7 @@ 2.1.0 3.6.10.Final - 4.9.3.1 + 4.9.3.2 4.9.3 5.3.39 From eae3c169fafb86b8a21e9229f7f02c329be07f1b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Jun 2025 14:21:25 +0000 Subject: [PATCH 04/74] Bump org.owasp.esapi:esapi from 2.6.2.0 to 2.7.0.0 Bumps [org.owasp.esapi:esapi](https://github.com/ESAPI/esapi-java-legacy) from 2.6.2.0 to 2.7.0.0. - [Release notes](https://github.com/ESAPI/esapi-java-legacy/releases) - [Changelog](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.0-readme-crypto-changes.html) - [Commits](https://github.com/ESAPI/esapi-java-legacy/compare/esapi-2.6.2.0...esapi-2.7.0.0) --- updated-dependencies: - dependency-name: org.owasp.esapi:esapi dependency-version: 2.7.0.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ce857f79e2..92f8efb105 100644 
--- a/pom.xml +++ b/pom.xml @@ -810,7 +810,7 @@ org.owasp.esapi esapi - 2.6.2.0 + 2.7.0.0 From 520e8d1f6d6303b9c633ceb66cf42efc58988ed8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 2 Jul 2025 11:35:07 +0000 Subject: [PATCH 05/74] Bump org.apache.maven.plugins:maven-enforcer-plugin from 3.5.0 to 3.6.0 Bumps [org.apache.maven.plugins:maven-enforcer-plugin](https://github.com/apache/maven-enforcer) from 3.5.0 to 3.6.0. - [Release notes](https://github.com/apache/maven-enforcer/releases) - [Commits](https://github.com/apache/maven-enforcer/compare/enforcer-3.5.0...enforcer-3.6.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-enforcer-plugin dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 92f8efb105..ce92a56994 100644 --- a/pom.xml +++ b/pom.xml @@ -942,7 +942,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.5.0 + 3.6.0 org.codehaus.mojo From 5aa83203eb40eb9846057e6228e0104477151f5d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Jul 2025 11:21:03 +0000 Subject: [PATCH 06/74] Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.5 to 2.45.0 Bumps [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) from 2.44.5 to 2.45.0. - [Release notes](https://github.com/diffplug/spotless/releases) - [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md) - [Commits](https://github.com/diffplug/spotless/compare/maven/2.44.5...lib/2.45.0) --- updated-dependencies: - dependency-name: com.diffplug.spotless:spotless-maven-plugin dependency-version: 2.45.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ce92a56994..7f49c824ce 100644 --- a/pom.xml +++ b/pom.xml @@ -1104,7 +1104,7 @@ com.diffplug.spotless spotless-maven-plugin - 2.44.5 + 2.45.0 origin/master From b79b28f84977ba1531c793690db72b651aaa89c8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 16 Jul 2025 11:37:01 +0000 Subject: [PATCH 07/74] Bump org.apache.maven.plugins:maven-enforcer-plugin from 3.6.0 to 3.6.1 Bumps [org.apache.maven.plugins:maven-enforcer-plugin](https://github.com/apache/maven-enforcer) from 3.6.0 to 3.6.1. - [Release notes](https://github.com/apache/maven-enforcer/releases) - [Commits](https://github.com/apache/maven-enforcer/compare/enforcer-3.6.0...enforcer-3.6.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-enforcer-plugin dependency-version: 3.6.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7f49c824ce..df276a44b7 100644 --- a/pom.xml +++ b/pom.xml @@ -942,7 +942,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.6.0 + 3.6.1 org.codehaus.mojo From ecbd3a2b316877d86fbac0b82a468b11d0dd8503 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Jul 2025 12:54:59 +0000 Subject: [PATCH 08/74] Bump commons-io:commons-io from 2.19.0 to 2.20.0 Bumps [commons-io:commons-io](https://github.com/apache/commons-io) from 2.19.0 to 2.20.0. - [Changelog](https://github.com/apache/commons-io/blob/master/RELEASE-NOTES.txt) - [Commits](https://github.com/apache/commons-io/compare/rel/commons-io-2.19.0...rel/commons-io-2.20.0) --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-version: 2.20.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7f49c824ce..35563f9098 100644 --- a/pom.xml +++ b/pom.xml @@ -637,7 +637,7 @@ commons-io commons-io - 2.19.0 + 2.20.0 From e1dcc84663da642f8ae4bdcdca5b8d84bb7ac91a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Jul 2025 12:57:58 +0000 Subject: [PATCH 09/74] Bump com.fasterxml.jackson.core:jackson-databind from 2.19.1 to 2.19.2 Bumps [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson) from 2.19.1 to 2.19.2. - [Commits](https://github.com/FasterXML/jackson/commits) --- updated-dependencies: - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-version: 2.19.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7f49c824ce..3f00dea646 100644 --- a/pom.xml +++ b/pom.xml @@ -854,7 +854,7 @@ com.fasterxml.jackson.core jackson-databind - 2.19.1 + 2.19.2 From d9348d65f2c42de28e8cca604f2cbea51fd80c6a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Jul 2025 11:32:26 +0000 Subject: [PATCH 10/74] Bump com.diffplug.spotless:spotless-maven-plugin from 2.45.0 to 2.46.1 Bumps [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) from 2.45.0 to 2.46.1. - [Release notes](https://github.com/diffplug/spotless/releases) - [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md) - [Commits](https://github.com/diffplug/spotless/compare/lib/2.45.0...maven/2.46.1) --- updated-dependencies: - dependency-name: com.diffplug.spotless:spotless-maven-plugin dependency-version: 2.46.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7f49c824ce..90c69b28c3 100644 --- a/pom.xml +++ b/pom.xml @@ -1104,7 +1104,7 @@ com.diffplug.spotless spotless-maven-plugin - 2.45.0 + 2.46.1 origin/master From d087c0cae9810e5c8c3a3be34bb440c1d7aac349 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 23 Jul 2025 11:17:47 +0000 Subject: [PATCH 11/74] Bump commons-codec:commons-codec from 1.18.0 to 1.19.0 Bumps [commons-codec:commons-codec](https://github.com/apache/commons-codec) from 1.18.0 to 1.19.0. - [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt) - [Commits](https://github.com/apache/commons-codec/compare/rel/commons-codec-1.18.0...rel/commons-codec-1.19.0) --- updated-dependencies: - dependency-name: commons-codec:commons-codec dependency-version: 1.19.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7f49c824ce..c4eb3cd295 100644 --- a/pom.xml +++ b/pom.xml 
@@ -624,7 +624,7 @@ commons-codec commons-codec - 1.18.0 + 1.19.0 From a8a92a38af5928146752029b980f70effe620724 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Aug 2025 16:09:09 +0000 Subject: [PATCH 12/74] Bump com.github.spotbugs:spotbugs from 4.9.3 to 4.9.4 Bumps [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) from 4.9.3 to 4.9.4. - [Release notes](https://github.com/spotbugs/spotbugs/releases) - [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md) - [Commits](https://github.com/spotbugs/spotbugs/compare/4.9.3...4.9.4) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs dependency-version: 4.9.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index a7eecb8c90..8078c86e8d 100644 --- a/pom.xml +++ b/pom.xml @@ -1250,7 +1250,7 @@ 3.6.10.Final 4.9.3.2 - 4.9.3 + 4.9.4 5.3.39 From fb9e3c7f6e4d10a33d14f32eb493d3c73331ec6d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Aug 2025 17:10:46 +0000 Subject: [PATCH 13/74] Bump org.codehaus.cargo:cargo-maven3-plugin from 1.10.20 to 1.10.21 Bumps org.codehaus.cargo:cargo-maven3-plugin from 1.10.20 to 1.10.21. --- updated-dependencies: - dependency-name: org.codehaus.cargo:cargo-maven3-plugin dependency-version: 1.10.21 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index a7eecb8c90..7cba36072b 100644 --- a/pom.xml +++ b/pom.xml @@ -1053,7 +1053,7 @@ org.codehaus.cargo cargo-maven3-plugin - 1.10.20 + 1.10.21 From 87aad4533500347f3ae898af62f32a9983a99f06 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Aug 2025 21:32:59 +0000 Subject: [PATCH 14/74] Bump actions/checkout from 4 to 5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/maven.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5f97798420..e0f09d5abd 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 # Get full history for spotless ratchetFrom with: fetch-depth: 0 diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml index 2997beeb28..91fef81d6e 100644 --- a/.github/workflows/maven.yaml +++ b/.github/workflows/maven.yaml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: fetch-depth: 0 - name: Set up JDK 11 From 9b45fb60ef7cbfd9d234968ea39aa94f35fc14ec Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Aug 2025 11:23:00 +0000 Subject: [PATCH 15/74] Bump actions/setup-java from 4 to 5 Bumps [actions/setup-java](https://github.com/actions/setup-java) from 4 to 5. - [Release notes](https://github.com/actions/setup-java/releases) - [Commits](https://github.com/actions/setup-java/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/setup-java dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/maven.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml index 91fef81d6e..dde78ebc51 100644 --- a/.github/workflows/maven.yaml +++ b/.github/workflows/maven.yaml @@ -12,7 +12,7 @@ jobs: with: fetch-depth: 0 - name: Set up JDK 11 - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: java-version: '11' distribution: 'zulu' From 21b66e647b70e815b8cddf6e8f1e48ac92bfaab7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Aug 2025 11:07:21 +0000 Subject: [PATCH 16/74] Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.3.2 to 4.9.4.0 Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.3.2 to 4.9.4.0. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.3.2...spotbugs-maven-plugin-4.9.4.0) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.9.4.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index d79d887efb..8c48df51f6 100644 
--- a/pom.xml +++ b/pom.xml @@ -1249,7 +1249,7 @@ 2.1.0 3.6.10.Final - 4.9.3.2 + 4.9.4.0 4.9.4 5.3.39 From fc267b1dd86565e0d5f1e0be9bd0b015052c0e1f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 29 Aug 2025 11:05:47 +0000 Subject: [PATCH 17/74] Bump com.fasterxml.jackson.core:jackson-databind from 2.19.2 to 2.20.0 Bumps [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson) from 2.19.2 to 2.20.0. - [Commits](https://github.com/FasterXML/jackson/commits) --- updated-dependencies: - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-version: 2.20.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8c48df51f6..25aa499373 100644 --- a/pom.xml +++ b/pom.xml @@ -854,7 +854,7 @@ com.fasterxml.jackson.core jackson-databind - 2.19.2 + 2.20.0 From 16cea00210c826d4a0786b8a82ee6890b71d4958 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Sep 2025 23:40:20 +0000 Subject: [PATCH 18/74] Bump org.apache.httpcomponents.core5:httpcore5 from 5.3.4 to 5.3.5 Bumps [org.apache.httpcomponents.core5:httpcore5](https://github.com/apache/httpcomponents-core) from 5.3.4 to 5.3.5. - [Changelog](https://github.com/apache/httpcomponents-core/blob/rel/v5.3.5/RELEASE_NOTES.txt) - [Commits](https://github.com/apache/httpcomponents-core/compare/rel/v5.3.4...rel/v5.3.5) --- updated-dependencies: - dependency-name: org.apache.httpcomponents.core5:httpcore5 dependency-version: 5.3.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 25aa499373..d4d2d60a0c 100644 --- a/pom.xml +++ b/pom.xml 
@@ -771,7 +771,7 @@ org.apache.httpcomponents.core5 httpcore5 - 5.3.4 + 5.3.5 From 638cefef1e41d5dd2cf5e917a1842d8c9a008603 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Sep 2025 07:10:44 +0000 Subject: [PATCH 19/74] Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.4.0 to 4.9.4.1 Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.4.0 to 4.9.4.1. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.4.0...spotbugs-maven-plugin-4.9.4.1) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.9.4.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 25aa499373..d5d89f31df 100644 --- a/pom.xml +++ b/pom.xml @@ -1249,7 +1249,7 @@ 2.1.0 3.6.10.Final - 4.9.4.0 + 4.9.4.1 4.9.4 5.3.39 From 20b5b54999a2dde3cb6c3525ff3e45d2239cf26d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Sep 2025 11:05:49 +0000 Subject: [PATCH 20/74] Bump org.codehaus.mojo:versions-maven-plugin from 2.18.0 to 2.19.0 Bumps [org.codehaus.mojo:versions-maven-plugin](https://github.com/mojohaus/versions) from 2.18.0 to 2.19.0. - [Release notes](https://github.com/mojohaus/versions/releases) - [Changelog](https://github.com/mojohaus/versions/blob/master/ReleaseNotes.md) - [Commits](https://github.com/mojohaus/versions/compare/2.18.0...2.19.0) --- updated-dependencies: - dependency-name: org.codehaus.mojo:versions-maven-plugin dependency-version: 2.19.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ac681469d3..9dcbfc7ae8 100644 --- a/pom.xml +++ b/pom.xml @@ -1059,7 +1059,7 @@ org.codehaus.mojo versions-maven-plugin - 2.18.0 + 2.19.0 From 18aed35cea21971c190cf564e0505a03abcc3fe1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 11:21:52 +0000 Subject: [PATCH 21/74] Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.4.1 to 4.9.4.2 Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.4.1 to 4.9.4.2. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.4.1...spotbugs-maven-plugin-4.9.4.2) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.9.4.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 9dcbfc7ae8..8875ef6d94 100644 --- a/pom.xml +++ b/pom.xml @@ -1249,7 +1249,7 @@ 2.1.0 3.6.10.Final - 4.9.4.1 + 4.9.4.2 4.9.4 5.3.39 From bececc20c4487f5b8b2dc5749fe8a87161607f75 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Sep 2025 12:19:07 +0000 Subject: [PATCH 22/74] Bump com.github.spotbugs:spotbugs from 4.9.4 to 4.9.5 Bumps [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) from 4.9.4 to 4.9.5. - [Release notes](https://github.com/spotbugs/spotbugs/releases) - [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md) - [Commits](https://github.com/spotbugs/spotbugs/compare/4.9.4...4.9.5) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs dependency-version: 4.9.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8875ef6d94..908e94ee30 100644 --- a/pom.xml +++ b/pom.xml @@ -1250,7 +1250,7 @@ 3.6.10.Final 4.9.4.2 - 4.9.4 + 4.9.5 5.3.39 From 2664051b8b6f6a020d0eded7294dcddff315e5a6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Sep 2025 12:20:04 +0000 Subject: [PATCH 23/74] Bump org.codehaus.cargo:cargo-maven3-plugin from 1.10.21 to 1.10.22 Bumps org.codehaus.cargo:cargo-maven3-plugin from 1.10.21 to 1.10.22. --- updated-dependencies: - dependency-name: org.codehaus.cargo:cargo-maven3-plugin dependency-version: 1.10.22 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8875ef6d94..898f733f01 100644 --- a/pom.xml +++ b/pom.xml @@ -1053,7 +1053,7 @@ org.codehaus.cargo cargo-maven3-plugin - 1.10.21 + 1.10.22 From cb8a418bc00b0ad262e3f01e110eb57b9d4c5be4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Sep 2025 12:20:50 +0000 Subject: [PATCH 24/74] Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.4 Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.5.3 to 3.5.4. - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.5.3...surefire-3.5.4) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-version: 3.5.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8875ef6d94..87f152441e 100644 --- a/pom.xml +++ b/pom.xml @@ -1038,7 +1038,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.5.3 + 3.5.4 From 2ba07818825c5e828c3dd46266eeade1048a54d3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Sep 2025 11:04:17 +0000 Subject: [PATCH 25/74] Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.4.2 to 4.9.5.0 Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.4.2 to 4.9.5.0. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.4.2...spotbugs-maven-plugin-4.9.5.0) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.9.5.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1c2ef1fa80..6ab8d4f9ac 100644 --- a/pom.xml +++ b/pom.xml 
@@ -1249,7 +1249,7 @@ 2.1.0 3.6.10.Final - 4.9.4.2 + 4.9.5.0 4.9.5 5.3.39 From 2e430b2d8060b0011b93bc8af277a7e09dde7812 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Sep 2025 11:06:29 +0000 Subject: [PATCH 26/74] Bump com.github.spotbugs:spotbugs from 4.9.5 to 4.9.6 Bumps [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) from 4.9.5 to 4.9.6. - [Release notes](https://github.com/spotbugs/spotbugs/releases) - [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md) - [Commits](https://github.com/spotbugs/spotbugs/compare/4.9.5...4.9.6) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs dependency-version: 4.9.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 6ab8d4f9ac..6dc106072b 100644 --- a/pom.xml +++ b/pom.xml @@ -1250,7 +1250,7 @@ 3.6.10.Final 4.9.5.0 - 4.9.5 + 4.9.6 5.3.39 From 74b56496889dbf2fd12a60a2f3a4dde24a6ca99f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Sep 2025 11:05:46 +0000 Subject: [PATCH 27/74] Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.5.0 to 4.9.6.0 Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.5.0 to 4.9.6.0. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.5.0...spotbugs-maven-plugin-4.9.6.0) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.9.6.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pom.xml b/pom.xml index 6dc106072b..2e6ca42ff6 100644 --- a/pom.xml +++ b/pom.xml @@ -1249,7 +1249,7 @@ 2.1.0 3.6.10.Final - 4.9.5.0 + 4.9.6.0 4.9.6 5.3.39 From c9304de8113fd6d11e99579c3314e3e32df54251 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 11:17:33 +0000 Subject: [PATCH 28/74] Bump org.codehaus.mojo:versions-maven-plugin from 2.19.0 to 2.19.1 Bumps [org.codehaus.mojo:versions-maven-plugin](https://github.com/mojohaus/versions) from 2.19.0 to 2.19.1. - [Release notes](https://github.com/mojohaus/versions/releases) - [Changelog](https://github.com/mojohaus/versions/blob/master/ReleaseNotes.md) - [Commits](https://github.com/mojohaus/versions/compare/2.19.0...2.19.1) --- updated-dependencies: - dependency-name: org.codehaus.mojo:versions-maven-plugin dependency-version: 2.19.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 2e6ca42ff6..23c7df6a86 100644 --- a/pom.xml +++ b/pom.xml @@ -1059,7 +1059,7 @@ org.codehaus.mojo versions-maven-plugin - 2.19.0 + 2.19.1 From 37b4f5dc7d5d6fb5e7afa80b71fe40c3cee3455a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 11:20:12 +0000 Subject: [PATCH 29/74] Bump org.apache.maven.plugins:maven-compiler-plugin Bumps [org.apache.maven.plugins:maven-compiler-plugin](https://github.com/apache/maven-compiler-plugin) from 3.14.0 to 3.14.1. - [Release notes](https://github.com/apache/maven-compiler-plugin/releases) - [Commits](https://github.com/apache/maven-compiler-plugin/compare/maven-compiler-plugin-3.14.0...maven-compiler-plugin-3.14.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-compiler-plugin dependency-version: 3.14.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 2e6ca42ff6..d914c6024b 100644 --- a/pom.xml +++ b/pom.xml @@ -924,7 +924,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.14.0 + 3.14.1 true 1000m From d6765488eba221b105cc22b56ae342fbb04126d9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 11:23:48 +0000 Subject: [PATCH 30/74] Bump org.apache.httpcomponents.core5:httpcore5 from 5.3.5 to 5.3.6 Bumps [org.apache.httpcomponents.core5:httpcore5](https://github.com/apache/httpcomponents-core) from 5.3.5 to 5.3.6. - [Changelog](https://github.com/apache/httpcomponents-core/blob/rel/v5.3.6/RELEASE_NOTES.txt) - [Commits](https://github.com/apache/httpcomponents-core/compare/rel/v5.3.5...rel/v5.3.6) --- updated-dependencies: - dependency-name: org.apache.httpcomponents.core5:httpcore5 dependency-version: 5.3.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 2e6ca42ff6..515cc8047e 100644 --- a/pom.xml +++ b/pom.xml 
@@ -771,7 +771,7 @@ org.apache.httpcomponents.core5 httpcore5 - 5.3.5 + 5.3.6 From 846a7c7e2152cbb72d09aed1a291b7e004b2a248 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Thu, 25 Sep 2025 09:41:05 -0500 Subject: [PATCH 31/74] Upgrade Tomcat 9 to latest version. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 5d9baa9bb3..7913294488 100644 --- a/pom.xml +++ b/pom.xml @@ -1255,7 +1255,7 @@ 5.3.39 9 - 9.0.97 + 9.0.109 https://archive.apache.org/dist/tomcat/tomcat-${tomcat.major.version}/v${version.tomcat}/bin/apache-tomcat-${version.tomcat}.zip From 5bd80cf2d69bd999795a947874fa291746cbec7b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Sep 2025 15:08:13 +0000 Subject: [PATCH 32/74] Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.5 to 5.5.1. - [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.5.1/RELEASE_NOTES.txt) - [Commits](https://github.com/apache/httpcomponents-client/compare/rel/v5.5...rel/v5.5.1) --- updated-dependencies: - dependency-name: org.apache.httpcomponents.client5:httpclient5 dependency-version: 5.5.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7913294488..00194e8506 100644 --- a/pom.xml +++ b/pom.xml @@ -765,7 +765,7 @@ org.apache.httpcomponents.client5 httpclient5 - 5.5 + 5.5.1 From 96aee6695fbced0847cf38295a7e320ce5ad351a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Oct 2025 11:04:52 +0000 Subject: [PATCH 33/74] Bump org.apache.maven.plugins:maven-enforcer-plugin from 3.6.1 to 3.6.2 Bumps [org.apache.maven.plugins:maven-enforcer-plugin](https://github.com/apache/maven-enforcer) from 3.6.1 to 3.6.2. - [Release notes](https://github.com/apache/maven-enforcer/releases) - [Commits](https://github.com/apache/maven-enforcer/compare/enforcer-3.6.1...enforcer-3.6.2) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-enforcer-plugin dependency-version: 3.6.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 00194e8506..3dc003dc42 100644 --- a/pom.xml +++ b/pom.xml @@ -942,7 +942,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.6.1 + 3.6.2 org.codehaus.mojo From 946daf203c02209024dd405a2fcf2b1fad153e4e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 3 Oct 2025 11:07:35 +0000 Subject: [PATCH 34/74] Bump org.apache.maven.plugins:maven-dependency-plugin Bumps [org.apache.maven.plugins:maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.8.1 to 3.9.0. - [Release notes](https://github.com/apache/maven-dependency-plugin/releases) - [Commits](https://github.com/apache/maven-dependency-plugin/compare/maven-dependency-plugin-3.8.1...maven-dependency-plugin-3.9.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-dependency-plugin dependency-version: 3.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 00194e8506..5a4f4affb7 100644 --- a/pom.xml +++ b/pom.xml 
@@ -890,7 +890,7 @@ org.apache.maven.plugins maven-dependency-plugin - 3.8.1 + 3.9.0 com.sun.jersey:jersey-servlet From dffaae9da09be4332f75c21288515c841db913ef Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 11:40:52 +0000 Subject: [PATCH 35/74] Bump org.codehaus.mojo:extra-enforcer-rules from 1.10.0 to 1.11.0 Bumps [org.codehaus.mojo:extra-enforcer-rules](https://github.com/mojohaus/extra-enforcer-rules) from 1.10.0 to 1.11.0. - [Release notes](https://github.com/mojohaus/extra-enforcer-rules/releases) - [Commits](https://github.com/mojohaus/extra-enforcer-rules/compare/1.10.0...1.11.0) --- updated-dependencies: - dependency-name: org.codehaus.mojo:extra-enforcer-rules dependency-version: 1.11.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 00194e8506..43c0364fc8 100644 --- a/pom.xml +++ b/pom.xml @@ -947,7 +947,7 @@ org.codehaus.mojo extra-enforcer-rules - 1.10.0 + 1.11.0 From 28a9ea35dc568d85c8d28b7da6e4e25893e3ebf5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 Oct 2025 11:15:53 +0000 Subject: [PATCH 36/74] Bump github/codeql-action from 3 to 4 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v3...v4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e0f09d5abd..bd90fbab5f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -34,7 +34,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} queries: security-extended, security-experimental, security-and-quality @@ -43,7 +43,7 @@ jobs: run: mvn -DskipTests=true install - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 - name: Upload Output uses: actions/upload-artifact@v4 From b259a1fe0d24ff6c1c317be73e451e1ed04c2c59 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 11:52:33 +0000 Subject: [PATCH 37/74] Bump org.apache.maven.plugins:maven-pmd-plugin from 3.27.0 to 3.28.0 Bumps [org.apache.maven.plugins:maven-pmd-plugin](https://github.com/apache/maven-pmd-plugin) from 3.27.0 to 3.28.0. - [Release notes](https://github.com/apache/maven-pmd-plugin/releases) - [Commits](https://github.com/apache/maven-pmd-plugin/compare/maven-pmd-plugin-3.27.0...maven-pmd-plugin-3.28.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-pmd-plugin dependency-version: 3.28.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index b465e7b6c0..48e0425844 100644 --- a/pom.xml +++ b/pom.xml @@ -1005,7 +1005,7 @@ org.apache.maven.plugins maven-pmd-plugin - 3.27.0 + 3.28.0 From eacbd3c08afc34fe2c99d6e26af9a784f273a9d5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 11:53:13 +0000 Subject: [PATCH 38/74] Bump org.codehaus.cargo:cargo-maven3-plugin from 1.10.22 to 1.10.23 Bumps org.codehaus.cargo:cargo-maven3-plugin from 1.10.22 to 1.10.23. --- updated-dependencies: - dependency-name: org.codehaus.cargo:cargo-maven3-plugin dependency-version: 1.10.23 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index b465e7b6c0..098dc0b81b 100644 --- a/pom.xml +++ b/pom.xml @@ -1053,7 +1053,7 @@ org.codehaus.cargo cargo-maven3-plugin - 1.10.22 + 1.10.23 From e4b59d521211660bfaeccd54f2642fdfd0a08c0f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Oct 2025 11:06:09 +0000 Subject: [PATCH 39/74] Bump com.github.spotbugs:spotbugs from 4.9.6 to 4.9.7 Bumps [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) from 4.9.6 to 4.9.7. - [Release notes](https://github.com/spotbugs/spotbugs/releases) - [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md) - [Commits](https://github.com/spotbugs/spotbugs/compare/4.9.6...4.9.7) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs dependency-version: 4.9.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ca95964fd6..e1beb2428b 100644 --- a/pom.xml +++ b/pom.xml @@ -1250,7 +1250,7 @@ 3.6.10.Final 4.9.6.0 - 4.9.6 + 4.9.7 5.3.39 From 3f099ccc34ddb8014e0e17c91e2011cc4db0941d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Oct 2025 13:29:06 +0000 Subject: [PATCH 40/74] Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.6.0 to 4.9.7.0 Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.6.0 to 4.9.7.0. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.6.0...spotbugs-maven-plugin-4.9.7.0) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.9.7.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index e1beb2428b..082019f66f 100644 --- a/pom.xml +++ b/pom.xml @@ -1249,7 +1249,7 @@ 2.1.0 3.6.10.Final - 4.9.6.0 + 4.9.7.0 4.9.7 5.3.39 From 8b172012652e78efc4e30e1cfdf7d518aa362774 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 16 Oct 2025 11:05:07 +0000 Subject: [PATCH 41/74] Bump org.codehaus.cargo:cargo-maven3-plugin from 1.10.23 to 1.10.24 Bumps org.codehaus.cargo:cargo-maven3-plugin from 1.10.23 to 1.10.24. --- updated-dependencies: - dependency-name: org.codehaus.cargo:cargo-maven3-plugin dependency-version: 1.10.24 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 082019f66f..58c6e4df9d 100644 --- a/pom.xml +++ b/pom.xml @@ -1053,7 +1053,7 @@ org.codehaus.cargo cargo-maven3-plugin - 1.10.23 + 1.10.24 From 65a053142e4b6a748ef33ed84447e66eaac54dcb Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Oct 2025 11:57:55 +0000 Subject: [PATCH 42/74] Bump com.github.spotbugs:spotbugs from 4.9.7 to 4.9.8 Bumps [com.github.spotbugs:spotbugs](https://github.com/spotbugs/spotbugs) from 4.9.7 to 4.9.8. - [Release notes](https://github.com/spotbugs/spotbugs/releases) - [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md) - [Commits](https://github.com/spotbugs/spotbugs/compare/4.9.7...4.9.8) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs dependency-version: 4.9.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 58c6e4df9d..79b09666ae 100644 --- a/pom.xml +++ b/pom.xml @@ -1250,7 +1250,7 @@ 3.6.10.Final 4.9.7.0 - 4.9.7 + 4.9.8 5.3.39 From 6eef016ce92ff99e7eea84c552e876a0587e6d65 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Oct 2025 12:00:53 +0000 Subject: [PATCH 43/74] Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.7.0 to 4.9.8.1 Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.7.0 to 4.9.8.1. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.7.0...spotbugs-maven-plugin-4.9.8.1) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.9.8.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 58c6e4df9d..5adc96c1b2 100644 --- a/pom.xml +++ b/pom.xml 
@@ -1249,7 +1249,7 @@ 2.1.0 3.6.10.Final - 4.9.7.0 + 4.9.8.1 4.9.7 5.3.39 From 7255141fd1609c8df16872dfeff8cf0c33cc0d8c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 21 Oct 2025 11:05:17 +0000 Subject: [PATCH 44/74] Bump org.apache.maven.plugins:maven-antrun-plugin from 3.1.0 to 3.2.0 Bumps [org.apache.maven.plugins:maven-antrun-plugin](https://github.com/apache/maven-antrun-plugin) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/apache/maven-antrun-plugin/releases) - [Commits](https://github.com/apache/maven-antrun-plugin/compare/maven-antrun-plugin-3.1.0...maven-antrun-plugin-3.2.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-antrun-plugin dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 5e30279b0d..4602b944bf 100644 --- a/pom.xml +++ b/pom.xml @@ -880,7 +880,7 @@ org.apache.maven.plugins maven-antrun-plugin - 3.1.0 + 3.2.0 org.apache.maven.plugins From 25d3b02824f7c42d62602cc560c9ca66ad50d19d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Oct 2025 12:08:05 +0000 Subject: [PATCH 45/74] Bump org.apache.maven.plugins:maven-war-plugin from 3.4.0 to 3.5.0 Bumps [org.apache.maven.plugins:maven-war-plugin](https://github.com/apache/maven-war-plugin) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/apache/maven-war-plugin/releases) - [Commits](https://github.com/apache/maven-war-plugin/compare/maven-war-plugin-3.4.0...maven-war-plugin-3.5.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-war-plugin dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 4602b944bf..a44e90f7cd 100644 --- a/pom.xml +++ b/pom.xml @@ -1044,7 +1044,7 @@ org.apache.maven.plugins maven-war-plugin - 3.4.0 + 3.5.0 ${maven.war.webxml} From 68b0dd9c0690a2be1bdc3a89fe334a27533fbf85 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Oct 2025 12:22:33 +0000 Subject: [PATCH 46/74] Bump actions/upload-artifact from 4 to 5 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index bd90fbab5f..b6ca923ef9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -46,7 +46,7 @@ jobs: uses: github/codeql-action/analyze@v4 - name: Upload Output - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: ${{ matrix.language }} SARIF path: ${{ runner.workspace }}/results/*.sarif From 096d215c82ec7ea1f08bc6def93a7245ecd7135e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 31 Oct 2025 11:04:40 +0000 Subject: [PATCH 47/74] Bump com.fasterxml.jackson.core:jackson-databind from 2.20.0 to 2.20.1 Bumps [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson) from 2.20.0 to 2.20.1. - [Commits](https://github.com/FasterXML/jackson/commits) --- updated-dependencies: - dependency-name: com.fasterxml.jackson.core:jackson-databind dependency-version: 2.20.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index a44e90f7cd..1a8cce2f99 100644 --- a/pom.xml +++ b/pom.xml @@ -854,7 +854,7 @@ com.fasterxml.jackson.core jackson-databind - 2.20.0 + 2.20.1 From 124473582f0a93425b121aae7b1d5905aeedc2d1 Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Fri, 31 Oct 2025 15:02:06 -0400 Subject: [PATCH 48/74] Fix runBearer.sh script so docker now works in the tighter/more constrained permissions environment on Linux. --- scripts/runBearer.sh | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/scripts/runBearer.sh b/scripts/runBearer.sh index 950b1a192a..3a9ccd560f 100755 --- a/scripts/runBearer.sh +++ b/scripts/runBearer.sh @@ -2,6 +2,9 @@ # Check for install/updates at https://github.com/bearer/bearer +# For this script to work, you need to change the permissions on the results/ directory to 777 +# so docker can write the results file into the results/ folder + source scripts/requireCommand.sh requireCommand docker 
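Review bot: The added comment tells users to set results/ to mode 777, which makes the directory writable by every account on the host, so any local user can replace or tamper with the scan output that is later scored. A narrower setup that achieves the same goal is a group-writable results/ shared with the container's user, or running the scan with `--user "$(id -u):$(id -g)"`; the second hunk of this patch notes that the latter trips git's dubious-ownership check, which (if the image's git is recent enough) can be satisfied by passing the safe.directory setting through the environment, e.g. `-e GIT_CONFIG_COUNT=1 -e GIT_CONFIG_KEY_0=safe.directory -e GIT_CONFIG_VALUE_0=/benchmark`, rather than by loosening filesystem permissions. At minimum the comment should mark 777 as a workaround to be undone afterwards: `# NOTE: 777 makes results/ world-writable; prefer a group-writable dir or --user, and tighten it again after the run`.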
@@ -10,6 +13,17 @@ docker pull bearer/bearer --platform linux/amd64 benchmark_version=$(scripts/getBenchmarkVersion.sh) bearer_version=$(docker run --platform linux/amd64 bearer/bearer bearer --version | grep -o '[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+') -result_file="/src/results/Benchmark_$benchmark_version-Bearer-v$bearer_version.json" +result_file="results/Benchmark_$benchmark_version-Bearer-v$bearer_version.json" +temp_result_file="$result_file.tmp" +docker_result_file="/benchmark/$temp_result_file" + +# if you set the Docker userid to match the current user id with: --user $(id -u):$(id -g) you get a suspicious git repository error +docker run --platform linux/amd64 --rm -v "${PWD}:/benchmark" bearer/bearer scan /benchmark/src/main/ --format jsonv2 --output "$docker_result_file" > /dev/null + +# Because the docker userid and current user ID might be different, we write the Bearer result to a temp file. +# Then copy it to the desired file name, and then delete the temp file. +# +# We can't just chown the file to the right user ID as Unix won't allow that. +cp $temp_result_file $result_file +rm -f $temp_result_file -docker run --platform linux/amd64 --rm -v "${PWD}:/src" bearer/bearer scan /src/src/main/ --format jsonv2 --output "$result_file" > /dev/null From 2665e65228fdf6b794d4cce4e5ade2f77e26cc71 Mon Sep 17 00:00:00 2001 From: davewichers Date: Sat, 1 Nov 2025 14:57:51 -0400 Subject: [PATCH 49/74] Minor tweaks to runCodeQL.sh and README. --- README.md | 12 +++++++++--- scripts/runCodeQL.sh | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 8df3d4ffa1..881f16f85a 100644 --- a/README.md +++ b/README.md 
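Review bot: The new `cp $temp_result_file $result_file` and `rm -f $temp_result_file` lines leave both variables unquoted, while the same value is quoted on the docker run line above (`"$docker_result_file"`); since `result_file` embeds two command substitutions, quote them consistently: `cp "$temp_result_file" "$result_file" && rm -f "$temp_result_file"`. Nothing verifies that the docker run actually produced the temp file before the copy: its stdout is discarded and no `set -e` is visible in this hunk, so a failed scan prints a cp error and the script still ends with the exit status of `rm -f`, i.e. success; appending `|| exit 1` to the docker run line, or chaining the copy onto it with `&&`, makes a missing result fatal. The comment block explaining the temp file could also say why `mv` is deliberately not used, since a same-filesystem rename keeps the root-owned inode and defeats the purpose: `# cp (not mv) so the final file is created by, and owned by, the invoking user`.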
@@ -1,6 +1,12 @@ -# OWASP Benchmark -The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like ZAP), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so its a fair test for any kind of application vulnerability detection tool. The Benchmark also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time. +# OWASP Benchmark for Java +The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like ZAP), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so it's a fair test for any kind of application vulnerability detection tool. + +The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which is at: https://github.com/OWASP/BenchmarkUtils. The project documentation is all on the OWASP site at the OWASP Benchmark project pages. Please refer to that site for all the project details. -The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP/Benchmark/releases are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull). +The current latest release is v1.2. 
Note that all the releases that are available here: https://github.com/OWASP/BenchmarkJava/releases, are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull). + +Running Benchmark Itself: +* runBenchmark.sh - run the Benchmark Web Application (accessible via local machine only) +* runRemoteAccessibleBenchmark.sh - like the above but allows port 8443 to be accessible outside the machine Benchmark is running on. diff --git a/scripts/runCodeQL.sh b/scripts/runCodeQL.sh index e85b1b0966..925040919f 100755 --- a/scripts/runCodeQL.sh +++ b/scripts/runCodeQL.sh @@ -9,7 +9,7 @@ ## For Rosetta 2, run: lsbom -f /Library/Apple/System/Library/Receipts/com.apple.pkg.RosettaUpdateAuto.bom - And if it returns a list of files, it's installed. # This then runs the CodeQL scan: -## The following CodeQL query is a big complex. I had to raise an issue with the CodeQL team to figure out how to do this. +## The following CodeQL query is a bit complex. I had to raise an issue with the CodeQL team to figure out how to do this. ## The issue raised and the answer that documents this query is here: https://github.com/github/codeql/issues/18518#issuecomment-2730684184 benchmark_version=$(scripts/getBenchmarkVersion.sh) ../../tools/codeql-home/codeql/codeql database analyze owasp-benchmark codeql/java-queries:codeql-suites/java-security-extended.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-security-extended.sarif -j0 --download From 63e07adc4c6d69c90f643951ae893d66314dee7f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 6 Nov 2025 11:04:57 +0000 Subject: [PATCH 50/74] Bump commons-codec:commons-codec from 1.19.0 to 1.20.0 Bumps [commons-codec:commons-codec](https://github.com/apache/commons-codec) from 1.19.0 to 1.20.0. - [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt) - [Commits](https://github.com/apache/commons-codec/compare/rel/commons-codec-1.19.0...rel/commons-codec-1.20.0) --- updated-dependencies: - dependency-name: commons-codec:commons-codec dependency-version: 1.20.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1a8cce2f99..5b51b08e75 100644 --- a/pom.xml +++ b/pom.xml @@ -624,7 +624,7 @@ commons-codec commons-codec - 1.19.0 + 1.20.0 From 314b2af69c70b7f1ec8577db1a231ffcc6b446be Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Nov 2025 13:16:04 +0000 Subject: [PATCH 51/74] Bump commons-io:commons-io from 2.20.0 to 2.21.0 Bumps [commons-io:commons-io](https://github.com/apache/commons-io) from 2.20.0 to 2.21.0. - [Changelog](https://github.com/apache/commons-io/blob/master/RELEASE-NOTES.txt) - [Commits](https://github.com/apache/commons-io/compare/rel/commons-io-2.20.0...rel/commons-io-2.21.0) --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-version: 2.21.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1a8cce2f99..599a32775c 100644 --- a/pom.xml +++ b/pom.xml @@ -637,7 +637,7 @@ commons-io commons-io - 2.20.0 + 2.21.0 From 5f60686a9065e6810a5a9488654a4aec1462a2c3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Nov 2025 13:16:18 +0000 Subject: [PATCH 52/74] Bump org.apache.maven.plugins:maven-release-plugin from 3.1.1 to 3.2.0 Bumps [org.apache.maven.plugins:maven-release-plugin](https://github.com/apache/maven-release) from 3.1.1 to 3.2.0. - [Release notes](https://github.com/apache/maven-release/releases) - [Commits](https://github.com/apache/maven-release/compare/maven-release-3.1.1...maven-release-3.2.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-release-plugin dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1a8cce2f99..f9e2b29de2 100644 --- a/pom.xml +++ b/pom.xml @@ -904,7 +904,7 @@ org.apache.maven.plugins maven-release-plugin - 3.1.1 + 3.2.0 From 0320c5d51468737d2589fbbf59a98e7eb8b3fbb1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Nov 2025 13:16:42 +0000 Subject: [PATCH 53/74] Bump org.codehaus.cargo:cargo-maven3-plugin from 1.10.24 to 1.10.25 Bumps org.codehaus.cargo:cargo-maven3-plugin from 1.10.24 to 1.10.25. --- updated-dependencies: - dependency-name: org.codehaus.cargo:cargo-maven3-plugin dependency-version: 1.10.25 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 1a8cce2f99..7bcab4fa1d 100644 --- a/pom.xml +++ b/pom.xml @@ -1053,7 +1053,7 @@ org.codehaus.cargo cargo-maven3-plugin - 1.10.24 + 1.10.25 From 2cf91fa2d180eff6a8713b2b8060bda0c6296fb1 Mon Sep 17 00:00:00 2001 
From: davewichers Date: Wed, 19 Nov 2025 08:58:25 -0500 Subject: [PATCH 54/74] Upgrade spotless dependency and maven workflow since spotless now requires Java 17. --- .github/workflows/maven.yaml | 6 +++--- pom.xml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml index dde78ebc51..3c38c13a9f 100644 --- a/.github/workflows/maven.yaml +++ b/.github/workflows/maven.yaml @@ -11,11 +11,11 @@ jobs: - uses: actions/checkout@v5 with: fetch-depth: 0 - - name: Set up JDK 11 + - name: Set up JDK 17 uses: actions/setup-java@v5 with: - java-version: '11' - distribution: 'zulu' + java-version: 17 + distribution: zulu - name: Run Spotless check run: mvn spotless:check - name: Create WAR diff --git a/pom.xml b/pom.xml index d666b8b8e2..c3e154843e 100644 --- a/pom.xml +++ b/pom.xml @@ -1104,7 +1104,7 @@ com.diffplug.spotless spotless-maven-plugin - 2.46.1 + 3.1.0 origin/master From b74c1dfe23426843b5ac13e35e89aa396792645b Mon Sep 17 00:00:00 2001 From: jrsuh Date: Fri, 21 Nov 2025 17:10:48 +0900 Subject: [PATCH 55/74] Update Dockerfile to use java 17 --- VMs/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/VMs/Dockerfile b/VMs/Dockerfile index a2faa9a6cd..47ed2d870f 100644 --- a/VMs/Dockerfile +++ b/VMs/Dockerfile @@ -5,8 +5,8 @@ MAINTAINER "Dave Wichers dave.wichers@owasp.org" RUN apt-get update RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata RUN apt-get install -q -y \ - openjdk-11-jre-headless \ - openjdk-11-jdk \ + openjdk-17-jre-headless \ + openjdk-17-jdk \ git \ maven \ wget \ From f0de687aecba9ff8ae86c89958f7d6f92b394702 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Nov 2025 11:20:23 +0000 Subject: [PATCH 56/74] Bump actions/checkout from 5 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/maven.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b6ca923ef9..a2635b225b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 # Get full history for spotless ratchetFrom with: fetch-depth: 0 diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml index 3c38c13a9f..29e50a43e2 100644 --- a/.github/workflows/maven.yaml +++ b/.github/workflows/maven.yaml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: fetch-depth: 0 - name: Set up JDK 17 From 17f30c868ba61ea80ea0c760bbf732c2113a356a Mon Sep 17 00:00:00 2001 
From: davewichers Date: Fri, 21 Nov 2025 12:59:41 -0500 Subject: [PATCH 57/74] Minor enhancements to some tool scripts. --- scripts/runFindBugs.bat | 5 +++-- scripts/runFindSecBugs.bat | 8 +++++--- scripts/runFindSecBugs.sh | 3 ++- scripts/runPMD.bat | 6 +++--- scripts/runPMD.sh | 2 +- scripts/runSnykSAST.sh | 4 +++- scripts/runSnykSAST_OnWindows.sh | 4 +++- scripts/runSpotBugs.bat | 6 +++--- scripts/runSpotBugs.sh | 2 +- 9 files changed, 24 insertions(+), 16 deletions(-) diff --git a/scripts/runFindBugs.bat b/scripts/runFindBugs.bat index 52dfa7961f..d3c68beb65 100644 --- a/scripts/runFindBugs.bat +++ b/scripts/runFindBugs.bat @@ -1,6 +1,7 @@ # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet) + # FindBugs is dead, so this specifies the specific (last) version of findbugs. Its version is not defined in the pom.xml file. # The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml -CALL mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv -CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findbugs +call mvn compile org.codehaus.mojo:findbugs-maven-plugin:3.0.5:findbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv +call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findbugs diff --git a/scripts/runFindSecBugs.bat b/scripts/runFindSecBugs.bat index 2033a71843..5e5d660ec8 100644 --- a/scripts/runFindSecBugs.bat +++ b/scripts/runFindSecBugs.bat 
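Review bot: The new comment line `# FindBugs is dead, ...` in runFindBugs.bat uses `#`, which is not a comment marker in cmd batch files: each such line is executed as a command named `#` and prints "'#' is not recognized as an internal or external command", although the script then continues. The same applies to the `#` comment lines added in runFindSecBugs.bat and runPMD.bat in this patch (and to the pre-existing `# source ...` line these hunks keep as context). Use `REM` or `::` instead, e.g. `REM FindBugs is dead, so this specifies the specific (last) version of findbugs. Its version is not defined in the pom.xml file.`, unless these files are meant to be run by something other than cmd.exe.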
@@ -1,5 +1,7 @@ # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet) -# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml -CALL mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv -CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs + +# The buildtime elements when invoking the findbugs-maven-plugin thru the findsecbugs profile leverage the +# buildtime extension specified in: .mvn/extensions.xml +call mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv +call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs diff --git a/scripts/runFindSecBugs.sh b/scripts/runFindSecBugs.sh index 2ad9731138..dcf442a37c 100755 --- a/scripts/runFindSecBugs.sh +++ b/scripts/runFindSecBugs.sh @@ -1,5 +1,6 @@ source "scripts/verifyBenchmarkPluginAvailable.sh" -# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml +# The buildtime elements when invoking the findbugs-maven-plugin thru the findsecbugs profile leverage the +# buildtime extension specified in: .mvn/extensions.xml mvn compile -Pfindsecbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=findsecbugs diff --git a/scripts/runPMD.bat b/scripts/runPMD.bat index c40598c7f5..378d26381a 100644 --- a/scripts/runPMD.bat +++ b/scripts/runPMD.bat 
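Review bot: The comment lines added to scripts/runFindSecBugs.bat begin with `#`, which cmd.exe does not treat as a comment; each such line is executed as a command named `#`, prints "not recognized as an internal or external command" and only then does the batch continue to the `call mvn` lines. The same applies to the rewritten comment lines in runPMD.bat and runSpotBugs.bat in the following hunks, and to the pre-existing `# source` line all four .bat files keep. Use `REM` (or `::`) instead, e.g. `REM The buildtime elements when invoking the findbugs-maven-plugin thru the findsecbugs profile leverage the` / `REM buildtime extension specified in: .mvn/extensions.xml`. If these files are in practice only run from a POSIX shell on Windows the errors would not appear, but then the .bat extension is misleading.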
@@ -1,5 +1,5 @@ # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet) -# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml -CALL mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv -CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd +# The buildtime elements when invoking the PMD plugin leverage the buildtime extension specified in: .mvn/extensions.xml +call mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv +call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd diff --git a/scripts/runPMD.sh b/scripts/runPMD.sh index 202e2744fd..1d3538771c 100755 --- a/scripts/runPMD.sh +++ b/scripts/runPMD.sh @@ -1,5 +1,5 @@ source "scripts/verifyBenchmarkPluginAvailable.sh" -# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml +# The buildtime elements when invoking the PMD plugin leverage the buildtime extension specified in: .mvn/extensions.xml mvn compile pmd:pmd -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=pmd diff --git a/scripts/runSnykSAST.sh b/scripts/runSnykSAST.sh index af618f59c1..09904bb508 100755 --- a/scripts/runSnykSAST.sh +++ b/scripts/runSnykSAST.sh @@ -1,6 +1,8 @@ # Install Snyk per: https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli +# Before running this, you must first run: snyk auth (and then authenticate) so snyk code is authorized to run. + benchmark_version=$(scripts/getBenchmarkVersion.sh) Snyk_version=$(snyk -v) -snyk code --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version.sarif +snyk code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version-$SECONDS.sarif 
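Review bot: `$SECONDS` in the new `snyk code test` line of scripts/runSnykSAST.sh does not make the SARIF file name unique: it is the number of seconds the shell has been running, and by the time this line executes (after only `getBenchmarkVersion.sh` and `snyk -v`) it will usually be a small number such as 0 or 1 on every run, so consecutive runs still overwrite the same output file. The identical line is added to scripts/runSnykSAST_OnWindows.sh in the next hunk. If a per-run suffix is intended, use an epoch timestamp and quote the expansion, e.g. `snyk code test --sarif-file-output="results/Benchmark_${benchmark_version}-snykCodeCli-v${Snyk_version}-$(date +%s).sarif"`. Note also that `$SECONDS` is a bash/ksh variable and the file's first line is a comment rather than a shebang, so under a plain `sh` it expands to nothing.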
diff --git a/scripts/runSnykSAST_OnWindows.sh b/scripts/runSnykSAST_OnWindows.sh index bdc0498436..97e7f0f96d 100644 --- a/scripts/runSnykSAST_OnWindows.sh +++ b/scripts/runSnykSAST_OnWindows.sh @@ -1,6 +1,8 @@ # Install Snyk per: https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli +# Before running this, you must first run: snyk auth (and then authenticate) so snyk code is authorized to run. + benchmark_version=$(scripts/getBenchmarkVersion.sh) Snyk_version=$(snyk-win -v) -snyk-win code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version.sarif +snyk-win code test --sarif-file-output=results/Benchmark_$benchmark_version-snykCodeCli-v$Snyk_version-$SECONDS.sarif diff --git a/scripts/runSpotBugs.bat b/scripts/runSpotBugs.bat index 428125a6ad..68fefaed0c 100755 --- a/scripts/runSpotBugs.bat +++ b/scripts/runSpotBugs.bat @@ -1,5 +1,5 @@ # source "scripts/verifyBenchmarkPluginAvailable.sh" - Don't have .bat version of this (yet) -# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml -CALL mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv -CALL mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=spotbugs +# The buildtime elements when invoking the Spotbugs plugin leverage the buildtime extension specified in: .mvn/extensions.xml +call mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv +call mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=spotbugs diff --git a/scripts/runSpotBugs.sh b/scripts/runSpotBugs.sh index b3c37eca9d..54719e2880 100755 --- a/scripts/runSpotBugs.sh +++ b/scripts/runSpotBugs.sh 
@@ -1,5 +1,5 @@ source "scripts/verifyBenchmarkPluginAvailable.sh" -# The buildtime elements when invoking the findbugs-maven-plugin leverage the buildtime extension specified in: .mvn/extensions.xml +# The buildtime elements when invoking the Spotbugs plugin leverage the buildtime extension specified in: .mvn/extensions.xml mvn compile spotbugs:spotbugs -Dbuildtime.output.csv=true -Dbuildtime.output.csv.file=../data/out.csv mvn org.owasp:benchmarkutils-maven-plugin:append-time -DtoolName=spotbugs From ec7def2b1de5964b057150074bc6ed6ed803a937 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Nov 2025 11:35:51 +0000 Subject: [PATCH 58/74] Bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.8.1 to 4.9.8.2 Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.8.1 to 4.9.8.2. - [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases) - [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.8.1...spotbugs-maven-plugin-4.9.8.2) --- updated-dependencies: - dependency-name: com.github.spotbugs:spotbugs-maven-plugin dependency-version: 4.9.8.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index c3e154843e..9aa30774f0 100644 --- a/pom.xml +++ b/pom.xml @@ -1249,7 +1249,7 @@ 2.1.0 3.6.10.Final - 4.9.8.1 + 4.9.8.2 4.9.8 5.3.39 From d3f1e08517d5ef2f0e62b6bd4bb1a36ef76d68b1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Nov 2025 11:36:03 +0000 Subject: [PATCH 59/74] Bump org.codehaus.mojo:versions-maven-plugin from 2.19.1 to 2.20.0 Bumps [org.codehaus.mojo:versions-maven-plugin](https://github.com/mojohaus/versions) from 2.19.1 to 2.20.0. - [Release notes](https://github.com/mojohaus/versions/releases) - [Changelog](https://github.com/mojohaus/versions/blob/master/ReleaseNotes.md) - [Commits](https://github.com/mojohaus/versions/compare/2.19.1...2.20.0) --- updated-dependencies: - dependency-name: org.codehaus.mojo:versions-maven-plugin dependency-version: 2.20.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index c3e154843e..4fd057dc29 100644 --- a/pom.xml +++ b/pom.xml @@ -1059,7 +1059,7 @@ org.codehaus.mojo versions-maven-plugin - 2.19.1 + 2.20.0 From 633afabbefc811240680b55e082217e60875657b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Nov 2025 11:03:54 +0000 Subject: [PATCH 60/74] Bump org.codehaus.mojo:versions-maven-plugin from 2.20.0 to 2.20.1 Bumps [org.codehaus.mojo:versions-maven-plugin](https://github.com/mojohaus/versions) from 2.20.0 to 2.20.1. - [Release notes](https://github.com/mojohaus/versions/releases) - [Changelog](https://github.com/mojohaus/versions/blob/master/ReleaseNotes.md) - [Commits](https://github.com/mojohaus/versions/compare/2.20.0...2.20.1) --- updated-dependencies: - dependency-name: org.codehaus.mojo:versions-maven-plugin dependency-version: 2.20.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 5956899391..a5d5d779ba 100644 --- a/pom.xml +++ b/pom.xml 
@@ -1059,7 +1059,7 @@ org.codehaus.mojo versions-maven-plugin - 2.20.0 + 2.20.1 From cbcb9ea4a4c6cb1c08f942f479f1b766e1f68361 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 11:03:39 +0000 Subject: [PATCH 61/74] Bump org.apache.maven.plugins:maven-resources-plugin from 3.3.1 to 3.4.0 Bumps [org.apache.maven.plugins:maven-resources-plugin](https://github.com/apache/maven-resources-plugin) from 3.3.1 to 3.4.0. - [Release notes](https://github.com/apache/maven-resources-plugin/releases) - [Commits](https://github.com/apache/maven-resources-plugin/compare/maven-resources-plugin-3.3.1...v3.4.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-resources-plugin dependency-version: 3.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index a5d5d779ba..195a2a2c2b 100644 --- a/pom.xml +++ b/pom.xml @@ -1017,7 +1017,7 @@ org.apache.maven.plugins maven-resources-plugin - 3.3.1 + 3.4.0 From b50ec2afc07e177af47b4a419baa790475046825 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 11:03:44 +0000 Subject: [PATCH 62/74] Bump org.apache.maven.plugins:maven-assembly-plugin from 3.7.1 to 3.8.0 Bumps [org.apache.maven.plugins:maven-assembly-plugin](https://github.com/apache/maven-assembly-plugin) from 3.7.1 to 3.8.0. - [Release notes](https://github.com/apache/maven-assembly-plugin/releases) - [Commits](https://github.com/apache/maven-assembly-plugin/compare/maven-assembly-plugin-3.7.1...v3.8.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-assembly-plugin dependency-version: 3.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index a5d5d779ba..5f7e93778c 100644 --- a/pom.xml +++ b/pom.xml @@ -885,7 +885,7 @@ org.apache.maven.plugins maven-assembly-plugin - 3.7.1 + 3.8.0 org.apache.maven.plugins From e70b8dac68627de02c19b81be2a9c5898d05b546 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 11:05:36 +0000 Subject: [PATCH 63/74] Bump org.apache.maven.plugins:maven-war-plugin from 3.5.0 to 3.5.1 Bumps [org.apache.maven.plugins:maven-war-plugin](https://github.com/apache/maven-war-plugin) from 3.5.0 to 3.5.1. - [Release notes](https://github.com/apache/maven-war-plugin/releases) - [Commits](https://github.com/apache/maven-war-plugin/compare/maven-war-plugin-3.5.0...maven-war-plugin-3.5.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-war-plugin dependency-version: 3.5.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index a5d5d779ba..f1ba1f3efc 100644 --- a/pom.xml +++ b/pom.xml @@ -1044,7 +1044,7 @@ org.apache.maven.plugins maven-war-plugin - 3.5.0 + 3.5.1 ${maven.war.webxml} From ed937c02c11a9650e21ec553f8f6e49161c519c2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Dec 2025 11:05:00 +0000 Subject: [PATCH 64/74] Bump org.apache.maven.plugins:maven-release-plugin from 3.2.0 to 3.3.0 Bumps [org.apache.maven.plugins:maven-release-plugin](https://github.com/apache/maven-release) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/apache/maven-release/releases) - [Commits](https://github.com/apache/maven-release/compare/maven-release-3.2.0...maven-release-3.3.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-release-plugin dependency-version: 3.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index a5d5d779ba..4e9f0b2804 100644 --- a/pom.xml +++ b/pom.xml @@ -904,7 +904,7 @@ org.apache.maven.plugins maven-release-plugin - 3.2.0 + 3.3.0 From 02fb88d499d4bd07eb7b59e9c873f51c94df2c09 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 11:05:55 +0000 Subject: [PATCH 65/74] Bump org.apache.maven.plugins:maven-release-plugin from 3.3.0 to 3.3.1 Bumps [org.apache.maven.plugins:maven-release-plugin](https://github.com/apache/maven-release) from 3.3.0 to 3.3.1. - [Release notes](https://github.com/apache/maven-release/releases) - [Commits](https://github.com/apache/maven-release/compare/maven-release-3.3.0...maven-release-3.3.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-release-plugin dependency-version: 3.3.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8d35c162c2..89c044831c 100644 --- a/pom.xml +++ b/pom.xml @@ -904,7 +904,7 @@ org.apache.maven.plugins maven-release-plugin - 3.3.0 + 3.3.1 
From 21e104cc53c031332cefacb19ab60e03facc2789 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 11:06:03 +0000 Subject: [PATCH 66/74] Bump org.apache.httpcomponents.core5:httpcore5 from 5.3.6 to 5.4 Bumps [org.apache.httpcomponents.core5:httpcore5](https://github.com/apache/httpcomponents-core) from 5.3.6 to 5.4. - [Changelog](https://github.com/apache/httpcomponents-core/blob/master/RELEASE_NOTES.txt) - [Commits](https://github.com/apache/httpcomponents-core/compare/rel/v5.3.6...rel/v5.4) --- updated-dependencies: - dependency-name: org.apache.httpcomponents.core5:httpcore5 dependency-version: '5.4' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8d35c162c2..bd4dbe7fbd 100644 --- a/pom.xml +++ b/pom.xml @@ -771,7 +771,7 @@ org.apache.httpcomponents.core5 httpcore5 - 5.3.6 + 5.4 From 0d0d1be86ab3e9dc3ce45262270d93d9ca8a9e4b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 11:14:26 +0000 Subject: [PATCH 67/74] Bump actions/upload-artifact from 5 to 6 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a2635b225b..e235340075 100644 --- a/.github/workflows/codeql-analysis.yml 
+++ b/.github/workflows/codeql-analysis.yml @@ -46,7 +46,7 @@ jobs: uses: github/codeql-action/analyze@v4 - name: Upload Output - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: ${{ matrix.language }} SARIF path: ${{ runner.workspace }}/results/*.sarif From 5ed20d1b0324594846f5826cd382f1f7753b194c Mon Sep 17 00:00:00 2001 From: Dave Wichers Date: Mon, 15 Dec 2025 12:00:14 -0500 Subject: [PATCH 68/74] Upgrade Tomcat version. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index df59b49ddb..8a73b1dab2 100644 --- a/pom.xml +++ b/pom.xml @@ -1255,7 +1255,7 @@ 5.3.39 9 - 9.0.109 + 9.0.113 https://archive.apache.org/dist/tomcat/tomcat-${tomcat.major.version}/v${version.tomcat}/bin/apache-tomcat-${version.tomcat}.zip From 45bab03e54ca236598365ae2adeb89e41c6b76b1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 11:03:40 +0000 Subject: [PATCH 69/74] Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.6 Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.5.1 to 5.6. - [Changelog](https://github.com/apache/httpcomponents-client/blob/master/RELEASE_NOTES.txt) - [Commits](https://github.com/apache/httpcomponents-client/compare/rel/v5.5.1...rel/v5.6) --- updated-dependencies: - dependency-name: org.apache.httpcomponents.client5:httpclient5 dependency-version: '5.6' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8a73b1dab2..ac34ba161e 100644 --- a/pom.xml +++ b/pom.xml @@ -765,7 +765,7 @@ org.apache.httpcomponents.client5 httpclient5 - 5.5.1 + 5.6 From 0fa407673ff66f06db77f6934b5ba79b7567cfa9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Jan 2026 11:05:16 +0000 Subject: [PATCH 70/74] Bump org.codehaus.cargo:cargo-maven3-plugin from 1.10.25 to 1.10.26 Bumps org.codehaus.cargo:cargo-maven3-plugin from 1.10.25 to 1.10.26. --- updated-dependencies: - dependency-name: org.codehaus.cargo:cargo-maven3-plugin dependency-version: 1.10.26 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index ac34ba161e..2d82960bd9 100644 --- a/pom.xml +++ b/pom.xml @@ -1053,7 +1053,7 @@ org.codehaus.cargo cargo-maven3-plugin - 1.10.25 + 1.10.26 From dc9abba6346a440e38841bcb3c13dc0c13ac99af Mon Sep 17 00:00:00 2001 From: Sascha Knoop Date: Sun, 11 Jan 2026 16:05:04 +0100 Subject: [PATCH 71/74] fix wrong hostname --- .../java/org/owasp/benchmark/report/sonarqube/SonarReport.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java b/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java index 5498447d0f..c9fb1459f9 100644 --- a/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java +++ b/src/main/java/org/owasp/benchmark/report/sonarqube/SonarReport.java @@ -24,7 +24,7 @@ public class SonarReport { private static final String SONAR_USER = "admin"; private static final String SONAR_PASSWORD = "P4ssword!!!!"; private static final String SONAR_PROJECT = "benchmark"; - public static final String SONAR_HOST = "ubuntu-server"; + public static final String SONAR_HOST = "localhost"; public static final String SONAR_PORT = "9876"; private static final int PAGE_SIZE = 500; From 3b4bdf5dbcb695f80be2bc1bc93e0e414ab559de Mon Sep 17 00:00:00 2001 
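Review bot: `SONAR_HOST` is still a hard-coded `public static final` constant, so changing it from `ubuntu-server` to `localhost` just moves the problem to the next environment that runs the report; read it from a system property with a default instead, e.g. `public static final String SONAR_HOST = System.getProperty("sonar.host", "localhost");`. The surrounding context lines show `SONAR_USER` and `SONAR_PASSWORD` are likewise baked into the source; an admin credential committed to a public repository should be treated as known, rotated on the SonarQube side, and supplied at runtime the same way (`System.getProperty` or `System.getenv`) rather than kept in the class. The enclosing class continues outside the hunk.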
From: Sascha Knoop Date: Sun, 11 Jan 2026 16:09:23 +0100 Subject: [PATCH 72/74] fix-outdated-urls --- README.md | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 881f16f85a..f3cd9edf60 100644 --- a/README.md +++ b/README.md 
@@ -1,12 +1,25 @@ # OWASP Benchmark for Java -The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like ZAP), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so it's a fair test for any kind of application vulnerability detection tool. -The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which is at: https://github.com/OWASP/BenchmarkUtils. +The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection +tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security +Testing (AST) tool, including SAST, DAST (like ZAP), and IAST tools. The intent +is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so it's a +fair test for any kind of application vulnerability detection tool. -The project documentation is all on the OWASP site at the OWASP Benchmark project pages. Please refer to that site for all the project details. +The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set +of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which +is at: https://github.com/OWASP-Benchmark/BenchmarkUtils. -The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP/BenchmarkJava/releases, are historical. 
The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull). +The project documentation is all on the OWASP site at the OWASP +Benchmark project pages. Please refer to that site for all the project details. + +The current latest release is v1.2. Note that all the releases that are available +here: https://github.com/OWASP-Benchmark/BenchmarkJava/releases, are historical. The latest release is always available +live by +simply cloning or pulling the head of this repository (i.e., git pull). Running Benchmark Itself: + * runBenchmark.sh - run the Benchmark Web Application (accessible via local machine only) -* runRemoteAccessibleBenchmark.sh - like the above but allows port 8443 to be accessible outside the machine Benchmark is running on. +* runRemoteAccessibleBenchmark.sh - like the above but allows port 8443 to be accessible outside the machine Benchmark + is running on. From e36b02892b6ab6cc950c23c50f585e57e2455dab Mon Sep 17 00:00:00 2001 From: davewichers Date: Sun, 11 Jan 2026 14:42:27 -0500 Subject: [PATCH 73/74] Add instructions on how to publish the updated Benchmark for Java Docker image to Docker Hub. --- VMs/buildDockerImage.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/VMs/buildDockerImage.sh b/VMs/buildDockerImage.sh index 6c96f0a8c1..b0dd310374 100755 --- a/VMs/buildDockerImage.sh +++ b/VMs/buildDockerImage.sh @@ -11,3 +11,6 @@ fi docker image rm benchmark:latest docker build -t benchmark . +# Once verified/tested, to publish an update to the OWASP Benchmark Docker image, run the following: +# docker push owasp/benchmark:latest + From 6ff6662570ee9a8e191b0bed91b256b14094c985 Mon Sep 17 00:00:00 2001 From: Sascha Knoop Date: Sun, 11 Jan 2026 22:15:00 +0100 Subject: [PATCH 74/74] remove linebreaks --- README.md | 23 +++++------------------ 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index f3cd9edf60..fd9787cd08 100644 --- a/README.md 
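Review bot: The added publishing instruction pushes `owasp/benchmark:latest`, but the `docker build -t benchmark .` line two lines above tags the image as `benchmark` only, so `docker push owasp/benchmark:latest` would fail with an image-not-found error unless a tag step happens in between. Add that step to the comment, e.g. `# docker tag benchmark:latest owasp/benchmark:latest` followed by `# docker push owasp/benchmark:latest`. Consider also pushing a version-specific tag alongside `latest` so consumers can pin the image; a mutable `latest` tag alone gives them nothing stable to reference or verify against.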
+++ b/README.md 
@@ -1,25 +1,12 @@ # OWASP Benchmark for Java +The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (like ZAP), and IAST tools. The intent is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so it's a fair test for any kind of application vulnerability detection tool. -The OWASP Benchmark Project is a Java test suite designed to verify the speed and accuracy of vulnerability detection -tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security -Testing (AST) tool, including SAST, DAST (like ZAP), and IAST tools. The intent -is that all the vulnerabilities deliberately included in and scored by the Benchmark are actually exploitable so it's a -fair test for any kind of application vulnerability detection tool. +The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which is at: https://github.com/OWASP-Benchmark/BenchmarkUtils. -The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set -of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which -is at: https://github.com/OWASP-Benchmark/BenchmarkUtils. +The project documentation is all on the OWASP site at the OWASP Benchmark project pages. Please refer to that site for all the project details. -The project documentation is all on the OWASP site at the OWASP -Benchmark project pages. Please refer to that site for all the project details. - -The current latest release is v1.2. 
Note that all the releases that are available -here: https://github.com/OWASP-Benchmark/BenchmarkJava/releases, are historical. The latest release is always available -live by -simply cloning or pulling the head of this repository (i.e., git pull). +The current latest release is v1.2. Note that all the releases that are available here: https://github.com/OWASP-Benchmark/BenchmarkJava/releases, are historical. The latest release is always available live by simply cloning or pulling the head of this repository (i.e., git pull). Running Benchmark Itself: - * runBenchmark.sh - run the Benchmark Web Application (accessible via local machine only) -* runRemoteAccessibleBenchmark.sh - like the above but allows port 8443 to be accessible outside the machine Benchmark - is running on. +* runRemoteAccessibleBenchmark.sh - like the above but allows port 8443 to be accessible outside the machine Benchmark is running on.