From 6db483091b197cf193c8e181e3a5b5347c6e3d4c Mon Sep 17 00:00:00 2001 From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Date: Thu, 12 Feb 2026 14:09:19 +0800 Subject: [PATCH 1/3] chore: clean up scripts to prefer user env bash On MacOS /bin/bash is an ancient system bash (3.2) which is largely unusable :) Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> --- coverity_scan.sh | 12 ------------ list-changes.sh | 5 +++-- prepare-release.sh | 5 +++-- release_stats.sh | 4 ++-- sha256_cli.sh | 4 ++-- 5 files changed, 10 insertions(+), 20 deletions(-) delete mode 100755 coverity_scan.sh diff --git a/coverity_scan.sh b/coverity_scan.sh deleted file mode 100755 index 368af917a73..00000000000 --- a/coverity_scan.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -e - -if [ $TRAVIS_BRANCH = "master" ] && [ $TRAVIS_EVENT_TYPE = "cron" ] ; then - echo "Executing Coverity Scan" - - export COVERITY_SCAN_PROJECT_NAME="jeremylong/DependencyCheck" - export COVERITY_SCAN_NOTIFICATION_EMAIL="jeremy.long@owasp.org" - export COVERITY_SCAN_BRANCH_PATTERN="master" - export COVERITY_SCAN_BUILD_COMMAND="mvn package -Dmaven.test.skip=true" - - curl -s https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh | bash -fi \ No newline at end of file diff --git a/list-changes.sh b/list-changes.sh index 99eed75c718..01ca0ab0579 100755 --- a/list-changes.sh +++ b/list-changes.sh @@ -1,5 +1,6 @@ -#!/bin/bash -e +#!/usr/bin/env bash +set -euo pipefail ##https://blogs.sap.com/2018/06/22/generating-release-notes-from-git-commit-messages-using-basic-shell-commands-gitgrep/ -git --no-pager log $(git describe --tags --abbrev=0)..HEAD --pretty=format:" - %s" \ +git --no-pager log "$(git describe --tags --abbrev=0)..HEAD" --pretty=format:" - %s" \ | grep -v ' - Bump' \ | sed -E 's/#([0-9]+)/[#\1](https:\/\/github.com\/dependency-check\/DependencyCheck\/pull\/\1)/g' diff --git a/prepare-release.sh b/prepare-release.sh index fce0531ce83..02b2667b95b 100755 
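Review bot: With `set -o pipefail` now in effect in list-changes.sh, `grep -v ' - Bump'` exits 1 whenever it selects no lines, so a range since the last tag that is empty or contains only Bump commits makes the script fail instead of printing nothing. The pipeline is the script's only command, so nothing catches that status. Keep a no-match from being treated as an error: `| { grep -v ' - Bump' || [[ $? -eq 1 ]]; } \`.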
--- a/prepare-release.sh +++ b/prepare-release.sh @@ -1,9 +1,10 @@ -#!/bin/bash -e +#!/usr/bin/env bash +set -euo pipefail git checkout main git pull --rebase -SNAPSHOT=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) +SNAPSHOT=$(mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression=project.version) RELEASE=${SNAPSHOT/-SNAPSHOT/} git checkout -b "release-$RELEASE" diff --git a/release_stats.sh b/release_stats.sh index 4d9f28a43c5..52d6c4f20ac 100755 --- a/release_stats.sh +++ b/release_stats.sh @@ -1,3 +1,3 @@ -#/bin/bash - +#!/usr/bin/env bash +set -euo pipefail curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/dependency-check/DependencyCheck/releases| jq -r '.[] | (.tag_name + "," + (.assets[]|(.name+","+(.download_count|tostring))))' | grep -v \.asc | sort \ No newline at end of file diff --git a/sha256_cli.sh b/sha256_cli.sh index 9cc9f3a2965..7a3724f827e 100755 --- a/sha256_cli.sh +++ b/sha256_cli.sh @@ -1,5 +1,5 @@ -#/bin/bash - +#!/usr/bin/env bash +set -euo pipefail ver=$(curl -s https://dependency-check.github.io/DependencyCheck/current.txt) echo "Version $ver" wget -q https://github.com/dependency-check/DependencyCheck/releases/download/v$ver/dependency-check-$ver-release.zip From 0ef6ede3fd1079db65c207b5e629c6b76491e342 Mon Sep 17 00:00:00 2001 From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Date: Thu, 12 Feb 2026 14:22:05 +0800 Subject: [PATCH 2/3] test: improve speed of docker tests by building only what is necessary to scan Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> --- .github/workflows/build.yml | 5 ++++- .github/workflows/pull_requests.yml | 5 ++++- .github/workflows/release.yml | 5 ++++- shell-docker.sh | 7 ------- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c159f852da5..fef3f95db44 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
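Review bot: `RELEASE=${SNAPSHOT/-SNAPSHOT/}` never checks that the evaluated version actually carries the `-SNAPSHOT` suffix, so an empty or already-released version silently produces a bogus `release-` branch name. A guard between the two assignments fails early with a useful message: `[[ $SNAPSHOT == *-SNAPSHOT ]] || { echo "expected a -SNAPSHOT version, got '$SNAPSHOT'" >&2; exit 1; }`. The remainder of prepare-release.sh is outside the hunk.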
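Review bot: The `curl -H "Accept: ..." https://api.github.com/...` call in release_stats.sh runs without `-f`, so an HTTP error body (rate limit, 5xx) is handed to `jq`, and under the new `set -euo pipefail` the failure surfaces as a jq parse error rather than as the curl error that caused it. `curl -fsS` (fail on HTTP errors, quiet, but still print errors) returns the same data on success and a clear failure otherwise. The same `curl -s` without `-f` is in the sha256_cli.sh hunk below and in docker-pullcount.sh in patch 3.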
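Review bot: `ver=$(curl -s .../current.txt)` in sha256_cli.sh is interpolated straight into the wget URL without any check on its shape, so whatever the endpoint returns (an error page, or an empty body since `-s` hides failures) becomes part of the download path and, presumably, of the filenames used further down. A one-line sanity check after the assignment catches that before anything is fetched: `[[ $ver =~ ^[0-9]+(\.[0-9]+)+$ ]] || { echo "unexpected version '$ver'" >&2; exit 1; }`, and the URL should be quoted, `wget -q "https://github.com/dependency-check/DependencyCheck/releases/download/v$ver/dependency-check-$ver-release.zip"`. The remainder of the script is outside the hunk.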
@@ -131,6 +131,9 @@ jobs: - name: Build Docker Image run: ./build-docker.sh - name: build scan target - run: mvn -V -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode + run: > + mvn -V -s settings.xml -pl cli -am + package -DskipTests=true + --no-transfer-progress --batch-mode - name: Test Docker Image run: ./test-docker.sh diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index b03fe839ff0..3030dfb2e03 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -186,6 +186,9 @@ jobs: - name: Build Docker Image run: ./build-docker.sh - name: build scan target - run: mvn -V -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode + run: > + mvn -V -s settings.xml -pl cli -am + package -DskipTests=true + --no-transfer-progress --batch-mode - name: Test Docker Image run: ./test-docker.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index de099546a73..e0db149dc61 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -157,7 +157,10 @@ jobs: - name: Build Docker Image run: ./build-docker.sh - name: build scan target - run: mvn -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode + run: > + mvn -V -s settings.xml -pl cli -am + package -DskipTests=true + --no-transfer-progress --batch-mode - name: Test Docker Image run: ./test-docker.sh - name: Deploy Docker Image diff --git a/shell-docker.sh b/shell-docker.sh index b95eb8f1bf1..f6503653edf 100755 --- a/shell-docker.sh +++ b/shell-docker.sh @@ -6,13 +6,6 @@ VERSION=$(mvn -q \ --non-recursive \ org.codehaus.mojo:exec-maven-plugin:3.5.1:exec) -SCAN_TARGET="./cli/target/release/lib" - -if [ ! -d "$SCAN_TARGET" ]; then - echo "Scan target does not exist: $SCAN_TARGET" - exit 1 -fi - OWASPDC_DIRECTORY=$HOME/OWASP-Dependency-Check DATA_DIRECTORY="$OWASPDC_DIRECTORY/data" REPORT_DIRECTORY="$OWASPDC_DIRECTORY/reports" 
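Review bot: Removing the `SCAN_TARGET` existence check from shell-docker.sh leaves the rest of the script, which is outside this hunk, without the early failure when `./cli/target/release/lib` is absent; if that path is still mounted or referenced later on (I cannot tell from the hunk), the container will now start against a missing directory instead of stopping with a message. If the shell helper genuinely does not need the scan target, a short comment where the check used to be, such as `# No scan target needed here: this only opens a shell in the image; see docker-test.sh for the scan.`, would stop the next reader from re-adding it. Otherwise the check should stay.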
From d628eb30115528af3d533a54a4ffcaea5f465c97 Mon Sep 17 00:00:00 2001 From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Date: Thu, 12 Feb 2026 14:08:19 +0800 Subject: [PATCH 3/3] build(deps): allow dependabot to manage container-embedded mysql/postgres driver versions Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- .github/workflows/pull_requests.yml | 4 ++-- .github/workflows/release.yml | 6 +++--- Dockerfile | 11 +++++------ README.md | 2 +- core/pom.xml | 9 ++++++++- build-docker.sh => docker-build.sh | 15 ++++++--------- docker-publish.sh | 15 +++++++++++++++ docker-pullcount.sh | 4 ++-- shell-docker.sh => docker-shell.sh | 10 +++------- test-docker.sh => docker-test.sh | 10 +++------- pom.xml | 2 ++ publish-docker.sh | 18 ------------------ 13 files changed, 52 insertions(+), 58 deletions(-) rename build-docker.sh => docker-build.sh (63%) create mode 100755 docker-publish.sh rename shell-docker.sh => docker-shell.sh (85%) rename test-docker.sh => docker-test.sh (92%) delete mode 100755 publish-docker.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fef3f95db44..880523191e8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -129,11 +129,11 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build Docker Image - run: ./build-docker.sh + run: ./docker-build.sh - name: build scan target run: > mvn -V -s settings.xml -pl cli -am package -DskipTests=true --no-transfer-progress --batch-mode - name: Test Docker Image - run: ./test-docker.sh + run: ./docker-test.sh diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index 3030dfb2e03..d8db8b1d669 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml 
@@ -184,11 +184,11 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build Docker Image - run: ./build-docker.sh + run: ./docker-build.sh - name: build scan target run: > mvn -V -s settings.xml -pl cli -am package -DskipTests=true --no-transfer-progress --batch-mode - name: Test Docker Image - run: ./test-docker.sh + run: ./docker-test.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e0db149dc61..834bee4b461 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -155,18 +155,18 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build Docker Image - run: ./build-docker.sh + run: ./docker-build.sh - name: build scan target run: > mvn -V -s settings.xml -pl cli -am package -DskipTests=true --no-transfer-progress --batch-mode - name: Test Docker Image - run: ./test-docker.sh + run: ./docker-test.sh - name: Deploy Docker Image run: | echo $DOCKER_TOKEN | docker login -u $DOCKER_USERNAME --password-stdin 2>/dev/null - ./publish-docker.sh + ./docker-publish.sh release: name: Publish Release diff --git a/Dockerfile b/Dockerfile index fb0960acb02..ca74f6535f4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,8 +7,9 @@ RUN "$JAVA_HOME/bin/jlink" --compress=zip-6 --module-path /opt/java/openjdk/jmod FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine ARG VERSION -ARG POSTGRES_DRIVER_VERSION=42.7.9 -ARG MYSQL_DRIVER_VERSION=9.6.0 +ARG POSTGRES_DRIVER_VERSION +ARG MYSQL_DRIVER_VERSION +ARG MAVEN_REPOSITORY_URL="https://repo1.maven.org/maven2" ARG UID=1000 ARG GID=1000 
@@ -34,10 +35,8 @@ RUN apk update unzip dependency-check-${VERSION}-release.zip -d /usr/share/ && \ rm dependency-check-${VERSION}-release.zip && \ cd /usr/share/dependency-check/plugins && \ - curl -Os "https://jdbc.postgresql.org/download/postgresql-${POSTGRES_DRIVER_VERSION}.jar" && \ - curl -Ls "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQL_DRIVER_VERSION}.tar.gz" \ - | tar -xz --directory "/usr/share/dependency-check/plugins" --strip-components=1 --no-same-owner \ - "mysql-connector-j-${MYSQL_DRIVER_VERSION}/mysql-connector-j-${MYSQL_DRIVER_VERSION}.jar" && \ + curl -fSLO "${MAVEN_REPOSITORY_URL}/org/postgresql/postgresql/${POSTGRES_DRIVER_VERSION}/postgresql-${POSTGRES_DRIVER_VERSION}.jar" && \ + curl -fSLO "${MAVEN_REPOSITORY_URL}/com/mysql/mysql-connector-j/${MYSQL_DRIVER_VERSION}/mysql-connector-j-${MYSQL_DRIVER_VERSION}.jar" && \ addgroup -S -g ${GID} ${user} && adduser -S -D -u ${UID} -G ${user} ${user} && \ mkdir /usr/share/dependency-check/data && \ chown -R ${user}:0 /usr/share/dependency-check && \ diff --git a/README.md b/README.md index 9b55d9d7299..c6e6f9ca7d9 100644 --- a/README.md +++ b/README.md @@ -356,7 +356,7 @@ To build dependency-check docker image run the command: ``` mvn -s settings.xml install -./build-docker.sh +./docker-build.sh ``` License diff --git a/core/pom.xml b/core/pom.xml index 284385c976b..e876b7f96f1 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -421,6 +421,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. mysql + + + com.mysql + mysql-connector-j + ${driver.mysql.version} + + @@ -459,7 +466,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.postgresql postgresql - 42.7.9 + ${driver.postgresql.version} diff --git a/build-docker.sh b/docker-build.sh similarity index 63% rename from build-docker.sh rename to docker-build.sh index 297ecc4cbd7..86354b1f9ba 100755 --- a/build-docker.sh +++ b/docker-build.sh 
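Review bot: The two `curl -fSLO` downloads fetch the JDBC drivers from `${MAVEN_REPOSITORY_URL}` with no integrity check, and now that the version ARGs have no defaults a plain `docker build .` without build args expands to `.../postgresql//postgresql-.jar` and fails only with an opaque 404 from `-f`. Prefix the download step with `test -n "${POSTGRES_DRIVER_VERSION}" && test -n "${MYSQL_DRIVER_VERSION}" && \` so a missing argument is reported by name. For the jars themselves, verify each one against the `.sha1` checksum file Maven Central publishes beside it (`sha1sum -c`), or better against digests pinned next to the versions in pom.xml, so a swapped or truncated artifact cannot end up in the image; the exact form depends on the checksum file layout, so I have not drafted it here. The missing-argument point applies equally to the `ARG` hunk at the top of the Dockerfile where the defaults were dropped.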
@@ -1,15 +1,11 @@ -#!/bin/bash +#!/usr/bin/env bash set -euo pipefail - -VERSION=$(mvn -q \ - -Dexec.executable="echo" \ - -Dexec.args='${project.version}' \ - --non-recursive \ - org.codehaus.mojo:exec-maven-plugin:3.5.1:exec) +function mvn_prop() { mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression="$1"; } +read -r VERSION POSTGRES_DRIVER_VERSION MYSQL_DRIVER_VERSION <<< "$(mvn_prop project.version) $(mvn_prop driver.postgresql.version) $(mvn_prop driver.mysql.version)" FILE=./cli/target/dependency-check-$VERSION-release.zip if [ ! -f "$FILE" ]; then - echo "$FILE does not exist - run 'mvn package' first" + echo "$FILE does not exist - run 'mvn package -DskipTests' first" exit 1 fi @@ -22,6 +18,7 @@ fi extra_tag_args="$([[ ! $VERSION = *"SNAPSHOT"* ]] && echo "--tag owasp/dependency-check:latest" || echo "")" +# shellcheck disable=SC2086 docker buildx build --pull --load --platform linux/amd64,linux/arm64 . \ - --build-arg VERSION=$VERSION \ + --build-arg "VERSION=$VERSION" --build-arg "POSTGRES_DRIVER_VERSION=$POSTGRES_DRIVER_VERSION" --build-arg "MYSQL_DRIVER_VERSION=$MYSQL_DRIVER_VERSION" \ --tag owasp/dependency-check:$VERSION ${extra_tag_args} diff --git a/docker-publish.sh b/docker-publish.sh new file mode 100755 index 00000000000..eaaee6208f2 --- /dev/null +++ b/docker-publish.sh 
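Review bot: `read -r VERSION POSTGRES_DRIVER_VERSION MYSQL_DRIVER_VERSION <<< "$(...) $(...) $(...)"` splits the three results on whitespace, so if any `mvn_prop` call prints nothing, or prints a multi-word message (which, as far as I recall, `help:evaluate` does for an unresolved expression instead of failing), the remaining values shift into the wrong variables; and because the substitutions sit inside a here-string, a failing mvn never trips `set -e` since `read` itself succeeds. Three plain assignments keep the exit status and remove the positional coupling: `VERSION=$(mvn_prop project.version)` / `POSTGRES_DRIVER_VERSION=$(mvn_prop driver.postgresql.version)` / `MYSQL_DRIVER_VERSION=$(mvn_prop driver.mysql.version)`. The same construct is repeated in the new docker-publish.sh. As a style point, `function mvn_prop() {` mixes both function syntaxes; `mvn_prop() {` is the portable form.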
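Review bot: `# shellcheck disable=SC2086` papers over `${extra_tag_args}` being deliberately unquoted, while `--tag owasp/dependency-check:$VERSION` on the same command stays unquoted as well; a bash array expresses the optional tag without any unquoted expansion, so the suppression can go. `extra_tag_args=()` / `[[ $VERSION == *SNAPSHOT* ]] || extra_tag_args+=(--tag owasp/dependency-check:latest)` / `--tag "owasp/dependency-check:$VERSION" "${extra_tag_args[@]}"`. Note that under `set -u` an empty array expands cleanly only on bash 4.4 or later, which is consistent with this series moving the scripts off the system bash 3.2.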
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +set -euo pipefail +function mvn_prop() { mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression="$1"; } +read -r VERSION POSTGRES_DRIVER_VERSION MYSQL_DRIVER_VERSION <<< "$(mvn_prop project.version) $(mvn_prop driver.postgresql.version) $(mvn_prop driver.mysql.version)" + +if [[ $VERSION = *"SNAPSHOT"* ]]; then + echo "Do not publish a snapshot version of dependency-check" + exit 1 +fi + +# Build args should match ./docker-build.sh so the builder cache is re-used +docker buildx build --pull=false --push --platform linux/amd64,linux/arm64 . \ + --build-arg "VERSION=$VERSION" --build-arg "POSTGRES_DRIVER_VERSION=$POSTGRES_DRIVER_VERSION" --build-arg "MYSQL_DRIVER_VERSION=$MYSQL_DRIVER_VERSION" \ + --tag owasp/dependency-check:$VERSION \ + --tag owasp/dependency-check:latest diff --git a/docker-pullcount.sh b/docker-pullcount.sh index 143e635f573..247d9f21005 100755 --- a/docker-pullcount.sh +++ b/docker-pullcount.sh @@ -1,3 +1,3 @@ -#/bin/bash - +#!/usr/bin/env bash +set -euo pipefail curl -s https://hub.docker.com/v2/repositories/owasp/dependency-check/ | python3 -c "import sys, json; print(json.load(sys.stdin)['pull_count'])" \ No newline at end of file diff --git a/shell-docker.sh b/docker-shell.sh similarity index 85% rename from shell-docker.sh rename to docker-shell.sh index f6503653edf..0733f32f527 100755 --- a/shell-docker.sh +++ b/docker-shell.sh @@ -1,10 +1,6 @@ -#!/bin/bash -e - -VERSION=$(mvn -q \ - -Dexec.executable="echo" \ - -Dexec.args='${project.version}' \ - --non-recursive \ - org.codehaus.mojo:exec-maven-plugin:3.5.1:exec) +#!/usr/bin/env bash +set -euo pipefail +VERSION="$(mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression=project.version)" OWASPDC_DIRECTORY=$HOME/OWASP-Dependency-Check DATA_DIRECTORY="$OWASPDC_DIRECTORY/data" diff --git a/test-docker.sh b/docker-test.sh similarity index 92% rename from test-docker.sh rename to docker-test.sh index 51d3738e58c..e8084925314 100755 
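Review bot: The image pushed by `docker buildx build --pull=false --push ...` is rebuilt here rather than being the image that docker-test.sh exercised; the comment relies on builder-cache reuse for the two to match, and with `--pull=false` a cold cache on a different runner would resolve the base images from whatever the builder has locally before publishing. If the release job runs both scripts in the same builder this is probably fine, but the assumption is worth stating in the comment, e.g. `# Relies on the builder cache populated by ./docker-build.sh in the same job; on a cache miss this rebuilds (and re-resolves base images) instead of publishing the tested image.`. Quoting the tag, `--tag "owasp/dependency-check:$VERSION"`, would match the quoting used for the build args two lines above.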
--- a/test-docker.sh +++ b/docker-test.sh @@ -1,10 +1,6 @@ -#!/bin/bash -e - -VERSION=$(mvn -q \ - -Dexec.executable="echo" \ - -Dexec.args='${project.version}' \ - --non-recursive \ - org.codehaus.mojo:exec-maven-plugin:3.5.1:exec) +#!/usr/bin/env bash +set -euo pipefail +VERSION="$(mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression=project.version)" SCAN_TARGET="./cli/target/release/lib" diff --git a/pom.xml b/pom.xml index 599e27c0c42..a46a0272190 100644 --- a/pom.xml +++ b/pom.xml @@ -172,6 +172,8 @@ Copyright (c) 2012 - Jeremy Long 4.3.0 3.0.4 2.21.0 + 42.7.10 + 9.6.0 5.15.0 diff --git a/publish-docker.sh b/publish-docker.sh deleted file mode 100755 index ffdcd9e8c06..00000000000 --- a/publish-docker.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash -e - -VERSION=$(mvn -q \ - -Dexec.executable="echo" \ - -Dexec.args='${project.version}' \ - --non-recursive \ - org.codehaus.mojo:exec-maven-plugin:3.5.1:exec) - -if [[ $VERSION = *"SNAPSHOT"* ]]; then - echo "Do not publish a snapshot version of dependency-check" - exit 1 -fi - -# Build args should match ./build-docker.sh so the builder cache is re-used -docker buildx build --push --platform linux/amd64,linux/arm64 . \ - --build-arg VERSION=$VERSION \ - --tag owasp/dependency-check:$VERSION \ - --tag owasp/dependency-check:latest