dependency-check · chadlwilson · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -129,8 +129,11 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Build Docker Image
-        run: ./build-docker.sh
+        run: ./docker-build.sh
       - name: build scan target
-        run: mvn -V -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode
+        run: >
+          mvn -V -s settings.xml -pl cli -am 
+          package -DskipTests=true
+          --no-transfer-progress --batch-mode
       - name: Test Docker Image
-        run: ./test-docker.sh
+        run: ./docker-test.sh
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
@@ -184,8 +184,11 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Build Docker Image
-        run: ./build-docker.sh
+        run: ./docker-build.sh
       - name: build scan target
-        run: mvn -V -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode
+        run: >
+          mvn -V -s settings.xml -pl cli -am 
+          package -DskipTests=true
+          --no-transfer-progress --batch-mode
       - name: Test Docker Image
-        run: ./test-docker.sh
+        run: ./docker-test.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -155,15 +155,18 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Build Docker Image
-        run: ./build-docker.sh
+        run: ./docker-build.sh
       - name: build scan target
-        run: mvn -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode
+        run: >
+          mvn -V -s settings.xml -pl cli -am 
+          package -DskipTests=true
+          --no-transfer-progress --batch-mode
       - name: Test Docker Image
-        run: ./test-docker.sh
+        run: ./docker-test.sh
       - name: Deploy Docker Image
         run: |
           echo $DOCKER_TOKEN | docker login -u $DOCKER_USERNAME --password-stdin 2>/dev/null
-          ./publish-docker.sh
+          ./docker-publish.sh
 
   release:
     name: Publish Release

diff --git a/Dockerfile b/Dockerfile
@@ -7,8 +7,9 @@ RUN "$JAVA_HOME/bin/jlink" --compress=zip-6 --module-path /opt/java/openjdk/jmod
 FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine
 
 ARG VERSION
-ARG POSTGRES_DRIVER_VERSION=42.7.9
-ARG MYSQL_DRIVER_VERSION=9.6.0
+ARG POSTGRES_DRIVER_VERSION
+ARG MYSQL_DRIVER_VERSION
+ARG MAVEN_REPOSITORY_URL="https://repo1.maven.org/maven2"
 ARG UID=1000
 ARG GID=1000
 
@@ -34,10 +35,8 @@ RUN apk update
     unzip dependency-check-${VERSION}-release.zip -d /usr/share/                                     && \
     rm dependency-check-${VERSION}-release.zip                                                       && \
     cd /usr/share/dependency-check/plugins                                                           && \
-    curl -Os "https://jdbc.postgresql.org/download/postgresql-${POSTGRES_DRIVER_VERSION}.jar"        && \
-    curl -Ls "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQL_DRIVER_VERSION}.tar.gz" \
-        | tar -xz --directory "/usr/share/dependency-check/plugins" --strip-components=1 --no-same-owner \
-            "mysql-connector-j-${MYSQL_DRIVER_VERSION}/mysql-connector-j-${MYSQL_DRIVER_VERSION}.jar" && \
+    curl -fSLO "${MAVEN_REPOSITORY_URL}/org/postgresql/postgresql/${POSTGRES_DRIVER_VERSION}/postgresql-${POSTGRES_DRIVER_VERSION}.jar"    && \
+    curl -fSLO "${MAVEN_REPOSITORY_URL}/com/mysql/mysql-connector-j/${MYSQL_DRIVER_VERSION}/mysql-connector-j-${MYSQL_DRIVER_VERSION}.jar" && \
     addgroup -S -g ${GID} ${user} && adduser -S -D -u ${UID} -G ${user} ${user}                      && \
     mkdir /usr/share/dependency-check/data                                                           && \
     chown -R ${user}:0 /usr/share/dependency-check                                                   && \

diff --git a/README.md b/README.md
@@ -356,7 +356,7 @@ To build dependency-check docker image run the command:
 
 ```
 mvn -s settings.xml install
-./build-docker.sh
+./docker-build.sh
 ```
 
 License

diff --git a/core/pom.xml b/core/pom.xml
@@ -421,6 +421,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <name>mysql</name>
                 </property>
             </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>com.mysql</groupId>
+                    <artifactId>mysql-connector-j</artifactId>
+                    <version>${driver.mysql.version}</version>
+                </dependency>
+            </dependencies>
             <build>
                 <plugins>
                     <plugin>
@@ -459,7 +466,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 <dependency>
                     <groupId>org.postgresql</groupId>
                     <artifactId>postgresql</artifactId>
-                    <version>42.7.9</version>
+                    <version>${driver.postgresql.version}</version>
                 </dependency>
             </dependencies>
             <build>

diff --git a/coverity_scan.sh b/coverity_scan.sh
diff --git a/build-docker.sh → docker-build.sh b/build-docker.sh → docker-build.sh
@@ -1,15 +1,11 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -euo pipefail
-
-VERSION=$(mvn -q \
-    -Dexec.executable="echo" \
-    -Dexec.args='${project.version}' \
-    --non-recursive \
-    org.codehaus.mojo:exec-maven-plugin:3.5.1:exec)
+function mvn_prop() { mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression="$1"; }
+read -r VERSION POSTGRES_DRIVER_VERSION MYSQL_DRIVER_VERSION <<< "$(mvn_prop project.version) $(mvn_prop driver.postgresql.version) $(mvn_prop driver.mysql.version)"
 
 FILE=./cli/target/dependency-check-$VERSION-release.zip
 if [ ! -f "$FILE" ]; then
-    echo "$FILE does not exist - run 'mvn package' first"
+    echo "$FILE does not exist - run 'mvn package -DskipTests' first"
     exit 1
 fi
 
@@ -22,6 +18,7 @@ fi
 
 extra_tag_args="$([[ ! $VERSION = *"SNAPSHOT"* ]] && echo "--tag owasp/dependency-check:latest" || echo "")"
 
+# shellcheck disable=SC2086
 docker buildx build --pull --load --platform linux/amd64,linux/arm64 . \
-    --build-arg VERSION=$VERSION \
+    --build-arg "VERSION=$VERSION" --build-arg "POSTGRES_DRIVER_VERSION=$POSTGRES_DRIVER_VERSION" --build-arg "MYSQL_DRIVER_VERSION=$MYSQL_DRIVER_VERSION" \
     --tag owasp/dependency-check:$VERSION ${extra_tag_args}
diff --git a/docker-publish.sh b/docker-publish.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+function mvn_prop() { mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression="$1"; }
+read -r VERSION POSTGRES_DRIVER_VERSION MYSQL_DRIVER_VERSION <<< "$(mvn_prop project.version) $(mvn_prop driver.postgresql.version) $(mvn_prop driver.mysql.version)"
+
+if [[ $VERSION = *"SNAPSHOT"* ]]; then
+    echo "Do not publish a snapshot version of dependency-check"
+    exit 1
+fi
+
+# Build args should match ./docker-build.sh so the builder cache is re-used
+docker buildx build --pull=false --push --platform linux/amd64,linux/arm64 . \
+    --build-arg "VERSION=$VERSION" --build-arg "POSTGRES_DRIVER_VERSION=$POSTGRES_DRIVER_VERSION" --build-arg "MYSQL_DRIVER_VERSION=$MYSQL_DRIVER_VERSION" \
+    --tag owasp/dependency-check:$VERSION \
+    --tag owasp/dependency-check:latest
diff --git a/docker-pullcount.sh b/docker-pullcount.sh
@@ -1,3 +1,3 @@
-#/bin/bash
-
+#!/usr/bin/env bash
+set -euo pipefail
 curl -s https://hub.docker.com/v2/repositories/owasp/dependency-check/ | python3 -c "import sys, json; print(json.load(sys.stdin)['pull_count'])"
diff --git a/shell-docker.sh → docker-shell.sh b/shell-docker.sh → docker-shell.sh
@@ -1,17 +1,6 @@
-#!/bin/bash -e
-
-VERSION=$(mvn -q \
-    -Dexec.executable="echo" \
-    -Dexec.args='${project.version}' \
-    --non-recursive \
-    org.codehaus.mojo:exec-maven-plugin:3.5.1:exec)
-
-SCAN_TARGET="./cli/target/release/lib"
-
-if [ ! -d "$SCAN_TARGET" ]; then 
-  echo "Scan target does not exist: $SCAN_TARGET"
-  exit 1
-fi
+#!/usr/bin/env bash
+set -euo pipefail
+VERSION="$(mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression=project.version)"
 
 OWASPDC_DIRECTORY=$HOME/OWASP-Dependency-Check
 DATA_DIRECTORY="$OWASPDC_DIRECTORY/data"

diff --git a/test-docker.sh → docker-test.sh b/test-docker.sh → docker-test.sh
@@ -1,10 +1,6 @@
-#!/bin/bash -e
-
-VERSION=$(mvn -q \
-    -Dexec.executable="echo" \
-    -Dexec.args='${project.version}' \
-    --non-recursive \
-    org.codehaus.mojo:exec-maven-plugin:3.5.1:exec)
+#!/usr/bin/env bash
+set -euo pipefail
+VERSION="$(mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression=project.version)"
 
 SCAN_TARGET="./cli/target/release/lib"
 

diff --git a/list-changes.sh b/list-changes.sh
@@ -1,5 +1,6 @@
-#!/bin/bash -e
+#!/usr/bin/env bash
+set -euo pipefail
 ##https://blogs.sap.com/2018/06/22/generating-release-notes-from-git-commit-messages-using-basic-shell-commands-gitgrep/
-git --no-pager log $(git describe --tags --abbrev=0)..HEAD --pretty=format:" - %s" \
+git --no-pager log "$(git describe --tags --abbrev=0)..HEAD" --pretty=format:" - %s" \
   | grep -v ' - Bump' \
   | sed -E 's/#([0-9]+)/[#\1](https:\/\/github.com\/dependency-check\/DependencyCheck\/pull\/\1)/g'
diff --git a/pom.xml b/pom.xml
@@ -172,6 +172,8 @@ Copyright (c) 2012 - Jeremy Long
         <gmavenplus-plugin.version>4.3.0</gmavenplus-plugin.version>
         <com.h3xstream.retirejs.core.version>3.0.4</com.h3xstream.retirejs.core.version>
         <jackson.version>2.21.0</jackson.version>
+        <driver.postgresql.version>42.7.10</driver.postgresql.version>
+        <driver.mysql.version>9.6.0</driver.mysql.version>
         <!--necessary for some IDEs to be able to execute test cases (Netbeans)-->
         <surefireArgLine />
         <mock-server.version>5.15.0</mock-server.version>

diff --git a/prepare-release.sh b/prepare-release.sh
@@ -1,9 +1,10 @@
-#!/bin/bash -e
+#!/usr/bin/env bash
+set -euo pipefail
 
 git checkout main
 git pull --rebase
 
-SNAPSHOT=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+SNAPSHOT=$(mvn help:evaluate -q --non-recursive -DforceStdout -Dexpression=project.version)
 RELEASE=${SNAPSHOT/-SNAPSHOT/}
 
 git checkout -b "release-$RELEASE"

diff --git a/publish-docker.sh b/publish-docker.sh
diff --git a/release_stats.sh b/release_stats.sh
@@ -1,3 +1,3 @@
-#/bin/bash
-
+#!/usr/bin/env bash
+set -euo pipefail
 curl   -H "Accept: application/vnd.github.v3+json"   https://api.github.com/repos/dependency-check/DependencyCheck/releases| jq -r '.[] | (.tag_name + "," + (.assets[]|(.name+","+(.download_count|tostring))))' | grep -v \.asc | sort
diff --git a/sha256_cli.sh b/sha256_cli.sh
@@ -1,5 +1,5 @@
-#/bin/bash
-
+#!/usr/bin/env bash
+set -euo pipefail
 ver=$(curl -s https://dependency-check.github.io/DependencyCheck/current.txt)
 echo "Version $ver"
 wget -q https://github.com/dependency-check/DependencyCheck/releases/download/v$ver/dependency-check-$ver-release.zip
-Original file line number
+Diff line change
@@ Expand Up / @@ -356,7 +356,7 @@ To build dependency-check docker image run the command: @@
     ```
     mvn -s settings.xml install
-    ./build-docker.sh
+    ./docker-build.sh
     ```
     License
@@ Expand Down @@