From 47787636c6ffda7e9d4c03b0d3428902987711ca Mon Sep 17 00:00:00 2001
From: Nicolas Humblot <contact@nicolashumblot.fr>
Date: Thu, 3 Apr 2025 13:41:06 +0200
Subject: [PATCH 001/195] feat!: #7510 Display a dedicated message when
 receiving an HTTP 403

BREAKING CHANGE: adds a new checked exception as a return type of the
utils module public API
---
 .../analyzer/CentralAnalyzer.java             | 10 ++++++-
 .../data/artifactory/ArtifactorySearch.java   |  3 ++
 .../data/central/CentralSearch.java           |  6 +++-
 .../data/nexus/NexusV2Search.java             |  5 ++--
 .../data/nexus/NexusV3Search.java             |  3 +-
 .../data/update/KnownExploitedDataSource.java |  3 +-
 .../analyzer/CentralAnalyzerTest.java         |  7 +++--
 .../dependencycheck/utils/Downloader.java     | 12 +++++---
 .../utils/ForbiddenException.java             | 30 +++++++++++++++++++
 9 files changed, 66 insertions(+), 13 deletions(-)
 create mode 100644 utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
index 098585c22dd..2cd3fa2f80a 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -34,6 +34,7 @@
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
@@ -313,6 +314,12 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
             final String message = "Could not connect to Central search. Analysis failed.";
             LOGGER.error(message, ioe);
             throw new AnalysisException(message, ioe);
+        } catch (ForbiddenException e) {
+            final String message = "Connection to Central search refused. This is most likely not a problem with " +
+                    "Dependency-Check itself and is related to network connectivity. Please check " +
+                    "https://central.sonatype.org/faq/403-error-central/.";
+            LOGGER.error(message);
+            throw new AnalysisException(message, e);
         }
     }
 
@@ -330,7 +337,8 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
      * @throws TooManyRequestsException if Central has received too many
      * requests.
      */
-    protected List<MavenArtifact> fetchMavenArtifacts(Dependency dependency) throws IOException, TooManyRequestsException {
+    protected List<MavenArtifact> fetchMavenArtifacts(Dependency dependency) throws IOException,
+            TooManyRequestsException, ForbiddenException {
         IOException lastException = null;
         long sleepingTimeBetweenRetriesInMillis = BASE_RETRY_WAIT;
         int triesLeft = numberOfRetries;
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java b/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java
index 534b5d899eb..f8ff879fcff 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java
@@ -33,6 +33,7 @@
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
@@ -116,6 +117,8 @@ public List<MavenArtifact> search(Dependency dependency) throws IOException {
             throw new IOException(msg.append(" (400): Invalid URL").toString(), e);
         } catch (ResourceNotFoundException e) {
             throw new IOException(msg.append(" (404): Not found").toString(), e);
+        } catch (ForbiddenException e) {
+            throw new IOException(msg.append(" (403): Forbidden").toString(), e);
         }
     }
 
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
index 0b598684e99..4e2f5dfc624 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -21,6 +21,7 @@
 import org.apache.hc.core5.http.message.BasicHeader;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
 import java.io.FileNotFoundException;
@@ -135,7 +136,7 @@ public CentralSearch(Settings settings) throws MalformedURLException {
      * @throws TooManyRequestsException if Central has received too many
      * requests.
      */
-    public List<MavenArtifact> searchSha1(String sha1) throws IOException, TooManyRequestsException {
+    public List<MavenArtifact> searchSha1(String sha1) throws IOException, TooManyRequestsException, ForbiddenException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
             throw new IllegalArgumentException("Invalid SHA1 format");
         }
@@ -180,6 +181,9 @@ public List<MavenArtifact> searchSha1(String sha1) throws IOException, TooManyRe
         } catch (URISyntaxException e) {
             final String errorMessage = "Could not convert central search URL to a URI " + e.getMessage();
             throw new IOException(errorMessage, e);
+        } catch (ForbiddenException e) {
+            final String errorMessage = "Forbidden access to MavenCentral " + e.getMessage();
+            throw new ForbiddenException(errorMessage, e);
         }
         if (cache != null) {
             cache.put(sha1, result);
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java
index 3c8766fceb9..3802a6b55b9 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java
@@ -34,6 +34,7 @@
 import org.apache.hc.core5.http.message.BasicHeader;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
 
@@ -147,7 +148,7 @@ public MavenArtifact searchSha1(String sha1) throws IOException {
                 throw new IOException("Could not connect to Nexus");
         } catch (ResourceNotFoundException e) {
             throw new FileNotFoundException("Artifact not found in Nexus");
-        } catch (XPathExpressionException | URISyntaxException e) {
+        } catch (XPathExpressionException | URISyntaxException | ForbiddenException e) {
             throw new IOException(e.getMessage(), e);
         }
     }
@@ -163,7 +164,7 @@ public boolean preflightRequest() {
                 LOGGER.warn("Pre-flight request to Nexus failed; expected root node name of status, got {}", doc.getDocumentElement().getNodeName());
                 return false;
             }
-        } catch (IOException | TooManyRequestsException | ResourceNotFoundException | URISyntaxException e) {
+        } catch (IOException | TooManyRequestsException | ResourceNotFoundException | URISyntaxException | ForbiddenException e) {
             LOGGER.warn("Pre-flight request to Nexus failed: ", e);
             return false;
         }
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java
index 943e21f3f84..8bb31bc7573 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV3Search.java
@@ -27,6 +27,7 @@
 import org.jetbrains.annotations.Nullable;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
@@ -146,7 +147,7 @@ private String retrievePageAndAddMatchingArtifact(CloseableHttpClient client, Li
         try {
             return Downloader.getInstance().fetchAndHandle(client, url, handler, List.of(new BasicHeader(HttpHeaders.ACCEPT,
                             ContentType.APPLICATION_JSON)));
-        } catch (TooManyRequestsException | ResourceNotFoundException | DownloadFailedException e) {
+        } catch (TooManyRequestsException | ResourceNotFoundException | DownloadFailedException | ForbiddenException e) {
             if (LOGGER.isDebugEnabled()) {
                 int responseCode = -1;
                 String responseMessage = "";
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/KnownExploitedDataSource.java b/core/src/main/java/org/owasp/dependencycheck/data/update/KnownExploitedDataSource.java
index 2bae99b04a3..9a52e79d795 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/update/KnownExploitedDataSource.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/update/KnownExploitedDataSource.java
@@ -35,6 +35,7 @@
 import org.owasp.dependencycheck.data.update.exception.CorruptedDatastreamException;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
@@ -102,7 +103,7 @@ public KnownExploitedVulnerabilitiesSchema handleEntity(HttpEntity entity) throw
                 dbProperties.save(DatabaseProperties.KEV_LAST_CHECKED, Long.toString(System.currentTimeMillis() / 1000));
                 return true;
             } catch (TooManyRequestsException | ResourceNotFoundException | IOException | DatabaseException
-                     | SQLException | URISyntaxException ex) {
+                     | SQLException | URISyntaxException | ForbiddenException ex) {
                 throw new UpdateException(ex);
             }
         }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
index fb17c03ea2f..c3496c6b84d 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
@@ -21,6 +21,7 @@
 import org.junit.Test;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.central.CentralSearch;
+import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -50,7 +51,7 @@ public class CentralAnalyzerTest extends BaseTest {
 
     @Test
     @SuppressWarnings("PMD.NonStaticInitializer")
-    public void testFetchMavenArtifactsWithoutException() throws IOException, TooManyRequestsException {
+    public void testFetchMavenArtifactsWithoutException() throws IOException, TooManyRequestsException, ForbiddenException {
             CentralAnalyzer instance = new CentralAnalyzer();
             instance.setCentralSearch(centralSearch);
             when(dependency.getSha1sum()).thenReturn(SHA1_SUM);
@@ -64,7 +65,7 @@ public void testFetchMavenArtifactsWithoutException() throws IOException, TooMan
     @Test(expected = FileNotFoundException.class)
     @SuppressWarnings("PMD.NonStaticInitializer")
     public void testFetchMavenArtifactsRethrowsFileNotFoundException()
-            throws IOException, TooManyRequestsException {
+            throws IOException, TooManyRequestsException, ForbiddenException {
         CentralAnalyzer instance = new CentralAnalyzer();
         instance.setCentralSearch(centralSearch);
         when(dependency.getSha1sum()).thenReturn(SHA1_SUM);
@@ -75,7 +76,7 @@ public void testFetchMavenArtifactsRethrowsFileNotFoundException()
     @Test(expected = IOException.class)
     @SuppressWarnings("PMD.NonStaticInitializer")
     public void testFetchMavenArtifactsAlwaysThrowsIOException()
-            throws IOException, TooManyRequestsException {
+            throws IOException, TooManyRequestsException, ForbiddenException {
         getSettings().setInt(Settings.KEYS.ANALYZER_CENTRAL_RETRY_COUNT, 1);
         getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, false);
         CentralAnalyzer instance = new CentralAnalyzer();
diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
index e4eb9b69efa..df2ec1f746d 100644
--- a/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
+++ b/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
@@ -649,7 +649,7 @@ public CloseableHttpClient getHttpClient(boolean useProxy) {
      * @throws ResourceNotFoundException When HTTP status 404 is encountered
      */
     public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler<T> handler)
-            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException {
+            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException, ForbiddenException {
         return fetchAndHandle(url, handler, Collections.emptyList(), true);
     }
 
@@ -666,7 +666,7 @@ public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler
      * @throws ResourceNotFoundException When HTTP status 404 is encountered
      */
     public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler<T> handler, @NotNull List<Header> hdr)
-            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException {
+            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException, ForbiddenException {
         return fetchAndHandle(url, handler, hdr, true);
     }
 
@@ -684,7 +684,7 @@ public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler
      * @throws ResourceNotFoundException When HTTP status 404 is encountered
      */
     public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler<T> handler, @NotNull List<Header> hdr, boolean useProxy)
-            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException {
+            throws IOException, TooManyRequestsException, ResourceNotFoundException, URISyntaxException, ForbiddenException {
         final T data;
         if ("file".equals(url.getProtocol())) {
             final Path p = Paths.get(url.toURI());
@@ -717,7 +717,8 @@ public <T> T fetchAndHandle(@NotNull URL url, @NotNull HttpClientResponseHandler
      * @throws ResourceNotFoundException When HTTP status 404 is encountered
      */
     public <T> T fetchAndHandle(@NotNull CloseableHttpClient client, @NotNull URL url, @NotNull HttpClientResponseHandler<T> handler,
-                                @NotNull List<Header> hdr) throws IOException, TooManyRequestsException, ResourceNotFoundException {
+                                @NotNull List<Header> hdr) throws IOException, TooManyRequestsException,
+            ResourceNotFoundException, ForbiddenException {
         try {
             final String theProtocol = url.getProtocol();
             if (!("http".equals(theProtocol) || "https".equals(theProtocol))) {
@@ -732,6 +733,9 @@ public <T> T fetchAndHandle(@NotNull CloseableHttpClient client, @NotNull URL ur
         } catch (HttpResponseException hre) {
             final String messageFormat = "%s - Server status: %d - Server reason: %s";
             switch (hre.getStatusCode()) {
+                case 403:
+                    throw new ForbiddenException(String.format(messageFormat, url, hre.getStatusCode(),
+                            hre.getReasonPhrase()));
                 case 404:
                     throw new ResourceNotFoundException(String.format(messageFormat, url, hre.getStatusCode(), hre.getReasonPhrase()));
                 case 429:
diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java b/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
new file mode 100644
index 00000000000..75e3f21eaf6
--- /dev/null
+++ b/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.owasp.dependencycheck.utils;
+
+public class ForbiddenException extends Exception {
+
+    public ForbiddenException(String message) {
+        super(message);
+    }
+
+    public ForbiddenException(String message, ForbiddenException cause) {
+        super(message, cause);
+    }
+}

From 8fd4679cdd4c709e04eed82f1f7ec372c61cf22f Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 5 Apr 2025 07:25:33 -0400
Subject: [PATCH 002/195] build: prepare for next development iteration

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index 87ee99d07b2..a13058037cc 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1</version>
+        <version>12.1.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.1</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index ceffb22eb4c..3fa3ab642c3 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1</version>
+        <version>12.1.2-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-04-05T11:23:00Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-04-05T11:25:33Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>v12.1.1</tag>
+      <tag>HEAD</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index 1d8e808ceab..03e33230f50 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1</version>
+        <version>12.1.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.1</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index f8bf2b1cc60..0db4c3f6801 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1</version>
+        <version>12.1.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.1</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index 769a982c987..aa58a3c401f 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1</version>
+        <version>12.1.2-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.1</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index 1ab2c64c6b3..48260e92ed3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.1</version>
+    <version>12.1.2-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.1</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-04-05T11:23:00Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-04-05T11:25:33Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 95ed9359188..fb9d1366c88 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.1</version>
+        <version>12.1.2-SNAPSHOT</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.1</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 87cacfea379fbdc02147fe30137f514a89bceec9 Mon Sep 17 00:00:00 2001
From: Nicolas Humblot <contact@nicolashumblot.fr>
Date: Sat, 5 Apr 2025 10:04:51 +0200
Subject: [PATCH 003/195] refactor: #7510 preserve line break

---
 .../dependencycheck/data/artifactory/ArtifactorySearch.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java b/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java
index f8ff879fcff..8674103c388 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java
@@ -45,7 +45,7 @@
  * Class of methods to search Artifactory for hashes and determine Maven GAV
  * from there.
  *
- * Data classes copied from JFrog's artifactory-client-java project.
+ * <p>Data classes copied from JFrog's artifactory-client-java project.</p>
  *
  * @author nhenneaux
  */

From 3643d5a2cd0d31c1e8a9017d53b763ea048d00df Mon Sep 17 00:00:00 2001
From: Nicolas Humblot <contact@nicolashumblot.fr>
Date: Sat, 5 Apr 2025 16:53:30 +0200
Subject: [PATCH 004/195] refactor: #7510 use parameterized log message

---
 .../org/owasp/dependencycheck/data/central/CentralSearch.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
index 4e2f5dfc624..3ee1135a1ec 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -143,7 +143,7 @@ public List<MavenArtifact> searchSha1(String sha1) throws IOException, TooManyRe
         if (cache != null) {
             final List<MavenArtifact> cached = cache.get(sha1);
             if (cached != null) {
-                LOGGER.debug("cache hit for Central: " + sha1);
+                LOGGER.debug("cache hit for Central: {}", sha1);
                 if (cached.isEmpty()) {
                     throw new FileNotFoundException("Artifact not found in Central");
                 }

From 5158c50d479b1b9e6de2b430da88b9c1d516afac Mon Sep 17 00:00:00 2001
From: Nicolas Humblot <contact@nicolashumblot.fr>
Date: Sun, 6 Apr 2025 19:34:26 +0200
Subject: [PATCH 005/195] refactor: #7510 remove unnecessary space

---
 .../org/owasp/dependencycheck/utils/ForbiddenException.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java b/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
index 75e3f21eaf6..8cf5cc71cf9 100644
--- a/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
+++ b/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
@@ -4,7 +4,7 @@
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
+ * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * https://www.apache.org/licenses/LICENSE-2.0

From dbf8e67505d0dd81d9199aafe02a098c2270018b Mon Sep 17 00:00:00 2001
From: Nicolas Humblot <contact@nicolashumblot.fr>
Date: Sun, 6 Apr 2025 19:40:08 +0200
Subject: [PATCH 006/195] refactor: #7510 make change non-breaking at public
 API level

---
 .../dependencycheck/analyzer/CentralAnalyzer.java      | 10 +++++-----
 .../dependencycheck/data/nexus/NexusV2Search.java      |  2 +-
 .../data/update/KnownExploitedDataSource.java          |  3 +--
 .../dependencycheck/utils/ForbiddenException.java      |  4 +++-
 4 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
index 2cd3fa2f80a..9349413e34f 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -310,16 +310,16 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
             LOGGER.info("invalid sha1-hash on {}", dependency.getFileName());
         } catch (FileNotFoundException fnfe) {
             LOGGER.debug("Artifact not found in repository: '{}", dependency.getFileName());
-        } catch (IOException ioe) {
-            final String message = "Could not connect to Central search. Analysis failed.";
-            LOGGER.error(message, ioe);
-            throw new AnalysisException(message, ioe);
         } catch (ForbiddenException e) {
             final String message = "Connection to Central search refused. This is most likely not a problem with " +
                     "Dependency-Check itself and is related to network connectivity. Please check " +
                     "https://central.sonatype.org/faq/403-error-central/.";
             LOGGER.error(message);
             throw new AnalysisException(message, e);
+        } catch (IOException ioe) {
+            final String message = "Could not connect to Central search. Analysis failed.";
+            LOGGER.error(message, ioe);
+            throw new AnalysisException(message, ioe);
         }
     }
 
@@ -338,7 +338,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
      * requests.
      */
     protected List<MavenArtifact> fetchMavenArtifacts(Dependency dependency) throws IOException,
-            TooManyRequestsException, ForbiddenException {
+            TooManyRequestsException {
         IOException lastException = null;
         long sleepingTimeBetweenRetriesInMillis = BASE_RETRY_WAIT;
         int triesLeft = numberOfRetries;
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java
index 3802a6b55b9..9e2401fc3e8 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusV2Search.java
@@ -164,7 +164,7 @@ public boolean preflightRequest() {
                 LOGGER.warn("Pre-flight request to Nexus failed; expected root node name of status, got {}", doc.getDocumentElement().getNodeName());
                 return false;
             }
-        } catch (IOException | TooManyRequestsException | ResourceNotFoundException | URISyntaxException | ForbiddenException e) {
+        } catch (IOException | TooManyRequestsException | ResourceNotFoundException | URISyntaxException e) {
             LOGGER.warn("Pre-flight request to Nexus failed: ", e);
             return false;
         }
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/KnownExploitedDataSource.java b/core/src/main/java/org/owasp/dependencycheck/data/update/KnownExploitedDataSource.java
index 9a52e79d795..2bae99b04a3 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/update/KnownExploitedDataSource.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/update/KnownExploitedDataSource.java
@@ -35,7 +35,6 @@
 import org.owasp.dependencycheck.data.update.exception.CorruptedDatastreamException;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.Downloader;
-import org.owasp.dependencycheck.utils.ForbiddenException;
 import org.owasp.dependencycheck.utils.ResourceNotFoundException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.TooManyRequestsException;
@@ -103,7 +102,7 @@ public KnownExploitedVulnerabilitiesSchema handleEntity(HttpEntity entity) throw
                 dbProperties.save(DatabaseProperties.KEV_LAST_CHECKED, Long.toString(System.currentTimeMillis() / 1000));
                 return true;
             } catch (TooManyRequestsException | ResourceNotFoundException | IOException | DatabaseException
-                     | SQLException | URISyntaxException | ForbiddenException ex) {
+                     | SQLException | URISyntaxException ex) {
                 throw new UpdateException(ex);
             }
         }
diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java b/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
index 8cf5cc71cf9..498f24653e4 100644
--- a/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
+++ b/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
@@ -18,7 +18,9 @@
  */
 package org.owasp.dependencycheck.utils;
 
-public class ForbiddenException extends Exception {
+import java.io.IOException;
+
+public class ForbiddenException extends IOException {
 
     public ForbiddenException(String message) {
         super(message);

From fd48db4e2ee88757042c101a50225bb10a4e9620 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 9 Apr 2025 06:21:51 -0400
Subject: [PATCH 007/195] build(deps): bump com.google.guava:guava from
 33.4.6-jre to 33.4.7-jre (#7588)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 48260e92ed3..c77360463bd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1303,7 +1303,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>com.google.guava</groupId>
                 <artifactId>guava</artifactId>
-                <version>33.4.6-jre</version>
+                <version>33.4.7-jre</version>
             </dependency>
             <dependency>
                 <groupId>com.hankcs</groupId>

From a6ad37e0c18c7bf81af9144d91a93afaae59f9c8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 11 Apr 2025 05:44:46 -0400
Subject: [PATCH 008/195] build(deps): bump org.apache.commons:commons-text
 from 1.13.0 to 1.13.1 (#7592)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index c77360463bd..137a10761bd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,7 +147,7 @@ Copyright (c) 2012 - Jeremy Long
         <commons-cli.version>1.9.0</commons-cli.version>
         <commons-io.version>2.18.0</commons-io.version>
         <commons-lang3.version>3.17.0</commons-lang3.version>
-        <commons-text.version>1.13.0</commons-text.version>
+        <commons-text.version>1.13.1</commons-text.version>
         <httpcomponents.client.version>5.4.3</httpcomponents.client.version>
         <httpcomponents.core.version>5.3.4</httpcomponents.core.version>
         <!-- note that logging will be noisy and broken until we upgrade to 3.2

From cf5fd44c6a9c6e427726ff1a6f2ebf556fe9682b Mon Sep 17 00:00:00 2001
From: Nicolas Humblot <contact@nicolashumblot.fr>
Date: Fri, 11 Apr 2025 13:35:21 +0200
Subject: [PATCH 009/195] fix: remove duplicate dependency declaration

---
 pom.xml | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/pom.xml b/pom.xml
index 137a10761bd..474b1d30c94 100644
--- a/pom.xml
+++ b/pom.xml
@@ -137,7 +137,6 @@ Copyright (c) 2012 - Jeremy Long
         <maven-project-info-reports-plugin.version>3.9.0</maven-project-info-reports-plugin.version>
         <maven-surefire-report-plugin.version>3.5.3</maven-surefire-report-plugin.version>
         <jacoco-maven-plugin.version>0.8.13</jacoco-maven-plugin.version>
-        <spotbugs.version>4.9.3</spotbugs.version>
         <spotbugs.maven.plugin.version>4.9.3.0</spotbugs.maven.plugin.version>
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>
@@ -1003,13 +1002,6 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>cpe-parser</artifactId>
                 <version>3.0.0</version>
             </dependency>
-            <dependency>
-                <groupId>com.github.spotbugs</groupId>
-                <artifactId>spotbugs-annotations</artifactId>
-                <version>${spotbugs.version}</version>
-                <scope>compile</scope>
-                <optional>true</optional>
-            </dependency>
             <dependency>
                 <groupId>org.whitesource</groupId>
                 <artifactId>pecoff4j</artifactId>
@@ -1353,12 +1345,6 @@ Copyright (c) 2012 - Jeremy Long
             <scope>compile</scope>
             <optional>true</optional>
         </dependency>
-        <dependency>
-            <groupId>com.github.spotbugs</groupId>
-            <artifactId>spotbugs-annotations</artifactId>
-            <scope>compile</scope>
-            <optional>true</optional>
-        </dependency>
         <!-- endregion -->
     </dependencies>
     <profiles>

From 044af60e7421156093b438cf36f111c25f05d78f Mon Sep 17 00:00:00 2001
From: Nicolas Humblot <contact@nicolashumblot.fr>
Date: Fri, 11 Apr 2025 13:51:24 +0200
Subject: [PATCH 010/195] fix: #7591 tell the stage goal has to be used

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7f8bf13bc48..142df4a70e7 100644
--- a/README.md
+++ b/README.md
@@ -341,7 +341,7 @@ Building the documentation
 
 The documentation on the [github pages](https://dependency-check.github.io/DependencyCheck/) is generated from this repository:
 
-    mvn -s settings.xml site  site:staging
+    mvn -s settings.xml site site:stage
 
 Once done, point your browser to `./target/staging/index.html`.
 

From 956ceccb8ab90a027cc4175cfb5881568684ac74 Mon Sep 17 00:00:00 2001
From: Hans Aikema <aikebah-github@aikebah.net>
Date: Mon, 14 Apr 2025 13:05:33 +0200
Subject: [PATCH 011/195] chore: remove the unused URLConnectionFactory (#7595)

---
 .../utils/URLConnectionFactory.java           | 250 ------------------
 .../utils/URLConnectionFactoryIT.java         | 105 --------
 2 files changed, 355 deletions(-)
 delete mode 100644 utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
 delete mode 100644 utils/src/test/java/org/owasp/dependencycheck/utils/URLConnectionFactoryIT.java

diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
deleted file mode 100644
index 4a14dd729d7..00000000000
--- a/utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java
+++ /dev/null
@@ -1,250 +0,0 @@
-/*
- * This file is part of dependency-check-utils.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.utils;
-
-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-import org.apache.commons.lang3.StringUtils;
-
-import java.io.IOException;
-import java.net.Authenticator;
-import java.net.HttpURLConnection;
-import java.net.InetSocketAddress;
-import java.net.PasswordAuthentication;
-import java.net.Proxy;
-import java.net.SocketAddress;
-import java.net.URL;
-import java.util.Base64;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import static java.nio.charset.StandardCharsets.UTF_8;
-
-/**
- * A URLConnection Factory to create new connections. This encapsulates several
- * configuration checks to ensure that the connection uses the correct proxy
- * settings.
- *
- * @author Jeremy Long
- */
-public final class URLConnectionFactory {
-
-    /**
-     * The logger.
-     */
-    private static final Logger LOGGER = LoggerFactory.getLogger(URLConnectionFactory.class);
-    /**
-     * The configured settings.
-     */
-    private final Settings settings;
-
-    /**
-     * Private constructor for this factory.
-     *
-     * @param settings reference to the configured settings
-     */
-    public URLConnectionFactory(Settings settings) {
-        this.settings = settings;
-    }
-
-    /**
-     * Utility method to create an HttpURLConnection. If the application is
-     * configured to use a proxy this method will retrieve the proxy settings
-     * and use them when setting up the connection.
-     *
-     * @param url the URL to connect to
-     * @return an HttpURLConnection
-     * @throws org.owasp.dependencycheck.utils.URLConnectionFailureException
-     * thrown if there is an exception
-     */
-    @SuppressWarnings("squid:S2583")
-    @SuppressFBWarnings(justification = "yes, there is a redundant null check in the catch - to suppress warnings we are leaving the null check",
-            value = {"RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE"})
-    public HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
-        HttpURLConnection conn = null;
-        final String proxyHost = settings.getString(Settings.KEYS.PROXY_SERVER);
-
-        try {
-            if (proxyHost != null && !matchNonProxy(url)) {
-                final int proxyPort = settings.getInt(Settings.KEYS.PROXY_PORT);
-                final SocketAddress address = new InetSocketAddress(proxyHost, proxyPort);
-
-                final String username = settings.getString(Settings.KEYS.PROXY_USERNAME);
-                final String password = settings.getString(Settings.KEYS.PROXY_PASSWORD);
-
-                if (username != null && password != null) {
-                    final Authenticator auth = new Authenticator() {
-                        @Override
-                        public PasswordAuthentication getPasswordAuthentication() {
-                            if (proxyHost.equals(getRequestingHost()) || getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
-                                LOGGER.debug("Using the configured proxy username and password");
-                                if (settings.getBoolean(Settings.KEYS.PROXY_DISABLE_SCHEMAS, true)) {
-                                    System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");
-                                }
-                                return new PasswordAuthentication(username, password.toCharArray());
-                            }
-                            return super.getPasswordAuthentication();
-                        }
-                    };
-                    Authenticator.setDefault(auth);
-                }
-
-                final Proxy proxy = new Proxy(Proxy.Type.HTTP, address);
-                conn = (HttpURLConnection) url.openConnection(proxy);
-            } else {
-                conn = (HttpURLConnection) url.openConnection();
-            }
-            final int connectionTimeout = settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 10000);
-            // set a conservative long default timeout to compensate for MITM-proxies that return the (final) bytes only
-            // after all security checks passed
-            final int readTimeout = settings.getInt(Settings.KEYS.CONNECTION_READ_TIMEOUT, 60_000);
-            conn.setConnectTimeout(connectionTimeout);
-            conn.setReadTimeout(readTimeout);
-            conn.setInstanceFollowRedirects(true);
-        } catch (IOException ex) {
-            if (conn != null) {
-                try {
-                    conn.disconnect();
-                } finally {
-                    conn = null;
-                }
-            }
-            throw new URLConnectionFailureException("Error getting connection.", ex);
-        }
-        addAuthenticationIfPresent(conn);
-        return conn;
-    }
-
-    /**
-     * Adds the basic authorization header if the URL contains a username and
-     * password. Example URL that will have the basic authorization header
-     * added:
-     * <code>http://username:password@passwordprotectednvdsite.internal/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz</code>
-     *
-     * @param conn the connection
-     */
-    private void addAuthenticationIfPresent(HttpURLConnection conn) {
-        final String userInfo = conn.getURL().getUserInfo();
-        if (userInfo != null) {
-            final String basicAuth = "Basic " + Base64.getEncoder().encodeToString(userInfo.getBytes(UTF_8));
-            if (LOGGER.isDebugEnabled()) {
-                LOGGER.debug("Adding user info as basic authorization");
-            }
-            conn.addRequestProperty("Authorization", basicAuth);
-        }
-    }
-
-    /**
-     * Adds a basic authentication header if the values in the settings are not
-     * null.
-     *
-     * @param conn the connection to add the basic auth header
-     * @param userKey the settings key for the username
-     * @param passwordKey the settings key for the password
-     */
-    public void addBasicAuthentication(HttpURLConnection conn, String userKey, String passwordKey) {
-        if (StringUtils.isNotEmpty(settings.getString(userKey))
-                && StringUtils.isNotEmpty(settings.getString(passwordKey))) {
-            final String user = settings.getString(userKey);
-            final String password = settings.getString(passwordKey);
-
-            if (user.isEmpty() || password.isEmpty()) {
-                if (LOGGER.isDebugEnabled()) {
-                    LOGGER.debug("Skip authentication as user and/or password is empty");
-                }
-            } else {
-                final String userColonPassword = user + ":" + password;
-                final String basicAuth = "Basic " + Base64.getEncoder().encodeToString(userColonPassword.getBytes(UTF_8));
-                if (LOGGER.isDebugEnabled()) {
-                    LOGGER.debug("Adding user/password from settings.xml as basic authorization");
-                }
-                conn.addRequestProperty("Authorization", basicAuth);
-            }
-        }
-    }
-
-    /**
-     * Check if host name matches nonProxy settings
-     *
-     * @param url the URL to connect to
-     * @return matching result. true: match nonProxy
-     */
-    @SuppressWarnings("StringSplitter")
-    private boolean matchNonProxy(final URL url) {
-        final String host = url.getHost();
-
-        // code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
-        final String nonProxyHosts = settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
-        if (null != nonProxyHosts) {
-            final String[] nonProxies = nonProxyHosts.split("(,)|(;)|(\\|)");
-            for (final String nonProxyHost : nonProxies) {
-                //if ( StringUtils.contains( nonProxyHost, "*" ) )
-                if (null != nonProxyHost && nonProxyHost.contains("*")) {
-                    // Handle wildcard at the end, beginning or middle of the nonProxyHost
-                    final int pos = nonProxyHost.indexOf('*');
-                    final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
-                    final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
-                    // prefix*
-                    if (!StringUtils.isBlank(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isBlank(nonProxyHostSuffix)) {
-                        return true;
-                    }
-                    // *suffix
-                    if (StringUtils.isBlank(nonProxyHostPrefix) && !StringUtils.isBlank(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
-                        return true;
-                    }
-                    // prefix*suffix
-                    if (!StringUtils.isBlank(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isBlank(nonProxyHostSuffix)
-                            && host.endsWith(nonProxyHostSuffix)) {
-                        return true;
-                    }
-                } else if (host.equals(nonProxyHost)) {
-                    return true;
-                }
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Utility method to create an HttpURLConnection. The use of a proxy here is
-     * optional as there may be cases where a proxy is configured but we don't
-     * want to use it (for example, if there's an internal repository
-     * configured)
-     *
-     * @param url the URL to connect to
-     * @param proxy whether to use the proxy (if configured)
-     * @return a newly constructed HttpURLConnection
-     * @throws org.owasp.dependencycheck.utils.URLConnectionFailureException
-     * thrown if there is an exception
-     */
-    public HttpURLConnection createHttpURLConnection(URL url, boolean proxy) throws URLConnectionFailureException {
-        if (proxy) {
-            return createHttpURLConnection(url);
-        }
-        final HttpURLConnection conn;
-        try {
-            conn = (HttpURLConnection) url.openConnection();
-            final int timeout = settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 10000);
-            conn.setConnectTimeout(timeout);
-            conn.setInstanceFollowRedirects(true);
-        } catch (IOException ioe) {
-            throw new URLConnectionFailureException("Error getting connection.", ioe);
-        }
-        addAuthenticationIfPresent(conn);
-        return conn;
-    }
-
-}
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/URLConnectionFactoryIT.java b/utils/src/test/java/org/owasp/dependencycheck/utils/URLConnectionFactoryIT.java
deleted file mode 100644
index e07b097ad4d..00000000000
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/URLConnectionFactoryIT.java
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * This file is part of dependency-check-utils.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2019 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.utils;
-
-import io.netty.handler.codec.http.HttpResponseStatus;
-import java.io.IOException;
-import java.net.HttpURLConnection;
-import java.net.URL;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.junit.Before;
-import org.junit.Rule;
-import org.mockserver.client.MockServerClient;
-import org.mockserver.junit.MockServerRule;
-import org.mockserver.matchers.Times;
-import org.mockserver.model.HttpRequest;
-import org.mockserver.model.HttpResponse;
-
-/**
- *
- * @author Jeremy Long
- */
-public class URLConnectionFactoryIT extends BaseTest {
-
-    @Rule
-    public MockServerRule mockServerRule = new MockServerRule(this);
-
-    private MockServerClient mockServerClient;
-
-    @Before
-    public void reset() {
-        mockServerClient.reset();
-    }
-
-    /**
-     * Test of createHttpURLConnection method, of class URLConnectionFactory to
-     * validate if a basic authorization header is added.
-     */
-    @Test
-    public void testCreateHttpURLConnection_Authorization_unauthorized() throws Exception {
-        mockServerClient.when(HttpRequest.request().withMethod("GET")
-                .withHeader("Authorization", "Basic dXNlcm5hbWU6cGFzc3dvcmQ=")
-                .withPath("/secure/resource.xml"), Times.once())
-                .respond(HttpResponse.response().withBody("ok").withStatusCode(200));
-        mockServerClient.when(HttpRequest.request().withMethod("GET")
-                .withPath("/secure/resource.xml"), Times.once())
-                .respond(HttpResponse.response().withBody("Unauthorized").withStatusCode(401));
-
-        URL url = new URL("http://localhost:"
-                + mockServerClient.remoteAddress().getPort()
-                + "/secure/resource.xml");
-        URLConnectionFactory instance = new URLConnectionFactory(getSettings());
-        HttpURLConnection conn = instance.createHttpURLConnection(url);
-        try {
-            conn.connect();
-        } catch (IOException ex) {
-
-        }
-        assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), conn.getResponseCode());
-        conn.disconnect();
-    }
-
-    /**
-     * Test of createHttpURLConnection method, of class URLConnectionFactory to
-     * validate if a basic authorization header is added.
-     */
-    @Test
-    public void testCreateHttpURLConnection_Authorization() throws Exception {
-        mockServerClient.when(HttpRequest.request().withMethod("GET")
-                .withHeader("Authorization", "Basic dXNlcm5hbWU6cGFzc3dvcmQ=")
-                .withPath("/secure/resource.xml"), Times.once())
-                .respond(HttpResponse.response().withBody("ok").withStatusCode(200));
-        mockServerClient.when(HttpRequest.request().withMethod("GET")
-                .withPath("/secure/resource.xml"), Times.once())
-                .respond(HttpResponse.response().withBody("Unauthorized").withStatusCode(401));
-
-        URL url = new URL("http://username:password@localhost:"
-                + mockServerClient.remoteAddress().getPort()
-                + "/secure/resource.xml");
-        URLConnectionFactory instance = new URLConnectionFactory(getSettings());
-        HttpURLConnection conn = instance.createHttpURLConnection(url);
-        try {
-            conn.connect();
-        } catch (IOException ex) {
-
-        }
-        assertEquals(HttpResponseStatus.OK.code(), conn.getResponseCode());
-        conn.disconnect();
-    }
-}

From 9c66722b32a827dd84f2ecfa6cec7c11bb2f0b62 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 14 Apr 2025 06:06:07 -0500
Subject: [PATCH 012/195] build(deps): bump commons-io:commons-io from 2.18.0
 to 2.19.0 (#7597)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 474b1d30c94..9f3867132c7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -144,7 +144,7 @@ Copyright (c) 2012 - Jeremy Long
         <findbugs.spotbugs.version>4.9.3</findbugs.spotbugs.version>
         <com.h2database.version>2.3.232</com.h2database.version>
         <commons-cli.version>1.9.0</commons-cli.version>
-        <commons-io.version>2.18.0</commons-io.version>
+        <commons-io.version>2.19.0</commons-io.version>
         <commons-lang3.version>3.17.0</commons-lang3.version>
         <commons-text.version>1.13.1</commons-text.version>
         <httpcomponents.client.version>5.4.3</httpcomponents.client.version>

From 3b501ad5a5deccf9ffab24a74c16c7278a2ccca6 Mon Sep 17 00:00:00 2001
From: Hans Aikema <aikebah-github@aikebah.net>
Date: Mon, 14 Apr 2025 13:06:32 +0200
Subject: [PATCH 013/195] chore: Add a serialVersionUID to serializable classes
 that don't have it (#7596)

---
 .../data/update/exception/CorruptedDatastreamException.java     | 2 ++
 .../org/owasp/dependencycheck/utils/ForbiddenException.java     | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/exception/CorruptedDatastreamException.java b/core/src/main/java/org/owasp/dependencycheck/data/update/exception/CorruptedDatastreamException.java
index 2794adb98bf..3ce88bf2f26 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/update/exception/CorruptedDatastreamException.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/update/exception/CorruptedDatastreamException.java
@@ -27,6 +27,8 @@
 @ThreadSafe
 public class CorruptedDatastreamException extends Exception {
 
+    private static final long serialVersionUID = 1L;
+
     /**
      * Create a new CorruptedDatastreamException.
      */
diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java b/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
index 498f24653e4..ee2c63728f5 100644
--- a/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
+++ b/utils/src/main/java/org/owasp/dependencycheck/utils/ForbiddenException.java
@@ -22,6 +22,8 @@
 
 public class ForbiddenException extends IOException {
 
+    private static final long serialVersionUID = 1L;
+
     public ForbiddenException(String message) {
         super(message);
     }

From 3529fbee8cad774b0726f1052be68614e11f2eb4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 15 Apr 2025 06:37:01 -0500
Subject: [PATCH 014/195] build(deps): bump com.google.guava:guava from
 33.4.7-jre to 33.4.8-jre (#7600)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 9f3867132c7..ce0a1a73cee 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1295,7 +1295,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>com.google.guava</groupId>
                 <artifactId>guava</artifactId>
-                <version>33.4.7-jre</version>
+                <version>33.4.8-jre</version>
             </dependency>
             <dependency>
                 <groupId>com.hankcs</groupId>

From 0ea4fc32d5a67b121ad69f7dcc941ab4103ad9a2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 15 Apr 2025 06:40:34 -0500
Subject: [PATCH 015/195] build(deps): bump actions/setup-node from 4.3.0 to
 4.4.0 (#7599)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/false-positive-approvals.yml | 2 +-
 .github/workflows/false-positive-ops.yml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml
index 24bca4e69c3..66ab4f96fb2 100644
--- a/.github/workflows/false-positive-approvals.yml
+++ b/.github/workflows/false-positive-approvals.yml
@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: generatedSuppressions
-      - uses: actions/setup-node@v4.3.0
+      - uses: actions/setup-node@v4.4.0
       - run: |
           npm install fast-xml-parser@4.0.9
           npm install fs
diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml
index 3ea10dc092f..783b9427fe3 100644
--- a/.github/workflows/false-positive-ops.yml
+++ b/.github/workflows/false-positive-ops.yml
@@ -41,7 +41,7 @@ jobs:
         with:
           issue-body: ${{ github.event.issue.body }}
           template-path: odc/.github/ISSUE_TEMPLATE/false-positive-report.yml
-      - uses: actions/setup-node@v4.3.0
+      - uses: actions/setup-node@v4.4.0
         with:
           node-version: 14
       - name: Initialize npm

From f653a815f53183622b63a3687094ea5a2bc18484 Mon Sep 17 00:00:00 2001
From: Nicolas Humblot <contact@nicolashumblot.fr>
Date: Sat, 19 Apr 2025 11:39:08 +0200
Subject: [PATCH 016/195] feat: #7610 add a reference to NVD mirroring in
 getting started documentation (#7611)

---
 ant/src/site/markdown/index.md.vm                     | 5 ++++-
 maven/src/site/markdown/index.md.vm                   | 5 ++++-
 src/site/markdown/data/mirrornvd.md                   | 2 +-
 src/site/markdown/dependency-check-gradle/index.md.vm | 5 ++++-
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/ant/src/site/markdown/index.md.vm b/ant/src/site/markdown/index.md.vm
index 5a7f9a44526..77f85c1bd90 100644
--- a/ant/src/site/markdown/index.md.vm
+++ b/ant/src/site/markdown/index.md.vm
@@ -35,7 +35,10 @@ Installation
 
 It is important to understand that the first time this task is executed it may
 take 10 minutes or more as it downloads and processes the data from the National
-Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
+Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov.
 
 After the first batch download, as long as the task is executed at least once every
 seven days the update will only take a few seconds.
+
+The Dependency-Check team strongly recommends to [mirror the NVD database](../data/mirrornvd.html) for any operational
+integration. If not done, any service disruption of the NVD database will make the usage of Dependency-Check difficult.
diff --git a/maven/src/site/markdown/index.md.vm b/maven/src/site/markdown/index.md.vm
index aa9f5d629db..2284ba43e98 100644
--- a/maven/src/site/markdown/index.md.vm
+++ b/maven/src/site/markdown/index.md.vm
@@ -5,11 +5,14 @@ plug-in or as part of the site plug-in. The plug-in requires Maven 3.6.3 or high
 
 It is important to understand that the first time this task is executed it may
 take 20 minutes or more as it downloads and processes the data from the National
-Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
+Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov.
 
 After the first batch download, as long as the plug-in is executed at least once every
 seven days the update will only take a few seconds.
 
+The Dependency-Check team strongly recommends to [mirror the NVD database](../data/mirrornvd.html) for any operational
+integration. If not done, any service disruption of the NVD database will make the usage of Dependency-Check difficult.
+
 ### Default Phase
 The dependency-check plugin is, by default, tied to the `verify` or `site` phase
 depending on if it is configured as a build or reporting plugin. The examples
diff --git a/src/site/markdown/data/mirrornvd.md b/src/site/markdown/data/mirrornvd.md
index e269d9abdb2..c3c94e827c9 100644
--- a/src/site/markdown/data/mirrornvd.md
+++ b/src/site/markdown/data/mirrornvd.md
@@ -7,7 +7,7 @@ The NVD API and the Retire JS repository.
 Creating an offline cache for the NVD API
 ------------------------------------------------------------
 
-The Open Vulnerability Project's [vuln CLI](https://github.com/dependency-check/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data)
+The Open Vulnerability Project's [vuln CLI](https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md)
 can be used to create an offline copy of the data obtained from the NVD API.
 Then configure dependency-check to use the NVD Datafeed URL.
 
diff --git a/src/site/markdown/dependency-check-gradle/index.md.vm b/src/site/markdown/dependency-check-gradle/index.md.vm
index 1420ff43b5d..5d48ff723c3 100644
--- a/src/site/markdown/dependency-check-gradle/index.md.vm
+++ b/src/site/markdown/dependency-check-gradle/index.md.vm
@@ -5,11 +5,14 @@ libraries; creating a report of known vulnerable components that are included in
 
 It is important to understand that the first time this task is executed it may
 take 5-20 minutes as it downloads and processes the data from the National
-Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
+Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov.
 
 After the first batch download, as long as the plugin is executed at least once every
 seven days the update will only take a few seconds.
 
+The Dependency-Check team strongly recommends to [mirror the NVD database](../data/mirrornvd.html) for any operational
+integration. If not done, any service disruption of the NVD database will make the usage of Dependency-Check difficult.
+
 #set( $H = '#' )
 
 $H$H Quick Start

From c9392b49938c076b239c0808509658eb0bebad40 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 19 Apr 2025 05:39:31 -0400
Subject: [PATCH 017/195] build(deps): bump
 org.apache.maven.shared:file-management from 3.1.0 to 3.2.0 (#7609)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index ce0a1a73cee..b5ce949115e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -159,7 +159,7 @@ Copyright (c) 2012 - Jeremy Long
         <mockito-core.version>5.12.0</mockito-core.version>
         <jsoup.version>1.19.1</jsoup.version>
         <commons-compress.version>1.27.1</commons-compress.version>
-        <org.apache.maven.shared.file-management.version>3.1.0</org.apache.maven.shared.file-management.version>
+        <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>
         <maven-plugin-testing-harness.version>3.3.0</maven-plugin-testing-harness.version>
         <maven-plugin-annotations.version>3.15.1</maven-plugin-annotations.version>
         <maven-reporting-api.version>4.0.0</maven-reporting-api.version>

From e3da14cc9620ca1853804a026dceeae8da9661d7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 23 Apr 2025 01:52:32 +0000
Subject: [PATCH 018/195] build(deps): bump
 org.apache.commons:commons-collections4

Bumps org.apache.commons:commons-collections4 from 4.4 to 4.5.0.

---
updated-dependencies:
- dependency-name: org.apache.commons:commons-collections4
  dependency-version: 4.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index b5ce949115e..9c76ffab46f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1210,7 +1210,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-collections4</artifactId>
-                <version>4.4</version>
+                <version>4.5.0</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.velocity</groupId>

From 718a08ab4276bdf23d9c6839b98f597e58a28a66 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 25 Apr 2025 01:41:45 +0000
Subject: [PATCH 019/195] build(deps): bump jackson.version from 2.18.3 to
 2.19.0

Bumps `jackson.version` from 2.18.3 to 2.19.0.

Updates `com.fasterxml.jackson:jackson-bom` from 2.18.3 to 2.19.0
- [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-2.18.3...jackson-bom-2.19.0)

Updates `com.fasterxml.jackson.datatype:jackson-datatype-jsr310` from 2.18.3 to 2.19.0

Updates `com.fasterxml.jackson.core:jackson-databind` from 2.18.3 to 2.19.0
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `com.fasterxml.jackson.core:jackson-core` from 2.18.3 to 2.19.0
- [Commits](https://github.com/FasterXML/jackson-core/compare/jackson-core-2.18.3...jackson-core-2.19.0)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson:jackson-bom
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.fasterxml.jackson.datatype:jackson-datatype-jsr310
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: com.fasterxml.jackson.core:jackson-core
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 9c76ffab46f..1ebe4271b16 100644
--- a/pom.xml
+++ b/pom.xml
@@ -171,7 +171,7 @@ Copyright (c) 2012 - Jeremy Long
         <groovy-all.version>2.4.21</groovy-all.version>
         <gmavenplus-plugin.version>4.1.1</gmavenplus-plugin.version>
         <com.h3xstream.retirejs.core.version>3.0.4</com.h3xstream.retirejs.core.version>
-        <jackson.version>2.18.3</jackson.version>
+        <jackson.version>2.19.0</jackson.version>
         <!--necassary for some IDEs to be able to execute test cases (Netbeans)-->
         <surefireArgLine />
         <mock-server.version>5.15.0</mock-server.version>

From e79ebfc6340e7e78bc0676f47e228abfe3b4bc90 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 25 Apr 2025 01:41:54 +0000
Subject: [PATCH 020/195] build(deps): bump
 org.apache.httpcomponents.client5:httpclient5

Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.4.3 to 5.4.4.
- [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.4.4/RELEASE_NOTES.txt)
- [Commits](https://github.com/apache/httpcomponents-client/compare/rel/v5.4.3...rel/v5.4.4)

---
updated-dependencies:
- dependency-name: org.apache.httpcomponents.client5:httpclient5
  dependency-version: 5.4.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 9c76ffab46f..c6a7c658f79 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,7 +147,7 @@ Copyright (c) 2012 - Jeremy Long
         <commons-io.version>2.19.0</commons-io.version>
         <commons-lang3.version>3.17.0</commons-lang3.version>
         <commons-text.version>1.13.1</commons-text.version>
-        <httpcomponents.client.version>5.4.3</httpcomponents.client.version>
+        <httpcomponents.client.version>5.4.4</httpcomponents.client.version>
         <httpcomponents.core.version>5.3.4</httpcomponents.core.version>
         <!-- note that logging will be noisy and broken until we upgrade to 3.2
             See https://issues.apache.org/jira/browse/JCS-232 and

From db0bda77736f429a37c2e1cab3c5c99ac490ab23 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 29 Apr 2025 01:53:02 +0000
Subject: [PATCH 021/195] build(deps): bump
 org.codehaus.gmavenplus:gmavenplus-plugin

Bumps [org.codehaus.gmavenplus:gmavenplus-plugin](https://github.com/groovy/GMavenPlus) from 4.1.1 to 4.2.0.
- [Release notes](https://github.com/groovy/GMavenPlus/releases)
- [Commits](https://github.com/groovy/GMavenPlus/compare/4.1.1...4.2.0)

---
updated-dependencies:
- dependency-name: org.codehaus.gmavenplus:gmavenplus-plugin
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index d20f4833023..b2c658b5f2f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -169,7 +169,7 @@ Copyright (c) 2012 - Jeremy Long
         <maven-artifact-transfer.version>0.13.1</maven-artifact-transfer.version>
         <maven-common-artifact-filters.version>3.4.0</maven-common-artifact-filters.version>
         <groovy-all.version>2.4.21</groovy-all.version>
-        <gmavenplus-plugin.version>4.1.1</gmavenplus-plugin.version>
+        <gmavenplus-plugin.version>4.2.0</gmavenplus-plugin.version>
         <com.h3xstream.retirejs.core.version>3.0.4</com.h3xstream.retirejs.core.version>
         <jackson.version>2.19.0</jackson.version>
         <!--necassary for some IDEs to be able to execute test cases (Netbeans)-->

From 142420a8befebbd916fc100b95e653bd5ccd4e6e Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 29 Apr 2025 06:22:55 -0400
Subject: [PATCH 022/195] chore: add publish suppressions workflow (#7620)

---
 .github/workflows/publish-suppressions.yml | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .github/workflows/publish-suppressions.yml

diff --git a/.github/workflows/publish-suppressions.yml b/.github/workflows/publish-suppressions.yml
new file mode 100644
index 00000000000..eed8d2dda43
--- /dev/null
+++ b/.github/workflows/publish-suppressions.yml
@@ -0,0 +1,26 @@
+name: Publish Suppressions
+
+on:
+  workflow_dispatch:
+
+permissions: {}
+jobs:
+  update_suppression:
+    permissions:
+      contents: write # to push changes in repo (jamesives/github-pages-deploy-action)
+
+    name: Publish Suppressions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: generatedSuppressions
+      - uses: actions/setup-node@v4.4.0
+      - name: Publish Updated Suppressions
+        if: ${{ steps.fp-ops-commit.outputs.publish == 'true' }}
+        uses: JamesIves/github-pages-deploy-action@v4.7.3
+        with:
+          branch: gh-pages
+          folder: suppressions
+          target-folder: suppressions
+

From f821b99bcf3369ba1d1e1d129900d0156fd3023b Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 29 Apr 2025 06:26:29 -0400
Subject: [PATCH 023/195] chore: fix publish suppressions workflow (#7621)

---
 .github/workflows/publish-suppressions.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/publish-suppressions.yml b/.github/workflows/publish-suppressions.yml
index eed8d2dda43..27d6c0d6c82 100644
--- a/.github/workflows/publish-suppressions.yml
+++ b/.github/workflows/publish-suppressions.yml
@@ -17,7 +17,6 @@ jobs:
           ref: generatedSuppressions
       - uses: actions/setup-node@v4.4.0
       - name: Publish Updated Suppressions
-        if: ${{ steps.fp-ops-commit.outputs.publish == 'true' }}
         uses: JamesIves/github-pages-deploy-action@v4.7.3
         with:
           branch: gh-pages

From 64366923baf27fea67b226b27e5ee660c4469c0f Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 29 Apr 2025 06:39:02 -0400
Subject: [PATCH 024/195] chore: fix publish suppressions workflow (#7622)

---
 .github/workflows/publish-suppressions.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/publish-suppressions.yml b/.github/workflows/publish-suppressions.yml
index 27d6c0d6c82..bfe7fe68fc4 100644
--- a/.github/workflows/publish-suppressions.yml
+++ b/.github/workflows/publish-suppressions.yml
@@ -16,6 +16,21 @@ jobs:
         with:
           ref: generatedSuppressions
       - uses: actions/setup-node@v4.4.0
+      - run: |
+          npm install fs
+      - name: Create Generated Suppressions XML
+        uses: actions/github-script@v7.0.1
+        with:
+          script: |
+            const fs = require('fs');
+            const generatedSuppressions = fs.readFileSync('generatedSuppressions.xml', 'utf8');
+            if (!fs.existsSync('./suppressions')){
+                fs.mkdirSync('./suppressions');
+            }
+            fs.appendFileSync('suppressions/publishedSuppressions.xml', '<?xml version="1.0" encoding="UTF-8"?>\n<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">' + generatedSuppressions + '\n</suppressions>', function (err) {
+              if (err) throw err;
+              console.log('publishedSuppressions.xml created');
+            });
       - name: Publish Updated Suppressions
         uses: JamesIves/github-pages-deploy-action@v4.7.3
         with:

From e7fb7dce1980cf3d04bcae1c3a96b0d2b17c1173 Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 29 Apr 2025 14:27:19 +0200
Subject: [PATCH 025/195] Migrate tests to JUnit5 (parent)

* Migrate annotations and imports
* Migrate assertions
* Remove public visibility for test classes and methods
* Minor code cleanup
---
 pom.xml | 37 ++++++++++++++++---------------------
 1 file changed, 16 insertions(+), 21 deletions(-)

diff --git a/pom.xml b/pom.xml
index d20f4833023..ce537ce5592 100644
--- a/pom.xml
+++ b/pom.xml
@@ -117,14 +117,14 @@ Copyright (c) 2012 - Jeremy Long
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
-        
+
         <apache.lucene.version>9.12.0</apache.lucene.version>
         <apache.ant.version>1.10.15</apache.ant.version>
-        
+
         <!-- upgrading slf4j and logback can cause issues ;) https://github.com/dependency-check/DependencyCheck/issues/4846 -->
         <slf4j.version>1.7.36</slf4j.version>
         <logback.version>1.2.13</logback.version>
-        
+
         <maven.api.version>3.6.3</maven.api.version>
         <reporting.checkstyle-plugin.version>3.6.0</reporting.checkstyle-plugin.version>
         <reporting.checkstyle.tool.version>9.3</reporting.checkstyle.tool.version>
@@ -154,9 +154,9 @@ Copyright (c) 2012 - Jeremy Long
             https://github.com/apache/commons-jcs/pull/120 -->
         <commons-jcs-core.version>3.2.1</commons-jcs-core.version>
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
-        <junit.version>4.13.2</junit.version>
+        <junit.version>5.12.2</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
-        <mockito-core.version>5.12.0</mockito-core.version>
+        <mockito.version>5.12.0</mockito.version>
         <jsoup.version>1.19.1</jsoup.version>
         <commons-compress.version>1.27.1</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>
@@ -172,7 +172,7 @@ Copyright (c) 2012 - Jeremy Long
         <gmavenplus-plugin.version>4.1.1</gmavenplus-plugin.version>
         <com.h3xstream.retirejs.core.version>3.0.4</com.h3xstream.retirejs.core.version>
         <jackson.version>2.19.0</jackson.version>
-        <!--necassary for some IDEs to be able to execute test cases (Netbeans)-->
+        <!--necessary for some IDEs to be able to execute test cases (Netbeans)-->
         <surefireArgLine />
         <mock-server.version>5.15.0</mock-server.version>
     </properties>
@@ -415,7 +415,7 @@ Copyright (c) 2012 - Jeremy Long
                             </scripts>
                         </configuration>
                     </execution>
-                    
+
                     <execution>
                         <id>add-dynamic-properties-site</id>
                         <phase>pre-site</phase>
@@ -523,6 +523,7 @@ Copyright (c) 2012 - Jeremy Long
                     <detectJavaApiLink>false</detectJavaApiLink>
                 </configuration>
             </plugin>
+            <!--
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-enforcer-plugin</artifactId>
@@ -577,6 +578,7 @@ Copyright (c) 2012 - Jeremy Long
                     </execution>
                 </executions>
             </plugin>
+            -->
             <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
@@ -952,14 +954,14 @@ Copyright (c) 2012 - Jeremy Long
             </dependency>
             <dependency>
                 <groupId>org.mock-server</groupId>
-                <artifactId>mockserver-junit-rule</artifactId>
+                <artifactId>mockserver-junit-jupiter</artifactId>
                 <version>${mock-server.version}</version>
                 <scope>test</scope>
             </dependency>
             <dependency>
                 <groupId>org.mockito</groupId>
-                <artifactId>mockito-core</artifactId>
-                <version>${mockito-core.version}</version>
+                <artifactId>mockito-junit-jupiter</artifactId>
+                <version>${mockito.version}</version>
                 <scope>test</scope>
             </dependency>
             <dependency>
@@ -1079,16 +1081,9 @@ Copyright (c) 2012 - Jeremy Long
                 <version>${logback.version}</version>
             </dependency>
             <dependency>
-                <groupId>junit</groupId>
-                <artifactId>junit</artifactId>
+                <groupId>org.junit.jupiter</groupId>
+                <artifactId>junit-jupiter</artifactId>
                 <version>${junit.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <!-- deprecated coordinates, replaced by org.hamcrest:hamcrest -->
-                        <groupId>org.hamcrest</groupId>
-                        <artifactId>hamcrest-core</artifactId>
-                    </exclusion>
-                </exclusions>
                 <scope>test</scope>
             </dependency>
             <dependency>
@@ -1322,8 +1317,8 @@ Copyright (c) 2012 - Jeremy Long
     <dependencies>
         <!-- region generic test dependencies -->
         <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>

From 07f806164e28f0a2ddf1d34abd62a2771b3fc194 Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 29 Apr 2025 14:29:26 +0200
Subject: [PATCH 026/195] Migrate tests to JUnit5 (ant)

* Migrate annotations and imports
* Migrate assertions
* Remove public visibility for test classes and methods
* Minor code cleanup
---
 .../taskdefs/DependencyCheckTaskIT.java       | 79 +++++++++++--------
 1 file changed, 45 insertions(+), 34 deletions(-)

diff --git a/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java b/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java
index a020d72092e..d5da603f281 100644
--- a/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java
+++ b/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java
@@ -17,29 +17,29 @@
  */
 package org.owasp.dependencycheck.taskdefs;
 
-import java.io.File;
-
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.BuildFileRule;
 import org.apache.tools.ant.types.LogLevel;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Rule;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 
-import static org.junit.Assert.assertTrue;
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DependencyCheckTaskIT extends BaseDBTestCase {
+class DependencyCheckTaskIT extends BaseDBTestCase {
 
-    @Rule
-    public final BuildFileRule buildFileRule = new BuildFileRule();
+    private final BuildFileRule buildFileRule = new BuildFileRule();
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -47,17 +47,28 @@ public void setUp() throws Exception {
         buildFileRule.configureProject(buildFile, LogLevel.VERBOSE.getLevel());
     }
 
+    @AfterEach
+    @Override
+    public void tearDown() throws Exception {
+        super.tearDown();
+        if (buildFileRule.getProject() != null) {
+            if (this.buildFileRule.getProject().getTargets().containsKey("tearDown")) {
+                this.buildFileRule.getProject().executeTarget("tearDown");
+            }
+        }
+    }
+
     /**
      * Test of addFileSet method, of class DependencyCheckTask.
      */
     @Test
-    public void testAddFileSet() throws Exception {
+    void testAddFileSet() throws Exception {
         File report = new File("target/dependency-check-report.html");
         if (report.exists() && !report.delete()) {
             throw new Exception("Unable to delete 'target/dependency-check-report.html' prior to test.");
         }
         buildFileRule.executeTarget("test.fileset");
-        assertTrue("DependencyCheck report was not generated", report.exists());
+        assertTrue(report.exists(), "DependencyCheck report was not generated");
     }
 
     /**
@@ -66,7 +77,7 @@ public void testAddFileSet() throws Exception {
      * @throws Exception
      */
     @Test
-    public void testAddFileList() throws Exception {
+    void testAddFileList() throws Exception {
         File report = new File("target/dependency-check-report.xml");
         if (report.exists()) {
             if (!report.delete()) {
@@ -75,7 +86,7 @@ public void testAddFileList() throws Exception {
         }
         buildFileRule.executeTarget("test.filelist");
 
-        assertTrue("DependencyCheck report was not generated", report.exists());
+        assertTrue(report.exists(), "DependencyCheck report was not generated");
     }
 
     /**
@@ -84,7 +95,7 @@ public void testAddFileList() throws Exception {
      * @throws Exception
      */
     @Test
-    public void testAddDirSet() throws Exception {
+    void testAddDirSet() throws Exception {
         File report = new File("target/dependency-check-report.csv");
         if (report.exists()) {
             if (!report.delete()) {
@@ -92,11 +103,11 @@ public void testAddDirSet() throws Exception {
             }
         }
         buildFileRule.executeTarget("test.dirset");
-        assertTrue("DependencyCheck report was not generated", report.exists());
+        assertTrue(report.exists(), "DependencyCheck report was not generated");
     }
 
     @Test
-    public void testNestedReportFormat() throws Exception {
+    void testNestedReportFormat() throws Exception {
         File reportHTML = new File("target/dependency-check-report.html");
         File reportCSV = new File("target/dependency-check-report.csv");
         if (reportCSV.exists()) {
@@ -110,17 +121,17 @@ public void testNestedReportFormat() throws Exception {
             }
         }
         buildFileRule.executeTarget("test.formatNested");
-        assertTrue("DependencyCheck CSV report was not generated", reportCSV.exists());
-        assertTrue("DependencyCheck HTML report was not generated", reportHTML.exists());
+        assertTrue(reportCSV.exists(), "DependencyCheck CSV report was not generated");
+        assertTrue(reportHTML.exists(), "DependencyCheck HTML report was not generated");
     }
 
     @Test
-    public void testNestedBADReportFormat() throws Exception {
+    void testNestedBADReportFormat() {
         try {
             buildFileRule.executeTarget("test.formatBADNested");
-            Assert.fail("Should have had a buildExceotion for a bad format attribute");
+            fail("Should have had a buildExceotion for a bad format attribute");
         } catch (BuildException e) {
-            assertTrue("Message did not have BAD, unexpected exception: " + e.getMessage(), e.getMessage().contains("BAD is not a legal value for this attribute"));
+            assertTrue(e.getMessage().contains("BAD is not a legal value for this attribute"), "Message did not have BAD, unexpected exception: " + e.getMessage());
         }
     }
 
@@ -128,20 +139,20 @@ public void testNestedBADReportFormat() throws Exception {
      * Test of getFailBuildOnCVSS method, of class DependencyCheckTask.
      */
     @Test
-    public void testGetFailBuildOnCVSS() {
-        Exception exception = Assert.assertThrows(BuildException.class, () -> buildFileRule.executeTarget("failCVSS"));
+    void testGetFailBuildOnCVSS() {
+        Exception exception = assertThrows(BuildException.class, () -> buildFileRule.executeTarget("failCVSS"));
 
         String expectedMessage = String.format("One or more dependencies were identified with vulnerabilities that "
                 + "have a CVSS score greater than or equal to '%.1f':", 3.0f);
 
-        Assert.assertTrue(exception.getMessage().contains(expectedMessage));
+        assertTrue(exception.getMessage().contains(expectedMessage));
     }
 
     /**
      * Test the DependencyCheckTask where a CVE is suppressed.
      */
     @Test
-    public void testSuppressingCVE() {
+    void testSuppressingCVE() {
         // GIVEN an ant task with a vulnerability
         final String antTaskName = "suppression";
 
@@ -157,7 +168,7 @@ public void testSuppressingCVE() {
 
         // THEN the ant task executed without error
         final File report = new File("target/suppression-report.html");
-        assertTrue("Expected the DependencyCheck report to be generated", report.exists());
+        assertTrue(report.exists(), "Expected the DependencyCheck report to be generated");
     }
 
     /**
@@ -165,7 +176,7 @@ public void testSuppressingCVE() {
      * exception with a warning.
      */
     @Test
-    public void testSuppressingSingle() {
+    void testSuppressingSingle() {
         // GIVEN an ant task with a vulnerability using the legacy property
         final String antTaskName = "suppression-single";
         // WHEN executing the ant task
@@ -173,7 +184,7 @@ public void testSuppressingSingle() {
 
         // THEN the ant task executed without error
         final File report = new File("target/suppression-single-report.html");
-        assertTrue("Expected the DependencyCheck report to be generated", report.exists());
+        assertTrue(report.exists(), "Expected the DependencyCheck report to be generated");
     }
 
     /**
@@ -181,7 +192,7 @@ public void testSuppressingSingle() {
      * exception with a warning.
      */
     @Test
-    public void testSuppressingMultiple() {
+    void testSuppressingMultiple() {
         // GIVEN an ant task with a vulnerability using multiple was to configure the suppression file
         final String antTaskName = "suppression-multiple";
         // WHEN executing the ant task
@@ -189,14 +200,14 @@ public void testSuppressingMultiple() {
 
         // THEN the ant task executed without error
         final File report = new File("target/suppression-multiple-report.html");
-        assertTrue("Expected the DependencyCheck report to be generated", report.exists());
+        assertTrue(report.exists(), "Expected the DependencyCheck report to be generated");
     }
 
     /**
      * Test the DependencyCheckTask retireJS configuration.
      */
     @Test
-    public void testRetireJsConfiguration() {
+    void testRetireJsConfiguration() {
         // GIVEN an ant task with a vulnerability using multiple was to configure the suppression file
         final String antTaskName = "retireJS";
 
@@ -205,6 +216,6 @@ public void testRetireJsConfiguration() {
 
         // THEN the ant task executed without error
         final File report = new File("target/retirejs-report.html");
-        assertTrue("Expected the DependencyCheck report to be generated", report.exists());
+        assertTrue(report.exists(), "Expected the DependencyCheck report to be generated");
     }
 }

From b4a8eafc0df4e4d0d912e91002006469b4dc781f Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 29 Apr 2025 14:30:00 +0200
Subject: [PATCH 027/195] Migrate tests to JUnit5 (archetype)

* Migrate annotations and imports
* Migrate assertions
* Remove public visibility for test classes and methods
* Minor code cleanup
---
 .../resources/archetype-resources/pom.xml     |  6 +--
 .../src/test/java/__analyzerName__Test.java   | 52 ++++++++++---------
 2 files changed, 30 insertions(+), 28 deletions(-)

diff --git a/archetype/src/main/resources/archetype-resources/pom.xml b/archetype/src/main/resources/archetype-resources/pom.xml
index 805d8f39ae0..85154e4cee0 100644
--- a/archetype/src/main/resources/archetype-resources/pom.xml
+++ b/archetype/src/main/resources/archetype-resources/pom.xml
@@ -4,10 +4,10 @@
     <groupId>\${groupId}</groupId>
     <artifactId>\${artifactId}</artifactId>
     <version>\${version}</version>
-    
+
     <name>\${artifactId}</name>
     <packaging>jar</packaging>
-    
+
     <licenses>
         <license>
             <name>The Apache Software License, Version 2.0</name>
@@ -40,7 +40,7 @@
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-engine</artifactId>
-            <version>5.8.2</version>
+            <version>5.12.2</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
diff --git a/archetype/src/main/resources/archetype-resources/src/test/java/__analyzerName__Test.java b/archetype/src/main/resources/archetype-resources/src/test/java/__analyzerName__Test.java
index 89942160280..69ecf2c8b16 100644
--- a/archetype/src/main/resources/archetype-resources/src/test/java/__analyzerName__Test.java
+++ b/archetype/src/main/resources/archetype-resources/src/test/java/__analyzerName__Test.java
@@ -13,43 +13,45 @@
  */
 package ${package};
 
-import java.io.File;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.AfterAll;
-import static org.junit.jupiter.api.Assertions.*;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.*;
+
 /**
  * Test cases for ${analyzerName}
  */
-public class ${analyzerName}Test {
-    
+class ${analyzerName}Test {
+
     Settings settings = null;
-	
-    public ${analyzerName}Test() {
+
+    ${analyzerName}Test() {
     }
-    
+
     @BeforeAll
-    public static void setUpClass() {
+    static void setUpClass() {
     }
-    
+
     @AfterAll
-    public static void tearDownClass() {
+    static void tearDownClass() {
     }
-    
+
     @BeforeEach
-    public void setUp() {
+    void setUp() {
         settings = new Settings();
     }
 
     @AfterEach
-    public void tearDown() {
+    void tearDown() {
         settings.cleanup();
     }
 
@@ -57,7 +59,7 @@ public void tearDown() {
      * Test of accept method, of class ${analyzerName}.
      */
     @Test
-    public void testAccept() {
+    void testAccept() {
         File pathname = new File("test.file");
         ${analyzerName} instance = new ${analyzerName}();
         boolean expResult = true;
@@ -69,13 +71,13 @@ public void testAccept() {
      * Test of analyze method, of class ${analyzerName}.
      */
     @Test
-    public void testAnalyze() throws Exception {
+    void testAnalyze() throws Exception {
         //The engine is generally null for most analyzer test cases but can be instantiated if needed.
         Engine engine = null;
         ${analyzerName} instance = new ${analyzerName}();
         instance.initialize(settings);
         instance.prepare(engine);
-		
+
         File file = new File(${analyzerName}.class.getClassLoader().getResource("test.file").toURI().getPath());
         Dependency dependency = new Dependency(file);
 
@@ -87,7 +89,7 @@ public void testAnalyze() throws Exception {
      * Test of getName method, of class ${analyzerName}.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         ${analyzerName} instance = new ${analyzerName}();
         String expResult = "${analyzerName}";
         String result = instance.getName();
@@ -98,7 +100,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class ${analyzerName}.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         ${analyzerName} instance = new ${analyzerName}();
         AnalysisPhase expResult = AnalysisPhase.INFORMATION_COLLECTION;
         AnalysisPhase result = instance.getAnalysisPhase();
@@ -109,7 +111,7 @@ public void testGetAnalysisPhase() {
      * Test of initialize method, of class ${analyzerName}.
      */
     @Test
-    public void testInitialize() throws Exception {
+    void testInitialize() throws Exception {
         ${analyzerName} instance = new ${analyzerName}();
         instance.initialize(settings);
     }
@@ -118,7 +120,7 @@ public void testInitialize() throws Exception {
      * Test of close method, of class ${analyzerName}.
      */
     @Test
-    public void testClose() throws Exception {
+    void testClose() throws Exception {
         ${analyzerName} instance = new ${analyzerName}();
         instance.close();
     }
@@ -127,7 +129,7 @@ public void testClose() throws Exception {
      * Test of supportsParallelProcessing method, of class ${analyzerName}.
      */
     @Test
-    public void testSupportsParallelProcessing() {
+    void testSupportsParallelProcessing() {
         ${analyzerName} instance = new ${analyzerName}();
         boolean expResult = true;
         boolean result = instance.supportsParallelProcessing();
@@ -138,7 +140,7 @@ public void testSupportsParallelProcessing() {
      * Test of isEnabled method, of class ${analyzerName}.
      */
     @Test
-    public void testIsEnabled() {
+    void testIsEnabled() {
         ${analyzerName} instance = new ${analyzerName}();
         boolean expResult = true;
         boolean result = instance.isEnabled();

From 2408e966af50b58982f6f34aad01359167653217 Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 29 Apr 2025 14:30:39 +0200
Subject: [PATCH 028/195] Migrate tests to JUnit5 (cli)

* Migrate annotations and imports
* Migrate assertions
* Remove public visibility for test classes and methods
* Minor code cleanup
---
 .../org/owasp/dependencycheck/AppTest.java    |  42 ++---
 .../org/owasp/dependencycheck/BaseTest.java   |   8 +-
 .../owasp/dependencycheck/CliParserTest.java  | 175 +++++++++---------
 3 files changed, 114 insertions(+), 111 deletions(-)

diff --git a/cli/src/test/java/org/owasp/dependencycheck/AppTest.java b/cli/src/test/java/org/owasp/dependencycheck/AppTest.java
index ea41abb957e..0a45a9647b8 100644
--- a/cli/src/test/java/org/owasp/dependencycheck/AppTest.java
+++ b/cli/src/test/java/org/owasp/dependencycheck/AppTest.java
@@ -17,35 +17,34 @@
  */
 package org.owasp.dependencycheck;
 
-import static org.hamcrest.core.Is.is;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.UnrecognizedOptionException;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.Settings.KEYS;
 
 import java.io.File;
 import java.io.FileNotFoundException;
-import java.net.URISyntaxException;
 import java.util.HashMap;
 import java.util.Map;
 
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.UnrecognizedOptionException;
 import static org.hamcrest.MatcherAssert.assertThat;
-import org.junit.Assert;
-import org.junit.Test;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
-import org.owasp.dependencycheck.utils.Settings;
-import org.owasp.dependencycheck.utils.Settings.KEYS;
+import static org.hamcrest.core.Is.is;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Tests for the {@link AppTest} class.
  */
-public class AppTest extends BaseTest {
+class AppTest extends BaseTest {
 
     /**
      * Test of ensureCanonicalPath method, of class App.
      */
     @Test
-    public void testEnsureCanonicalPath() {
+    void testEnsureCanonicalPath() {
         String file = "../*.jar";
         App instance = new App(getSettings());
         String result = instance.ensureCanonicalPath(file);
@@ -55,7 +54,7 @@ public void testEnsureCanonicalPath() {
         file = "../some/skip/../path/file.txt";
         String expResult = "/some/path/file.txt";
         result = instance.ensureCanonicalPath(file);
-        assertTrue("result=" + result, result.endsWith(expResult));
+        assertTrue(result.endsWith(expResult), "result=" + result);
     }
 
     /**
@@ -65,7 +64,7 @@ public void testEnsureCanonicalPath() {
      * @throws Exception the unexpected {@link Exception}.
      */
     @Test
-    public void testPopulateSettings() throws Exception {
+    void testPopulateSettings() throws Exception {
         File prop = new File(this.getClass().getClassLoader().getResource("sample.properties").toURI().getPath());
         String[] args = {"-P", prop.getAbsolutePath()};
         Map<String, Boolean> expected = new HashMap<>();
@@ -115,13 +114,12 @@ public void testPopulateSettings() throws Exception {
      * Assert that an {@link UnrecognizedOptionException} is thrown when a
      * property that is not supported is specified on the CLI.
      *
-     * @throws Exception the unexpected {@link Exception}.
      */
     @Test
-    public void testPopulateSettingsException() throws Exception {
+    void testPopulateSettingsException() {
         String[] args = {"-invalidPROPERTY"};
-        Exception exception = Assert.assertThrows(UnrecognizedOptionException.class, () -> testBooleanProperties(args, null));
-        Assert.assertTrue(exception.getMessage().contains("Unrecognized option: -invalidPROPERTY"));
+        Exception exception = assertThrows(UnrecognizedOptionException.class, () -> testBooleanProperties(args, null));
+        assertTrue(exception.getMessage().contains("Unrecognized option: -invalidPROPERTY"));
     }
 
     /**
@@ -130,7 +128,7 @@ public void testPopulateSettingsException() throws Exception {
      * @throws Exception the unexpected {@link Exception}.
      */
     @Test
-    public void testPopulatingSuppressionSettingsWithASingleFile() throws Exception {
+    void testPopulatingSuppressionSettingsWithASingleFile() throws Exception {
         // GIVEN CLI properties with the mandatory arguments
         File prop = new File(this.getClass().getClassLoader().getResource("sample.properties").toURI().getPath());
 
@@ -154,7 +152,7 @@ public void testPopulatingSuppressionSettingsWithASingleFile() throws Exception
      * @throws Exception the unexpected {@link Exception}.
      */
     @Test
-    public void testPopulatingSuppressionSettingsWithMultipleFiles() throws Exception {
+    void testPopulatingSuppressionSettingsWithMultipleFiles() throws Exception {
         // GIVEN CLI properties with the mandatory arguments
         File prop = new File(this.getClass().getClassLoader().getResource("sample.properties").toURI().getPath());
 
@@ -172,7 +170,7 @@ public void testPopulatingSuppressionSettingsWithMultipleFiles() throws Exceptio
     }
 
 
-    private boolean testBooleanProperties(String[] args, Map<String, Boolean> expected) throws URISyntaxException, FileNotFoundException, ParseException, InvalidSettingException {
+    private boolean testBooleanProperties(String[] args, Map<String, Boolean> expected) throws FileNotFoundException, ParseException, InvalidSettingException {
         this.reloadSettings();
         final CliParser cli = new CliParser(getSettings());
         cli.parse(args);
diff --git a/cli/src/test/java/org/owasp/dependencycheck/BaseTest.java b/cli/src/test/java/org/owasp/dependencycheck/BaseTest.java
index b486fa6a089..072baf8593b 100644
--- a/cli/src/test/java/org/owasp/dependencycheck/BaseTest.java
+++ b/cli/src/test/java/org/owasp/dependencycheck/BaseTest.java
@@ -15,8 +15,8 @@
  */
 package org.owasp.dependencycheck;
 
-import org.junit.After;
-import org.junit.Before;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -33,7 +33,7 @@ public abstract class BaseTest {
     /**
      * Initialize the {@link Settings}.
      */
-    @Before
+    @BeforeEach
     public void setUp() {
         settings = new Settings();
     }
@@ -41,7 +41,7 @@ public void setUp() {
     /**
      * Clean the {@link Settings}.
      */
-    @After
+    @AfterEach
     public void tearDown() {
         settings.cleanup(true);
     }
diff --git a/cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java b/cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java
index 6800f4c4489..14c3b0ca098 100644
--- a/cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java
+++ b/cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java
@@ -17,21 +17,27 @@
  */
 package org.owasp.dependencycheck;
 
+import org.apache.commons.cli.ParseException;
+import org.junit.jupiter.api.Test;
+
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
+
 import static java.nio.charset.StandardCharsets.UTF_8;
-import org.apache.commons.cli.ParseException;
-import org.junit.Assert;
-import org.junit.Test;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  *
  * @author Jeremy Long
  */
-public class CliParserTest extends BaseTest {
+class CliParserTest extends BaseTest {
 
     /**
      * Test of parse method, of class CliParser.
@@ -39,7 +45,7 @@ public class CliParserTest extends BaseTest {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse() throws Exception {
+    void testParse() throws Exception {
 
         String[] args = {};
 
@@ -49,9 +55,9 @@ public void testParse() throws Exception {
         CliParser instance = new CliParser(getSettings());
         instance.parse(args);
 
-        Assert.assertFalse(instance.isGetVersion());
-        Assert.assertFalse(instance.isGetHelp());
-        Assert.assertFalse(instance.isRunScan());
+        assertFalse(instance.isGetVersion());
+        assertFalse(instance.isGetHelp());
+        assertFalse(instance.isRunScan());
     }
 
     /**
@@ -60,16 +66,16 @@ public void testParse() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse_help() throws Exception {
+    void testParse_help() throws Exception {
 
         String[] args = {"-help"};
 
         CliParser instance = new CliParser(getSettings());
         instance.parse(args);
 
-        Assert.assertFalse(instance.isGetVersion());
-        Assert.assertTrue(instance.isGetHelp());
-        Assert.assertFalse(instance.isRunScan());
+        assertFalse(instance.isGetVersion());
+        assertTrue(instance.isGetHelp());
+        assertFalse(instance.isRunScan());
     }
 
     /**
@@ -78,15 +84,15 @@ public void testParse_help() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse_version() throws Exception {
+    void testParse_version() throws Exception {
 
         String[] args = {"-version"};
 
         CliParser instance = new CliParser(getSettings());
         instance.parse(args);
-        Assert.assertTrue(instance.isGetVersion());
-        Assert.assertFalse(instance.isGetHelp());
-        Assert.assertFalse(instance.isRunScan());
+        assertTrue(instance.isGetVersion());
+        assertFalse(instance.isGetHelp());
+        assertFalse(instance.isRunScan());
 
     }
 
@@ -96,20 +102,20 @@ public void testParse_version() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse_failOnCVSSNoArg() throws Exception {
+    void testParse_failOnCVSSNoArg() throws Exception {
 
         String[] args = {"--failOnCVSS"};
 
         CliParser instance = new CliParser(getSettings());
         try {
             instance.parse(args);
-            Assert.fail("an argument for failOnCVSS was missing and an exception was not thrown");
+            fail("an argument for failOnCVSS was missing and an exception was not thrown");
         } catch (ParseException ex) {
-            Assert.assertTrue(ex.getMessage().contains("Missing argument"));
+            assertTrue(ex.getMessage().contains("Missing argument"));
         }
-        Assert.assertFalse(instance.isGetVersion());
-        Assert.assertFalse(instance.isGetHelp());
-        Assert.assertFalse(instance.isRunScan());
+        assertFalse(instance.isGetVersion());
+        assertFalse(instance.isGetHelp());
+        assertFalse(instance.isRunScan());
     }
 
     /**
@@ -119,16 +125,16 @@ public void testParse_failOnCVSSNoArg() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse_failOnCVSSInvalidArgument() throws Exception {
+    void testParse_failOnCVSSInvalidArgument() throws Exception {
 
         String[] args = {"--failOnCVSS", "bad"};
 
         CliParser instance = new CliParser(getSettings());
         instance.parse(args);
-        Assert.assertEquals("Default should be 11", 11.0, instance.getFailOnCVSS(), 0);
-        Assert.assertFalse(instance.isGetVersion());
-        Assert.assertFalse(instance.isGetHelp());
-        Assert.assertFalse(instance.isRunScan());
+        assertEquals(11.0, instance.getFailOnCVSS(), 0, "Default should be 11");
+        assertFalse(instance.isGetVersion());
+        assertFalse(instance.isGetHelp());
+        assertFalse(instance.isRunScan());
     }
 
     /**
@@ -138,16 +144,16 @@ public void testParse_failOnCVSSInvalidArgument() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse_failOnCVSSValidArgument() throws Exception {
+    void testParse_failOnCVSSValidArgument() throws Exception {
 
         String[] args = {"--failOnCVSS", "6"};
 
         CliParser instance = new CliParser(getSettings());
         instance.parse(args);
-        Assert.assertEquals(6.0, instance.getFailOnCVSS(), 0);
-        Assert.assertFalse(instance.isGetVersion());
-        Assert.assertFalse(instance.isGetHelp());
-        Assert.assertFalse(instance.isRunScan());
+        assertEquals(6.0, instance.getFailOnCVSS(), 0);
+        assertFalse(instance.isGetVersion());
+        assertFalse(instance.isGetHelp());
+        assertFalse(instance.isRunScan());
     }
 
     /**
@@ -156,7 +162,7 @@ public void testParse_failOnCVSSValidArgument() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse_unknown() throws Exception {
+    void testParse_unknown() throws Exception {
 
         String[] args = {"-unknown"};
 
@@ -169,13 +175,13 @@ public void testParse_unknown() throws Exception {
 
         try {
             instance.parse(args);
-            Assert.fail("Unrecognized option should have caused an exception");
+            fail("Unrecognized option should have caused an exception");
         } catch (ParseException ex) {
-            Assert.assertTrue(ex.getMessage().contains("Unrecognized option"));
+            assertTrue(ex.getMessage().contains("Unrecognized option"));
         }
-        Assert.assertFalse(instance.isGetVersion());
-        Assert.assertFalse(instance.isGetHelp());
-        Assert.assertFalse(instance.isRunScan());
+        assertFalse(instance.isGetVersion());
+        assertFalse(instance.isGetHelp());
+        assertFalse(instance.isRunScan());
     }
 
     /**
@@ -184,7 +190,7 @@ public void testParse_unknown() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse_scan() throws Exception {
+    void testParse_scan() throws Exception {
 
         String[] args = {"-scan"};
 
@@ -192,14 +198,14 @@ public void testParse_scan() throws Exception {
 
         try {
             instance.parse(args);
-            Assert.fail("Missing argument should have caused an exception");
+            fail("Missing argument should have caused an exception");
         } catch (ParseException ex) {
-            Assert.assertTrue(ex.getMessage().contains("Missing argument"));
+            assertTrue(ex.getMessage().contains("Missing argument"));
         }
 
-        Assert.assertFalse(instance.isGetVersion());
-        Assert.assertFalse(instance.isGetHelp());
-        Assert.assertFalse(instance.isRunScan());
+        assertFalse(instance.isGetVersion());
+        assertFalse(instance.isGetHelp());
+        assertFalse(instance.isRunScan());
     }
 
     /**
@@ -208,21 +214,21 @@ public void testParse_scan() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse_scan_unknownFile() throws Exception {
+    void testParse_scan_unknownFile() throws Exception {
 
         String[] args = {"-scan", "jar.that.does.not.exist", "--project", "test"};
 
         CliParser instance = new CliParser(getSettings());
         try {
             instance.parse(args);
-            Assert.fail("An exception should have been thrown");
+            fail("An exception should have been thrown");
         } catch (FileNotFoundException ex) {
-            Assert.assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
+            assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
         }
 
-        Assert.assertFalse(instance.isGetVersion());
-        Assert.assertFalse(instance.isGetHelp());
-        Assert.assertFalse(instance.isRunScan());
+        assertFalse(instance.isGetVersion());
+        assertFalse(instance.isGetHelp());
+        assertFalse(instance.isRunScan());
     }
 
     /**
@@ -231,28 +237,27 @@ public void testParse_scan_unknownFile() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testParse_scan_withFileExists() throws Exception {
+    void testParse_scan_withFileExists() throws Exception {
         File path = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
         String[] args = {"--scan", path.getCanonicalPath(), "--out", "./", "--project", "test"};
 
         CliParser instance = new CliParser(getSettings());
         instance.parse(args);
 
-        Assert.assertEquals(path.getCanonicalPath(), instance.getScanFiles()[0]);
+        assertEquals(path.getCanonicalPath(), instance.getScanFiles()[0]);
 
-        Assert.assertFalse(instance.isGetVersion());
-        Assert.assertFalse(instance.isGetHelp());
-        Assert.assertTrue(instance.isRunScan());
+        assertFalse(instance.isGetVersion());
+        assertFalse(instance.isGetHelp());
+        assertTrue(instance.isRunScan());
     }
 
     /**
      * Test of printVersionInfo, of class CliParser.
      *
-     * @throws Exception thrown when an exception occurs.
      */
     @Test
     @SuppressWarnings("StringSplitter")
-    public void testParse_printVersionInfo() throws Exception {
+    void testParse_printVersionInfo() {
 
         PrintStream out = System.out;
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
@@ -262,14 +267,14 @@ public void testParse_printVersionInfo() throws Exception {
         instance.printVersionInfo();
         try {
             baos.flush();
-            String text = new String(baos.toByteArray(), UTF_8).toLowerCase();
-            String[] lines = text.split(System.getProperty("line.separator"));
-            Assert.assertTrue(lines.length >= 1);
-            Assert.assertTrue(text.contains("version"));
-            Assert.assertFalse(text.contains("unknown"));
+            String text = baos.toString(UTF_8).toLowerCase();
+            String[] lines = text.split(System.lineSeparator());
+            assertTrue(lines.length >= 1);
+            assertTrue(text.contains("version"));
+            assertFalse(text.contains("unknown"));
         } catch (IOException ex) {
             System.setOut(out);
-            Assert.fail("CliParser.printVersionInfo did not write anything to system.out.");
+            fail("CliParser.printVersionInfo did not write anything to system.out.");
         } finally {
             System.setOut(out);
         }
@@ -282,7 +287,7 @@ public void testParse_printVersionInfo() throws Exception {
      */
     @Test
     @SuppressWarnings("StringSplitter")
-    public void testParse_printHelp() throws Exception {
+    void testParse_printHelp() throws Exception {
 
         PrintStream out = System.out;
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
@@ -297,13 +302,13 @@ public void testParse_printHelp() throws Exception {
         instance.printHelp();
         try {
             baos.flush();
-            String text = (new String(baos.toByteArray(), UTF_8));
-            String[] lines = text.split(System.getProperty("line.separator"));
-            Assert.assertTrue(lines[0].startsWith("usage: "));
-            Assert.assertTrue((lines.length > 2));
+            String text = (baos.toString(UTF_8));
+            String[] lines = text.split(System.lineSeparator());
+            assertTrue(lines[0].startsWith("usage: "));
+            assertTrue((lines.length > 2));
         } catch (IOException ex) {
             System.setOut(out);
-            Assert.fail("CliParser.printVersionInfo did not write anything to system.out.");
+            fail("CliParser.printVersionInfo did not write anything to system.out.");
         } finally {
             System.setOut(out);
         }
@@ -313,70 +318,70 @@ public void testParse_printHelp() throws Exception {
      * Test of getBooleanArgument method, of class CliParser.
      */
     @Test
-    public void testGetBooleanArgument() throws ParseException {
+    void testGetBooleanArgument() throws ParseException {
         String[] args = {"--scan", "missing.file", "--artifactoryUseProxy", "false", "--artifactoryParallelAnalysis", "true", "--project", "test"};
 
         CliParser instance = new CliParser(getSettings());
         try {
             instance.parse(args);
-            Assert.fail("invalid scan should have caused an error");
+            fail("invalid scan should have caused an error");
         } catch (FileNotFoundException ex) {
-            Assert.assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
+            assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
         }
         boolean expResult;
         Boolean result = instance.getBooleanArgument("missingArgument");
-        Assert.assertNull(result);
+        assertNull(result);
 
         expResult = false;
         result = instance.getBooleanArgument(CliParser.ARGUMENT.ARTIFACTORY_USES_PROXY);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
         expResult = true;
         result = instance.getBooleanArgument(CliParser.ARGUMENT.ARTIFACTORY_PARALLEL_ANALYSIS);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
     }
 
     /**
      * Test of getStringArgument method, of class CliParser.
      */
     @Test
-    public void testGetStringArgument() throws ParseException {
+    void testGetStringArgument() throws ParseException {
 
         String[] args = {"--scan", "missing.file", "--artifactoryUsername", "blue42", "--project", "test"};
 
         CliParser instance = new CliParser(getSettings());
         try {
             instance.parse(args);
-            Assert.fail("invalid scan argument should have caused an exception");
+            fail("invalid scan argument should have caused an exception");
         } catch (FileNotFoundException ex) {
-            Assert.assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
+            assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
         }
         String expResult;
         String result = instance.getStringArgument("missingArgument");
-        Assert.assertNull(result);
+        assertNull(result);
 
         expResult = "blue42";
         result = instance.getStringArgument(CliParser.ARGUMENT.ARTIFACTORY_USERNAME);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
     }
 
     @Test
-    public void testHasOption() throws ParseException {
+    void testHasOption() throws ParseException {
 
         String[] args = {"--scan", "missing.file", "--artifactoryUsername", "blue42", "--project", "test"};
 
         CliParser instance = new CliParser(getSettings());
         try {
             instance.parse(args);
-            Assert.fail("invalid scan argument should have caused an exception");
+            fail("invalid scan argument should have caused an exception");
         } catch (FileNotFoundException ex) {
-            Assert.assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
+            assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
         }
 
         Boolean result = instance.hasOption("missingOption");
-        Assert.assertNull(result);
+        assertNull(result);
 
         Boolean expResult = true;
         result = instance.hasOption(CliParser.ARGUMENT.PROJECT);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
     }
 }

From 03125303f76df84d991a09480594c9fc75bbfaf1 Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 29 Apr 2025 14:31:31 +0200
Subject: [PATCH 029/195] Migrate tests to JUnit5 (core)

* Migrate annotations and imports
* Migrate assertions
* Remove public visibility for test classes and methods
* Minor code cleanup
---
 core/pom.xml                                  |   2 +-
 .../dependencycheck/AnalysisTaskTest.java     |  28 +--
 .../owasp/dependencycheck/BaseDBTestCase.java |  21 +-
 .../org/owasp/dependencycheck/BaseTest.java   |  21 +-
 .../org/owasp/dependencycheck/EngineIT.java   |  38 ++-
 .../org/owasp/dependencycheck/EngineTest.java |   9 +-
 .../agent/DependencyCheckScanAgentIT.java     |  23 +-
 .../AbstractFileTypeAnalyzerTest.java         |  14 +-
 .../analyzer/AbstractNpmAnalyzerIT.java       |  14 +-
 .../AbstractSuppressionAnalyzerTest.java      |  47 ++--
 .../analyzer/AnalyzerServiceTest.java         |  28 +--
 .../analyzer/ArchiveAnalyzerIT.java           |  63 ++---
 .../analyzer/ArchiveAnalyzerTest.java         |  26 +--
 .../analyzer/AssemblyAnalyzerTest.java        |  51 ++---
 .../analyzer/AutoconfAnalyzerTest.java        |  51 +++--
 .../analyzer/CMakeAnalyzerTest.java           |  61 +++--
 .../analyzer/CPEAnalyzerIT.java               |  64 +++---
 .../analyzer/CPEAnalyzerTest.java             |  32 +--
 .../analyzer/CentralAnalyzerTest.java         |  39 ++--
 .../analyzer/ComposerLockAnalyzerTest.java    |  30 +--
 .../analyzer/CpeSuppressionAnalyzerIT.java    |  18 +-
 .../analyzer/DartAnalyzerTest.java            |  37 ++-
 .../DependencyBundlingAnalyzerIT.java         |   6 +-
 .../DependencyBundlingAnalyzerTest.java       |  42 ++--
 .../DependencyCheckPropertiesTest.java        |  19 +-
 .../DependencyMergingAnalyzerTest.java        |  40 ++--
 .../analyzer/ElixirMixAuditAnalyzerIT.java    |  46 ++--
 .../analyzer/ElixirMixAuditAnalyzerTest.java  |  28 +--
 .../analyzer/FalsePositiveAnalyzerTest.java   |  19 +-
 .../analyzer/FileNameAnalyzerTest.java        |  37 ++-
 .../analyzer/GolangDepAnalyzerTest.java       |  31 +--
 .../analyzer/GolangModAnalyzerTest.java       |  31 +--
 .../analyzer/HintAnalyzerTest.java            |  38 +--
 .../analyzer/JarAnalyzerTest.java             |  44 ++--
 .../analyzer/LibmanAnalyzerTest.java          |  23 +-
 .../analyzer/MSBuildProjectAnalyzerTest.java  |  39 ++--
 .../analyzer/NodeAuditAnalyzerIT.java         |  31 +--
 .../analyzer/NodeAuditAnalyzerTest.java       |  10 +-
 .../analyzer/NodePackageAnalyzerTest.java     |  93 ++++----
 .../analyzer/NpmCPEAnalyzerIT.java            |  15 +-
 .../analyzer/NpmCPEAnalyzerTest.java          |  11 +-
 .../analyzer/NugetconfAnalyzerTest.java       |  24 +-
 .../analyzer/NuspecAnalyzerTest.java          |  27 ++-
 .../analyzer/OpenSSLAnalyzerTest.java         |  32 +--
 .../analyzer/OssIndexAnalyzerTest.java        |  66 +++---
 .../analyzer/PEAnalyzerTest.java              |  27 ++-
 .../analyzer/PerlCpanfileAnalyzerTest.java    |  59 +++--
 .../PinnedMavenInstallAnalyzerTest.java       |  35 ++-
 .../analyzer/PipAnalyzerIT.java               |  25 +-
 .../analyzer/PipAnalyzerTest.java             |  32 +--
 .../analyzer/PipfileAnalyzerTest.java         |  32 +--
 .../analyzer/PipfilelockAnalyzerTest.java     |  31 ++-
 .../analyzer/PnpmAuditAnalyzerIT.java         |  20 +-
 .../analyzer/PnpmAuditAnalyzerTest.java       |  13 +-
 .../analyzer/PoetryAnalyzerTest.java          |  51 +++--
 .../PythonDistributionAnalyzerTest.java       | 107 ++++-----
 .../analyzer/PythonPackageAnalyzerTest.java   |  39 ++--
 .../analyzer/RetireJsAnalyzerFiltersTest.java |  21 +-
 .../analyzer/RetireJsAnalyzerIT.java          |  41 ++--
 .../analyzer/RubyBundleAuditAnalyzerIT.java   |  58 +++--
 .../analyzer/RubyBundlerAnalyzerTest.java     |  22 +-
 .../analyzer/RubyGemspecAnalyzerTest.java     |  22 +-
 .../analyzer/SwiftAnalyzersTest.java          |  50 ++--
 .../UnusedSuppressionRuleAnalyzerTest.java    |  72 +++---
 .../analyzer/VersionFilterAnalyzerTest.java   |  22 +-
 .../VulnerabilitySuppressionAnalyzerIT.java   |  20 +-
 .../analyzer/YarnAuditAnalyzerIT.java         |  28 +--
 .../analyzer/YarnAuditAnalyzerTest.java       |  12 +-
 .../data/artifactory/ArtifactorySearchIT.java |  18 +-
 .../ArtifactorySearchResponseHandlerTest.java |  36 +--
 .../artifactory/ArtifactorySearchTest.java    |  29 ++-
 .../data/cache/DataCacheFactoryTest.java      |  15 +-
 .../data/central/CentralSearchTest.java       |  66 +++---
 .../data/composer/ComposerLockParserTest.java |  41 ++--
 .../data/cpe/CpeMemoryIndexTest.java          |  31 +--
 .../data/cpe/IndexEntryTest.java              |  13 +-
 .../dependencycheck/data/cwe/CweDBTest.java   |  14 +-
 .../data/elixir/MixAuditJsonParserTest.java   |  18 +-
 .../data/golang/GoModJsonParserTest.java      |  10 +-
 .../data/lucene/AlphaNumericFilterTest.java   |  38 ++-
 .../data/lucene/FieldAnalyzerTest.java        |  22 +-
 .../data/lucene/LuceneUtilsTest.java          |  36 +--
 .../data/lucene/SearchFieldAnalyzerTest.java  |   9 +-
 .../TokenPairConcatenatingFilterTest.java     |  23 +-
 .../data/lucene/UrlTokenizingFilterTest.java  |  31 ++-
 .../data/nexus/MavenArtifactTest.java         |  12 +-
 .../data/nexus/NexusV2SearchTest.java         |  62 ++---
 .../data/nexus/NexusV3SearchTest.java         |  58 ++---
 .../data/nodeaudit/NodeAuditSearchTest.java   |  50 ++--
 .../data/nodeaudit/NpmPayloadBuilderTest.java | 107 ++++-----
 .../data/nuget/XPathNuspecParserTest.java     |  31 +--
 .../nvd/ecosystem/CveEcosystemMapperTest.java |  20 +-
 .../DescriptionEcosystemMapperTest.java       |  39 ++--
 .../nvd/ecosystem/UrlEcosystemMapperTest.java |  27 +--
 .../dependencycheck/data/nvdcve/CveDBIT.java  |  53 ++---
 .../data/nvdcve/CveDBMySqlIT.java             |  33 ++-
 .../data/nvdcve/CveItemOperatorTest.java      |  13 +-
 .../data/nvdcve/DatabaseManagerTest.java      |  11 +-
 .../data/nvdcve/DatabasePropertiesIT.java     |  39 ++--
 .../data/nvdcve/DriverLoaderTest.java         |  51 ++---
 .../data/update/EngineVersionCheckTest.java   |  34 +--
 .../data/update/NvdApiDataSourceTest.java     |  20 +-
 ...KnownExploitedVulnerabilityParserTest.java |  12 +-
 .../update/cpe/CpeEcosystemCacheTest.java     |  39 ++--
 .../update/nvd/api/NvdApiProcessorTest.java   |  15 +-
 .../dependency/CweSetTest.java                |  24 +-
 .../dependency/DependencyTest.java            |  70 +++---
 .../dependency/EvidenceTest.java              |  38 +--
 .../dependency/VulnerabilityTest.java         |  98 ++++----
 .../dependency/VulnerableSoftwareTest.java    |  26 ++-
 .../reporting/EscapeToolTest.java             |  30 +--
 .../reporting/ReportGeneratorIT.java          |  62 +++--
 .../DependencyCheckBaseSuppressionTest.java   |  28 +--
 .../dependencycheck/utils/CvssUtilTest.java   |  16 +-
 .../dependencycheck/utils/DateUtilTest.java   |  24 +-
 .../utils/DependencyVersionTest.java          |  51 +++--
 .../utils/DependencyVersionUtilTest.java      |  20 +-
 .../utils/ExtractionUtilTest.java             |  32 +--
 .../dependencycheck/utils/FilterTest.java     |  34 +--
 .../utils/InterpolationUtilTest.java          |  16 +-
 .../utils/PyPACoreMetadataParserTest.java     |  42 ++--
 .../dependencycheck/utils/SemverTest.java     |  17 +-
 .../utils/SeverityUtilTest.java               |   7 +-
 .../utils/UrlStringUtilsTest.java             |  20 +-
 .../dependencycheck/xml/XmlEntityTest.java    |   9 +-
 .../xml/XmlInputStreamTest.java               |  24 +-
 .../xml/assembly/GrokHandlerTest.java         |  20 +-
 .../xml/assembly/GrokParserTest.java          |  13 +-
 .../xml/hints/EvidenceMatcherTest.java        | 103 ++++-----
 .../xml/hints/HintHandlerTest.java            |  32 ++-
 .../xml/hints/HintParserTest.java             | 216 +++++++++---------
 .../dependencycheck/xml/pom/ModelTest.java    |  53 ++---
 .../xml/pom/PomParserTest.java                |  47 ++--
 .../xml/pom/PomProjectInputStreamTest.java    |  14 +-
 .../dependencycheck/xml/pom/PomUtilsTest.java |  17 +-
 .../xml/suppression/PropertyTypeTest.java     |  20 +-
 .../suppression/SuppressionHandlerTest.java   |  20 +-
 .../suppression/SuppressionParserTest.java    |  25 +-
 .../xml/suppression/SuppressionRuleTest.java  |  91 ++++----
 139 files changed, 2436 insertions(+), 2407 deletions(-)

diff --git a/core/pom.xml b/core/pom.xml
index 0db4c3f6801..d24457724c9 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -335,7 +335,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
+            <artifactId>mockito-junit-jupiter</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>
diff --git a/core/src/test/java/org/owasp/dependencycheck/AnalysisTaskTest.java b/core/src/test/java/org/owasp/dependencycheck/AnalysisTaskTest.java
index 50c51ccfeb5..2a7d57cca28 100644
--- a/core/src/test/java/org/owasp/dependencycheck/AnalysisTaskTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/AnalysisTaskTest.java
@@ -1,23 +1,23 @@
 package org.owasp.dependencycheck;
 
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
 import org.owasp.dependencycheck.analyzer.HintAnalyzer;
 import org.owasp.dependencycheck.dependency.Dependency;
 
 import java.io.File;
 
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.Mockito.when;
-import static org.mockito.Mockito.verify;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
 
-@RunWith(MockitoJUnitRunner.class)
-public class AnalysisTaskTest extends BaseTest {
+@ExtendWith(MockitoExtension.class)
+class AnalysisTaskTest extends BaseTest {
 
     @Mock
     private FileTypeAnalyzer fileTypeAnalyzer;
@@ -30,14 +30,14 @@ public class AnalysisTaskTest extends BaseTest {
 
 
     @Test
-    public void shouldAnalyzeReturnsTrueForNonFileTypeAnalyzers() {
+    void shouldAnalyzeReturnsTrueForNonFileTypeAnalyzers() {
         AnalysisTask instance = new AnalysisTask(new HintAnalyzer(), null, null, null);
         boolean shouldAnalyze = instance.shouldAnalyze();
         assertTrue(shouldAnalyze);
     }
 
     @Test
-    public void shouldAnalyzeReturnsTrueIfTheFileTypeAnalyzersAcceptsTheDependency() {
+    void shouldAnalyzeReturnsTrueIfTheFileTypeAnalyzersAcceptsTheDependency() {
         final File dependencyFile = new File("");
         when(dependency.getActualFile()).thenReturn(dependencyFile);
         when(fileTypeAnalyzer.accept(dependencyFile)).thenReturn(true);
@@ -49,7 +49,7 @@ public void shouldAnalyzeReturnsTrueIfTheFileTypeAnalyzersAcceptsTheDependency()
     }
 
     @Test
-    public void shouldAnalyzeReturnsFalseIfTheFileTypeAnalyzerDoesNotAcceptTheDependency() {
+    void shouldAnalyzeReturnsFalseIfTheFileTypeAnalyzerDoesNotAcceptTheDependency() {
         final File dependencyFile = new File("");
         when(dependency.getActualFile()).thenReturn(dependencyFile);
         when(fileTypeAnalyzer.accept(dependencyFile)).thenReturn(false);
@@ -61,7 +61,7 @@ public void shouldAnalyzeReturnsFalseIfTheFileTypeAnalyzerDoesNotAcceptTheDepend
     }
 
     @Test
-    public void taskAnalyzes() throws Exception {
+    void taskAnalyzes() throws Exception {
         final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null);
         when(fileTypeAnalyzer.accept(dependency.getActualFile())).thenReturn(true);
 
@@ -71,7 +71,7 @@ public void taskAnalyzes() throws Exception {
     }
 
     @Test
-    public void taskDoesNothingIfItShouldNotAnalyze() throws Exception {
+    void taskDoesNothingIfItShouldNotAnalyze() throws Exception {
         final AnalysisTask analysisTask = new AnalysisTask(fileTypeAnalyzer, dependency, engine, null);
         when(fileTypeAnalyzer.accept(dependency.getActualFile())).thenReturn(false);
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java b/core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
index 1fa9d365732..4c0b7b10ebb 100644
--- a/core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
+++ b/core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java
@@ -17,6 +17,14 @@
  */
 package org.owasp.dependencycheck;
 
+import org.apache.commons.io.IOUtils;
+import org.junit.jupiter.api.BeforeEach;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseManager;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.WriteLock;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -24,13 +32,6 @@
 import java.io.FileOutputStream;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
-import org.apache.commons.io.IOUtils;
-import org.junit.Before;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseManager;
-import org.owasp.dependencycheck.utils.WriteLock;
-import org.owasp.dependencycheck.utils.Settings;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  * An abstract database test case that is used to ensure the H2 DB exists prior
@@ -40,11 +41,11 @@
  */
 public abstract class BaseDBTestCase extends BaseTest {
 
-    protected final static int BUFFER_SIZE = 2048;
+    protected static final int BUFFER_SIZE = 2048;
 
-    private final static Logger LOGGER = LoggerFactory.getLogger(BaseDBTestCase.class);
+    private static final Logger LOGGER = LoggerFactory.getLogger(BaseDBTestCase.class);
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
diff --git a/core/src/test/java/org/owasp/dependencycheck/BaseTest.java b/core/src/test/java/org/owasp/dependencycheck/BaseTest.java
index 3998f241ed3..793c38dde4f 100644
--- a/core/src/test/java/org/owasp/dependencycheck/BaseTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/BaseTest.java
@@ -16,15 +16,16 @@
 package org.owasp.dependencycheck;
 
 import io.github.jeremylong.jcs3.slf4j.Slf4jAdapter;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.owasp.dependencycheck.utils.Settings;
+
 import java.io.File;
 import java.io.InputStream;
 import java.net.URISyntaxException;
-import org.junit.After;
 
-import org.junit.AfterClass;
-import org.junit.Assume;
-import org.junit.Before;
-import org.owasp.dependencycheck.utils.Settings;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
 /**
  *
@@ -40,7 +41,7 @@ public abstract class BaseTest {
     /**
      * Initialize the {@link Settings}.
      */
-    @Before
+    @BeforeEach
     public void setUp() throws Exception {
         System.setProperty("jcs.logSystem", "slf4j");
         Slf4jAdapter.muteLogging(true);
@@ -50,13 +51,13 @@ public void setUp() throws Exception {
     /**
      * Clean the {@link Settings}.
      */
-    @After
+    @AfterEach
     public void tearDown() throws Exception {
         settings.cleanup(true);
     }
 
-    @AfterClass
-    public static void tearDownClass() throws Exception {
+    @AfterAll
+    public static void tearDownClass() {
         File f = new File("./target/data/odc.mv.db");
         if (f.exists() && f.isFile() && f.length() < 71680) {
             System.err.println("------------------------------------------------");
@@ -93,7 +94,7 @@ public static InputStream getResourceAsStream(Object o, String resource) {
     public static File getResourceAsFile(Object o, String resource) {
         try {
             File f = new File(o.getClass().getClassLoader().getResource(resource).toURI().getPath());
-            Assume.assumeTrue(String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource), f.exists());
+            assumeTrue(f.exists(), String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource));
             return f;
         } catch (URISyntaxException e) {
             throw new UnsupportedOperationException(e);
diff --git a/core/src/test/java/org/owasp/dependencycheck/EngineIT.java b/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
index 8917aa57e9b..2b38f6335bc 100644
--- a/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
@@ -17,8 +17,17 @@
  */
 package org.owasp.dependencycheck;
 
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.ReportException;
+import org.owasp.dependencycheck.utils.Settings;
+
 import java.io.File;
-import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -26,31 +35,20 @@
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.when;
 
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnitRunner;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-import org.owasp.dependencycheck.exception.ExceptionCollection;
-import org.owasp.dependencycheck.exception.ReportException;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
-import org.owasp.dependencycheck.utils.Settings;
-import org.owasp.dependencycheck.analyzer.Analyzer;
-
 /**
  *
  * @author Jeremy Long
  */
-@RunWith(MockitoJUnitRunner.class)
-public class EngineIT extends BaseDBTestCase {
+@ExtendWith(MockitoExtension.class)
+class EngineIT extends BaseDBTestCase {
 
     @Mock
     private Analyzer analyzer;
@@ -60,7 +58,7 @@ public class EngineIT extends BaseDBTestCase {
 
 
     @Test
-    public void exceptionDuringAnalysisTaskExecutionIsFatal() throws DatabaseException, ExceptionCollection {
+    void exceptionDuringAnalysisTaskExecutionIsFatal() throws DatabaseException {
          final ExecutorService executorService = Executors.newFixedThreadPool(3);
          try (Engine instance = spy(new Engine(new Settings()))) {
              final List<Throwable> exceptions = new ArrayList<>();
@@ -88,14 +86,12 @@ public void exceptionDuringAnalysisTaskExecutionIsFatal() throws DatabaseExcepti
     /**
      * Test running the entire engine.
      *
-     * @throws java.io.IOException
-     * @throws org.owasp.dependencycheck.utils.InvalidSettingException
      * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException
      * @throws org.owasp.dependencycheck.exception.ReportException
      * @throws org.owasp.dependencycheck.exception.ExceptionCollection
      */
     @Test
-    public void testEngine() throws IOException, InvalidSettingException, DatabaseException, ReportException, ExceptionCollection {
+    void testEngine() throws DatabaseException, ReportException, ExceptionCollection {
         String testClasses = "target/test-classes";
         getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
diff --git a/core/src/test/java/org/owasp/dependencycheck/EngineTest.java b/core/src/test/java/org/owasp/dependencycheck/EngineTest.java
index f511b14122b..0b83cfd9951 100644
--- a/core/src/test/java/org/owasp/dependencycheck/EngineTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/EngineTest.java
@@ -17,20 +17,19 @@
  */
 package org.owasp.dependencycheck;
 
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.analyzer.JarAnalyzer;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
 
 import java.io.File;
 
-import static org.junit.Assert.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  * @author Jeremy Long
  */
-public class EngineTest extends BaseDBTestCase {
-
+class EngineTest extends BaseDBTestCase {
 
 
     /**
@@ -40,7 +39,7 @@ public class EngineTest extends BaseDBTestCase {
      * there is an exception
      */
     @Test
-    public void testScanFile() throws DatabaseException {
+    void testScanFile() throws DatabaseException {
         try (Engine instance = new Engine(getSettings())) {
             instance.addFileTypeAnalyzer(new JarAnalyzer());
             File file = BaseTest.getResourceAsFile(this, "dwr.jar");
diff --git a/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java b/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java
index 959ec75bcee..6af495f1ce2 100644
--- a/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgentIT.java
@@ -17,32 +17,35 @@
  */
 package org.owasp.dependencycheck.agent;
 
-import org.junit.Assert;
-import org.junit.BeforeClass;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.FileUtils;
+
 import java.io.File;
 import java.util.ArrayList;
 import java.util.List;
-import org.owasp.dependencycheck.BaseDBTestCase;
 
-public class DependencyCheckScanAgentIT extends BaseDBTestCase {
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class DependencyCheckScanAgentIT extends BaseDBTestCase {
 
     private static final File REPORT_DIR = new File("target/test-scan-agent/report");
 
-    @BeforeClass
-    public static void beforeClass() {
+    @BeforeAll
+    static void beforeClass() {
         if (!REPORT_DIR.exists()) {
             REPORT_DIR.mkdirs();
         }
     }
 
     @Test
-    public void testComponentMetadata() throws Exception {
+    void testComponentMetadata() throws Exception {
         List<Dependency> dependencies = new ArrayList<>();
         dependencies.add(createDependency("apache", "tomcat", "5.0.5"));
         DependencyCheckScanAgent scanAgent = createScanAgent();
@@ -50,10 +53,10 @@ public void testComponentMetadata() throws Exception {
         scanAgent.execute();
 
         Dependency tomcat = scanAgent.getDependencies().get(0);
-        Assert.assertTrue(tomcat.getVulnerableSoftwareIdentifiers().size() >= 1);
+        assertFalse(tomcat.getVulnerableSoftwareIdentifiers().isEmpty());
 
         // This will change over time
-        Assert.assertTrue(tomcat.getVulnerabilities().size() > 5);
+        assertTrue(tomcat.getVulnerabilities().size() > 5);
     }
 
     private DependencyCheckScanAgent createScanAgent() {
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java
index 37c0de5ac29..2a9de6cbe15 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java
@@ -17,23 +17,25 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.util.Set;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class AbstractFileTypeAnalyzerTest extends BaseTest {
+class AbstractFileTypeAnalyzerTest extends BaseTest {
 
     /**
      * Test of newHashSet method, of class AbstractAnalyzer.
      */
     @Test
-    public void testNewHashSet() {
+    void testNewHashSet() {
         Set<String> result = AbstractFileTypeAnalyzer.newHashSet("one", "two");
         assertEquals(2, result.size());
         assertTrue(result.contains("one"));
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzerIT.java
index 84b2f82b729..c8ed7c3296c 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzerIT.java
@@ -17,22 +17,24 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import org.junit.jupiter.api.Test;
+
 import java.util.ArrayList;
 import java.util.Collection;
-import org.junit.Test;
-import static org.junit.Assert.*;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author jeremy long
  */
-public class AbstractNpmAnalyzerIT {
+class AbstractNpmAnalyzerIT {
 
     /**
      * Test of determineVersionFromMap method, of class AbstractNpmAnalyzer.
      */
     @Test
-    public void testDetermineVersionFromMap() {
+    void testDetermineVersionFromMap() {
         String versionRange = ">2.1.1 <5.0.1";
         Collection<String> availableVersions = new ArrayList<>();
         availableVersions.add("2.0.2");
@@ -49,7 +51,7 @@ public void testDetermineVersionFromMap() {
     }
 
     @Test
-    public void testDetermineVersionFromMap_1() {
+    void testDetermineVersionFromMap_1() {
         String versionRange = ">2.1.1 <5.0.1";
         Collection<String> availableVersions = new ArrayList<>();
         availableVersions.add("10.1.0");
@@ -59,7 +61,7 @@ public void testDetermineVersionFromMap_1() {
     }
 
     @Test
-    public void testDetermineVersionFromMap_2() {
+    void testDetermineVersionFromMap_2() {
         String versionRange = ">2.1.1 <5.0.1";
         Collection<String> availableVersions = new ArrayList<>();
         availableVersions.add("2.0.2");
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
index 33c656ba9b5..38da80bc54a 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
@@ -17,19 +17,11 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import static org.hamcrest.CoreMatchers.is;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-import static org.hamcrest.MatcherAssert.assertThat;
-
-import java.util.Set;
-
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.Engine.Mode;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Downloader;
@@ -37,10 +29,18 @@
 import org.owasp.dependencycheck.utils.Settings.KEYS;
 import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 
+import java.util.Set;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
 /**
  * @author Jeremy Long
  */
-public class AbstractSuppressionAnalyzerTest extends BaseTest {
+class AbstractSuppressionAnalyzerTest extends BaseTest {
 
     /**
      * A second suppression file to test with.
@@ -54,8 +54,8 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
 
     private AbstractSuppressionAnalyzer instance;
 
-    @Before
-    public void createObjectUnderTest() throws Exception {
+    @BeforeEach
+    void createObjectUnderTest() {
         instance = new AbstractSuppressionAnalyzerImpl();
     }
 
@@ -64,7 +64,7 @@ public void createObjectUnderTest() throws Exception {
      * AbstractSuppressionAnalyzer.
      */
     @Test
-    public void testGetSupportedExtensions() {
+    void testGetSupportedExtensions() {
         Set<String> result = instance.getSupportedExtensions();
         assertNull(result);
     }
@@ -74,10 +74,10 @@ public void testGetSupportedExtensions() {
      * suppression file declared as URL.
      */
     @Test
-    public void testGetRulesFromSuppressionFileFromURL() throws Exception {
+    void testGetRulesFromSuppressionFileFromURL() throws Exception {
         final String fileUrl = getClass().getClassLoader().getResource(SUPPRESSIONS_FILE).toURI().toURL().toString();
         final int numberOfExtraLoadedRules = getNumberOfRulesLoadedFromPath(fileUrl) - getNumberOfRulesLoadedInCoreFile();
-        assertEquals("Expected 5 extra rules in the given path", 5, numberOfExtraLoadedRules);
+        assertEquals(5, numberOfExtraLoadedRules, "Expected 5 extra rules in the given path");
     }
 
     /**
@@ -85,9 +85,9 @@ public void testGetRulesFromSuppressionFileFromURL() throws Exception {
      * suppression file on the class path.
      */
     @Test
-    public void testGetRulesFromSuppressionFileInClasspath() throws Exception {
+    void testGetRulesFromSuppressionFileInClasspath() throws Exception {
         final int numberOfExtraLoadedRules = getNumberOfRulesLoadedFromPath(SUPPRESSIONS_FILE) - getNumberOfRulesLoadedInCoreFile();
-        assertEquals("Expected 5 extra rules in the given file", 5, numberOfExtraLoadedRules);
+        assertEquals(5, numberOfExtraLoadedRules, "Expected 5 extra rules in the given file");
     }
 
     /**
@@ -95,7 +95,7 @@ public void testGetRulesFromSuppressionFileInClasspath() throws Exception {
      * defined in the {@link Settings}.
      */
     @Test
-    public void testGetRulesFromMultipleSuppressionFiles() throws Exception {
+    void testGetRulesFromMultipleSuppressionFiles() throws Exception {
         final int rulesInCoreFile = getNumberOfRulesLoadedInCoreFile();
 
         // GIVEN suppression rules from one file
@@ -116,12 +116,13 @@ public void testGetRulesFromMultipleSuppressionFiles() throws Exception {
         assertThat("Expected suppressions from both files", instance.getRuleCount(engine), is(expectedSize));
     }
 
-    @Test(expected = InitializationException.class)
-    public void testFailureToLocateSuppressionFileAnywhere() throws Exception {
+    @Test
+    void testFailureToLocateSuppressionFileAnywhere() {
         getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, "doesnotexist.xml");
         instance.initialize(getSettings());
         Engine engine = new Engine(Mode.EVIDENCE_COLLECTION, getSettings());
-        instance.prepare(engine);
+        assertThrows(InitializationException.class, () ->
+            instance.prepare(engine));
     }
 
     /**
@@ -163,7 +164,7 @@ private int getNumberOfRulesLoadedFromPath(final String path) throws Exception {
     public static class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer {
 
         @Override
-        public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        public void analyzeDependency(Dependency dependency, Engine engine) {
             throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
         }
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java
index 1ee93bc6ea8..850ebd0eca1 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java
@@ -17,15 +17,15 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.utils.Settings;
 
 import java.util.List;
 
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.FINAL;
 import static org.owasp.dependencycheck.analyzer.AnalysisPhase.INITIAL;
 
@@ -33,13 +33,13 @@
  *
  * @author Jeremy Long
  */
-public class AnalyzerServiceTest extends BaseDBTestCase {
+class AnalyzerServiceTest extends BaseDBTestCase {
 
     /**
      * Test of getAnalyzers method, of class AnalyzerService.
      */
     @Test
-    public void testGetAnalyzers() {
+    void testGetAnalyzers() {
         AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings());
         List<Analyzer> result = instance.getAnalyzers();
 
@@ -50,14 +50,14 @@ public void testGetAnalyzers() {
                 break;
             }
         }
-        assertTrue("JarAnalyzer loaded", found);
+        assertTrue(found, "JarAnalyzer loaded");
     }
 
     /**
      * Test of getAnalyzers method, of class AnalyzerService.
      */
     @Test
-    public void testGetAnalyzers_SpecificPhases() throws Exception {
+    void testGetAnalyzers_SpecificPhases() {
         AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings());
         List<Analyzer> result = instance.getAnalyzers(INITIAL, FINAL);
 
@@ -72,7 +72,7 @@ public void testGetAnalyzers_SpecificPhases() throws Exception {
      * Test of getAnalyzers method, of class AnalyzerService.
      */
     @Test
-    public void testGetExperimentalAnalyzers() {
+    void testGetExperimentalAnalyzers() {
         AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings());
         List<Analyzer> result = instance.getAnalyzers();
         String experimental = "CMake Analyzer";
@@ -83,8 +83,8 @@ public void testGetExperimentalAnalyzers() {
                 found = true;
             }
         }
-        assertFalse("Experimental analyzer loaded when set to false", found);
-        assertFalse("Retired analyzer loaded when set to false", retiredFound);
+        assertFalse(found, "Experimental analyzer loaded when set to false");
+        assertFalse(retiredFound, "Retired analyzer loaded when set to false");
 
         getSettings().setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, true);
         instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings());
@@ -96,8 +96,8 @@ public void testGetExperimentalAnalyzers() {
                 found = true;
             }
         }
-        assertTrue("Experimental analyzer not loaded when set to true", found);
-        assertFalse("Retired analyzer loaded when set to false", retiredFound);
+        assertTrue(found, "Experimental analyzer not loaded when set to true");
+        assertFalse(retiredFound, "Retired analyzer loaded when set to false");
 
         getSettings().setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
         getSettings().setBoolean(Settings.KEYS.ANALYZER_RETIRED_ENABLED, true);
@@ -109,6 +109,6 @@ public void testGetExperimentalAnalyzers() {
                 found = true;
             }
         }
-        assertFalse("Experimental analyzer loaded when set to false", found);
+        assertFalse(found, "Experimental analyzer loaded when set to false");
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java
index c4e8b52232b..13877daa793 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java
@@ -17,29 +17,36 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import java.util.HashSet;
-import java.util.Set;
-import static org.junit.Assert.*;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Settings;
 
+import java.io.File;
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+
 /**
  *
  * @author Jeremy Long
  */
-public class ArchiveAnalyzerIT extends BaseDBTestCase {
+class ArchiveAnalyzerIT extends BaseDBTestCase {
 
     /**
      * Test of getSupportedExtensions method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testSupportsExtensions() {
+    void testSupportsExtensions() {
         ArchiveAnalyzer instance = new ArchiveAnalyzer();
         instance.initialize(getSettings());
         Set<String> expResult = new HashSet<>();
@@ -57,7 +64,7 @@ public void testSupportsExtensions() {
         expResult.add("tbz2");
         expResult.add("rpm");
         for (String ext : expResult) {
-            assertTrue(ext, instance.accept(new File("test." + ext)));
+            assertTrue(instance.accept(new File("test." + ext)), ext);
         }
     }
 
@@ -65,7 +72,7 @@ public void testSupportsExtensions() {
      * Test of getName method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         ArchiveAnalyzer instance = new ArchiveAnalyzer();
         instance.initialize(getSettings());
         String expResult = "Archive Analyzer";
@@ -77,18 +84,18 @@ public void testGetName() {
      * Test of supportsExtension method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testSupportsExtension() {
+    void testSupportsExtension() {
         String extension = "test.7z"; //not supported
         ArchiveAnalyzer instance = new ArchiveAnalyzer();
         instance.initialize(getSettings());
-        assertFalse(extension, instance.accept(new File(extension)));
+        assertFalse(instance.accept(new File(extension)), extension);
     }
 
     /**
      * Test of getAnalysisPhase method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         ArchiveAnalyzer instance = new ArchiveAnalyzer();
         instance.initialize(getSettings());
         AnalysisPhase expResult = AnalysisPhase.INITIAL;
@@ -100,7 +107,7 @@ public void testGetAnalysisPhase() {
      * Test of prepare and close methods, of class ArchiveAnalyzer.
      */
     @Test
-    public void testInitialize() {
+    void testInitialize() {
         ArchiveAnalyzer instance = new ArchiveAnalyzer();
         instance.initialize(getSettings());
         try {
@@ -110,11 +117,7 @@ public void testInitialize() {
         } catch (InitializationException ex) {
             fail(ex.getMessage());
         } finally {
-            try {
-                instance.close();
-            } catch (Exception ex) {
-                fail(ex.getMessage());
-            }
+            assertDoesNotThrow(instance::close);
         }
     }
 
@@ -124,7 +127,7 @@ public void testInitialize() {
      * @throws java.lang.Exception when an error occurs
      */
     @Test
-    public void testAnalyze() throws Exception {
+    void testAnalyze() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
@@ -154,7 +157,7 @@ public void testAnalyze() throws Exception {
      * Test of analyze method, of class ArchiveAnalyzer, with an executable jar.
      */
     @Test
-    public void testAnalyzeExecutableJar() throws Exception {
+    void testAnalyzeExecutableJar() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
@@ -181,7 +184,7 @@ public void testAnalyzeExecutableJar() throws Exception {
     }
 
     @Test
-    public void testAnalyzeJarStaticResources() throws Exception {
+    void testAnalyzeJarStaticResources() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
@@ -217,7 +220,7 @@ public void testAnalyzeJarStaticResources() throws Exception {
      * Test of analyze method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testAnalyzeTar() throws Exception {
+    void testAnalyzeTar() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
@@ -249,7 +252,7 @@ public void testAnalyzeTar() throws Exception {
      * Test of analyze method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testAnalyzeTarGz() throws Exception {
+    void testAnalyzeTarGz() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
@@ -282,7 +285,7 @@ public void testAnalyzeTarGz() throws Exception {
      * Test of analyze method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testAnalyzeTarBz2() throws Exception {
+    void testAnalyzeTarBz2() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
@@ -310,7 +313,7 @@ public void testAnalyzeTarBz2() throws Exception {
      * Test of analyze method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testAnalyzeTgz() throws Exception {
+    void testAnalyzeTgz() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
@@ -340,7 +343,7 @@ public void testAnalyzeTgz() throws Exception {
      * Test of analyze method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testAnalyzeTbz2() throws Exception {
+    void testAnalyzeTbz2() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
@@ -367,7 +370,7 @@ public void testAnalyzeTbz2() throws Exception {
      * Test of analyze method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testAnalyzeRpm() throws Exception {
+    void testAnalyzeRpm() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
@@ -380,7 +383,7 @@ public void testAnalyzeRpm() throws Exception {
         instance.accept(new File("struts-1.2.9-162.35.1.uyuni.noarch.rpm"));
         try (Engine engine = new Engine(settings)) {
             instance.prepare(null);
-            
+
             File file = BaseTest.getResourceAsFile(this, "xmlsec-2.0.7-3.7.uyuni.noarch.rpm");
             Dependency dependency = new Dependency(file);
 
@@ -397,7 +400,7 @@ public void testAnalyzeRpm() throws Exception {
      * Test of analyze method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testAnalyze_badZip() throws Exception {
+    void testAnalyze_badZip() throws Exception {
         Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
         settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
index 594641edae8..1afa4740d47 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
@@ -15,27 +15,23 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.junit.Before;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import static org.junit.Assume.assumeFalse;
-
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.utils.Settings;
 
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author jeremy long
  */
-public class ArchiveAnalyzerTest extends BaseTest {
+class ArchiveAnalyzerTest extends BaseTest {
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -46,7 +42,7 @@ public void setUp() throws Exception {
      * Test of analyzeDependency method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testZippableExtensions() throws Exception {
+    void testZippableExtensions() {
         ArchiveAnalyzer instance = new ArchiveAnalyzer();
         instance.initialize(getSettings());
         assertTrue(instance.getFileFilter().accept(new File("c:/test.zip")));
@@ -59,7 +55,7 @@ public void testZippableExtensions() throws Exception {
      * Test of analyzeDependency method, of class ArchiveAnalyzer.
      */
     @Test
-    public void testRpmExtension() throws Exception {
+    void testRpmExtension() {
         ArchiveAnalyzer instance = new ArchiveAnalyzer();
         instance.initialize(getSettings());
         assertTrue(instance.getFileFilter().accept(new File("/srv/struts-1.2.9-162.35.1.uyuni.noarch.rpm")));
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
index 3c405bfd5c1..60811a6849c 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
@@ -17,18 +17,9 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import java.io.IOException;
-import org.junit.After;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.junit.Assume;
-import static org.junit.Assume.assumeFalse;
-import static org.junit.Assume.assumeNotNull;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException;
@@ -41,13 +32,21 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assumptions.assumeFalse;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
+
 /**
  * Tests for the AssemblyAnalyzer.
  *
  * @author colezlaw
  *
  */
-public class AssemblyAnalyzerTest extends BaseTest {
+class AssemblyAnalyzerTest extends BaseTest {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(AssemblyAnalyzerTest.class);
 
@@ -60,7 +59,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
      *
      * @throws Exception if anything goes sideways
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -76,28 +75,28 @@ public void setUp() throws Exception {
             } else {
                 LOGGER.warn("Exception setting up AssemblyAnalyzer. Tests will be incomplete");
             }
-            Assume.assumeNoException("Is dotnet installed? TESTS WILL BE INCOMPLETE", e);
+            assumeTrue(false, "Is dotnet installed? TESTS WILL BE INCOMPLETE: " + e);
         }
     }
 
-    private void assertGrokAssembly() throws IOException {
+    private void assertGrokAssembly() {
         // There must be an .exe and a .config files created in the temp
         // directory and they must match the resources they were created from.
         File grokAssemblyExeFile = analyzer.getGrokAssemblyPath();
-        assertTrue("The GrokAssembly executable was not created.", grokAssemblyExeFile.isFile());
+        assertTrue(grokAssemblyExeFile.isFile(), "The GrokAssembly executable was not created.");
     }
 
     /**
      * Tests to make sure the name is correct.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertEquals("Assembly Analyzer", analyzer.getName());
     }
 
     @Test
-    public void testAnalysis() throws Exception {
-        assumeNotNull(analyzer.buildArgumentList());
+    void testAnalysis() throws Exception {
+        assumeTrue(analyzer.buildArgumentList() != null);
         File f = analyzer.getGrokAssemblyPath();
         Dependency d = new Dependency(f);
         analyzer.analyze(d, null);
@@ -106,8 +105,8 @@ public void testAnalysis() throws Exception {
     }
 
     @Test
-    public void testLog4Net() throws Exception {
-        assumeNotNull(analyzer.buildArgumentList());
+    void testLog4Net() throws Exception {
+        assumeTrue(analyzer.buildArgumentList() != null);
         File f = BaseTest.getResourceAsFile(this, "log4net.dll");
 
         Dependency d = new Dependency(f);
@@ -120,8 +119,8 @@ public void testLog4Net() throws Exception {
     }
 
     @Test
-    public void testNonexistent() {
-        assumeNotNull(analyzer.buildArgumentList());
+    void testNonexistent() {
+        assumeTrue(analyzer.buildArgumentList() != null);
 
         // Tweak the log level so the warning doesn't show in the console
         String oldProp = System.getProperty(LOG_KEY, "info");
@@ -140,7 +139,7 @@ public void testNonexistent() {
     }
 
     @Test
-    public void testWithSettingMono() throws Exception {
+    void testWithSettingMono() {
 
         //This test doesn't work on Windows.
         assumeFalse(System.getProperty("os.name").startsWith("Windows"));
@@ -177,7 +176,7 @@ public void testWithSettingMono() throws Exception {
         }
     }
 
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         try {
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java
index 3e0cb0899ab..042f74fba07 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java
@@ -17,20 +17,20 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 import java.io.File;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import org.owasp.dependencycheck.dependency.Confidence;
-import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.dependency.EvidenceType;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
@@ -43,7 +43,7 @@
  * @see <a href="https://gnu.org/software/binutils/">GNU Binutils</a>
  * @see <a href="https://gnu.org/software/ghostscript/">GNU Ghostscript</a>
  */
-public class AutoconfAnalyzerTest extends BaseTest {
+class AutoconfAnalyzerTest extends BaseTest {
 
     /**
      * The analyzer to test.
@@ -55,7 +55,7 @@ public class AutoconfAnalyzerTest extends BaseTest {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -70,7 +70,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -84,7 +84,7 @@ public void tearDown() throws Exception {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeConfigureAC1() throws AnalysisException {
+    void testAnalyzeConfigureAC1() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this, "autoconf/ghostscript/configure.ac"));
         analyzer.analyze(result, null);
@@ -100,7 +100,7 @@ public void testAnalyzeConfigureAC1() throws AnalysisException {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeConfigureAC2() throws AnalysisException {
+    void testAnalyzeConfigureAC2() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this, "autoconf/readable-code/configure.ac"));
         analyzer.analyze(result, null);
@@ -117,7 +117,7 @@ public void testAnalyzeConfigureAC2() throws AnalysisException {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeConfigureScript() throws AnalysisException {
+    void testAnalyzeConfigureScript() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this, "autoconf/binutils/configure"));
         analyzer.analyze(result, null);
@@ -133,7 +133,7 @@ public void testAnalyzeConfigureScript() throws AnalysisException {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeReadableConfigureScript() throws AnalysisException {
+    void testAnalyzeReadableConfigureScript() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this, "autoconf/readable-code/configure"));
         analyzer.analyze(result, null);
@@ -148,21 +148,22 @@ public void testAnalyzeReadableConfigureScript() throws AnalysisException {
      * Test of getName method, of {@link AutoconfAnalyzer}.
      */
     @Test
-    public void testGetName() {
-        assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
-                analyzer.getName());
+    void testGetName() {
+        assertEquals("Autoconf Analyzer",
+                analyzer.getName(),
+                "Analyzer name wrong.");
     }
 
     /**
      * Test of {@link AutoconfAnalyzer#accept(File)}.
      */
     @Test
-    public void testSupportsFileExtension() {
-        assertTrue("Should support \"ac\" extension.",
-                analyzer.accept(new File("configure.ac")));
-        assertTrue("Should support \"in\" extension.",
-                analyzer.accept(new File("configure.in")));
-        assertTrue("Should support \"configure\" extension.",
-                analyzer.accept(new File("configure")));
+    void testSupportsFileExtension() {
+        assertTrue(analyzer.accept(new File("configure.ac")),
+                "Should support \"ac\" extension.");
+        assertTrue(analyzer.accept(new File("configure.in")),
+                "Should support \"in\" extension.");
+        assertTrue(analyzer.accept(new File("configure")),
+                "Should support \"configure\" extension.");
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
index faf116501ab..810217a1dff 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
@@ -17,15 +17,17 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 import java.io.File;
 import java.util.HashMap;
@@ -34,20 +36,17 @@
 
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertTrue;
-
-import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.dependency.EvidenceType;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for CmakeAnalyzer.
  *
  * @author Dale Visser
  */
-public class CMakeAnalyzerTest extends BaseDBTestCase {
+class CMakeAnalyzerTest extends BaseDBTestCase {
 
     /**
      * The package analyzer to test.
@@ -59,7 +58,7 @@ public class CMakeAnalyzerTest extends BaseDBTestCase {
      *
      * @throws Exception if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -74,7 +73,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         try {
@@ -88,7 +87,7 @@ public void tearDown() throws Exception {
      * Test of getName method, of class PythonPackageAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertThat(analyzer.getName(), is(equalTo("CMake Analyzer")));
     }
 
@@ -96,11 +95,11 @@ public void testGetName() {
      * Test of supportsExtension method, of class PythonPackageAnalyzer.
      */
     @Test
-    public void testAccept() {
-        assertTrue("Should support \"CMakeLists.txt\" name.",
-                analyzer.accept(new File("CMakeLists.txt")));
-        assertTrue("Should support \"cmake\" extension.",
-                analyzer.accept(new File("test.cmake")));
+    void testAccept() {
+        assertTrue(analyzer.accept(new File("CMakeLists.txt")),
+                "Should support \"CMakeLists.txt\" name.");
+        assertTrue(analyzer.accept(new File("test.cmake")),
+                "Should support \"cmake\" extension.");
     }
 
     /**
@@ -109,7 +108,7 @@ public void testAccept() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeCMakeListsOpenCV() throws AnalysisException {
+    void testAnalyzeCMakeListsOpenCV() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this, "cmake/opencv/CMakeLists.txt"));
         analyzer.analyze(result, null);
@@ -123,7 +122,7 @@ public void testAnalyzeCMakeListsOpenCV() throws AnalysisException {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeCMakeListsZlib() throws AnalysisException {
+    void testAnalyzeCMakeListsZlib() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this, "cmake/zlib/CMakeLists.txt"));
         analyzer.analyze(result, null);
@@ -137,7 +136,7 @@ public void testAnalyzeCMakeListsZlib() throws AnalysisException {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeCMakeListsPython() throws AnalysisException {
+    void testAnalyzeCMakeListsPython() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this, "cmake/opencv/cmake/OpenCVDetectPython.cmake"));
         analyzer.analyze(result, null);
@@ -154,7 +153,7 @@ private void assertProductEvidence(Dependency result, String product) {
                 break;
             }
         }
-        assertTrue("Expected product evidence to contain \"" + product + "\".", found);
+        assertTrue(found, "Expected product evidence to contain \"" + product + "\".");
     }
 
     /**
@@ -164,7 +163,7 @@ private void assertProductEvidence(Dependency result, String product) {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeCMakeListsOpenCV3rdParty() throws AnalysisException, DatabaseException {
+    void testAnalyzeCMakeListsOpenCV3rdParty() throws AnalysisException, DatabaseException {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                     this, "cmake/opencv/3rdparty/ffmpeg/ffmpeg_version.cmake"));
@@ -172,10 +171,10 @@ public void testAnalyzeCMakeListsOpenCV3rdParty() throws AnalysisException, Data
             analyzer.analyze(result, engine);
             assertProductEvidence(result, "libavcodec");
             assertVersionEvidence(result, "55.18.102");
-            assertFalse("ALIASOF_ prefix shouldn't be present.",
-                    Pattern.compile("\\bALIASOF_\\w+").matcher(result.getEvidence(EvidenceType.PRODUCT).toString()).find());
+            assertFalse(Pattern.compile("\\bALIASOF_\\w+").matcher(result.getEvidence(EvidenceType.PRODUCT).toString()).find(),
+                    "ALIASOF_ prefix shouldn't be present.");
             final Dependency[] dependencies = engine.getDependencies();
-            assertEquals("Number of additional dependencies should be 4.", 4, dependencies.length);
+            assertEquals(4, dependencies.length, "Number of additional dependencies should be 4.");
             final Dependency last = dependencies[3];
             assertProductEvidence(last, "libavresample");
             assertVersionEvidence(last, "1.0.1");
@@ -190,11 +189,11 @@ private void assertVersionEvidence(Dependency result, String version) {
                 break;
             }
         }
-        assertTrue("Expected version evidence to contain \"" + version + "\".", found);
+        assertTrue(found, "Expected version evidence to contain \"" + version + "\".");
     }
 
     @Test
-    public void testRemoveSelfReferences() {
+    void testRemoveSelfReferences() {
         // Given
         Map<String, String> input = new HashMap<>();
         input.put("Deflate_OLD_FIND_LIBRARY_PREFIXES", "${CMAKE_FIND_LIBRARY_PREFIXES}");
@@ -220,7 +219,7 @@ public void testRemoveSelfReferences() {
     }
 
     @Test
-    public void testRemoveSelfReferences2() {
+    void testRemoveSelfReferences2() {
         // Given
         Map<String, String> input = new HashMap<>();
         input.put("FLTK2_DIR", "${FLTK2_INCLUDE_DIR}");
@@ -274,7 +273,7 @@ public void testRemoveSelfReferences2() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeCMakeTempVariable() throws AnalysisException {
+    void testAnalyzeCMakeTempVariable() throws AnalysisException {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                     this, "cmake/libtiff/FindDeflate.cmake"));
@@ -285,7 +284,7 @@ public void testAnalyzeCMakeTempVariable() throws AnalysisException {
     }
 
     @Test
-    public void testAnalyzeCMakeInfiniteLoop() throws AnalysisException {
+    void testAnalyzeCMakeInfiniteLoop() throws AnalysisException {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                     this, "cmake/cmake-modules/FindFLTK2.cmake"));
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
index 30829316718..5c33a3c9893 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
@@ -17,32 +17,36 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
 import org.apache.commons.lang3.mutable.MutableInt;
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
+import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.dependency.naming.Identifier;
 
+import java.io.File;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+
 /**
  *
  * @author Jeremy Long
  */
-public class CPEAnalyzerIT extends BaseDBTestCase {
+class CPEAnalyzerIT extends BaseDBTestCase {
 
     /**
      * Tests of buildSearch of class CPEAnalyzer.
@@ -50,9 +54,9 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
      * @throws Exception is thrown when an IO Exception occurs.
      */
     @Test
-    public void testBuildSearch() throws Exception {
+    void testBuildSearch() throws Exception {
         Set<String> productWeightings = new HashSet<>();//Collections.singleton("struts2");
-        Set<String> vendorWeightings = new HashSet<>();//Collections.singleton("apache");        
+        Set<String> vendorWeightings = new HashSet<>();//Collections.singleton("apache");
         Map<String, MutableInt> vendor = new HashMap<>();
         Map<String, MutableInt> product = new HashMap<>();
         vendor.put("apache software foundation", new MutableInt(1));
@@ -62,14 +66,14 @@ public void testBuildSearch() throws Exception {
         instance.initialize(getSettings());
         String queryText = instance.buildSearch(vendor, product, vendorWeightings, productWeightings);
         String expResult = "product:(struts 2 core) AND vendor:(apache software foundation)";
-        assertTrue(expResult.equals(queryText));
+        assertEquals(expResult, queryText);
 
         vendorWeightings.add("apache");
         productWeightings.add("struts2");
 
         queryText = instance.buildSearch(vendor, product, vendorWeightings, productWeightings);
         expResult = "product:(struts^2 2 core struts2^2) AND vendor:(apache^2 software foundation)";
-        assertTrue(expResult.equals(queryText));
+        assertEquals(expResult, queryText);
         instance.close();
     }
 
@@ -79,7 +83,7 @@ public void testBuildSearch() throws Exception {
      * @throws Exception is thrown when an exception occurs
      */
     @Test
-    public void testDetermineCPE_full() throws Exception {
+    void testDetermineCPE_full() throws Exception {
         CPEAnalyzer cpeAnalyzer = new CPEAnalyzer();
         try (Engine e = new Engine(getSettings())) {
             //update needs to be performed so that xtream can be tested
@@ -130,7 +134,7 @@ public void testDetermineCPE_full() throws Exception {
      * @param cpeSuppression the CPE suppression analyzer
      * @throws Exception is thrown when an exception occurs
      */
-    public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer cpeAnalyzer, FileNameAnalyzer fnAnalyzer,
+    private void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer cpeAnalyzer, FileNameAnalyzer fnAnalyzer,
             JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp, CpeSuppressionAnalyzer cpeSuppression) throws Exception {
 
         //File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
@@ -153,7 +157,7 @@ public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer
                     break;
                 }
             }
-            assertTrue("Match not found: { dep:'" + dep.getFileName() + "', exp:'" + expResult + "' }", found);
+            assertTrue(found, "Match not found: { dep:'" + dep.getFileName() + "', exp:'" + expResult + "' }");
         } else {
             dep.getVulnerableSoftwareIdentifiers().forEach((id) -> fail("Unexpected match found: { dep:'" + dep.getFileName() + "', found:'" + id + "' }"));
         }
@@ -165,7 +169,7 @@ public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer
      * @throws Exception is thrown when an exception occurs
      */
     @Test
-    public void testDetermineCPE() throws Exception {
+    void testDetermineCPE() throws Exception {
         //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
         //File file = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
@@ -221,7 +225,7 @@ public void testDetermineCPE() throws Exception {
             commonValidator.getVulnerableSoftwareIdentifiers().forEach((i) -> fail("Apache Common Validator found an unexpected CPE identifier - " + i.getValue()));
 
             String expResult = "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*";
-            assertTrue("Incorrect match size - struts", struts.getVulnerableSoftwareIdentifiers().size() >= 1);
+            assertFalse(struts.getVulnerableSoftwareIdentifiers().isEmpty(), "Incorrect match size - struts");
             boolean found = false;
             for (Identifier i : struts.getVulnerableSoftwareIdentifiers()) {
                 if (expResult.equals(i.getValue())) {
@@ -229,8 +233,8 @@ public void testDetermineCPE() throws Exception {
                     break;
                 }
             }
-            assertTrue("Incorrect match - struts", found);
-            assertTrue("Incorrect match size - spring3 - " + spring3.getVulnerableSoftwareIdentifiers().size(), spring3.getVulnerableSoftwareIdentifiers().size() >= 1);
+            assertTrue(found, "Incorrect match - struts");
+            assertFalse(spring3.getVulnerableSoftwareIdentifiers().isEmpty(), "Incorrect match size - spring3 - " + spring3.getVulnerableSoftwareIdentifiers().size());
 
             jarAnalyzer.close();
             suppressionAnalyzer.close();
@@ -243,7 +247,7 @@ public void testDetermineCPE() throws Exception {
      * @throws Exception is thrown when an exception occurs
      */
     @Test
-    public void testDetermineIdentifiers() throws Exception {
+    void testDetermineIdentifiers() throws Exception {
 
         CPEAnalyzer instance = new CPEAnalyzer();
         try (Engine engine = new Engine(getSettings())) {
@@ -284,7 +288,7 @@ private void callDetermieIdentifiers(String vendor, String product, String versi
             System.out.println(id.getValue());
             return expectedCpe.equals(id.getValue());
         });
-        assertTrue(String.format("%s:%s:%s identifier not found", vendor, product, version), found);
+        assertTrue(found, String.format("%s:%s:%s identifier not found", vendor, product, version));
     }
 
     /**
@@ -293,7 +297,7 @@ private void callDetermieIdentifiers(String vendor, String product, String versi
      * @throws Exception is thrown when an exception occurs
      */
     @Test
-    public void testAnalyzeDependency() throws Exception {
+    void testAnalyzeDependency() throws Exception {
 
         CPEAnalyzer instance = new CPEAnalyzer();
         try (Engine engine = new Engine(getSettings())) {
@@ -344,7 +348,7 @@ private void callAnalyzeDependency(String vendor, String product, String version
             System.out.println(id.getValue());
             return expectedCpe.equals(id.getValue());
         });
-        assertTrue(String.format("%s:%s:%s identifier not found", vendor, product, version), found);
+        assertTrue(found, String.format("%s:%s:%s identifier not found", vendor, product, version));
     }
 
     /**
@@ -353,7 +357,7 @@ private void callAnalyzeDependency(String vendor, String product, String version
      * @throws Exception is thrown when an exception occurs
      */
     @Test
-    public void testSearchCPE() throws Exception {
+    void testSearchCPE() throws Exception {
         Map<String, MutableInt> vendor = new HashMap<>();
         Map<String, MutableInt> product = new HashMap<>();
         vendor.put("apache software foundation", new MutableInt(1));
@@ -379,7 +383,7 @@ public void testSearchCPE() throws Exception {
                     break;
                 }
             }
-            assertTrue("apache:struts was not identified", found);
+            assertTrue(found, "apache:struts was not identified");
         }
         instance.close();
     }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerTest.java
index da302c9a8bb..d64a009f6af 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerTest.java
@@ -17,30 +17,34 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import org.apache.commons.lang3.mutable.MutableInt;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.utils.Settings;
+
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import org.apache.commons.lang3.mutable.MutableInt;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.dependency.Confidence;
-import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.utils.Settings;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author jeremy long
  */
-public class CPEAnalyzerTest {
+class CPEAnalyzerTest {
 
     /**
      * Test of getName method, of class CPEAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         CPEAnalyzer instance = new CPEAnalyzer();
         String expResult = "CPE Analyzer";
         String result = instance.getName();
@@ -51,7 +55,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class CPEAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         CPEAnalyzer instance = new CPEAnalyzer();
         AnalysisPhase expResult = AnalysisPhase.IDENTIFIER_ANALYSIS;
         AnalysisPhase result = instance.getAnalysisPhase();
@@ -62,7 +66,7 @@ public void testGetAnalysisPhase() {
      * Test of getAnalyzerEnabledSettingKey method, of class CPEAnalyzer.
      */
     @Test
-    public void testGetAnalyzerEnabledSettingKey() {
+    void testGetAnalyzerEnabledSettingKey() {
         CPEAnalyzer instance = new CPEAnalyzer();
         String expResult = Settings.KEYS.ANALYZER_CPE_ENABLED;
         String result = instance.getAnalyzerEnabledSettingKey();
@@ -73,7 +77,7 @@ public void testGetAnalyzerEnabledSettingKey() {
      * Test of collectTerms method, of class CPEAnalyzer.
      */
     @Test
-    public void testAddEvidenceWithoutDuplicateTerms() {
+    void testAddEvidenceWithoutDuplicateTerms() {
         Map<String, MutableInt> terms = new HashMap<>();
         List<Evidence> evidence = new ArrayList<>();
         evidence.add(new Evidence("test case", "value", "test", Confidence.HIGHEST));
@@ -191,7 +195,7 @@ public void testAddEvidenceWithoutDuplicateTerms() {
     }
 
     @Test
-    public void testCollectTerms() {
+    void testCollectTerms() {
         Map<String, MutableInt> terms = new HashMap<>();
         List<Evidence> evidence = new ArrayList<>();
         evidence.add(new Evidence("\\@", "\\*", "\\+", Confidence.HIGHEST));
@@ -204,7 +208,7 @@ public void testCollectTerms() {
      * Test of buildSearch method, of class CPEAnalyzer.
      */
     @Test
-    public void testBuildSearch() {
+    void testBuildSearch() {
         Map<String, MutableInt> vendor = new HashMap<>();
         Map<String, MutableInt> product = new HashMap<>();
         vendor.put("apache software foundation", new MutableInt(1));
@@ -279,7 +283,7 @@ public void testBuildSearch() {
     }
 
     @Test
-    public void testBuildSearchBlank() {
+    void testBuildSearchBlank() {
         Map<String, MutableInt> vendor = new HashMap<>();
         Map<String, MutableInt> product = new HashMap<>();
         vendor.put("   ", new MutableInt(1));
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
index c3496c6b84d..8628ff53366 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
@@ -17,33 +17,28 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.central.CentralSearch;
-import org.owasp.dependencycheck.utils.ForbiddenException;
-import org.owasp.dependencycheck.utils.TooManyRequestsException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.TooManyRequestsException;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.List;
-import org.apache.commons.lang3.StringUtils;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import org.junit.Assume;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Tests for the CentralAnalyzer.
  */
-public class CentralAnalyzerTest extends BaseTest {
+class CentralAnalyzerTest extends BaseTest {
 
     private static final String SHA1_SUM = "my-sha1-sum";
     final CentralSearch centralSearch = mock(CentralSearch.class);
@@ -51,7 +46,7 @@ public class CentralAnalyzerTest extends BaseTest {
 
     @Test
     @SuppressWarnings("PMD.NonStaticInitializer")
-    public void testFetchMavenArtifactsWithoutException() throws IOException, TooManyRequestsException, ForbiddenException {
+    void testFetchMavenArtifactsWithoutException() throws IOException, TooManyRequestsException {
             CentralAnalyzer instance = new CentralAnalyzer();
             instance.setCentralSearch(centralSearch);
             when(dependency.getSha1sum()).thenReturn(SHA1_SUM);
@@ -62,30 +57,28 @@ public void testFetchMavenArtifactsWithoutException() throws IOException, TooMan
             assertTrue(actualMavenArtifacts.isEmpty());
     }
 
-    @Test(expected = FileNotFoundException.class)
+    @Test
     @SuppressWarnings("PMD.NonStaticInitializer")
-    public void testFetchMavenArtifactsRethrowsFileNotFoundException()
-            throws IOException, TooManyRequestsException, ForbiddenException {
+    void testFetchMavenArtifactsRethrowsFileNotFoundException() throws Exception {
         CentralAnalyzer instance = new CentralAnalyzer();
         instance.setCentralSearch(centralSearch);
         when(dependency.getSha1sum()).thenReturn(SHA1_SUM);
         when(centralSearch.searchSha1(SHA1_SUM)).thenThrow(FileNotFoundException.class);
-        instance.fetchMavenArtifacts(dependency);
+        assertThrows(FileNotFoundException.class, () ->
+            instance.fetchMavenArtifacts(dependency));
     }
 
-    @Test(expected = IOException.class)
+    @Test
     @SuppressWarnings("PMD.NonStaticInitializer")
-    public void testFetchMavenArtifactsAlwaysThrowsIOException()
-            throws IOException, TooManyRequestsException, ForbiddenException {
+    void testFetchMavenArtifactsAlwaysThrowsIOException() throws Exception {
         getSettings().setInt(Settings.KEYS.ANALYZER_CENTRAL_RETRY_COUNT, 1);
         getSettings().setBoolean(Settings.KEYS.ANALYZER_CENTRAL_USE_CACHE, false);
         CentralAnalyzer instance = new CentralAnalyzer();
         instance.initialize(getSettings());
-        
         instance.setCentralSearch(centralSearch);
         when(dependency.getSha1sum()).thenReturn(SHA1_SUM);
         when(centralSearch.searchSha1(SHA1_SUM)).thenThrow(IOException.class);
-
-        instance.fetchMavenArtifacts(dependency);
+        assertThrows(IOException.class, () ->
+            instance.fetchMavenArtifacts(dependency));
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
index 2ba74f1c4a5..ebb3607cdd0 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
@@ -17,9 +17,10 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.apache.commons.lang3.ArrayUtils;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
@@ -27,20 +28,19 @@
 import org.owasp.dependencycheck.dependency.Dependency;
 
 import java.io.File;
-import org.apache.commons.lang3.ArrayUtils;
 
-import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for NodePackageAnalyzer.
  *
  * @author Dale Visser
  */
-public class ComposerLockAnalyzerTest extends BaseDBTestCase {
+class ComposerLockAnalyzerTest extends BaseDBTestCase {
 
     /**
      * The analyzer to test.
@@ -52,7 +52,7 @@ public class ComposerLockAnalyzerTest extends BaseDBTestCase {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -67,7 +67,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -78,7 +78,7 @@ public void tearDown() throws Exception {
      * Test of getName method, of class ComposerLockAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertEquals("Composer.lock analyzer", analyzer.getName());
     }
 
@@ -86,7 +86,7 @@ public void testGetName() {
      * Test of supportsExtension method, of class ComposerLockAnalyzer.
      */
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertTrue(analyzer.accept(new File("composer.lock")));
     }
 
@@ -96,7 +96,7 @@ public void testSupportsFiles() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzePackageJson() throws Exception {
+    void testAnalyzePackageJson() throws Exception {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                     "composer.lock"));
@@ -115,7 +115,7 @@ public void testAnalyzePackageJson() throws Exception {
                     assertEquals(ComposerLockAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
                 }
             }
-            assertTrue("Expeced to find classpreloader", found);
+            assertTrue(found, "Expeced to find classpreloader");
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java
index 6e49c507d2d..8e61259f6e1 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzerIT.java
@@ -17,28 +17,30 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Testing the CPE suppression analyzer.
  *
  * @author Jeremy Long
  */
-public class CpeSuppressionAnalyzerIT extends BaseDBTestCase {
+class CpeSuppressionAnalyzerIT extends BaseDBTestCase {
 
     /**
      * Test of getName method, of class CpeSuppressionAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         CpeSuppressionAnalyzer instance = new CpeSuppressionAnalyzer();
         instance.initialize(getSettings());
         String expResult = "Cpe Suppression Analyzer";
@@ -50,7 +52,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class CpeSuppressionAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         CpeSuppressionAnalyzer instance = new CpeSuppressionAnalyzer();
         instance.initialize(getSettings());
         AnalysisPhase expResult = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
@@ -62,7 +64,7 @@ public void testGetAnalysisPhase() {
      * Test of analyze method, of class CpeSuppressionAnalyzer.
      */
     @Test
-    public void testAnalyze() throws Exception {
+    void testAnalyze() throws Exception {
 
         File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar");
         File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml");
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/DartAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/DartAnalyzerTest.java
index f7b01851726..a47a4d79b3b 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/DartAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/DartAnalyzerTest.java
@@ -1,30 +1,29 @@
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
 import org.owasp.dependencycheck.dependency.naming.Identifier;
 import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
 
 import java.io.File;
-import java.util.Set;
 
-import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for DartAnalyzer
  *
  * @author Marc Rödder
  */
-public class DartAnalyzerTest extends BaseTest {
+class DartAnalyzerTest extends BaseTest {
 
     /**
      * The analyzer to test.
@@ -36,7 +35,7 @@ public class DartAnalyzerTest extends BaseTest {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -51,7 +50,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         dartAnalyzer.close();
@@ -64,7 +63,7 @@ public void tearDown() throws Exception {
      * Test of getName method, of class DartAnalyzer.
      */
     @Test
-    public void testDartAnalyzerGetName() {
+    void testDartAnalyzerGetName() {
         assertThat(dartAnalyzer.getName(), is("Dart Package Analyzer"));
     }
 
@@ -73,7 +72,7 @@ public void testDartAnalyzerGetName() {
      * Test of supportsFiles method, of class DartAnalyzer.
      */
     @Test
-    public void testAnalyzerSupportsFiles() {
+    void testAnalyzerSupportsFiles() {
         assertThat(dartAnalyzer.accept(new File("pubspec.yaml")), is(true));
         assertThat(dartAnalyzer.accept(new File("pubspec.lock")), is(true));
     }
@@ -84,7 +83,7 @@ public void testAnalyzerSupportsFiles() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testDartPubspecLockAnalyzer() throws AnalysisException {
+    void testDartPubspecLockAnalyzer() throws AnalysisException {
         final Engine engine = new Engine(getSettings());
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "dart/pubspec.lock"));
@@ -123,7 +122,7 @@ public void testDartPubspecLockAnalyzer() throws AnalysisException {
     }
 
     @Test
-    public void testDartPubspecYamlAnalyzer() throws AnalysisException {
+    void testDartPubspecYamlAnalyzer() throws AnalysisException {
         final Engine engine = new Engine(getSettings());
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "dart.yaml/pubspec.yaml"));
@@ -187,10 +186,10 @@ public void testDartPubspecYamlAnalyzer() throws AnalysisException {
 
     /**
      * Test case for issue #5008.
-     * @throws AnalysisException 
+     * @throws AnalysisException
      */
     @Test
-    public void testDartPubspecYamlAnalyzerAddressbook() throws AnalysisException {
+    void testDartPubspecYamlAnalyzerAddressbook() throws AnalysisException {
         final Engine engine = new Engine(getSettings());
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "dart.addressbook/pubspec.yaml"));
@@ -199,13 +198,13 @@ public void testDartPubspecYamlAnalyzerAddressbook() throws AnalysisException {
         assertThat(engine.getDependencies().length, equalTo(1));
 
         Dependency dependency1 = engine.getDependencies()[0];
-       
+
         assertThat(dependency1.getName(), equalTo("protobuf"));
         assertThat(dependency1.getVersion(), equalTo(""));
     }
-    
+
     @Test
-    public void testIsEnabledIsTrueByDefault() {
+    void testIsEnabledIsTrueByDefault() {
         assertTrue(dartAnalyzer.isEnabled());
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerIT.java
index 3378cf94ab1..629a0d22e2e 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerIT.java
@@ -17,20 +17,20 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DependencyBundlingAnalyzerIT extends BaseDBTestCase {
+class DependencyBundlingAnalyzerIT extends BaseDBTestCase {
 
     /**
      * Test of analyze method, of class DependencyBundlingAnalyzer.
      */
     @Test
-    public void testAnalyze() throws Exception {
+    void testAnalyze() {
 //        Engine engine = null;
 //        JarAnalyzer ja = null;
 //        FileNameAnalyzer fna = null;
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
index 5aad595e7a4..d3cc9f6261d 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
@@ -18,30 +18,30 @@
 package org.owasp.dependencycheck.analyzer;
 
 import com.github.packageurl.MalformedPackageURLException;
-import java.io.File;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Answers;
 import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
+
+import java.io.File;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 
-import org.owasp.dependencycheck.dependency.Confidence;
-import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
-
 /**
  * @author Jeremy Long
  */
-@RunWith(MockitoJUnitRunner.class)
-public class DependencyBundlingAnalyzerTest extends BaseTest {
+@ExtendWith(MockitoExtension.class)
+class DependencyBundlingAnalyzerTest extends BaseTest {
 
     @Mock(answer = Answers.RETURNS_SMART_NULLS)
     private Engine engineMock;
@@ -50,7 +50,7 @@ public class DependencyBundlingAnalyzerTest extends BaseTest {
      * Test of getName method, of class DependencyBundlingAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
         String expResult = "Dependency Bundling Analyzer";
         String result = instance.getName();
@@ -61,7 +61,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class DependencyBundlingAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
         AnalysisPhase expResult = AnalysisPhase.FINAL;
         AnalysisPhase result = instance.getAnalysisPhase();
@@ -73,7 +73,7 @@ public void testGetAnalysisPhase() {
      * passed dependency does not matter. The analyzer only runs once.
      */
     @Test
-    public void testAnalyze() throws Exception {
+    void testAnalyze() throws Exception {
         DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
 
         // the actual dependency does not matter
@@ -93,7 +93,7 @@ public void testAnalyze() throws Exception {
      * Test of isCore method, of class DependencyBundlingAnalyzer.
      */
     @Test
-    public void testIsCore() {
+    void testIsCore() {
         Dependency left = new Dependency();
         Dependency right = new Dependency();
 
@@ -120,7 +120,7 @@ public void testIsCore() {
     }
 
     @Test
-    public void testFirstPathIsShortest() {
+    void testFirstPathIsShortest() {
         String left = "./a/c.jar";
         String right = "./d/e/f.jar";
         boolean expResult = true;
@@ -153,7 +153,7 @@ public void testFirstPathIsShortest() {
     }
 
     @Test
-    public void testIsShaded() throws MalformedPackageURLException {
+    void testIsShaded() throws MalformedPackageURLException {
         DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
 
         Dependency left = null;
@@ -221,7 +221,7 @@ public void testIsShaded() throws MalformedPackageURLException {
     }
 
     @Test
-    public void testIsWebJar() throws MalformedPackageURLException {
+    void testIsWebJar() throws MalformedPackageURLException {
         DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
 
         Dependency left = null;
@@ -273,8 +273,8 @@ public void testIsWebJar() throws MalformedPackageURLException {
         expResult = true;
         result = instance.isWebJar(left, right);
         assertEquals(expResult, result);
-        
-        
+
+
         left = new Dependency(new File("/path/spring-core.jar"), true);
         left.addSoftwareIdentifier(new PurlIdentifier("maven", "org.springframework", "spring-core", "3.0.0", Confidence.HIGHEST));
         expResult = false;
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyCheckPropertiesTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyCheckPropertiesTest.java
index a991d4d5501..7a28f19a0e1 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyCheckPropertiesTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyCheckPropertiesTest.java
@@ -1,10 +1,8 @@
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Assert;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 
 import java.io.BufferedReader;
-import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -22,10 +20,13 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
-public class DependencyCheckPropertiesTest {
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class DependencyCheckPropertiesTest {
 
     @Test
-    public void should_each_analyzer_have_default_enabled_property()
+    void should_each_analyzer_have_default_enabled_property()
             throws IOException, InstantiationException, IllegalAccessException {
         String packageName = "org.owasp.dependencycheck.analyzer";
         Set<Class<AbstractAnalyzer>> analyzerImplementations = findAllAnalyzerImplementations(packageName);
@@ -45,16 +46,16 @@ public void should_each_analyzer_have_default_enabled_property()
             properties.load(fis);
         }
 
-        Assert.assertFalse(analyzerEnabledSettingKeys.isEmpty());
+        assertFalse(analyzerEnabledSettingKeys.isEmpty());
 
         Set<String> absentKeys = analyzerEnabledSettingKeys.stream()
                 .filter(key -> !properties.containsKey(key))
                 .collect(Collectors.toSet());
 
-        Assert.assertTrue(absentKeys.isEmpty());
+        assertTrue(absentKeys.isEmpty());
     }
 
-    public Set<Class<AbstractAnalyzer>> findAllAnalyzerImplementations(String packageName)
+    private Set<Class<AbstractAnalyzer>> findAllAnalyzerImplementations(String packageName)
             throws IOException {
 
         Set<Class<?>> packageClasses = findAllClasses(packageName);
@@ -88,7 +89,7 @@ private boolean isATestAnalyzer(Class<?> clazz) {
         return clazz == AbstractSuppressionAnalyzerTest.AbstractSuppressionAnalyzerImpl.class;
     }
 
-    public Set<Class<?>> findAllClasses(String packageName) throws IOException {
+    private Set<Class<?>> findAllClasses(String packageName) throws IOException {
         String parsedPackageName = packageName.replaceAll("[.]", "/");
 
         Set<Class<?>> classes = new HashSet<>();
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzerTest.java
index eddec091aa5..1b1a23a393b 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzerTest.java
@@ -17,11 +17,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import java.util.HashSet;
-import java.util.Set;
-import org.junit.Test;
-import static org.junit.Assert.*;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
@@ -30,17 +26,25 @@
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.utils.Settings;
 
+import java.io.File;
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class DependencyMergingAnalyzerTest extends BaseTest {
+class DependencyMergingAnalyzerTest extends BaseTest {
 
     /**
      * Test of getName method, of class DependencyMergingAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         DependencyMergingAnalyzer instance = new DependencyMergingAnalyzer();
         String expResult = "Dependency Merging Analyzer";
         String result = instance.getName();
@@ -51,7 +55,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class DependencyMergingAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         DependencyMergingAnalyzer instance = new DependencyMergingAnalyzer();
         AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION1;
         AnalysisPhase result = instance.getAnalysisPhase();
@@ -63,7 +67,7 @@ public void testGetAnalysisPhase() {
      * DependencyMergingAnalyzer.
      */
     @Test
-    public void testGetAnalyzerEnabledSettingKey() {
+    void testGetAnalyzerEnabledSettingKey() {
         DependencyMergingAnalyzer instance = new DependencyMergingAnalyzer();
         String expResult = Settings.KEYS.ANALYZER_DEPENDENCY_MERGING_ENABLED;
         String result = instance.getAnalyzerEnabledSettingKey();
@@ -74,7 +78,7 @@ public void testGetAnalyzerEnabledSettingKey() {
      * Test of evaluateDependencies method, of class DependencyMergingAnalyzer.
      */
     @Test
-    public void testEvaluateDependencies() {
+    void testEvaluateDependencies() {
 //        Dependency dependency = null;
 //        Dependency nextDependency = null;
 //        Set<Dependency> dependenciesToRemove = null;
@@ -88,7 +92,7 @@ public void testEvaluateDependencies() {
      * Test of mergeDependencies method, of class DependencyMergingAnalyzer.
      */
     @Test
-    public void testMergeDependencies() {
+    void testMergeDependencies() {
         Dependency dependency = new Dependency(true);
         dependency.setName("main");
         dependency.addEvidence(EvidenceType.VENDOR, "test", "vendor", "main", Confidence.HIGHEST);
@@ -114,7 +118,7 @@ public void testMergeDependencies() {
      * Test of isSameRubyGem method, of class DependencyMergingAnalyzer.
      */
     @Test
-    public void testIsSameRubyGem() {
+    void testIsSameRubyGem() {
         Dependency dependency1 = new Dependency(new File("some.gemspec"), true);
         Dependency dependency2 = new Dependency(new File("another.gemspec"), true);
         dependency1.setPackagePath("path1");
@@ -135,7 +139,7 @@ public void testIsSameRubyGem() {
      * DependencyMergingAnalyzer.
      */
     @Test
-    public void testGetMainGemspecDependency() {
+    void testGetMainGemspecDependency() {
         Dependency dependency1 = null;
         Dependency dependency2 = null;
         DependencyMergingAnalyzer instance = new DependencyMergingAnalyzer();
@@ -168,7 +172,7 @@ public void testGetMainGemspecDependency() {
      * Test of isSameSwiftPackage method, of class DependencyMergingAnalyzer.
      */
     @Test
-    public void testIsSameSwiftPackage() {
+    void testIsSameSwiftPackage() {
         Dependency dependency1 = new Dependency(new File("Package.swift"), true);
         Dependency dependency2 = new Dependency(new File("Package.swift"), true);
         dependency1.setPackagePath("path1");
@@ -189,7 +193,7 @@ public void testIsSameSwiftPackage() {
      * DependencyMergingAnalyzer.
      */
     @Test
-    public void testGetMainSwiftDependency() {
+    void testGetMainSwiftDependency() {
 
         Dependency dependency1 = null;
         Dependency dependency2 = null;
@@ -226,7 +230,7 @@ public void testGetMainSwiftDependency() {
      * @throws Exception thrown if there is an analysis exception
      */
     @Test
-    public void testGetMainAndroidDependency() throws Exception {
+    void testGetMainAndroidDependency() throws Exception {
         ArchiveAnalyzer aa = null;
         try (Engine engine = new Engine(Engine.Mode.EVIDENCE_COLLECTION, getSettings())) {
             Dependency dependency1 = new Dependency(BaseTest.getResourceAsFile(this, "aar-1.0.0.aar"));
@@ -245,7 +249,7 @@ public void testGetMainAndroidDependency() throws Exception {
                     break;
                 }
             }
-            assertNotNull("classes.jar was not found", dependency2);
+            assertNotNull(dependency2, "classes.jar was not found");
             dependency2.setEcosystem(Ecosystem.JAVA);
             DependencyMergingAnalyzer instance = new DependencyMergingAnalyzer();
             Dependency expResult = dependency1;
@@ -263,7 +267,7 @@ public void testGetMainAndroidDependency() throws Exception {
      * DependencyMergingAnalyzer.
      */
     @Test
-    public void testGetMainDotnetDependency() {
+    void testGetMainDotnetDependency() {
         Dependency dependency1 = new Dependency(BaseTest.getResourceAsFile(this, "log4net.dll"));
         dependency1.setEcosystem(AssemblyAnalyzer.DEPENDENCY_ECOSYSTEM);
         dependency1.setName("log4net");
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/ElixirMixAuditAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/ElixirMixAuditAnalyzerIT.java
index 09d636804b2..b666e36e295 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/ElixirMixAuditAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/ElixirMixAuditAnalyzerIT.java
@@ -1,25 +1,32 @@
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Assume;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-import org.owasp.dependencycheck.dependency.*;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.exception.ExceptionCollection;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import static org.hamcrest.Matchers.is;
-import static org.junit.Assert.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
-public class ElixirMixAuditAnalyzerIT extends BaseDBTestCase {
+class ElixirMixAuditAnalyzerIT extends BaseDBTestCase {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(ElixirMixAuditAnalyzerIT.class);
 
@@ -31,7 +38,7 @@ public class ElixirMixAuditAnalyzerIT extends BaseDBTestCase {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -48,7 +55,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         if (analyzer != null) {
@@ -62,10 +69,9 @@ public void tearDown() throws Exception {
     /**
      * Test Elixir MixAudit analysis.
      *
-     * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalysis() throws AnalysisException, DatabaseException {
+    void testAnalysis() throws DatabaseException {
         try (Engine engine = new Engine(getSettings())) {
             engine.openDatabase();
             analyzer.prepare(engine);
@@ -74,7 +80,7 @@ public void testAnalysis() throws AnalysisException, DatabaseException {
             analyzer.analyze(result, engine);
 
             final Dependency[] dependencies = engine.getDependencies();
-            assertEquals("should be one result exactly", 1, dependencies.length);
+            assertEquals(1, dependencies.length, "should be one result exactly");
 
             Dependency d = dependencies[0];
             assertTrue(d.isVirtual());
@@ -91,7 +97,7 @@ public void testAnalysis() throws AnalysisException, DatabaseException {
             assertEquals("1.3.4", versionEvidence.getValue());
 
             assertTrue(d.getFilePath().endsWith(resource));
-            assertTrue(d.getFileName().equals("mix.lock"));
+            assertEquals("mix.lock", d.getFileName());
 
             Vulnerability v = d.getVulnerabilities().iterator().next();
             assertEquals("2018-1000883", v.getName());
@@ -103,7 +109,7 @@ public void testAnalysis() throws AnalysisException, DatabaseException {
 
         } catch (InitializationException | DatabaseException | AnalysisException e) {
             LOGGER.warn("Exception setting up ElixirAuditAnalyzer. Make sure Elixir and the mix_audit escript is installed. You may also need to set property \"analyzer.mix.audit.path\".");
-            Assume.assumeNoException("Exception setting up ElixirMixAuditAnalyzer; mix_audit may not be installed, or property \"analyzer.mix.audit.path\" may not be set.", e);
+            assumeTrue(false, "Exception setting up ElixirMixAuditAnalyzer; mix_audit may not be installed, or property \"analyzer.mix.audit.path\" may not be set: " + e);
         }
     }
 
@@ -111,10 +117,9 @@ public void testAnalysis() throws AnalysisException, DatabaseException {
     /**
      * Test when mix_audit is not available on the system or wrongly configured.
      *
-     * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testInvalidMixAuditExecutable() throws AnalysisException, DatabaseException {
+    void testInvalidMixAuditExecutable() throws DatabaseException {
 
         String path = BaseTest.getResourceAsFile(this, "elixir/invalid_executable").getAbsolutePath();
         getSettings().setString(Settings.KEYS.ANALYZER_MIX_AUDIT_PATH, path);
@@ -133,11 +138,10 @@ public void testInvalidMixAuditExecutable() throws AnalysisException, DatabaseEx
     /**
      * Test Mix dependencies and their paths.
      *
-     * @throws AnalysisException is thrown when an exception occurs.
      * @throws DatabaseException thrown when an exception occurs
      */
     @Test
-    public void testDependenciesPath() throws AnalysisException, DatabaseException {
+    void testDependenciesPath() throws DatabaseException {
         try (Engine engine = new Engine(getSettings())) {
             try {
                 engine.scan(BaseTest.getResourceAsFile(this, "elixir/mix.lock"));
@@ -146,12 +150,12 @@ public void testDependenciesPath() throws AnalysisException, DatabaseException {
                 LOGGER.error("NPE", ex);
                 fail(ex.getMessage());
             } catch (ExceptionCollection ex) {
-                Assume.assumeNoException("Exception setting up ElixirMixAuditAnalyzer; mix_audit may not be installed, or property \"analyzer.mix.audit.path\" may not be set.", ex);
+                assumeTrue(false, "Exception setting up ElixirMixAuditAnalyzer; mix_audit may not be installed, or property \"analyzer.mix.audit.path\" may not be set: "+ ex);
                 return;
             }
             Dependency[] dependencies = engine.getDependencies();
             LOGGER.info("{} dependencies found.", dependencies.length);
-            assertEquals("should find 0 (vulnerable) dependencies", 0, dependencies.length);
+            assertEquals(0, dependencies.length, "should find 0 (vulnerable) dependencies");
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/ElixirMixAuditAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/ElixirMixAuditAnalyzerTest.java
index eeee6dbc391..4822258a8aa 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/ElixirMixAuditAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/ElixirMixAuditAnalyzerTest.java
@@ -1,20 +1,9 @@
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Assume;
-import org.junit.Before;
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseDBTestCase;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.EvidenceType;
-import org.owasp.dependencycheck.dependency.Vulnerability;
-import org.owasp.dependencycheck.exception.ExceptionCollection;
-import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -23,14 +12,13 @@
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.*;
 
-public class ElixirMixAuditAnalyzerTest extends BaseTest {
+class ElixirMixAuditAnalyzerTest extends BaseTest {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(ElixirMixAuditAnalyzerTest.class);
     private ElixirMixAuditAnalyzer analyzer;
 
-    @Before
+    @BeforeEach
     public void setUp() throws Exception {
         super.setUp();
         getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
@@ -39,7 +27,7 @@ public void setUp() throws Exception {
         analyzer.setFilesMatched(true);
     }
 
-    @After
+    @AfterEach
     public void tearDown() throws Exception {
         if (analyzer != null) {
             analyzer.close();
@@ -48,12 +36,12 @@ public void tearDown() throws Exception {
     }
 
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertThat(analyzer.getName(), is("Elixir Mix Audit Analyzer"));
     }
 
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertThat(analyzer.accept(new File("mix.lock")), is(true));
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java
index 24606a5f138..451e98391b3 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java
@@ -15,9 +15,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -29,11 +27,14 @@
 import us.springett.parsers.cpe.CpeBuilder;
 import us.springett.parsers.cpe.values.Part;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class FalsePositiveAnalyzerTest extends BaseTest {
+class FalsePositiveAnalyzerTest extends BaseTest {
 
     /**
      * A CPE builder object.
@@ -44,7 +45,7 @@ public class FalsePositiveAnalyzerTest extends BaseTest {
      * Test of getName method, of class FalsePositiveAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer();
         String expResult = "False Positive Analyzer";
         String result = instance.getName();
@@ -55,7 +56,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class FalsePositiveAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer();
         AnalysisPhase expResult = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
         AnalysisPhase result = instance.getAnalysisPhase();
@@ -67,7 +68,7 @@ public void testGetAnalysisPhase() {
      * FalsePositiveAnalyzer.
      */
     @Test
-    public void testGetAnalyzerEnabledSettingKey() {
+    void testGetAnalyzerEnabledSettingKey() {
         FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer();
         String expResult = Settings.KEYS.ANALYZER_FALSE_POSITIVE_ENABLED;
         String result = instance.getAnalyzerEnabledSettingKey();
@@ -78,7 +79,7 @@ public void testGetAnalyzerEnabledSettingKey() {
      * Test of analyzeDependency method, of class FalsePositiveAnalyzer.
      */
     @Test
-    public void testAnalyzeDependency() throws Exception {
+    void testAnalyzeDependency() throws Exception {
         Dependency dependency = new Dependency();
         dependency.setFileName("pom.xml");
         dependency.setFilePath("pom.xml");
@@ -97,7 +98,7 @@ public void testAnalyzeDependency() throws Exception {
      * Test of removeBadMatches method, of class FalsePositiveAnalyzer.
      */
     @Test
-    public void testRemoveBadMatches() throws Exception {
+    void testRemoveBadMatches() throws Exception {
         Dependency dependency = new Dependency();
         dependency.setFileName("some.jar");
         dependency.setFilePath("some.jar");
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java
index 33bde854b21..437368d3312 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java
@@ -17,27 +17,28 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceType;
-import org.owasp.dependencycheck.exception.InitializationException;
+
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class FileNameAnalyzerTest extends BaseTest {
+class FileNameAnalyzerTest extends BaseTest {
 
     /**
      * Test of getName method, of class FileNameAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         FileNameAnalyzer instance = new FileNameAnalyzer();
         String expResult = "File Name Analyzer";
         String result = instance.getName();
@@ -48,7 +49,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class FileNameAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         FileNameAnalyzer instance = new FileNameAnalyzer();
         AnalysisPhase expResult = AnalysisPhase.INFORMATION_COLLECTION;
         AnalysisPhase result = instance.getAnalysisPhase();
@@ -59,7 +60,7 @@ public void testGetAnalysisPhase() {
      * Test of analyze method, of class FileNameAnalyzer.
      */
     @Test
-    public void testAnalyze() throws Exception {
+    void testAnalyze() throws Exception {
         //File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
         Dependency resultStruts = new Dependency(struts);
@@ -79,14 +80,12 @@ public void testAnalyze() throws Exception {
      * Test of prepare method, of class FileNameAnalyzer.
      */
     @Test
-    public void testInitialize() {
+    void testInitialize() {
         FileNameAnalyzer instance = new FileNameAnalyzer();
-        try {
+        assertDoesNotThrow(() -> {
             instance.initialize(getSettings());
             instance.prepare(null);
-        } catch (InitializationException ex) {
-            fail(ex.getMessage());
-        }
+        });
         assertTrue(instance.isEnabled());
     }
 
@@ -94,12 +93,8 @@ public void testInitialize() {
      * Test of close method, of class FileNameAnalyzer.
      */
     @Test
-    public void testClose() {
+    void testClose() {
         FileNameAnalyzer instance = new FileNameAnalyzer();
-        try {
-            instance.close();
-        } catch (Exception ex) {
-            fail(ex.getMessage());
-        }
+        assertDoesNotThrow(instance::close);
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/GolangDepAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/GolangDepAnalyzerTest.java
index 0f92c891083..b957e9774ce 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/GolangDepAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/GolangDepAnalyzerTest.java
@@ -17,26 +17,26 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import static org.hamcrest.CoreMatchers.is;
-import static org.junit.Assert.assertEquals;
-import static org.hamcrest.MatcherAssert.assertThat;
-
-import java.io.File;
-
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 
-public class GolangDepAnalyzerTest extends BaseTest {
+import java.io.File;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class GolangDepAnalyzerTest extends BaseTest {
 
     private GolangDepAnalyzer analyzer;
     private Engine engine;
 
     @Override
-    @Before
+    @BeforeEach
     public void setUp() throws Exception {
         super.setUp();
         analyzer = new GolangDepAnalyzer();
@@ -44,18 +44,19 @@ public void setUp() throws Exception {
     }
 
     @Test
-    public void testName() {
-        assertEquals("Analyzer name wrong.", "Golang Dep Analyzer",
-                analyzer.getName());
+    void testName() {
+        assertEquals("Golang Dep Analyzer",
+                analyzer.getName(),
+                "Analyzer name wrong.");
     }
 
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertThat(analyzer.accept(new File("Gopkg.lock")), is(true));
     }
 
     @Test
-    public void testGopkgLock() throws AnalysisException {
+    void testGopkgLock() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "golang/Gopkg.lock"));
         analyzer.analyze(result, engine);
         assertEquals(12, engine.getDependencies().length);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/GolangModAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/GolangModAnalyzerTest.java
index b2a0ed974e3..1404c1bcb53 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/GolangModAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/GolangModAnalyzerTest.java
@@ -17,36 +17,36 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.utils.Settings;
 
 import java.io.File;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import org.owasp.dependencycheck.utils.Settings;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for GolangModAnalyzer.
  *
  * @author Matthijs van den Bos
  */
-public class GolangModAnalyzerTest extends BaseTest {
+class GolangModAnalyzerTest extends BaseTest {
 
     private GolangModAnalyzer analyzer;
     private Engine engine;
 
     @Override
-    @Before
+    @BeforeEach
     public void setUp() throws Exception {
         super.setUp();
         getSettings().setBoolean(Settings.KEYS.AUTO_UPDATE, false);
@@ -71,7 +71,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         if (analyzer != null) {
@@ -82,18 +82,19 @@ public void tearDown() throws Exception {
     }
 
     @Test
-    public void testName() {
-        assertEquals("Analyzer name wrong.", "Golang Mod Analyzer",
-                analyzer.getName());
+    void testName() {
+        assertEquals("Golang Mod Analyzer",
+                analyzer.getName(),
+                "Analyzer name wrong.");
     }
 
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertThat(analyzer.accept(new File("go.mod")), is(true));
     }
 
     @Test
-    public void testGoMod() throws AnalysisException, InitializationException {
+    void testGoMod() throws AnalysisException, InitializationException {
         analyzer.prepare(engine);
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "golang/go.mod"));
         analyzer.analyze(result, engine);
@@ -112,6 +113,6 @@ public void testGoMod() throws AnalysisException, InitializationException {
                 assertTrue(d.getEvidence(EvidenceType.VERSION).toString().toLowerCase().contains("1.5.0"));
             }
         }
-        assertTrue("Expected to find gitea/gitea", found);
+        assertTrue(found, "Expected to find gitea/gitea");
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
index 88c36b6de9f..8bb6619dbaf 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
@@ -15,33 +15,33 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import java.util.Set;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.utils.Settings;
 
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class HintAnalyzerTest extends BaseDBTestCase {
+class HintAnalyzerTest extends BaseDBTestCase {
 
     /**
      * Test of getName method, of class HintAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         HintAnalyzer instance = new HintAnalyzer();
         String expResult = "Hint Analyzer";
         String result = instance.getName();
@@ -52,7 +52,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class HintAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         HintAnalyzer instance = new HintAnalyzer();
         AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION2;
         AnalysisPhase result = instance.getAnalysisPhase();
@@ -63,7 +63,7 @@ public void testGetAnalysisPhase() {
      * Test of analyze method, of class HintAnalyzer.
      */
     @Test
-    public void testAnalyze() throws Exception {
+    void testAnalyze() throws Exception {
         //File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
         File guice = BaseTest.getResourceAsFile(this, "guice-3.0.jar");
         //Dependency guice = new EngineDependency(fileg);
@@ -110,7 +110,7 @@ public void testAnalyze() throws Exception {
      * Test of analyze method, of class HintAnalyzer.
      */
     @Test
-    public void testAnalyze_1() throws Exception {
+    void testAnalyze_1() throws Exception {
         File path = BaseTest.getResourceAsFile(this, "hints_12.xml");
         getSettings().setString(Settings.KEYS.HINTS_FILE, path.getPath());
         HintAnalyzer instance = new HintAnalyzer();
@@ -125,13 +125,13 @@ public void testAnalyze_1() throws Exception {
         d.addEvidence(EvidenceType.VENDOR, "hint analyzer", "other vendor name", "vendor", Confidence.HIGH);
         d.addEvidence(EvidenceType.PRODUCT, "hint analyzer", "other product name", "product", Confidence.HIGH);
 
-        assertEquals("vendor evidence mismatch", 2, d.getEvidence(EvidenceType.VENDOR).size());
-        assertEquals("product evidence mismatch", 2, d.getEvidence(EvidenceType.PRODUCT).size());
-        assertEquals("version evidence mismatch", 3, d.getEvidence(EvidenceType.VERSION).size());
+        assertEquals(2, d.getEvidence(EvidenceType.VENDOR).size(), "vendor evidence mismatch");
+        assertEquals(2, d.getEvidence(EvidenceType.PRODUCT).size(), "product evidence mismatch");
+        assertEquals(3, d.getEvidence(EvidenceType.VERSION).size(), "version evidence mismatch");
         instance.analyze(d, null);
-        assertEquals("vendor evidence mismatch", 1, d.getEvidence(EvidenceType.VENDOR).size());
-        assertEquals("product evidence mismatch", 1, d.getEvidence(EvidenceType.PRODUCT).size());
-        assertEquals("version evidence mismatch", 2, d.getEvidence(EvidenceType.VERSION).size());
+        assertEquals(1, d.getEvidence(EvidenceType.VENDOR).size(), "vendor evidence mismatch");
+        assertEquals(1, d.getEvidence(EvidenceType.PRODUCT).size(), "product evidence mismatch");
+        assertEquals(2, d.getEvidence(EvidenceType.VERSION).size(), "version evidence mismatch");
 
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
index 5b88190bf6b..86c6ee6d11f 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
@@ -17,7 +17,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -32,14 +32,14 @@
 import java.util.Collections;
 import java.util.List;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * @author Jeremy Long
  */
-public class JarAnalyzerTest extends BaseTest {
+class JarAnalyzerTest extends BaseTest {
 
     /**
      * Test of inspect method, of class JarAnalyzer.
@@ -47,7 +47,7 @@ public class JarAnalyzerTest extends BaseTest {
      * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyze() throws Exception {
+    void testAnalyze() throws Exception {
         //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
         Dependency result = new Dependency(file);
@@ -65,12 +65,12 @@ public void testAnalyze() throws Exception {
         boolean found = false;
         for (Evidence e : result.getEvidence(EvidenceType.VENDOR)) {
             if (e.getName().equals("url")) {
-                assertEquals("Project url was not as expected in dwr.jar", "http://getahead.ltd.uk/dwr", e.getValue());
+                assertEquals("http://getahead.ltd.uk/dwr", e.getValue(), "Project url was not as expected in dwr.jar");
                 found = true;
                 break;
             }
         }
-        assertTrue("Project url was not found in dwr.jar", found);
+        assertTrue(found, "Project url was not found in dwr.jar");
 
         //file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
         file = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar");
@@ -84,7 +84,7 @@ public void testAnalyze() throws Exception {
                 break;
             }
         }
-        assertTrue("package-title of org.mortbay.http not found in org.mortbay.jetty.jar", found);
+        assertTrue(found, "package-title of org.mortbay.http not found in org.mortbay.jetty.jar");
 
         found = false;
         for (Evidence e : result.getEvidence(EvidenceType.VENDOR)) {
@@ -94,7 +94,7 @@ public void testAnalyze() throws Exception {
                 break;
             }
         }
-        assertTrue("implementation-url of http://jetty.mortbay.org not found in org.mortbay.jetty.jar", found);
+        assertTrue(found, "implementation-url of http://jetty.mortbay.org not found in org.mortbay.jetty.jar");
 
         found = false;
         for (Evidence e : result.getEvidence(EvidenceType.VERSION)) {
@@ -104,17 +104,17 @@ public void testAnalyze() throws Exception {
                 break;
             }
         }
-        assertTrue("implementation-version of 4.2.27 not found in org.mortbay.jetty.jar", found);
+        assertTrue(found, "implementation-version of 4.2.27 not found in org.mortbay.jetty.jar");
 
         //file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
         file = BaseTest.getResourceAsFile(this, "org.mortbay.jmx.jar");
         result = new Dependency(file);
         instance.analyze(result, null);
-        assertEquals("org.mortbar.jmx.jar has version evidence?", 0, result.getEvidence(EvidenceType.VERSION).size());
+        assertEquals(0, result.getEvidence(EvidenceType.VERSION).size(), "org.mortbar.jmx.jar has version evidence?");
     }
 
     @Test
-    public void testAddMatchingValues() throws Exception {
+    void testAddMatchingValues() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
         Dependency dependency = new Dependency(file);
         JarAnalyzer instance = new JarAnalyzer();
@@ -148,14 +148,14 @@ public void testAddMatchingValues() throws Exception {
      * Test of getSupportedExtensions method, of class JarAnalyzer.
      */
     @Test
-    public void testAcceptSupportedExtensions() throws Exception {
+    void testAcceptSupportedExtensions() throws Exception {
         JarAnalyzer instance = new JarAnalyzer();
         instance.initialize(getSettings());
         instance.prepare(null);
         instance.setEnabled(true);
         String[] files = {"test.jar", "test.war"};
         for (String name : files) {
-            assertTrue(name, instance.accept(new File(name)));
+            assertTrue(instance.accept(new File(name)), name);
         }
     }
 
@@ -163,7 +163,7 @@ public void testAcceptSupportedExtensions() throws Exception {
      * Test of getName method, of class JarAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         JarAnalyzer instance = new JarAnalyzer();
         String expResult = "Jar Analyzer";
         String result = instance.getName();
@@ -171,7 +171,7 @@ public void testGetName() {
     }
 
     @Test
-    public void testParseManifest() throws Exception {
+    void testParseManifest() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "xalan-2.7.0.jar");
         Dependency result = new Dependency(file);
         JarAnalyzer instance = new JarAnalyzer();
@@ -185,7 +185,7 @@ public void testParseManifest() throws Exception {
      * Test of getAnalysisPhase method, of class JarAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         JarAnalyzer instance = new JarAnalyzer();
         AnalysisPhase expResult = AnalysisPhase.INFORMATION_COLLECTION;
         AnalysisPhase result = instance.getAnalysisPhase();
@@ -196,7 +196,7 @@ public void testGetAnalysisPhase() {
      * Test of getAnalyzerEnabledSettingKey method, of class JarAnalyzer.
      */
     @Test
-    public void testGetAnalyzerEnabledSettingKey() {
+    void testGetAnalyzerEnabledSettingKey() {
         JarAnalyzer instance = new JarAnalyzer();
         String expResult = Settings.KEYS.ANALYZER_JAR_ENABLED;
         String result = instance.getAnalyzerEnabledSettingKey();
@@ -204,7 +204,7 @@ public void testGetAnalyzerEnabledSettingKey() {
     }
 
     @Test
-    public void testClassInformation() {
+    void testClassInformation() {
         JarAnalyzer.ClassNameInformation instance = new JarAnalyzer.ClassNameInformation("org/owasp/dependencycheck/analyzer/JarAnalyzer");
         assertEquals("org/owasp/dependencycheck/analyzer/JarAnalyzer", instance.getName());
         List<String> expected = Arrays.asList("owasp", "dependencycheck", "analyzer", "jaranalyzer");
@@ -213,7 +213,7 @@ public void testClassInformation() {
     }
 
     @Test
-    public void testAnalyzeDependency_SkipsMacOSMetaDataFile() throws Exception {
+    void testAnalyzeDependency_SkipsMacOSMetaDataFile() throws Exception {
         JarAnalyzer instance = new JarAnalyzer();
         Dependency macOSMetaDataFile = new Dependency();
 
@@ -232,7 +232,7 @@ public void testAnalyzeDependency_SkipsMacOSMetaDataFile() throws Exception {
     }
 
     @Test
-    public void testAnalyseDependency_SkipsNonZipFile() throws Exception {
+    void testAnalyseDependency_SkipsNonZipFile() throws Exception {
         JarAnalyzer instance = new JarAnalyzer();
         Dependency textFileWithJarExtension = new Dependency();
         textFileWithJarExtension
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzerTest.java
index 6feec92f2dc..54814d5abfa 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzerTest.java
@@ -17,9 +17,8 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Before;
-import org.junit.Test;
-
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -28,18 +27,18 @@
 
 import java.io.File;
 
-import static junit.framework.TestCase.assertTrue;
-import static org.junit.Assert.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * @author Arjen Korevaar
  */
-public class LibmanAnalyzerTest extends BaseTest {
+class LibmanAnalyzerTest extends BaseTest {
 
     private Engine engine;
     private LibmanAnalyzer analyzer;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -54,7 +53,7 @@ public void setUp() throws Exception {
     }
 
     @Test
-    public void testGetAnalyzerName() {
+    void testGetAnalyzerName() {
         String expected = "Libman Analyzer";
         String actual = analyzer.getName();
 
@@ -62,14 +61,14 @@ public void testGetAnalyzerName() {
     }
 
     @Test
-    public void testSupportedFileNames() {
+    void testSupportedFileNames() {
         boolean condition = analyzer.accept(new File("libman.json"));
 
         assertTrue(condition);
     }
 
     @Test
-    public void testGetAnalyzerEnabledSettingKey() {
+    void testGetAnalyzerEnabledSettingKey() {
         String expected = Settings.KEYS.ANALYZER_LIBMAN_ENABLED;
         String actual = analyzer.getAnalyzerEnabledSettingKey();
 
@@ -77,7 +76,7 @@ public void testGetAnalyzerEnabledSettingKey() {
     }
 
     @Test
-    public void testLibmanAnalysis() throws Exception {
+    void testLibmanAnalysis() throws Exception {
         try (Engine engine = new Engine(getSettings())) {
             File file = BaseTest.getResourceAsFile(this, "libman/libman.json");
             Dependency dependency = new Dependency(file);
@@ -118,7 +117,7 @@ public void testLibmanAnalysis() throws Exception {
                 }
             }
 
-            assertEquals("4 dependencies should be found", 4, count);
+            assertEquals(4, count, "4 dependencies should be found");
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzerTest.java
index fd4b560e598..2b09483d30e 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/MSBuildProjectAnalyzerTest.java
@@ -17,26 +17,27 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 
 import java.io.File;
 import java.util.stream.Collectors;
 
-import static junit.framework.TestCase.assertTrue;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.owasp.dependencycheck.analyzer.NuspecAnalyzer.DEPENDENCY_ECOSYSTEM;
 
-public class MSBuildProjectAnalyzerTest extends BaseTest {
+class MSBuildProjectAnalyzerTest extends BaseTest {
 
     private MSBuildProjectAnalyzer instance;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -48,24 +49,24 @@ public void setUp() throws Exception {
     }
 
     @Test
-    public void testGetAnalyzerName() {
+    void testGetAnalyzerName() {
         assertEquals("MSBuild Project Analyzer", instance.getName());
     }
 
     @Test
-    public void testSupportsFileExtensions() {
+    void testSupportsFileExtensions() {
         assertTrue(instance.accept(new File("test.csproj")));
         assertTrue(instance.accept(new File("test.vbproj")));
         assertFalse(instance.accept(new File("test.nuspec")));
     }
 
     @Test
-    public void testGetAnalysisPhaze() {
+    void testGetAnalysisPhaze() {
         assertEquals(AnalysisPhase.INFORMATION_COLLECTION, instance.getAnalysisPhase());
     }
 
     @Test
-    public void testMSBuildProjectAnalysis() throws Exception {
+    void testMSBuildProjectAnalysis() throws Exception {
 
         try (Engine engine = new Engine(getSettings())) {
             File file = BaseTest.getResourceAsFile(this, "msbuild/test.csproj");
@@ -77,7 +78,7 @@ public void testMSBuildProjectAnalysis() throws Exception {
             analyzer.setEnabled(true);
             analyzer.analyze(toScan, engine);
 
-            assertEquals("5 dependencies should be found", 5, engine.getDependencies().length);
+            assertEquals(5, engine.getDependencies().length, "5 dependencies should be found");
 
             int foundCount = 0;
 
@@ -120,7 +121,7 @@ public void testMSBuildProjectAnalysis() throws Exception {
                             foundCount++;
                             assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("NodaTime"));
                             assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("NodaTime"));
-                            assertTrue("Expected 3.0.0; contained: " + result.getEvidence(EvidenceType.VERSION).stream().map(e -> e.toString()).collect(Collectors.joining(",", "{", "}")), result.getEvidence(EvidenceType.VERSION).toString().contains("3.0.0"));
+                            assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("3.0.0"), "Expected 3.0.0; contained: " + result.getEvidence(EvidenceType.VERSION).stream().map(Evidence::toString).collect(Collectors.joining(",", "{", "}")));
                             break;
                         default:
                             break;
@@ -128,12 +129,12 @@ public void testMSBuildProjectAnalysis() throws Exception {
                 }
             }
 
-            assertEquals("5 expected dependencies should be found", 5, foundCount);
+            assertEquals(5, foundCount, "5 expected dependencies should be found");
         }
     }
 
     @Test
-    public void testMSBuildProjectAnalysis_WithImports() throws Exception {
+    void testMSBuildProjectAnalysis_WithImports() throws Exception {
         testMSBuildProjectAnalysisWithImport("msbuild/ProjectA/ProjectA.csproj", "3.0.0", "1.0.0");
         testMSBuildProjectAnalysisWithImport("msbuild/ProjectB/ProjectB.csproj", "3.0.0", "2.0.0");
         testMSBuildProjectAnalysisWithImport("msbuild/ProjectC/ProjectC.csproj", "3.0.0", "3.0.0");
@@ -154,7 +155,7 @@ public void testMSBuildProjectAnalysisWithImport(String path, String nodaVersion
             analyzer.setEnabled(true);
             analyzer.analyze(toScan, engine);
 
-            assertEquals("2 dependencies should be found", 2, engine.getDependencies().length);
+            assertEquals(2, engine.getDependencies().length, "2 dependencies should be found");
 
             int foundCount = 0;
 
@@ -168,13 +169,13 @@ public void testMSBuildProjectAnalysisWithImport(String path, String nodaVersion
                             foundCount++;
                             assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("Humanizer"));
                             assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Humanizer"));
-                            assertTrue("Expected " + humanizerVersion + "; contained: " + result.getEvidence(EvidenceType.VERSION).stream().map(e -> e.toString()).collect(Collectors.joining(",", "{", "}")), result.getEvidence(EvidenceType.VERSION).toString().contains(humanizerVersion));
+                            assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains(humanizerVersion), "Expected " + humanizerVersion + "; contained: " + result.getEvidence(EvidenceType.VERSION).stream().map(Evidence::toString).collect(Collectors.joining(",", "{", "}")));
                             break;
                         case "NodaTime":
                             foundCount++;
                             assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("NodaTime"));
                             assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("NodaTime"));
-                            assertTrue("Expected " + nodaVersion + "; contained: " + result.getEvidence(EvidenceType.VERSION).stream().map(e -> e.toString()).collect(Collectors.joining(",", "{", "}")), result.getEvidence(EvidenceType.VERSION).toString().contains(nodaVersion));
+                            assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains(nodaVersion), "Expected " + nodaVersion + "; contained: " + result.getEvidence(EvidenceType.VERSION).stream().map(Evidence::toString).collect(Collectors.joining(",", "{", "}")));
                             break;
                         default:
                             break;
@@ -182,7 +183,7 @@ public void testMSBuildProjectAnalysisWithImport(String path, String nodaVersion
                 }
             }
 
-            assertEquals("2 expected dependencies should be found", 2, foundCount);
+            assertEquals(2, foundCount, "2 expected dependencies should be found");
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzerIT.java
index fa4fd775a81..6dfb02c8a28 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzerIT.java
@@ -1,23 +1,24 @@
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
-import static org.hamcrest.CoreMatchers.is;
-import static org.junit.Assert.*;
-import org.junit.Assume;
-import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
-public class NodeAuditAnalyzerIT extends BaseTest {
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
+
+class NodeAuditAnalyzerIT extends BaseTest {
 
     @Test
-    public void testAnalyzePackage() throws AnalysisException, InitializationException, InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testAnalyzePackage() throws AnalysisException, InitializationException, InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         try (Engine engine = new Engine(getSettings())) {
             NodeAuditAnalyzer analyzer = new NodeAuditAnalyzer();
             analyzer.setFilesMatched(true);
@@ -26,7 +27,7 @@ public void testAnalyzePackage() throws AnalysisException, InitializationExcepti
             final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, "nodeaudit/package-lock.json"));
             analyzer.analyze(toScan, engine);
             boolean found = false;
-            assertTrue("More then 1 dependency should be identified", 1 < engine.getDependencies().length);
+            assertTrue(1 < engine.getDependencies().length, "More then 1 dependency should be identified");
             for (Dependency result : engine.getDependencies()) {
                 if ("package-lock.json?uglify-js".equals(result.getFileName())) {
                     found = true;
@@ -36,13 +37,13 @@ public void testAnalyzePackage() throws AnalysisException, InitializationExcepti
                     assertTrue(result.isVirtual());
                 }
             }
-            assertTrue("Uglify was not found", found);
+            assertTrue(found, "Uglify was not found");
         }
     }
 
     @Test
-    public void testAnalyzeEmpty() throws AnalysisException, InitializationException, InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testAnalyzeEmpty() throws AnalysisException, InitializationException, InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         try (Engine engine = new Engine(getSettings())) {
             NodeAuditAnalyzer analyzer = new NodeAuditAnalyzer();
             analyzer.setFilesMatched(true);
@@ -58,8 +59,8 @@ public void testAnalyzeEmpty() throws AnalysisException, InitializationException
     }
 
     @Test
-    public void testAnalyzePackageJsonInNodeModulesDirectory() throws AnalysisException, InitializationException, InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testAnalyzePackageJsonInNodeModulesDirectory() throws AnalysisException, InitializationException, InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         try (Engine engine = new Engine(getSettings())) {
             NodeAuditAnalyzer analyzer = new NodeAuditAnalyzer();
             analyzer.setFilesMatched(true);
@@ -68,7 +69,7 @@ public void testAnalyzePackageJsonInNodeModulesDirectory() throws AnalysisExcept
             final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, "nodejs/node_modules/dns-sync/package.json"));
             engine.addDependency(toScan);
             analyzer.analyze(toScan, engine);
-            assertEquals("No dependencies should exist", 0, engine.getDependencies().length);
+            assertEquals(0, engine.getDependencies().length, "No dependencies should exist");
         }
     }
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzerTest.java
index 5fe4caef275..bacb52681a2 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/NodeAuditAnalyzerTest.java
@@ -1,21 +1,23 @@
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
+
 import java.io.File;
+
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
-public class NodeAuditAnalyzerTest extends BaseTest {
+class NodeAuditAnalyzerTest extends BaseTest {
 
     @Test
-    public void testGetName() {
+    void testGetName() {
         NodeAuditAnalyzer analyzer = new NodeAuditAnalyzer();
         assertThat(analyzer.getName(), is("Node Audit Analyzer"));
     }
 
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         NodeAuditAnalyzer analyzer = new NodeAuditAnalyzer();
         assertThat(analyzer.accept(new File("package-lock.json")), is(true));
         assertThat(analyzer.accept(new File("npm-shrinkwrap.json")), is(true));
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java
index c05193b80f4..b202b7f7ee6 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java
@@ -17,33 +17,34 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
 
 import java.io.File;
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.*;
-
-import org.junit.Assume;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.EvidenceType;
-import org.owasp.dependencycheck.exception.InitializationException;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
-import org.owasp.dependencycheck.utils.Settings;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
 /**
  * Unit tests for NodePackageAnalyzer.
  *
  * @author Dale Visser
  */
-public class NodePackageAnalyzerTest extends BaseTest {
+class NodePackageAnalyzerTest extends BaseTest {
 
     /**
      * The analyzer to test.
@@ -89,7 +90,7 @@ private NodePackageAnalyzer getNodePackageAnalyzer(Engine engine) {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -115,7 +116,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         if (getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED)) {
@@ -130,9 +131,9 @@ public void tearDown() throws Exception {
      * Test of getName method, of class PythonDistributionAnalyzer.
      */
     @Test
-    public void testGetName() throws InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testGetName() throws InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED));
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         assertThat(analyzer.getName(), is("Node.js Package Analyzer"));
     }
 
@@ -140,9 +141,9 @@ public void testGetName() throws InvalidSettingException {
      * Test of supportsExtension method, of class PythonDistributionAnalyzer.
      */
     @Test
-    public void testSupportsFiles() throws InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testSupportsFiles() throws InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED));
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         assertThat(analyzer.accept(new File("package-lock.json")), is(true));
         assertThat(analyzer.accept(new File("npm-shrinkwrap.json")), is(true));
     }
@@ -153,9 +154,9 @@ public void testSupportsFiles() throws InvalidSettingException {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeShrinkwrapJson() throws AnalysisException, InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testAnalyzeShrinkwrapJson() throws AnalysisException, InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED));
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this,
                 "nodejs/npm-shrinkwrap.json"));
         final Dependency toCombine = new Dependency(BaseTest.getResourceAsFile(this,
@@ -206,9 +207,9 @@ private void testLock() {
             }
         }
 
-        assertTrue("need to contain braces", bracesFound);
+        assertTrue(bracesFound, "need to contain braces");
         //check if dependencies of dependencies are imported
-        assertTrue("need to contain expand-range (dependency of braces)", expandRangeFound);
+        assertTrue(expandRangeFound, "need to contain expand-range (dependency of braces)");
 
         final String vendorString = result.getEvidence(EvidenceType.VENDOR).toString();
         assertThat(vendorString, containsString("Sanjeev Koranga"));
@@ -232,9 +233,9 @@ private void testLock() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzePackageJsonWithShrinkwrap() throws AnalysisException, InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testAnalyzePackageJsonWithShrinkwrap() throws AnalysisException, InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED));
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         final Dependency packageJson = new Dependency(BaseTest.getResourceAsFile(this,
                 "nodejs/package.json"));
         final Dependency shrinkwrap = new Dependency(BaseTest.getResourceAsFile(this,
@@ -256,16 +257,16 @@ public void testAnalyzePackageJsonWithShrinkwrap() throws AnalysisException, Inv
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testWithoutLock() throws AnalysisException, InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testWithoutLock() throws AnalysisException, InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED));
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         final Dependency packageJson = new Dependency(BaseTest.getResourceAsFile(this,
                 "nodejs/no_lock/package.json"));
         engine.addDependency(packageJson);
         analyzer.analyze(packageJson, engine);
 
         //final boolean isMac = !System.getProperty("os.name").toLowerCase().contains("mac");
-        assertEquals("Expected 1 dependencies", 1, engine.getDependencies().length);
+        assertEquals(1, engine.getDependencies().length, "Expected 1 dependencies");
     }
 
     /**
@@ -274,9 +275,9 @@ public void testWithoutLock() throws AnalysisException, InvalidSettingException
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testPackageLockV2() throws AnalysisException, InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testPackageLockV2() throws AnalysisException, InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED));
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         final Dependency packageJson = new Dependency(BaseTest.getResourceAsFile(this,
                 "nodejs/test_lockv2/package.json"));
         final Dependency packageLockJson = new Dependency(BaseTest.getResourceAsFile(this,
@@ -284,9 +285,9 @@ public void testPackageLockV2() throws AnalysisException, InvalidSettingExceptio
         engine.addDependency(packageJson);
         engine.addDependency(packageLockJson);
         analyzer.analyze(packageJson, engine);
-        assertEquals("Expected 1 dependencies", 1, engine.getDependencies().length);
+        assertEquals(1, engine.getDependencies().length, "Expected 1 dependencies");
         analyzer.analyze(packageLockJson, engine);
-        assertEquals("Expected 1 dependencies", 6, engine.getDependencies().length);
+        assertEquals(6, engine.getDependencies().length, "Expected 1 dependencies");
     }
 
     /**
@@ -295,9 +296,9 @@ public void testPackageLockV2() throws AnalysisException, InvalidSettingExceptio
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testPackageLockV3() throws AnalysisException, InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED), is(true));
+    void testPackageLockV3() throws AnalysisException, InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED));
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_AUDIT_ENABLED));
         final Dependency packageJson = new Dependency(BaseTest.getResourceAsFile(this,
                 "nodejs/test_lockv3/package.json"));
         final Dependency packageLockJson = new Dependency(BaseTest.getResourceAsFile(this,
@@ -305,9 +306,9 @@ public void testPackageLockV3() throws AnalysisException, InvalidSettingExceptio
         engine.addDependency(packageJson);
         engine.addDependency(packageLockJson);
         analyzer.analyze(packageJson, engine);
-        assertEquals("Expected 1 dependencies", 1, engine.getDependencies().length);
+        assertEquals(1, engine.getDependencies().length, "Expected 1 dependencies");
         analyzer.analyze(packageLockJson, engine);
-        assertEquals("Expected 1 dependencies", 6, engine.getDependencies().length);
+        assertEquals(6, engine.getDependencies().length, "Expected 1 dependencies");
     }
 
     /**
@@ -318,8 +319,8 @@ public void testPackageLockV3() throws AnalysisException, InvalidSettingExceptio
      * @throws AnalysisException if there was a problem with the analysis
      */
     @Test
-    public void testLocalPackageDependency() throws AnalysisException, InvalidSettingException {
-        Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED), is(true));
+    void testLocalPackageDependency() throws AnalysisException, InvalidSettingException {
+        assumeTrue(getSettings().getBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED));
         final Dependency packageJson = new Dependency(BaseTest.getResourceAsFile(this,
                 "nodejs/local_package/package.json"));
         final Dependency packageLockJson = new Dependency(BaseTest.getResourceAsFile(this,
@@ -327,8 +328,8 @@ public void testLocalPackageDependency() throws AnalysisException, InvalidSettin
         engine.addDependency(packageJson);
         engine.addDependency(packageLockJson);
         analyzer.analyze(packageJson, engine);
-        assertEquals("Expected 1 dependencies", 1, engine.getDependencies().length);
+        assertEquals(1, engine.getDependencies().length, "Expected 1 dependencies");
         analyzer.analyze(packageLockJson, engine);
-        assertEquals("Expected 2 dependencies", 2, engine.getDependencies().length);
+        assertEquals(2, engine.getDependencies().length, "Expected 2 dependencies");
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzerIT.java
index 94aa6bbff6b..2d00812e37b 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzerIT.java
@@ -17,20 +17,21 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import static org.junit.Assert.assertEquals;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import static org.junit.Assert.assertTrue;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class NpmCPEAnalyzerIT extends BaseDBTestCase {
+class NpmCPEAnalyzerIT extends BaseDBTestCase {
 
     /**
      * Test of analyzeDependency method, of class CPEAnalyzer.
@@ -38,7 +39,7 @@ public class NpmCPEAnalyzerIT extends BaseDBTestCase {
      * @throws Exception is thrown when an exception occurs
      */
     @Test
-    public void testAnalyzeDependency() throws Exception {
+    void testAnalyzeDependency() throws Exception {
 
         NpmCPEAnalyzer instance = new NpmCPEAnalyzer();
         try (Engine engine = new Engine(getSettings())) {
@@ -82,11 +83,11 @@ private void callAnalyzeDependency(String vendor, String product, String version
             System.out.println(id.getValue());
             return expectedCpe.equals(id.getValue());
         });
-        assertTrue(String.format("%s:%s:%s identifier not found", vendor, product, version), found);
+        assertTrue(found, String.format("%s:%s:%s identifier not found", vendor, product, version));
     }
 
     @Test
-    public void testAnalyzeDependencyNoMatch() throws Exception {
+    void testAnalyzeDependencyNoMatch() throws Exception {
 
         NpmCPEAnalyzer instance = new NpmCPEAnalyzer();
         try (Engine engine = new Engine(getSettings())) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzerTest.java
index 86294c9d534..f20e68d5bb4 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/NpmCPEAnalyzerTest.java
@@ -17,22 +17,23 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Test;
-import static org.junit.Assert.*;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.utils.Settings;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 /**
  *
  * @author jeremy long
  */
-public class NpmCPEAnalyzerTest extends BaseDBTestCase {
+class NpmCPEAnalyzerTest extends BaseDBTestCase {
 
     /**
      * Test of getName method, of class CPEAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         NpmCPEAnalyzer instance = new NpmCPEAnalyzer();
         String expResult = "NPM CPE Analyzer";
         String result = instance.getName();
@@ -43,7 +44,7 @@ public void testGetName() {
      * Test of getAnalyzerEnabledSettingKey method, of class CPEAnalyzer.
      */
     @Test
-    public void testGetAnalyzerEnabledSettingKey() {
+    void testGetAnalyzerEnabledSettingKey() {
         NpmCPEAnalyzer instance = new NpmCPEAnalyzer();
         String expResult = Settings.KEYS.ANALYZER_NPM_CPE_ENABLED;
         String result = instance.getAnalyzerEnabledSettingKey();
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java
index 884f329fb5f..1e405150871 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/NugetconfAnalyzerTest.java
@@ -17,8 +17,8 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -26,16 +26,16 @@
 
 import java.io.File;
 
-import static junit.framework.TestCase.assertTrue;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.owasp.dependencycheck.analyzer.NuspecAnalyzer.DEPENDENCY_ECOSYSTEM;
 
-public class NugetconfAnalyzerTest extends BaseTest {
+class NugetconfAnalyzerTest extends BaseTest {
 
     private NugetconfAnalyzer instance;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -46,18 +46,18 @@ public void setUp() throws Exception {
     }
 
     @Test
-    public void testGetAnalyzerName() {
+    void testGetAnalyzerName() {
         assertEquals("Nugetconf Analyzer", instance.getName());
     }
 
     @Test
-    public void testSupportedFileNames() {
+    void testSupportedFileNames() {
         assertTrue(instance.accept(new File("packages.config")));
         assertFalse(instance.accept(new File("packages.json")));
     }
 
     @Test
-    public void testNugetconfAnalysis() throws Exception {
+    void testNugetconfAnalysis() throws Exception {
 
         try (Engine engine = new Engine(getSettings())) {
             File file = BaseTest.getResourceAsFile(this, "nugetconf/packages.config");
@@ -99,12 +99,12 @@ public void testNugetconfAnalysis() throws Exception {
                         assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("Newtonsoft.Json"));
                         assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("10.0.3"));
                         break;
-                    
+
                     default :
                         break;
                     }
                 }
-            assertEquals("4 dependencies should be found", 4, foundCount);
+            assertEquals(4, foundCount, "4 dependencies should be found");
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
index 12dc3eaf64d..d9a57b2d383 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
@@ -17,24 +17,23 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 import java.io.File;
-import org.owasp.dependencycheck.dependency.EvidenceType;
 
-public class NuspecAnalyzerTest extends BaseTest {
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class NuspecAnalyzerTest extends BaseTest {
 
     private NuspecAnalyzer instance;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -45,23 +44,23 @@ public void setUp() throws Exception {
     }
 
     @Test
-    public void testGetAnalyzerName() {
+    void testGetAnalyzerName() {
         assertEquals("Nuspec Analyzer", instance.getName());
     }
 
     @Test
-    public void testSupportsFileExtensions() {
+    void testSupportsFileExtensions() {
         assertTrue(instance.accept(new File("test.nuspec")));
         assertFalse(instance.accept(new File("test.nupkg")));
     }
 
     @Test
-    public void testGetAnalysisPhaze() {
+    void testGetAnalysisPhaze() {
         assertEquals(AnalysisPhase.INFORMATION_COLLECTION, instance.getAnalysisPhase());
     }
 
     @Test
-    public void testNuspecAnalysis() throws Exception {
+    void testNuspecAnalysis() throws Exception {
 
         File file = BaseTest.getResourceAsFile(this, "nuspec/test.nuspec");
         Dependency result = new Dependency(file);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java
index d6749e03f90..a9b14445a9a 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java
@@ -17,27 +17,27 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 import java.io.File;
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import org.owasp.dependencycheck.dependency.EvidenceType;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for OpenSSLAnalyzerAnalyzer.
  *
  * @author Dale Visser
  */
-public class OpenSSLAnalyzerTest extends BaseTest {
+class OpenSSLAnalyzerTest extends BaseTest {
 
     /**
      * The package analyzer to test.
@@ -49,7 +49,7 @@ public class OpenSSLAnalyzerTest extends BaseTest {
      *
      * @throws Exception if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -64,7 +64,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -75,21 +75,21 @@ public void tearDown() throws Exception {
      * Test of getName method, of class OpenSSLAnalyzer.
      */
     @Test
-    public void testGetName() {
-        assertEquals("Analyzer name wrong.", "OpenSSL Source Analyzer", analyzer.getName());
+    void testGetName() {
+        assertEquals("OpenSSL Source Analyzer", analyzer.getName(), "Analyzer name wrong.");
     }
 
     /**
      * Test of supportsExtension method, of class PythonPackageAnalyzer.
      */
     @Test
-    public void testAccept() {
-        assertTrue("Should support files named \"opensslv.h\".",
-                analyzer.accept(new File("opensslv.h")));
+    void testAccept() {
+        assertTrue(analyzer.accept(new File("opensslv.h")),
+                "Should support files named \"opensslv.h\".");
     }
 
     @Test
-    public void testVersionConstantExamples() {
+    void testVersionConstantExamples() {
         final long[] constants = {0x1000203fL, 0x00903000L, 0x00903001L, 0x00903002L, 0x0090300fL, 0x0090301fL, 0x0090400fL, 0x102031afL};
         final String[] versions = {"1.0.2c",
             "0.9.3-dev",
@@ -106,7 +106,7 @@ public void testVersionConstantExamples() {
     }
 
     @Test
-    public void testOpenSSLVersionHeaderFile() throws AnalysisException {
+    void testOpenSSLVersionHeaderFile() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this,
                 "openssl/opensslv.h"));
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
index 641f9e5a31e..d1d615978b9 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
@@ -1,20 +1,6 @@
 package org.owasp.dependencycheck.analyzer;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-
-import java.net.SocketTimeoutException;
-
-import org.junit.Assert;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -23,16 +9,28 @@
 import org.owasp.dependencycheck.dependency.naming.Identifier;
 import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
 import org.owasp.dependencycheck.utils.Settings;
-
 import org.sonatype.goodies.packageurl.PackageUrl;
 import org.sonatype.ossindex.service.api.componentreport.ComponentReport;
 import org.sonatype.ossindex.service.client.OssindexClient;
 import org.sonatype.ossindex.service.client.transport.Transport;
 
-public class OssIndexAnalyzerTest extends BaseTest {
+import java.net.SocketTimeoutException;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+
+class OssIndexAnalyzerTest extends BaseTest {
 
     @Test
-    public void should_enrich_be_included_in_mutex_to_prevent_NPE()
+    void should_enrich_be_included_in_mutex_to_prevent_NPE()
             throws Exception {
 
         // Given
@@ -96,7 +94,7 @@ void awaitPendingClosure() throws ExecutionException, InterruptedException {
     }
 
     @Test
-    public void should_analyzeDependency_return_a_dedicated_error_message_when_403_response_from_sonatype() throws Exception {
+    void should_analyzeDependency_return_a_dedicated_error_message_when_403_response_from_sonatype() throws Exception {
         // Given
         OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowing403();
         analyzer.initialize(getSettings());
@@ -123,12 +121,12 @@ public void should_analyzeDependency_return_a_dedicated_error_message_when_403_r
         analyzer.close();
     }
 
-    
+
     @Test
-    public void should_analyzeDependency_only_warn_when_transport_error_from_sonatype() throws Exception {
+    void should_analyzeDependency_only_warn_when_transport_error_from_sonatype() throws Exception {
         // Given
         OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowing502();
-        
+
         getSettings().setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, true);
         analyzer.initialize(getSettings());
 
@@ -139,22 +137,21 @@ public void should_analyzeDependency_only_warn_when_transport_error_from_sonatyp
         dependency.addSoftwareIdentifier(identifier);
         Settings settings = getSettings();
         Engine engine = new Engine(settings);
-        engine.setDependencies(Collections.singletonList(dependency));
 
         // When
-        try {
+        try (engine) {
+            engine.setDependencies(Collections.singletonList(dependency));
             analyzer.analyzeDependency(dependency, engine);
         } catch (AnalysisException e) {
-            Assert.fail("Analysis exception thrown upon remote error although only a warning should have been logged");
+            fail("Analysis exception thrown upon remote error although only a warning should have been logged");
         } finally {
             analyzer.close();
-            engine.close();
         }
     }
 
 
     @Test
-    public void should_analyzeDependency_only_warn_when_socket_error_from_sonatype() throws Exception {
+    void should_analyzeDependency_only_warn_when_socket_error_from_sonatype() throws Exception {
         // Given
         OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowingSocketTimeout();
 
@@ -168,22 +165,21 @@ public void should_analyzeDependency_only_warn_when_socket_error_from_sonatype()
         dependency.addSoftwareIdentifier(identifier);
         Settings settings = getSettings();
         Engine engine = new Engine(settings);
-        engine.setDependencies(Collections.singletonList(dependency));
 
         // When
-        try {
+        try (engine) {
+            engine.setDependencies(Collections.singletonList(dependency));
             analyzer.analyzeDependency(dependency, engine);
         } catch (AnalysisException e) {
-            Assert.fail("Analysis exception thrown upon remote error although only a warning should have been logged");
+            fail("Analysis exception thrown upon remote error although only a warning should have been logged");
         } finally {
             analyzer.close();
-            engine.close();
         }
     }
 
 
     @Test
-    public void should_analyzeDependency_fail_when_socket_error_from_sonatype() throws Exception {
+    void should_analyzeDependency_fail_when_socket_error_from_sonatype() throws Exception {
         // Given
         OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowingSocketTimeout();
 
@@ -234,7 +230,7 @@ public ComponentReport requestComponentReport(PackageUrl coordinates) throws Exc
         }
 
         @Override
-        public void close() throws Exception {
+        public void close() {
 
         }
     }
@@ -259,7 +255,7 @@ public ComponentReport requestComponentReport(PackageUrl coordinates) throws Exc
         }
 
         @Override
-        public void close() throws Exception {
+        public void close() {
 
         }
     }
@@ -284,7 +280,7 @@ public ComponentReport requestComponentReport(PackageUrl coordinates) throws Exc
         }
 
         @Override
-        public void close() throws Exception {
+        public void close() {
 
         }
     }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PEAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PEAnalyzerTest.java
index 441ff498647..794c475e863 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PEAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PEAnalyzerTest.java
@@ -17,16 +17,10 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import org.junit.After;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -35,13 +29,18 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  * Tests for the PEAnalyzer.
  *
  * @author Jeremy Long
  *
  */
-public class PEAnalyzerTest extends BaseTest {
+class PEAnalyzerTest extends BaseTest {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(PEAnalyzerTest.class);
 
@@ -54,7 +53,7 @@ public class PEAnalyzerTest extends BaseTest {
      *
      * @throws Exception if anything goes sideways
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -68,12 +67,12 @@ public void setUp() throws Exception {
      * Tests to make sure the name is correct.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertEquals("PE Analyzer", analyzer.getName());
     }
 
     @Test
-    public void testAnalysis() throws Exception {
+    void testAnalysis() throws Exception {
         File f = BaseTest.getResourceAsFile(this, "log4net.dll");
 
         Dependency d = new Dependency(f);
@@ -85,7 +84,7 @@ public void testAnalysis() throws Exception {
         assertEquals("log4net", d.getName());
     }
 
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         try {
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PerlCpanfileAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PerlCpanfileAnalyzerTest.java
index f95c64ff916..4ff1d2f9195 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PerlCpanfileAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PerlCpanfileAnalyzerTest.java
@@ -17,29 +17,30 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.util.Arrays;
-import java.util.List;
-import org.junit.Test;
-import static org.junit.Assert.*;
-
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 /**
  *
  * @author jeremy long
  */
 @SuppressWarnings("unchecked")
-public class PerlCpanfileAnalyzerTest extends BaseTest {
+class PerlCpanfileAnalyzerTest extends BaseTest {
 
     /**
      * Test of getName method, of class PerlCpanfileAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         PerlCpanfileAnalyzer instance = new PerlCpanfileAnalyzer();
         String expResult = "Perl cpanfile Analyzer";
         String result = instance.getName();
@@ -50,7 +51,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class PerlCpanfileAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         PerlCpanfileAnalyzer instance = new PerlCpanfileAnalyzer();
         AnalysisPhase expResult = AnalysisPhase.INFORMATION_COLLECTION;
         AnalysisPhase result = instance.getAnalysisPhase();
@@ -62,7 +63,7 @@ public void testGetAnalysisPhase() {
      * PerlCpanfileAnalyzer.
      */
     @Test
-    public void testGetAnalyzerEnabledSettingKey() {
+    void testGetAnalyzerEnabledSettingKey() {
         PerlCpanfileAnalyzer instance = new PerlCpanfileAnalyzer();
         String expResult = Settings.KEYS.ANALYZER_CPANFILE_ENABLED;
         String result = instance.getAnalyzerEnabledSettingKey();
@@ -70,16 +71,14 @@ public void testGetAnalyzerEnabledSettingKey() {
     }
 
     @Test
-    public void testProcessFileContents() throws AnalysisException {
+    void testProcessFileContents() throws AnalysisException {
         Dependency d = new Dependency();
-        List<String> dependencyLines = Arrays.asList(new String[]{
-            "requires 'Plack', '1.0'",
-            "requires 'JSON', '>= 2.00, < 2.80'",
-            "requires 'Mojolicious::Plugin::ZAPI' => '>= 2.015",
-            "requires 'Hash::MoreUtils' => '>= 0.05",
-            "requires 'JSON::MaybeXS' => '>= 1.002004'",
-            "requires 'Test::MockModule'"
-        });
+        List<String> dependencyLines = Arrays.asList("requires 'Plack', '1.0'",
+                "requires 'JSON', '>= 2.00, < 2.80'",
+                "requires 'Mojolicious::Plugin::ZAPI' => '>= 2.015",
+                "requires 'Hash::MoreUtils' => '>= 0.05",
+                "requires 'JSON::MaybeXS' => '>= 1.002004'",
+                "requires 'Test::MockModule'");
         PerlCpanfileAnalyzer instance = new PerlCpanfileAnalyzer();
         Engine engine = new Engine(getSettings());
         instance.processFileContents(dependencyLines, "./cpanfile", engine);
@@ -88,10 +87,9 @@ public void testProcessFileContents() throws AnalysisException {
     }
 
     @Test
-    public void testProcessSingleFileContents() throws AnalysisException {
+    void testProcessSingleFileContents() throws AnalysisException {
         Dependency d = new Dependency();
-        List<String> dependencyLines = Arrays.asList(new String[]{
-            "requires 'JSON', '>= 2.00, < 2.80'",});
+        List<String> dependencyLines = Arrays.asList("requires 'JSON', '>= 2.00, < 2.80'");
         PerlCpanfileAnalyzer instance = new PerlCpanfileAnalyzer();
         Engine engine = new Engine(getSettings());
         instance.processFileContents(dependencyLines, "./cpanfile", engine);
@@ -104,10 +102,9 @@ public void testProcessSingleFileContents() throws AnalysisException {
     }
 
     @Test
-    public void testProcessDefaultZero() throws AnalysisException {
+    void testProcessDefaultZero() throws AnalysisException {
         Dependency d = new Dependency();
-        List<String> dependencyLines = Arrays.asList(new String[]{
-            "requires 'JSON'",});
+        List<String> dependencyLines = Arrays.asList("requires 'JSON'");
         PerlCpanfileAnalyzer instance = new PerlCpanfileAnalyzer();
         Engine engine = new Engine(getSettings());
         instance.processFileContents(dependencyLines, "./cpanfile", engine);
@@ -121,24 +118,24 @@ public void testProcessDefaultZero() throws AnalysisException {
 
     @Test
     @SuppressWarnings("unchecked")
-    public void testPrepareContent() {
+    void testPrepareContent() {
         PerlCpanfileAnalyzer instance = new PerlCpanfileAnalyzer();
         String content = "requires 'JSON'; #any version";
-        List<String> expResult = Arrays.asList(new String[]{"requires 'JSON'"});
+        List<String> expResult = Arrays.asList("requires 'JSON'");
         List<String> result = instance.prepareContents(content);
         assertEquals(expResult, result);
 
         content = "requires 'JSON'; requires 'XML';";
-        expResult = Arrays.asList(new String[]{"requires 'JSON'", "requires 'XML'"});
+        expResult = Arrays.asList("requires 'JSON'", "requires 'XML'");
         result = instance.prepareContents(content);
         assertEquals(expResult, result);
         content = "requires 'JSON';\n     requires 'XML';";
-        expResult = Arrays.asList(new String[]{"requires 'JSON'", "requires 'XML'"});
+        expResult = Arrays.asList("requires 'JSON'", "requires 'XML'");
         result = instance.prepareContents(content);
         assertEquals(expResult, result);
 
         content = "requires 'JSON';# requires 'XML';";
-        expResult = Arrays.asList(new String[]{"requires 'JSON'"});
+        expResult = Arrays.asList("requires 'JSON'");
         result = instance.prepareContents(content);
         assertEquals(expResult, result);
     }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzerTest.java
index c339e4234ae..873caae6545 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PinnedMavenInstallAnalyzerTest.java
@@ -18,26 +18,25 @@
 package org.owasp.dependencycheck.analyzer;
 
 import org.apache.commons.lang3.ArrayUtils;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvd.ecosystem.Ecosystem;
 import org.owasp.dependencycheck.dependency.Dependency;
 
 import java.io.File;
 
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for {@link PinnedMavenInstallAnalyzer}.
  */
-public class PinnedMavenInstallAnalyzerTest extends BaseDBTestCase {
+class PinnedMavenInstallAnalyzerTest extends BaseDBTestCase {
 
     /**
      * The analyzer to test.
@@ -49,7 +48,7 @@ public class PinnedMavenInstallAnalyzerTest extends BaseDBTestCase {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -64,7 +63,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -72,19 +71,19 @@ public void tearDown() throws Exception {
     }
 
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertEquals("Pinned Maven install Analyzer", analyzer.getName());
     }
 
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertTrue(analyzer.accept(new File("install_maven.json")));
         assertTrue(analyzer.accept(new File("maven_install.json")));
         assertTrue(analyzer.accept(new File("maven_install_v010.json")));
         assertTrue(analyzer.accept(new File("maven_install_v2.json")));
         assertTrue(analyzer.accept(new File("rules_jvm_external_install.json")));
         assertTrue(analyzer.accept(new File("pinned_install_gplonly.json")));
-        assertFalse("should not accept Cloudflare install.json", analyzer.accept(new File("install.json")));
+        assertFalse(analyzer.accept(new File("install.json")), "should not accept Cloudflare install.json");
         assertFalse(analyzer.accept(new File("maven_install.txt")));
         assertFalse(analyzer.accept(new File("pinned.json")));
         assertFalse(analyzer.accept(new File("install.json.zip")));
@@ -94,7 +93,7 @@ public void testSupportsFiles() {
      * Tests that the analyzer correctly pulls dependencies out of a pinned v0.1.0 {@code maven_install.json}.
      */
     @Test
-    public void testAnalyzePinnedInstallJsonV010() throws Exception {
+    void testAnalyzePinnedInstallJsonV010() throws Exception {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "maven_install_v010.json"));
             engine.addDependency(result);
@@ -109,7 +108,7 @@ public void testAnalyzePinnedInstallJsonV010() throws Exception {
                     assertEquals(Ecosystem.JAVA, d.getEcosystem());
                 }
             }
-            assertTrue("Expected to find com.google.errorprone:error_prone_annotations:2.3.4", found);
+            assertTrue(found, "Expected to find com.google.errorprone:error_prone_annotations:2.3.4");
         }
     }
 
@@ -117,7 +116,7 @@ public void testAnalyzePinnedInstallJsonV010() throws Exception {
      * Tests that the analyzer correctly pulls dependencies out of a pinned v2 {@code maven_install.json}.
      */
     @Test
-    public void testAnalyzePinnedInstallJsonV2() throws Exception {
+    void testAnalyzePinnedInstallJsonV2() throws Exception {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "maven_install_v2.json"));
             engine.addDependency(result);
@@ -132,7 +131,7 @@ public void testAnalyzePinnedInstallJsonV2() throws Exception {
                     assertEquals(Ecosystem.JAVA, d.getEcosystem());
                 }
             }
-            assertTrue("Expected to find com.google.errorprone:error_prone_annotations:2.3.4", found);
+            assertTrue(found, "Expected to find com.google.errorprone:error_prone_annotations:2.3.4");
         }
     }
 
@@ -140,7 +139,7 @@ public void testAnalyzePinnedInstallJsonV2() throws Exception {
      * Tests that the analyzer ignores a Cloudflare-style {@code install.json}.
      */
     @Test
-    public void testAnalyzeOtherInstallJson() throws Exception {
+    void testAnalyzeOtherInstallJson() throws Exception {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "install.json"));
             engine.addDependency(result);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerIT.java
index c2b8b6fa666..00b8d5697e3 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerIT.java
@@ -1,27 +1,26 @@
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Assume;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
 /**
  *
  * @author anupamjuniwal
  */
-public class PipAnalyzerIT extends BaseTest {
+class PipAnalyzerIT extends BaseTest {
     private static final Logger LOGGER = LoggerFactory.getLogger(PipAnalyzerIT.class);
 
     /**
@@ -34,7 +33,7 @@ public class PipAnalyzerIT extends BaseTest {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -49,7 +48,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         if (analyzer != null) {
@@ -66,13 +65,13 @@ public void tearDown() throws Exception {
      * @throws AnalysisException thrown if there is a problem
      */
     @Test
-    public void testAnalyzePipAnalyzer() throws AnalysisException{
+    void testAnalyzePipAnalyzer() throws AnalysisException{
         try (Engine engine = new Engine(getSettings())) {
             analyzer.prepare(engine);
             final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, "requirements.txt"));
             analyzer.analyze(toScan, engine);
             boolean found = false;
-            assertTrue("More then 1 dependency should be identified", 1 < engine.getDependencies().length);
+            assertTrue(1 < engine.getDependencies().length, "More then 1 dependency should be identified");
             for (Dependency result : engine.getDependencies()) {
                 if ("PyYAML".equals(result.getName())) {
                     found = true;
@@ -82,10 +81,10 @@ public void testAnalyzePipAnalyzer() throws AnalysisException{
                     assertTrue(result.isVirtual());
                 }
             }
-            assertTrue("Expeced to find PyYAML", found);
+            assertTrue(found, "Expeced to find PyYAML");
         } catch (InitializationException ex) {
             //yarn is not installed - skip the test case.
-            Assume.assumeNoException(ex);
+            assumeTrue(false, ex.toString());
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerTest.java
index 331b13b115d..bbbf54679a0 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipAnalyzerTest.java
@@ -17,9 +17,10 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.apache.commons.lang3.ArrayUtils;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
@@ -27,18 +28,17 @@
 import org.owasp.dependencycheck.dependency.Dependency;
 
 import java.io.File;
-import org.apache.commons.lang3.ArrayUtils;
 
-import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for PipAnalyzerTest.
  */
-public class PipAnalyzerTest extends BaseDBTestCase {
+class PipAnalyzerTest extends BaseDBTestCase {
 
     /**
      * The analyzer to test.
@@ -50,7 +50,7 @@ public class PipAnalyzerTest extends BaseDBTestCase {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -65,7 +65,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -76,7 +76,7 @@ public void tearDown() throws Exception {
      * Test of getName method, of class PipAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertEquals("pip Analyzer", analyzer.getName());
     }
 
@@ -84,7 +84,7 @@ public void testGetName() {
      * Test of supportsExtension method, of class PipAnalyzer.
      */
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertTrue(analyzer.accept(new File("requirements.txt")));
         assertFalse(analyzer.accept(new File("requirements2.txt")));
         assertFalse(analyzer.accept(new File("requirements.py")));
@@ -97,7 +97,7 @@ public void testSupportsFiles() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzePackageJson() throws Exception {
+    void testAnalyzePackageJson() throws Exception {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "requirements.txt"));
             engine.addDependency(result);
@@ -120,8 +120,8 @@ public void testAnalyzePackageJson() throws Exception {
                     assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
                 }
             }
-            assertTrue("Expected to find PyYAML", foundPyYAML);
-            assertTrue("Expected to find cryptography", foundCryptography);
+            assertTrue(foundPyYAML, "Expected to find PyYAML");
+            assertTrue(foundCryptography, "Expected to find cryptography");
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzerTest.java
index f19c62fad24..3c026897bcf 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfileAnalyzerTest.java
@@ -17,9 +17,10 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.apache.commons.lang3.ArrayUtils;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
@@ -27,18 +28,17 @@
 import org.owasp.dependencycheck.dependency.Dependency;
 
 import java.io.File;
-import org.apache.commons.lang3.ArrayUtils;
 
-import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for PipAnalyzerTest.
  */
-public class PipfileAnalyzerTest extends BaseDBTestCase {
+class PipfileAnalyzerTest extends BaseDBTestCase {
 
     /**
      * The analyzer to test.
@@ -50,7 +50,7 @@ public class PipfileAnalyzerTest extends BaseDBTestCase {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -65,7 +65,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -76,7 +76,7 @@ public void tearDown() throws Exception {
      * Test of getName method, of class PipAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertEquals("Pipfile Analyzer", analyzer.getName());
     }
 
@@ -84,7 +84,7 @@ public void testGetName() {
      * Test of supportsExtension method, of class PipAnalyzer.
      */
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertTrue(analyzer.accept(new File("Pipfile")));
         assertFalse(analyzer.accept(new File("Pipfile.lock")));
     }
@@ -95,7 +95,7 @@ public void testSupportsFiles() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzePackageJson() throws Exception {
+    void testAnalyzePackageJson() throws Exception {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "Pipfile"));
             engine.addDependency(result);
@@ -118,8 +118,8 @@ public void testAnalyzePackageJson() throws Exception {
                     assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
                 }
             }
-            assertTrue("Expeced to find urllib3", foundUrllib3);
-            assertTrue("Expeced to find cryptography", foundCryptography);
+            assertTrue(foundUrllib3, "Expeced to find urllib3");
+            assertTrue(foundCryptography, "Expeced to find cryptography");
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfilelockAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfilelockAnalyzerTest.java
index 7410909dbfe..33a5eae223a 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfilelockAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PipfilelockAnalyzerTest.java
@@ -17,28 +17,27 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.apache.commons.lang3.ArrayUtils;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 
 import java.io.File;
-import org.apache.commons.lang3.ArrayUtils;
 
-import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for PipfilelockAnalyzerTest.
  */
-public class PipfilelockAnalyzerTest extends BaseDBTestCase {
+class PipfilelockAnalyzerTest extends BaseDBTestCase {
 
     /**
      * The analyzer to test.
@@ -50,7 +49,7 @@ public class PipfilelockAnalyzerTest extends BaseDBTestCase {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -65,7 +64,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -76,7 +75,7 @@ public void tearDown() throws Exception {
      * Test of getName method, of class PipAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertEquals("Pipfile.lock Analyzer", analyzer.getName());
     }
 
@@ -84,13 +83,13 @@ public void testGetName() {
      * Test of supportsExtension method, of class PipAnalyzer.
      */
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertFalse(analyzer.accept(new File("Pipfile")));
         assertTrue(analyzer.accept(new File("Pipfile.lock")));
     }
 
     @Test
-    public void testAnalyzePackageLock() throws Exception {
+    void testAnalyzePackageLock() throws Exception {
         try (Engine engine = new Engine(getSettings())) {
             final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "pip/Pipfile.lock"));
             engine.addDependency(result);
@@ -107,7 +106,7 @@ public void testAnalyzePackageLock() throws Exception {
                     break;
                 }
             }
-            assertTrue("Expeced to find urllib3", found);
+            assertTrue(found, "Expeced to find urllib3");
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzerIT.java
index 1a896c01f3f..f3ec07d1563 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzerIT.java
@@ -1,7 +1,7 @@
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Assume;
-import org.junit.Test;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -9,14 +9,14 @@
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
 
-import static org.junit.Assert.assertTrue;
-import org.junit.Ignore;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
-public class PnpmAuditAnalyzerIT extends BaseTest {
+class PnpmAuditAnalyzerIT extends BaseTest {
 
     @Test
-    @Ignore("unfortunately pnpm and brew are somewhat broken on my machine atm...")
-    public void testAnalyzePackagePnpm() throws AnalysisException {
+    @Disabled("unfortunately pnpm and brew are somewhat broken on my machine atm...")
+    void testAnalyzePackagePnpm() throws AnalysisException {
 
         try (Engine engine = new Engine(getSettings())) {
             PnpmAuditAnalyzer analyzer = new PnpmAuditAnalyzer();
@@ -27,7 +27,7 @@ public void testAnalyzePackagePnpm() throws AnalysisException {
             final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, "pnpmaudit/pnpm-lock.yaml"));
             analyzer.analyze(toScan, engine);
             boolean found = false;
-            assertTrue("More than 1 dependency should be identified", 1 < engine.getDependencies().length);
+            assertTrue(1 < engine.getDependencies().length, "More than 1 dependency should be identified");
             for (Dependency result : engine.getDependencies()) {
                 if ("pnpm-lock.yaml?dns-sync".equals(result.getFileName())) {
                     found = true;
@@ -36,10 +36,10 @@ public void testAnalyzePackagePnpm() throws AnalysisException {
                     assertTrue(result.isVirtual());
                 }
             }
-            assertTrue("dns-sync was not found", found);
+            assertTrue(found, "dns-sync was not found");
         } catch (InitializationException ex) {
             //yarn is not installed - skip the test case.
-            Assume.assumeNoException(ex);
+            assumeTrue(false, ex.toString());
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzerTest.java
index 3a9382835f4..faf000c38a6 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PnpmAuditAnalyzerTest.java
@@ -3,29 +3,24 @@
 import org.apache.commons.io.IOUtils;
 import org.json.JSONException;
 import org.json.JSONObject;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nodeaudit.Advisory;
 import org.owasp.dependencycheck.data.nodeaudit.NpmAuditParser;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.utils.Settings;
 
 import java.io.File;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
-import java.util.Properties;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
-public class PnpmAuditAnalyzerTest extends BaseTest
+class PnpmAuditAnalyzerTest extends BaseTest
 {
 
     @Test
-    public void testNpmAuditParserCompatibility() throws IOException, JSONException
+    void testNpmAuditParserCompatibility() throws IOException, JSONException
     {
         NpmAuditParser npmAuditParser = new NpmAuditParser();
         JSONObject vulnsAuditJson = new JSONObject(IOUtils.toString(getResourceAsStream(this, "pnpmaudit/pnpm-audit.json"), StandardCharsets.UTF_8));
@@ -34,7 +29,7 @@ public void testNpmAuditParserCompatibility() throws IOException, JSONException
     }
 
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         PnpmAuditAnalyzer analyzer = new PnpmAuditAnalyzer();
         assertThat(analyzer.accept(new File("package-lock.json")), is(false));
         assertThat(analyzer.accept(new File("npm-shrinkwrap.json")), is(false));
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java
index faf7ee120ab..31d6d266dbf 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PoetryAnalyzerTest.java
@@ -15,28 +15,29 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.hamcrest.MatcherAssert.assertThat;
-
-import java.io.File;
-
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 
-public class PoetryAnalyzerTest extends BaseTest {
+import java.io.File;
+
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class PoetryAnalyzerTest extends BaseTest {
 
     private PoetryAnalyzer analyzer;
     private Engine engine;
 
     @Override
-    @Before
+    @BeforeEach
     public void setUp() throws Exception {
         super.setUp();
         analyzer = new PoetryAnalyzer();
@@ -44,18 +45,19 @@ public void setUp() throws Exception {
     }
 
     @Test
-    public void testName() {
-        assertEquals("Analyzer name wrong.", "Poetry Analyzer",
-                analyzer.getName());
+    void testName() {
+        assertEquals("Poetry Analyzer",
+                analyzer.getName(),
+                "Analyzer name wrong.");
     }
 
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertThat(analyzer.accept(new File("poetry.lock")), is(true));
     }
 
     @Test
-    public void testPoetryLock() throws AnalysisException {
+    void testPoetryLock() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "poetry.lock"));
         analyzer.analyze(result, engine);
         assertEquals(88, engine.getDependencies().length);
@@ -68,27 +70,28 @@ public void testPoetryLock() throws AnalysisException {
                 assertEquals(PythonDistributionAnalyzer.DEPENDENCY_ECOSYSTEM, d.getEcosystem());
             }
         }
-        assertTrue("Expeced to find PyYAML", found);
+        assertTrue(found, "Expeced to find PyYAML");
     }
 
     @Test
-    public void testPyprojectToml() throws AnalysisException {
+    void testPyprojectToml() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "python-myproject-toml/pyproject.toml"));
         //returns with no error.
         analyzer.analyze(result, engine);
     }
 
     @Test
-    public void testNodeGypToml() throws AnalysisException {
+    void testNodeGypToml() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "node-gyp-toml/pyproject.toml"));
         //returns with no error.
         analyzer.analyze(result, engine);
     }
 
-    @Test(expected = AnalysisException.class)
-    public void testPoetryToml() throws AnalysisException {
+    @Test
+    void testPoetryToml() {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this, "python-poetry-toml/pyproject.toml"));
-        //causes an exception.
-        analyzer.analyze(result, engine);
+        assertThrows(AnalysisException.class, () ->
+            //causes an exception.
+            analyzer.analyze(result, engine));
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java
index 3a2ba7c8c1c..0266853e71b 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java
@@ -17,27 +17,27 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 import java.io.File;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.owasp.dependencycheck.dependency.EvidenceType;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for PythonDistributionAnalyzer.
  *
  * @author Dale Visser
  */
-public class PythonDistributionAnalyzerTest extends BaseTest {
+class PythonDistributionAnalyzerTest extends BaseTest {
 
     /**
      * The analyzer to test.
@@ -49,7 +49,7 @@ public class PythonDistributionAnalyzerTest extends BaseTest {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -64,7 +64,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -75,39 +75,36 @@ public void tearDown() throws Exception {
      * Test of getName method, of class PythonDistributionAnalyzer.
      */
     @Test
-    public void testGetName() {
-        assertEquals("Analyzer name wrong.", "Python Distribution Analyzer",
-                analyzer.getName());
+    void testGetName() {
+        assertEquals("Python Distribution Analyzer",
+                analyzer.getName(),
+                "Analyzer name wrong.");
     }
 
     /**
      * Test of supportsExtension method, of class PythonDistributionAnalyzer.
      */
     @Test
-    public void testSupportsFiles() {
-        assertTrue("Should support \"whl\" extension.",
-                analyzer.accept(new File("test.whl")));
-        assertTrue("Should support \"egg\" extension.",
-                analyzer.accept(new File("test.egg")));
-        assertTrue("Should support \"zip\" extension.",
-                analyzer.accept(new File("test.zip")));
-        assertTrue("Should support \"METADATA\" extension.",
-                analyzer.accept(new File("METADATA")));
-        assertTrue("Should support \"PKG-INFO\" extension.",
-                analyzer.accept(new File("PKG-INFO")));
+    void testSupportsFiles() {
+        assertTrue(analyzer.accept(new File("test.whl")),
+                "Should support \"whl\" extension.");
+        assertTrue(analyzer.accept(new File("test.egg")),
+                "Should support \"egg\" extension.");
+        assertTrue(analyzer.accept(new File("test.zip")),
+                "Should support \"zip\" extension.");
+        assertTrue(analyzer.accept(new File("METADATA")),
+                "Should support \"METADATA\" extension.");
+        assertTrue(analyzer.accept(new File("PKG-INFO")),
+                "Should support \"PKG-INFO\" extension.");
     }
 
     /**
      * Test of inspect method, of class PythonDistributionAnalyzer.
      */
     @Test
-    public void testAnalyzeWheel() {
-        try {
-            djangoAssertions(new Dependency(BaseTest.getResourceAsFile(this,
-                    "python/Django-1.7.2-py2.py3-none-any.whl")));
-        } catch (AnalysisException ex) {
-            fail(ex.getMessage());
-        }
+    void testAnalyzeWheel() {
+        assertDoesNotThrow(() -> djangoAssertions(new Dependency(BaseTest.getResourceAsFile(this,
+                "python/Django-1.7.2-py2.py3-none-any.whl"))));
     }
 
     /**
@@ -116,7 +113,7 @@ public void testAnalyzeWheel() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeSitePackage() throws AnalysisException {
+    void testAnalyzeSitePackage() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this, "python/site-packages/Django-1.7.2.dist-info/METADATA"));
         djangoAssertions(result);
@@ -126,15 +123,15 @@ private void djangoAssertions(final Dependency result)
             throws AnalysisException {
         boolean found = false;
         analyzer.analyze(result, null);
-        assertTrue("Expected vendor evidence to contain \"djangoproject\".",
-                result.getEvidence(EvidenceType.VENDOR).toString().contains("djangoproject"));
+        assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("djangoproject"),
+                "Expected vendor evidence to contain \"djangoproject\".");
         for (final Evidence e : result.getEvidence(EvidenceType.VERSION)) {
             if ("Version".equals(e.getName()) && "1.7.2".equals(e.getValue())) {
                 found = true;
                 break;
             }
         }
-        assertTrue("Version 1.7.2 not found in Django dependency.", found);
+        assertTrue(found, "Version 1.7.2 not found in Django dependency.");
         assertEquals("1.7.2",result.getVersion());
         assertEquals("Django",result.getName());
         assertEquals("Django:1.7.2",result.getDisplayFileName());
@@ -142,55 +139,39 @@ private void djangoAssertions(final Dependency result)
     }
 
     @Test
-    public void testAnalyzeEggInfoFolder() {
-        try {
-            eggtestAssertions(this, "python/site-packages/EggTest.egg-info/PKG-INFO");
-        } catch (AnalysisException ex) {
-            fail(ex.getMessage());
-        }
+    void testAnalyzeEggInfoFolder() {
+        assertDoesNotThrow(() -> eggtestAssertions(this, "python/site-packages/EggTest.egg-info/PKG-INFO"));
     }
 
     @Test
-    public void testAnalyzeEggArchive() {
-        try {
-            eggtestAssertions(this, "python/dist/EggTest-0.0.1-py2.7.egg");
-        } catch (AnalysisException ex) {
-            fail(ex.getMessage());
-        }
+    void testAnalyzeEggArchive() {
+        assertDoesNotThrow(() -> eggtestAssertions(this, "python/dist/EggTest-0.0.1-py2.7.egg"));
     }
 
     @Test
-    public void testAnalyzeEggArchiveNamedZip() {
-        try {
-            eggtestAssertions(this, "python/dist/EggTest-0.0.1-py2.7.zip");
-        } catch (AnalysisException ex) {
-            fail(ex.getMessage());
-        }
+    void testAnalyzeEggArchiveNamedZip() {
+        assertDoesNotThrow(() -> eggtestAssertions(this, "python/dist/EggTest-0.0.1-py2.7.zip"));
     }
 
     @Test
-    public void testAnalyzeEggFolder() {
-        try {
-            eggtestAssertions(this, "python/site-packages/EggTest-0.0.1-py2.7.egg/EGG-INFO/PKG-INFO");
-        } catch (AnalysisException ex) {
-            fail(ex.getMessage());
-        }
+    void testAnalyzeEggFolder() {
+        assertDoesNotThrow(() -> eggtestAssertions(this, "python/site-packages/EggTest-0.0.1-py2.7.egg/EGG-INFO/PKG-INFO"));
     }
 
-    public void eggtestAssertions(Object context, final String resource) throws AnalysisException {
+    private void eggtestAssertions(Object context, final String resource) throws AnalysisException {
         boolean found = false;
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 context, resource));
         analyzer.analyze(result, null);
-        assertTrue("Expected vendor evidence to contain \"example\".", result
-                .getEvidence(EvidenceType.VENDOR).toString().contains("example"));
+        assertTrue(result
+                .getEvidence(EvidenceType.VENDOR).toString().contains("example"), "Expected vendor evidence to contain \"example\".");
         for (final Evidence e : result.getEvidence(EvidenceType.VERSION)) {
             if ("0.0.1".equals(e.getValue())) {
                 found = true;
                 break;
             }
         }
-        assertTrue("Version 0.0.1 not found in EggTest dependency.", found);
+        assertTrue(found, "Version 0.0.1 not found in EggTest dependency.");
         assertEquals("0.0.1",result.getVersion());
         assertEquals("EggTest",result.getName());
         assertEquals("EggTest:0.0.1",result.getDisplayFileName());
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
index 165db83cb49..2767701adaf 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java
@@ -17,26 +17,26 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 import java.io.File;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import org.owasp.dependencycheck.dependency.EvidenceType;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for PythonPackageAnalyzer.
  *
  * @author Dale Visser
  */
-public class PythonPackageAnalyzerTest extends BaseTest {
+class PythonPackageAnalyzerTest extends BaseTest {
 
     /**
      * The package analyzer to test.
@@ -48,7 +48,7 @@ public class PythonPackageAnalyzerTest extends BaseTest {
      *
      * @throws Exception if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -63,7 +63,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -74,35 +74,36 @@ public void tearDown() throws Exception {
      * Test of getName method, of class PythonPackageAnalyzer.
      */
     @Test
-    public void testGetName() {
-        assertEquals("Analyzer name wrong.", "Python Package Analyzer",
-                analyzer.getName());
+    void testGetName() {
+        assertEquals("Python Package Analyzer",
+                analyzer.getName(),
+                "Analyzer name wrong.");
     }
 
     /**
      * Test of supportsExtension method, of class PythonPackageAnalyzer.
      */
     @Test
-    public void testSupportsFileExtension() {
-        assertTrue("Should support \"py\" extension.",
-                analyzer.accept(new File("test.py")));
+    void testSupportsFileExtension() {
+        assertTrue(analyzer.accept(new File("test.py")),
+                "Should support \"py\" extension.");
     }
 
     @Test
-    public void testAnalyzeSourceMetadata() throws AnalysisException {
+    void testAnalyzeSourceMetadata() throws AnalysisException {
         boolean found = false;
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(
                 this, "python/eggtest/__init__.py"));
         analyzer.analyze(result, null);
-        assertTrue("Expected vendor evidence to contain \"example\".", 
-                result.getEvidence(EvidenceType.VENDOR).toString().contains("example"));
+        assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("example"),
+                "Expected vendor evidence to contain \"example\".");
         for (final Evidence e : result.getEvidence(EvidenceType.VERSION)) {
             if ("0.0.1".equals(e.getValue())) {
                 found = true;
                 break;
             }
         }
-        assertTrue("Version 0.0.1 not found in EggTest dependency.", found);
+        assertTrue(found, "Version 0.0.1 not found in EggTest dependency.");
         assertEquals("0.0.1",result.getVersion());
         assertEquals("eggtest",result.getName());
         assertEquals("eggtest:0.0.1",result.getDisplayFileName());
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerFiltersTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerFiltersTest.java
index 0d7d249ed7e..9b9c24c6b62 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerFiltersTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerFiltersTest.java
@@ -17,20 +17,21 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.update.RetireJSDataSource;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
+
 import java.io.File;
 import java.util.List;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.BaseDBTestCase;
-import org.owasp.dependencycheck.data.update.RetireJSDataSource;
 
-public class RetireJsAnalyzerFiltersTest extends BaseDBTestCase {
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class RetireJsAnalyzerFiltersTest extends BaseDBTestCase {
 
     /**
      * Test of filters method.
@@ -38,7 +39,7 @@ public class RetireJsAnalyzerFiltersTest extends BaseDBTestCase {
      * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testFilters() throws Exception {
+    void testFilters() throws Exception {
 
         String[] filter = {"jQuery JavaScript Library"};
         getSettings().setArrayIfNotEmpty(Settings.KEYS.ANALYZER_RETIREJS_FILTERS, filter);
@@ -63,7 +64,7 @@ public void testFilters() throws Exception {
             //remove non-vulnerable
             file = BaseTest.getResourceAsFile(this, "javascript/custom.js");
             scanned = engine.scan(file);
-            assertTrue(scanned.size() == 1);
+            assertEquals(1, scanned.size());
             assertEquals(1, engine.getDependencies().length);
             analyzer.analyze(scanned.get(0), engine);
             assertEquals(0, engine.getDependencies().length);
@@ -71,7 +72,7 @@ public void testFilters() throws Exception {
             //kept because it is does not match the filter and is vulnerable
             file = BaseTest.getResourceAsFile(this, "javascript/ember.js");
             scanned = engine.scan(file);
-            assertTrue(scanned.size() == 1);
+            assertEquals(1, scanned.size());
             assertEquals(1, engine.getDependencies().length);
             analyzer.analyze(scanned.get(0), engine);
             assertEquals(1, engine.getDependencies().length);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerIT.java
index 913ae225548..b66467cdf6d 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/RetireJsAnalyzerIT.java
@@ -17,11 +17,13 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.update.RetireJSDataSource;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.dependency.EvidenceType;
@@ -32,18 +34,15 @@
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import org.owasp.dependencycheck.BaseDBTestCase;
-import org.owasp.dependencycheck.data.update.RetireJSDataSource;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
-public class RetireJsAnalyzerIT extends BaseDBTestCase {
+class RetireJsAnalyzerIT extends BaseDBTestCase {
 
     private RetireJsAnalyzer analyzer;
     private Engine engine;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -57,7 +56,7 @@ public void setUp() throws Exception {
         analyzer.prepare(engine);
     }
 
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -66,7 +65,7 @@ public void tearDown() throws Exception {
     }
 
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertThat(analyzer.getName(), is("RetireJS Analyzer"));
     }
 
@@ -74,11 +73,11 @@ public void testGetName() {
      * Test of getSupportedExtensions method.
      */
     @Test
-    public void testAcceptSupportedExtensions() throws Exception {
+    void testAcceptSupportedExtensions() {
         analyzer.setEnabled(true);
         String[] files = {"test.js", "test.min.js"};
         for (String name : files) {
-            assertTrue(name, analyzer.accept(new File(name)));
+            assertTrue(analyzer.accept(new File(name)), name);
         }
     }
 
@@ -86,7 +85,7 @@ public void testAcceptSupportedExtensions() throws Exception {
      * Test of getAnalysisPhase method.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         AnalysisPhase expResult = AnalysisPhase.FINDING_ANALYSIS;
         AnalysisPhase result = analyzer.getAnalysisPhase();
         assertEquals(expResult, result);
@@ -96,7 +95,7 @@ public void testGetAnalysisPhase() {
      * Test of getAnalyzerEnabledSettingKey method.
      */
     @Test
-    public void testGetAnalyzerEnabledSettingKey() {
+    void testGetAnalyzerEnabledSettingKey() {
         String expResult = Settings.KEYS.ANALYZER_RETIREJS_ENABLED;
         String result = analyzer.getAnalyzerEnabledSettingKey();
         assertEquals(expResult, result);
@@ -108,7 +107,7 @@ public void testGetAnalyzerEnabledSettingKey() {
      * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testJquery() throws Exception {
+    void testJquery() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "javascript/jquery-1.6.2.js");
         Dependency dependency = new Dependency(file);
         analyzer.analyze(dependency, engine);
@@ -138,7 +137,7 @@ public void testJquery() throws Exception {
      * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testAngular() throws Exception {
+    void testAngular() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "javascript/angular.safe.js");
         Dependency dependency = new Dependency(file);
         analyzer.analyze(dependency, engine);
@@ -156,8 +155,8 @@ public void testAngular() throws Exception {
         assertEquals("version", version.getName());
         assertEquals("1.2.27", version.getValue());
 
-        assertTrue("At leats 6 vulnerabilities should be detected",
-                dependency.getVulnerabilities().size() >= 6);
+        assertTrue(dependency.getVulnerabilities().size() >= 6,
+                "At leats 6 vulnerabilities should be detected");
         assertTrue(dependency.getVulnerabilities().contains(new Vulnerability("Universal CSP bypass via add-on in Firefox")));
         assertTrue(dependency.getVulnerabilities().contains(new Vulnerability("XSS in $sanitize in Safari/Firefox")));
         assertTrue(dependency.getVulnerabilities().contains(new Vulnerability("DOS in $sanitize")));
@@ -170,7 +169,7 @@ public void testAngular() throws Exception {
      * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testEmber() throws Exception {
+    void testEmber() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "javascript/ember.js");
         Dependency dependency = new Dependency(file);
         analyzer.analyze(dependency, engine);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerIT.java
index 51ff3b93da1..1dd96d9d346 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerIT.java
@@ -17,39 +17,40 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-
-import org.junit.After;
-import org.junit.Assume;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.exception.InitializationException;
+
+import java.io.File;
+
 import static org.hamcrest.CoreMatchers.is;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.owasp.dependencycheck.dependency.EvidenceType;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
 /**
  * Unit tests for {@link RubyBundleAuditAnalyzer}.
  *
  * @author Dale Visser
  */
-public class RubyBundleAuditAnalyzerIT extends BaseDBTestCase {
+class RubyBundleAuditAnalyzerIT extends BaseDBTestCase {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzerIT.class);
 
@@ -63,7 +64,7 @@ public class RubyBundleAuditAnalyzerIT extends BaseDBTestCase {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -80,7 +81,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         if (analyzer != null) {
@@ -94,7 +95,7 @@ public void tearDown() throws Exception {
      * Test Ruby Gemspec name.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertThat(analyzer.getName(), is("Ruby Bundle Audit Analyzer"));
     }
 
@@ -102,17 +103,16 @@ public void testGetName() {
      * Test Ruby Bundler Audit file support.
      */
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertThat(analyzer.accept(new File("Gemfile.lock")), is(true));
     }
 
     /**
      * Test Ruby BundlerAudit analysis.
      *
-     * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalysis() throws AnalysisException, DatabaseException {
+    void testAnalysis() throws DatabaseException {
         try (Engine engine = new Engine(getSettings())) {
             engine.openDatabase();
             analyzer.prepare(engine);
@@ -132,11 +132,11 @@ public void testAnalysis() throws AnalysisException, DatabaseException {
                     break;
                 }
             }
-            assertTrue("redcarpet was not identified", found);
+            assertTrue(found, "redcarpet was not identified");
 
         } catch (InitializationException | DatabaseException | AnalysisException e) {
             LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".");
-            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
+            assumeTrue(false, "Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set: " + e);
         }
     }
 
@@ -144,7 +144,7 @@ public void testAnalysis() throws AnalysisException, DatabaseException {
      * Test Ruby addCriticalityToVulnerability
      */
     @Test
-    public void testAddCriticalityToVulnerability() throws AnalysisException, DatabaseException {
+    void testAddCriticalityToVulnerability() throws DatabaseException {
         try (Engine engine = new Engine(getSettings())) {
             engine.doUpdates(true);
             analyzer.prepare(engine);
@@ -162,20 +162,19 @@ public void testAddCriticalityToVulnerability() throws AnalysisException, Databa
                     break;
                 }
             }
-            assertTrue("CVE-2015-3225 was not found among the vulnerabilities",found);
+            assertTrue(found,"CVE-2015-3225 was not found among the vulnerabilities");
         } catch (InitializationException | DatabaseException | AnalysisException | UpdateException e) {
             LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".");
-            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
+            assumeTrue(false, "Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set: " + e);
         }
     }
 
     /**
      * Test when Ruby bundle-audit is not available on the system.
      *
-     * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testInvalidBundleAudit() throws AnalysisException, DatabaseException {
+    void testInvalidBundleAudit() throws DatabaseException {
 
         String path = BaseTest.getResourceAsFile(this, "ruby/invalid-bundle-audit").getAbsolutePath();
         getSettings().setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, path);
@@ -195,11 +194,10 @@ public void testInvalidBundleAudit() throws AnalysisException, DatabaseException
     /**
      * Test Ruby dependencies and their paths.
      *
-     * @throws AnalysisException is thrown when an exception occurs.
      * @throws DatabaseException thrown when an exception occurs
      */
     @Test
-    public void testDependenciesPath() throws AnalysisException, DatabaseException {
+    void testDependenciesPath() throws DatabaseException {
         try (Engine engine = new Engine(getSettings())) {
             try {
                 engine.scan(BaseTest.getResourceAsFile(this, "ruby/vulnerable/gems/rails-4.1.15/"));
@@ -208,7 +206,7 @@ public void testDependenciesPath() throws AnalysisException, DatabaseException {
                 LOGGER.error("NPE", ex);
                 fail(ex.getMessage());
             } catch (ExceptionCollection ex) {
-                Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", ex);
+                assumeTrue(false, "Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set: " + ex);
                 return;
             }
             Dependency[] dependencies = engine.getDependencies();
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java
index ce4ef9e3019..a700672df2a 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzerTest.java
@@ -17,27 +17,27 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 import java.io.File;
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertEquals;
-import org.owasp.dependencycheck.dependency.EvidenceType;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  * Unit tests for {@link RubyBundlerAnalyzer}.
  *
  * @author Bianca Jiang
  */
-public class RubyBundlerAnalyzerTest extends BaseTest {
+class RubyBundlerAnalyzerTest extends BaseTest {
 
     /**
      * The analyzer to test.
@@ -49,7 +49,7 @@ public class RubyBundlerAnalyzerTest extends BaseTest {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -64,7 +64,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -75,7 +75,7 @@ public void tearDown() throws Exception {
      * Test Analyzer name.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertThat(analyzer.getName(), is("Ruby Bundler Analyzer"));
     }
 
@@ -83,7 +83,7 @@ public void testGetName() {
      * Test Ruby Gemspec file support.
      */
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertThat(analyzer.accept(new File("test.gemspec")), is(false));
         assertThat(analyzer.accept(new File("specifications" + File.separator + "test.gemspec")), is(true));
         assertThat(analyzer.accept(new File("gemspec.lock")), is(false));
@@ -95,7 +95,7 @@ public void testSupportsFiles() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzeGemspec() throws AnalysisException {
+    void testAnalyzeGemspec() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "ruby/vulnerable/gems/rails-4.1.15/vendor/bundle/ruby/2.2.0/specifications/dalli-2.7.5.gemspec"));
         analyzer.analyze(result, null);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
index b5f68f6aa34..b0389cdcd9b 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
@@ -17,27 +17,27 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 import java.io.File;
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertEquals;
-import org.owasp.dependencycheck.dependency.EvidenceType;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  * Unit tests for {@link RubyGemspecAnalyzer}.
  *
  * @author Dale Visser
  */
-public class RubyGemspecAnalyzerTest extends BaseTest {
+class RubyGemspecAnalyzerTest extends BaseTest {
 
     /**
      * The analyzer to test.
@@ -49,7 +49,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -64,7 +64,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         analyzer.close();
@@ -75,7 +75,7 @@ public void tearDown() throws Exception {
      * Test Ruby Gemspec name.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         assertThat(analyzer.getName(), is("Ruby Gemspec Analyzer"));
     }
 
@@ -83,7 +83,7 @@ public void testGetName() {
      * Test Ruby Gemspec file support.
      */
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         assertThat(analyzer.accept(new File("test.gemspec")), is(true));
         assertThat(analyzer.accept(new File("gemspec.lock")), is(false));
 //        assertThat(analyzer.accept(new File("Rakefile")), is(true));
@@ -95,7 +95,7 @@ public void testSupportsFiles() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testAnalyzePackageJson() throws AnalysisException {
+    void testAnalyzePackageJson() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec"));
         analyzer.analyze(result, null);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
index b807f564fe9..0bba3a585b9 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java
@@ -1,21 +1,21 @@
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+
+import java.io.File;
 
 import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import org.owasp.dependencycheck.dependency.EvidenceType;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Unit tests for CocoaPodsAnalyzer, CarthageAnalyzer and SwiftPackageManagerAnalyzer.
@@ -24,7 +24,7 @@
  * @author Jorge Mendes
  * @author Alin Radut
  */
-public class SwiftAnalyzersTest extends BaseTest {
+class SwiftAnalyzersTest extends BaseTest {
 
     /**
      * The analyzer to test.
@@ -39,7 +39,7 @@ public class SwiftAnalyzersTest extends BaseTest {
      *
      * @throws Exception thrown if there is a problem
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -69,7 +69,7 @@ public void setUp() throws Exception {
      *
      * @throws Exception thrown if there is a problem
      */
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         podsAnalyzer.close();
@@ -85,7 +85,7 @@ public void tearDown() throws Exception {
      * Test of getName method, of class CocoaPodsAnalyzer.
      */
     @Test
-    public void testPodsGetName() {
+    void testPodsGetName() {
         assertThat(podsAnalyzer.getName(), is("CocoaPods Package Analyzer"));
     }
 
@@ -93,7 +93,7 @@ public void testPodsGetName() {
      * Test of getName method, of class CarthageAnalyzer.
      */
     @Test
-    public void testCarthageGetName() {
+    void testCarthageGetName() {
         assertThat(carthageAnalyzer.getName(), is("Carthage Package Analyzer"));
     }
 
@@ -101,7 +101,7 @@ public void testCarthageGetName() {
      * Test of getName method, of class SwiftPackageManagerAnalyzer.
      */
     @Test
-    public void testSPMGetName() {
+    void testSPMGetName() {
         assertThat(spmAnalyzer.getName(), is("SWIFT Package Manager Analyzer"));
     }
 
@@ -109,7 +109,7 @@ public void testSPMGetName() {
      * Test of supportsFiles method, of class CocoaPodsAnalyzer.
      */
     @Test
-    public void testPodsSupportsFiles() {
+    void testPodsSupportsFiles() {
         assertThat(podsAnalyzer.accept(new File("test.podspec")), is(true));
         assertThat(podsAnalyzer.accept(new File("Podfile.lock")), is(true));
     }
@@ -118,7 +118,7 @@ public void testPodsSupportsFiles() {
      * Test of supportsFiles method, of class CocoaPodsAnalyzer.
      */
     @Test
-    public void testCarthageSupportsFiles() {
+    void testCarthageSupportsFiles() {
         assertThat(carthageAnalyzer.accept(new File("Cartfile.resolved")), is(true));
     }
 
@@ -126,7 +126,7 @@ public void testCarthageSupportsFiles() {
      * Test of supportsFiles method, of class SwiftPackageManagerAnalyzer.
      */
     @Test
-    public void testSPMSupportsFiles() {
+    void testSPMSupportsFiles() {
         assertThat(spmAnalyzer.accept(new File("Package.swift")), is(true));
         assertThat(sprAnalyzer.accept(new File("Package.resolved")), is(true));
     }
@@ -137,7 +137,7 @@ public void testSPMSupportsFiles() {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testCocoaPodsPodfileAnalyzer() throws AnalysisException {
+    void testCocoaPodsPodfileAnalyzer() throws AnalysisException {
         final Engine engine = new Engine(getSettings());
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "swift/cocoapods/Podfile.lock"));
@@ -165,7 +165,7 @@ public void testCocoaPodsPodfileAnalyzer() throws AnalysisException {
     }
 
     @Test
-    public void testCocoaPodsPodspecAnalyzer() throws AnalysisException {
+    void testCocoaPodsPodspecAnalyzer() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "swift/cocoapods/EasyPeasy.podspec"));
         podsAnalyzer.analyze(result, null);
@@ -188,7 +188,7 @@ public void testCocoaPodsPodspecAnalyzer() throws AnalysisException {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testCarthageCartfileResolvedAnalyzer() throws AnalysisException {
+    void testCarthageCartfileResolvedAnalyzer() throws AnalysisException {
         final Engine engine = new Engine(getSettings());
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "swift/carthage/Cartfile.resolved"));
@@ -221,7 +221,7 @@ public void testCarthageCartfileResolvedAnalyzer() throws AnalysisException {
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
-    public void testSPMAnalyzer() throws AnalysisException {
+    void testSPMAnalyzer() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "swift/Gloss/Package.swift"));
         spmAnalyzer.analyze(result, null);
@@ -234,7 +234,7 @@ public void testSPMAnalyzer() throws AnalysisException {
     }
 
     @Test
-    public void testSPMResolvedAnalyzerV1() throws AnalysisException {
+    void testSPMResolvedAnalyzerV1() throws AnalysisException {
         final Engine engine = new Engine(getSettings());
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "swift/spm/Package.resolved"));
@@ -250,7 +250,7 @@ public void testSPMResolvedAnalyzerV1() throws AnalysisException {
     }
 
     @Test
-    public void testSPMResolvedAnalyzerV2() throws AnalysisException {
+    void testSPMResolvedAnalyzerV2() throws AnalysisException {
         final Engine engine = new Engine(getSettings());
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "swift/spmV2/Package.resolved"));
@@ -266,7 +266,7 @@ public void testSPMResolvedAnalyzerV2() throws AnalysisException {
     }
 
     @Test
-    public void testSPMResolvedAnalyzerV3() throws AnalysisException {
+    void testSPMResolvedAnalyzerV3() throws AnalysisException {
         final Engine engine = new Engine(getSettings());
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "swift/spmV3/Package.resolved"));
@@ -282,7 +282,7 @@ public void testSPMResolvedAnalyzerV3() throws AnalysisException {
     }
 
     @Test
-    public void testIsEnabledIsTrueByDefault() {
+    void testIsEnabledIsTrueByDefault() {
         assertTrue(spmAnalyzer.isEnabled());
         assertTrue(sprAnalyzer.isEnabled());
     }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/UnusedSuppressionRuleAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/UnusedSuppressionRuleAnalyzerTest.java
index 4eb933b8431..865e95f5c91 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/UnusedSuppressionRuleAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/UnusedSuppressionRuleAnalyzerTest.java
@@ -1,42 +1,42 @@
 package org.owasp.dependencycheck.analyzer;
 
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertEquals;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import static org.owasp.dependencycheck.analyzer.AbstractSuppressionAnalyzer.SUPPRESSION_OBJECT_KEY;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import static org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer.EXCEPTION_MSG;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.naming.Identifier;
 import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
 import org.owasp.dependencycheck.utils.Settings;
-import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 import org.owasp.dependencycheck.xml.suppression.PropertyType;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 
-public class UnusedSuppressionRuleAnalyzerTest extends BaseTest {
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.owasp.dependencycheck.analyzer.AbstractSuppressionAnalyzer.SUPPRESSION_OBJECT_KEY;
+import static org.owasp.dependencycheck.analyzer.UnusedSuppressionRuleAnalyzer.EXCEPTION_MSG;
+
+class UnusedSuppressionRuleAnalyzerTest extends BaseTest {
 	private static final String NAME = "Unused Suppression Rule Analyzer";
 	private static final String PACKAGE_NAME = "CoolAsACucumber";
 	private static final String EXPECTED_EX = "should have thrown an AnalysisException";
 
     @Test
-    public void testGetName() {
+    void testGetName() {
         UnusedSuppressionRuleAnalyzer analyzer = new UnusedSuppressionRuleAnalyzer();
         assertEquals(NAME, analyzer.getName());
     }
 
     @Test
-    public void testException() throws Exception {
+    void testException() throws Exception {
 		boolean shouldFail = true;
 		Dependency dependency10 = getDependency("1.0");
 		Dependency dependency11 = getDependency("1.1");
-		
+
 		UnusedSuppressionRuleAnalyzer analyzer = getAnalyzer(shouldFail);
 		Engine engine = getEngine(true, false, dependency10, dependency11);
 		try {
@@ -45,7 +45,7 @@ public void testException() throws Exception {
 		} catch(AnalysisException ok){
 			assertEquals(String.format(EXCEPTION_MSG, 1), ok.getMessage());
 		}
-		
+
 		// no exception
 		shouldFail = false;
 		analyzer = getAnalyzer(shouldFail);
@@ -53,14 +53,14 @@ public void testException() throws Exception {
 		analyzer.analyzeDependency(dependency10, engine);
     	assertEquals(1, analyzer.getUnusedSuppressionRuleCount());
 	}
-	
+
     @Test
-    public void testCheckUnusedRules() throws Exception {
+    void testCheckUnusedRules() throws Exception {
 		// flag unset
 		boolean shouldFail = false;
 		Dependency dependency10 = getDependency("1.0");
 		Dependency dependency11 = getDependency("1.1");
-		
+
 		// a run without any suppression rule ➫ no unused suppression
 		checkUnusedRules(shouldFail, 0, false, false, dependency10);
 
@@ -70,7 +70,7 @@ public void testCheckUnusedRules() throws Exception {
 		// a run with the vulnerable package ➫ no unused suppression
 		checkUnusedRules(shouldFail, 0, true, true, dependency10, dependency11);
 
-			
+
 		// set flag
 		shouldFail = true;
 
@@ -83,31 +83,31 @@ public void testCheckUnusedRules() throws Exception {
 		// a run with the vulnerable package ➫ no unused suppression
 		checkUnusedRules(shouldFail, 0, true, true, dependency10, dependency11);
     }
-	
-	private void checkUnusedRules(boolean shouldFail, int expectedCount, 
+
+	private void checkUnusedRules(boolean shouldFail, int expectedCount,
 		boolean withSuppressionRules, boolean matching,
-		Dependency ... dependencies) throws Exception {
+		Dependency ... dependencies) {
         UnusedSuppressionRuleAnalyzer analyzer = getAnalyzer(shouldFail);
 		assertNotNull(analyzer);
 		Engine engine = getEngine(withSuppressionRules, matching, dependencies);
 		analyzer.checkUnusedRules(engine);
 		assertEquals(expectedCount, analyzer.getUnusedSuppressionRuleCount());
 	}
-	
-		
+
+
 	private Dependency getDependency(String type, String namespace, String name, String version) throws Exception {
         Dependency dependency = new Dependency();
 		Identifier id = new PurlIdentifier(type,namespace,name,version,Confidence.HIGHEST);
         dependency.addSoftwareIdentifier(id);
 		return dependency;
 	}
-	
+
 	private Dependency getDependency(String version) throws Exception {
 		return getDependency("maven", "test", PACKAGE_NAME, version);
-	}	
+	}
 
-	
-	private Engine getEngine(boolean hasSuppressionRules, boolean matching, Dependency ... dependencies) throws Exception {
+
+	private Engine getEngine(boolean hasSuppressionRules, boolean matching, Dependency ... dependencies) {
         Engine engine = new Engine(getSettings());
 		List<Dependency> dependencyList = new ArrayList<>();
 		if (dependencies!=null) {
@@ -121,20 +121,20 @@ private Engine getEngine(boolean hasSuppressionRules, boolean matching, Dependen
 		engine.putObject(SUPPRESSION_OBJECT_KEY,rules);
 		return engine;
 	}
-	
-	private UnusedSuppressionRuleAnalyzer getAnalyzer(boolean flag) throws AnalysisException {
+
+	private UnusedSuppressionRuleAnalyzer getAnalyzer(boolean flag) {
         UnusedSuppressionRuleAnalyzer analyzer = new UnusedSuppressionRuleAnalyzer();
 		assertNotNull(analyzer);
-		
+
 		Settings settings = getSettings();
         settings.setBoolean(Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE, flag);
         analyzer.initialize(settings);
         assertEquals(flag, analyzer.failsForUnusedSuppressionRule());
         assertEquals(0, analyzer.getUnusedSuppressionRuleCount());
-		
-		return analyzer;		
+
+		return analyzer;
 	}
-	
+
 	private SuppressionRule getSuppressionRule(boolean matching) {
         SuppressionRule instance = new SuppressionRule();
 		instance.addVulnerabilityName(getPropertyType("CVE-2023-5072", false, false));
@@ -144,7 +144,7 @@ private SuppressionRule getSuppressionRule(boolean matching) {
 		instance.setMatched(matching);
 		return instance;
     }
-	
+
 	private PropertyType getPropertyType(String value, boolean regex, boolean caseSensitive) {
 		PropertyType property = new PropertyType();
 		property.setValue(value);
@@ -152,6 +152,6 @@ private PropertyType getPropertyType(String value, boolean regex, boolean caseSe
 		property.setCaseSensitive(caseSensitive);
 		return property;
 	}
-	
+
 
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java
index eabae8571c8..e9e348bd448 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzerTest.java
@@ -17,25 +17,27 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Test;
-import static org.junit.Assert.*;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.utils.Settings;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
 /**
  *
  * @author Jeremy Long
  */
-public class VersionFilterAnalyzerTest extends BaseTest {
+class VersionFilterAnalyzerTest extends BaseTest {
 
     /**
      * Test of getName method, of class VersionFilterAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
         String expResult = "Version Filter Analyzer";
         String result = instance.getName();
@@ -46,7 +48,7 @@ public void testGetName() {
      * Test of getAnalysisPhase method, of class VersionFilterAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
         instance.initialize(getSettings());
         AnalysisPhase expResult = AnalysisPhase.POST_INFORMATION_COLLECTION3;
@@ -59,7 +61,7 @@ public void testGetAnalysisPhase() {
      * VersionFilterAnalyzer.
      */
     @Test
-    public void testGetAnalyzerEnabledSettingKey() {
+    void testGetAnalyzerEnabledSettingKey() {
         VersionFilterAnalyzer instance = new VersionFilterAnalyzer();
         instance.initialize(getSettings());
         String expResult = Settings.KEYS.ANALYZER_VERSION_FILTER_ENABLED;
@@ -71,7 +73,7 @@ public void testGetAnalyzerEnabledSettingKey() {
      * Test of analyzeDependency method, of class VersionFilterAnalyzer.
      */
     @Test
-    public void testAnalyzeDependency() throws Exception {
+    void testAnalyzeDependency() throws Exception {
         Dependency dependency = new Dependency();
 
         dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
@@ -112,7 +114,7 @@ public void testAnalyzeDependency() throws Exception {
      * Test of analyzeDependency method, of class VersionFilterAnalyzer.
      */
     @Test
-    public void testAnalyzeDependencyFilePom() throws Exception {
+    void testAnalyzeDependencyFilePom() throws Exception {
         Dependency dependency = new Dependency();
 
         dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
@@ -149,7 +151,7 @@ public void testAnalyzeDependencyFilePom() throws Exception {
      * Test of analyzeDependency method, of class VersionFilterAnalyzer.
      */
     @Test
-    public void testAnalyzeDependencyFileManifest() throws Exception {
+    void testAnalyzeDependencyFileManifest() throws Exception {
         Dependency dependency = new Dependency();
 
         dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
@@ -176,7 +178,7 @@ public void testAnalyzeDependencyFileManifest() throws Exception {
      * Test of analyzeDependency method, of class VersionFilterAnalyzer.
      */
     @Test
-    public void testAnalyzeDependencyPomManifest() throws Exception {
+    void testAnalyzeDependencyPomManifest() throws Exception {
         Dependency dependency = new Dependency();
 
         dependency.addEvidence(EvidenceType.VERSION, "util", "version", "33.3", Confidence.HIGHEST);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java
index 26d17183ffc..46f7e79e676 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIT.java
@@ -17,28 +17,30 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Testing the vulnerability suppression analyzer.
  *
  * @author Jeremy Long
  */
-public class VulnerabilitySuppressionAnalyzerIT extends BaseDBTestCase {
+class VulnerabilitySuppressionAnalyzerIT extends BaseDBTestCase {
 
     /**
      * Test of getName method, of class VulnerabilitySuppressionAnalyzer.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
         instance.initialize(getSettings());
         String expResult = "Vulnerability Suppression Analyzer";
@@ -51,7 +53,7 @@ public void testGetName() {
      * VulnerabilitySuppressionAnalyzer.
      */
     @Test
-    public void testGetAnalysisPhase() {
+    void testGetAnalysisPhase() {
         VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
         instance.initialize(getSettings());
         AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;
@@ -63,7 +65,7 @@ public void testGetAnalysisPhase() {
      * Test of analyze method, of class VulnerabilitySuppressionAnalyzer.
      */
     @Test
-    public void testAnalyze() throws Exception {
+    void testAnalyze() throws Exception {
 
         File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar");
         File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml");
@@ -81,7 +83,7 @@ public void testAnalyze() throws Exception {
             cpeSize = dependency.getVulnerableSoftwareIdentifiers().size();
             assertTrue(cveSize > 0);
             assertTrue(cpeSize > 0);
-            
+
         }
         getSettings().setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath());
         try (Engine engine = new Engine(getSettings())) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java
index dbaf0755458..98fd1afc218 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java
@@ -17,32 +17,32 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.junit.Assume;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.exception.InitializationException;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
 
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
-public class YarnAuditAnalyzerIT extends BaseTest {
+class YarnAuditAnalyzerIT extends BaseTest {
 
     @Test
-    public void testAnalyzePackageYarnClassic() throws AnalysisException, InitializationException, InvalidSettingException {
+    void testAnalyzePackageYarnClassic() throws AnalysisException {
         testAnalyzePackageYarn("yarn/yarn-classic-audit/yarn.lock");
     }
 
     @Test
-    public void testAnalyzePackageYarnBerry() throws AnalysisException, InitializationException, InvalidSettingException {
+    void testAnalyzePackageYarnBerry() throws AnalysisException {
         testAnalyzePackageYarn("yarn/yarn-berry-audit/yarn.lock");
     }
 
     @Test
-    public void testAnalyzePackageYarnBerryNoVulnerability() throws AnalysisException, InitializationException, InvalidSettingException {
+    void testAnalyzePackageYarnBerryNoVulnerability() throws AnalysisException {
         //Assume.assumeThat(getSettings().getBoolean(Settings.KEYS.ANALYZER_YARN_AUDIT_ENABLED), is(true));
         try (Engine engine = new Engine(getSettings())) {
             var analyzer = new YarnAuditAnalyzer();
@@ -51,10 +51,10 @@ public void testAnalyzePackageYarnBerryNoVulnerability() throws AnalysisExceptio
             analyzer.prepare(engine);
             final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, "yarn/yarn-berry-audit-no-vulnerability/yarn.lock"));
             analyzer.analyze(toScan, engine);
-            assertTrue("No dependency should be identified", engine.getDependencies().length == 0);
+            assertEquals(0, engine.getDependencies().length, "No dependency should be identified");
         } catch (InitializationException ex) {
             //yarn is not installed - skip the test case.
-            Assume.assumeNoException(ex);
+            assumeTrue(false, ex.toString());
         }
     }
 
@@ -68,20 +68,20 @@ private void testAnalyzePackageYarn(String yarnLockFile) throws AnalysisExceptio
             final Dependency toScan = new Dependency(BaseTest.getResourceAsFile(this, yarnLockFile));
             analyzer.analyze(toScan, engine);
             boolean found = false;
-            assertTrue("More then 1 dependency should be identified", 1 < engine.getDependencies().length);
+            assertTrue(1 < engine.getDependencies().length, "More then 1 dependency should be identified");
             for (Dependency result : engine.getDependencies()) {
                 if ("yarn.lock?uglify-js".equals(result.getFileName())) {
                     found = true;
                     assertTrue(result.getEvidence(EvidenceType.VENDOR).toString().contains("uglify-js"));
                     assertTrue(result.getEvidence(EvidenceType.PRODUCT).toString().contains("uglify-js"));
-                    assertTrue("Unable to find version 2.4.24: " + result.getEvidence(EvidenceType.VERSION).toString(), result.getEvidence(EvidenceType.VERSION).toString().contains("2.4.24"));
+                    assertTrue(result.getEvidence(EvidenceType.VERSION).toString().contains("2.4.24"), "Unable to find version 2.4.24: " + result.getEvidence(EvidenceType.VERSION).toString());
                     assertTrue(result.isVirtual());
                 }
             }
-            assertTrue("Uglify was not found", found);
+            assertTrue(found, "Uglify was not found");
         } catch (InitializationException ex) {
             //yarn is not installed - skip the test case.
-            Assume.assumeNoException(ex);
+            assumeTrue(false, ex.toString());
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerTest.java
index 029e7f294a0..8f34b7ceb97 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerTest.java
@@ -1,23 +1,23 @@
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.File;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 
+import java.io.File;
+
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.MatcherAssert.assertThat;
 
-public class YarnAuditAnalyzerTest extends BaseTest {
+class YarnAuditAnalyzerTest extends BaseTest {
 
     @Test
-    public void testGetName() {
+    void testGetName() {
         YarnAuditAnalyzer analyzer = new YarnAuditAnalyzer();
         assertThat(analyzer.getName(), is("Yarn Audit Analyzer"));
     }
 
     @Test
-    public void testSupportsFiles() {
+    void testSupportsFiles() {
         YarnAuditAnalyzer analyzer = new YarnAuditAnalyzer();
         assertThat(analyzer.accept(new File("package-lock.json")), is(false));
         assertThat(analyzer.accept(new File("npm-shrinkwrap.json")), is(false));
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchIT.java b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchIT.java
index 99b0e10706b..d7af9521183 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchIT.java
@@ -17,8 +17,8 @@
  */
 package org.owasp.dependencycheck.data.artifactory;
 
-import org.junit.Ignore;
-import org.junit.Test;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
@@ -27,15 +27,15 @@
 import java.io.IOException;
 import java.util.List;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.fail;
 
-@Ignore
-public class ArtifactorySearchIT {
+@Disabled
+class ArtifactorySearchIT {
 
 
     @Test
-    public void testWithRealInstanceUsingBearerToken() throws IOException {
+    void testWithRealInstanceUsingBearerToken() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
@@ -63,7 +63,7 @@ public void testWithRealInstanceUsingBearerToken() throws IOException {
     }
 
     @Test
-    public void testWithRealInstanceAnonymous() throws IOException {
+    void testWithRealInstanceAnonymous() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
@@ -82,7 +82,7 @@ public void testWithRealInstanceAnonymous() throws IOException {
     }
 
     @Test
-    public void testWithRealInstanceWithUserToken() throws IOException {
+    void testWithRealInstanceWithUserToken() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("0695b63d702f505b9b916e02272e3b6381bade7f");
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java
index 251b61a7fb6..0bdee41a09a 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java
@@ -23,8 +23,8 @@
 import ch.qos.logback.core.read.ListAppender;
 import org.apache.hc.core5.http.ClassicHttpResponse;
 import org.apache.hc.core5.http.HttpEntity;
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -36,21 +36,21 @@
 import java.nio.charset.StandardCharsets;
 import java.util.List;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
-public class ArtifactorySearchResponseHandlerTest extends BaseTest {
+class ArtifactorySearchResponseHandlerTest extends BaseTest {
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
     }
 
     @Test
-    public void shouldProcessCorrectlyArtifactoryAnswerWithoutSha256() throws IOException {
+    void shouldProcessCorrectlyArtifactoryAnswerWithoutSha256() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("2e66da15851f9f5b5079228f856c2f090ba98c38");
@@ -105,7 +105,7 @@ public void shouldProcessCorrectlyArtifactoryAnswerWithoutSha256() throws IOExce
     }
 
     @Test
-    public void shouldProcessCorrectlyArtifactoryAnswerWithMultipleMatches() throws IOException {
+    void shouldProcessCorrectlyArtifactoryAnswerWithMultipleMatches() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("94a9ce681a42d0352b3ad22659f67835e560d107");
@@ -146,7 +146,7 @@ public void shouldProcessCorrectlyArtifactoryAnswerWithMultipleMatches() throws
      * @throws IOException
      */
     @Test
-    public void shouldProcessCorrectlyForMissingXResultDetailHeader() throws IOException {
+    void shouldProcessCorrectlyForMissingXResultDetailHeader() throws IOException {
         // Inject logback ListAppender to capture test-logs from ArtifactorySearchResponseHandler
         final Logger sutLogger = (Logger) LoggerFactory.getLogger(ArtifactorySearchResponseHandler.class);
         final ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
@@ -178,7 +178,7 @@ public void shouldProcessCorrectlyForMissingXResultDetailHeader() throws IOExcep
 
             // There should be a WARN-log for for each of the results regarding the absence of X-Result-Detail header driven attributes
             final List<ILoggingEvent> logsList = listAppender.list;
-            assertEquals("Number of log entries for the ArtifactorySearchResponseHandler", 2, logsList.size());
+            assertEquals(2, logsList.size(), "Number of log entries for the ArtifactorySearchResponseHandler");
 
             ILoggingEvent logEvent = logsList.get(0);
             assertEquals(Level.WARN, logEvent.getLevel());
@@ -201,7 +201,7 @@ public void shouldProcessCorrectlyForMissingXResultDetailHeader() throws IOExcep
     }
 
     @Test
-    public void shouldHandleNoMatches() throws IOException {
+    void shouldHandleNoMatches() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("94a9ce681a42d0352b3ad22659f67835e560d108");
@@ -289,7 +289,7 @@ private byte[] noXResultDetailHeaderResponse() {
     }
 
     @Test
-    public void shouldProcessCorrectlyArtifactoryAnswer() throws IOException {
+    void shouldProcessCorrectlyArtifactoryAnswer() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
@@ -410,7 +410,7 @@ private String payloadWithSha256() {
     }
 
     @Test
-    public void shouldProcessCorrectlyArtifactoryAnswerMisMatchMd5() throws IOException {
+    void shouldProcessCorrectlyArtifactoryAnswerMisMatchMd5() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
@@ -429,14 +429,14 @@ public void shouldProcessCorrectlyArtifactoryAnswerMisMatchMd5() throws IOExcept
             fail("MD5 mismatching should throw an exception!");
         } catch (FileNotFoundException e) {
             // Then
-            assertEquals("Artifact " + dependency.toString()
+            assertEquals("Artifact " + dependency
                     + " not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
 
         }
     }
 
     @Test
-    public void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha1() throws IOException {
+    void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha1() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0e");
@@ -460,7 +460,7 @@ public void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha1() throws IOExcep
     }
 
     @Test
-    public void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha256() throws IOException {
+    void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha256() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
@@ -484,7 +484,7 @@ public void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha256() throws IOExc
     }
 
     @Test
-    public void shouldThrowNotFoundWhenPatternCannotBeParsed() throws IOException {
+    void shouldThrowNotFoundWhenPatternCannotBeParsed() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
@@ -509,7 +509,7 @@ public void shouldThrowNotFoundWhenPatternCannotBeParsed() throws IOException {
     }
 
     @Test
-    public void shouldSkipResultsWherePatternCannotBeParsed() throws IOException {
+    void shouldSkipResultsWherePatternCannotBeParsed() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchTest.java
index 6ec808485b6..17438c3f2d5 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchTest.java
@@ -17,10 +17,10 @@
  */
 package org.owasp.dependencycheck.data.artifactory;
 
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
@@ -28,17 +28,16 @@
 import java.io.IOException;
 import java.net.UnknownHostException;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
-public class ArtifactorySearchTest extends BaseTest {
+class ArtifactorySearchTest extends BaseTest {
     private static String httpsProxyHostOrig;
     private static String httpsPortOrig;
 
-    @BeforeClass
-    public static void tinkerProxies() {
+    @BeforeAll
+    static void tinkerProxies() {
         httpsProxyHostOrig = System.getProperty("https.proxyHost");
         if (httpsProxyHostOrig == null) {
             httpsProxyHostOrig = System.getenv("https.proxyHost");
@@ -51,8 +50,8 @@ public static void tinkerProxies() {
         System.setProperty("https.proxyPort", "");
     }
 
-    @AfterClass
-    public static void restoreProxies() {
+    @AfterAll
+    static void restoreProxies() {
         if (httpsProxyHostOrig != null) {
             System.setProperty("https.proxyHost", httpsProxyHostOrig);
         }
@@ -61,7 +60,7 @@ public static void restoreProxies() {
         }
     }
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -69,7 +68,7 @@ public void setUp() throws Exception {
 
 
     @Test
-    public void shouldFailWhenHostUnknown() throws IOException {
+    void shouldFailWhenHostUnknown() throws IOException {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/cache/DataCacheFactoryTest.java b/core/src/test/java/org/owasp/dependencycheck/data/cache/DataCacheFactoryTest.java
index d16d877e550..636125d9569 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/cache/DataCacheFactoryTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/cache/DataCacheFactoryTest.java
@@ -17,26 +17,29 @@
  */
 package org.owasp.dependencycheck.data.cache;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
+
 import java.io.File;
 import java.io.FilenameFilter;
 import java.io.IOException;
 import java.util.List;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.data.nexus.MavenArtifact;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DataCacheFactoryTest extends BaseTest {
+class DataCacheFactoryTest extends BaseTest {
 
     /**
      * Test of getCache method, of class DataCacheFactory.
      */
     @Test
-    public void testGetCache() throws IOException {
+    void testGetCache() throws IOException {
         DataCacheFactory instance = new DataCacheFactory(getSettings());
         DataCache<List<MavenArtifact>> result = instance.getCentralCache();
         assertNotNull(result);
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
index f82c6e91916..448d989fa72 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
@@ -1,56 +1,58 @@
 package org.owasp.dependencycheck.data.central;
 
-import org.junit.Before;
-import org.junit.Test;
+import org.apache.commons.lang3.StringUtils;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 
 import java.io.IOException;
 import java.util.List;
-import org.apache.commons.lang3.StringUtils;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import org.junit.Assume;
-import org.owasp.dependencycheck.utils.Settings;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assumptions.assumeFalse;
 
 /**
  * Created by colezlaw on 10/13/14.
  */
-public class CentralSearchTest extends BaseTest {
+class CentralSearchTest extends BaseTest {
 
     private CentralSearch searcher;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
         searcher = new CentralSearch(getSettings());
     }
 
-    @Test(expected = IllegalArgumentException.class)
-    public void testNullSha1() throws Exception {
-        searcher.searchSha1(null);
+    @Test
+    void testNullSha1() {
+        assertThrows(IllegalArgumentException.class, () ->
+            searcher.searchSha1(null));
     }
 
-    @Test(expected = IllegalArgumentException.class)
-    public void testMalformedSha1() throws Exception {
-        searcher.searchSha1("invalid");
+    @Test
+    void testMalformedSha1() {
+        assertThrows(IllegalArgumentException.class, () ->
+            searcher.searchSha1("invalid"));
     }
 
     // This test does generate network traffic and communicates with a host
     // you may not be able to reach. Remove the @Ignore annotation if you want to
     // test it anyway
     @Test
-    public void testValidSha1() throws Exception {
+    void testValidSha1() throws Exception {
         try {
         List<MavenArtifact> ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
-        assertEquals("Incorrect group", "org.apache.maven.plugins", ma.get(0).getGroupId());
-        assertEquals("Incorrect artifact", "maven-compiler-plugin", ma.get(0).getArtifactId());
-        assertEquals("Incorrect version", "3.1", ma.get(0).getVersion());
+        assertEquals("org.apache.maven.plugins", ma.get(0).getGroupId(), "Incorrect group");
+        assertEquals("maven-compiler-plugin", ma.get(0).getArtifactId(), "Incorrect artifact");
+        assertEquals("3.1", ma.get(0).getVersion(), "Incorrect version");
                 } catch (IOException ex) {
             //we hit a failure state on the CI
-            Assume.assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
+            assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
             throw ex;
         }
     }
@@ -58,26 +60,28 @@ public void testValidSha1() throws Exception {
     // This test does generate network traffic and communicates with a host
     // you may not be able to reach. Remove the @Ignore annotation if you want to
     // test it anyway
-    @Test(expected = IOException.class)
-    public void testMissingSha1() throws Exception {
-        try {
-        searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
-                } catch (IOException ex) {
-            //we hit a failure state on the CI
-            Assume.assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
-            throw ex;
-        }
+    @Test
+    void testMissingSha1() {
+        assertThrows(IOException.class, () -> {
+            try {
+                searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+            } catch (IOException ex) {
+                //we hit a failure state on the CI
+                assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
+                throw ex;
+            }
+        });
     }
 
     // This test should give us multiple results back from Central
     @Test
-    public void testMultipleReturns() throws Exception {
+    void testMultipleReturns() throws Exception {
         try {
             List<MavenArtifact> ma = searcher.searchSha1("94A9CE681A42D0352B3AD22659F67835E560D107");
             assertTrue(ma.size() > 1);
         } catch (IOException ex) {
             //we hit a failure state on the CI
-            Assume.assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
+            assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
             throw ex;
         }
     }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java b/core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java
index 4a2e9bfe724..9fce09dffa1 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java
@@ -17,24 +17,27 @@
  */
 package org.owasp.dependencycheck.data.composer;
 
-import org.junit.Before;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
 
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.nio.charset.Charset;
 
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.BaseTest;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  * Created by colezlaw on 9/5/15.
  */
-public class ComposerLockParserTest extends BaseTest  {
+class ComposerLockParserTest extends BaseTest {
 
     private InputStream inputStream;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -42,17 +45,17 @@ public void setUp() throws Exception {
     }
 
     @Test
-    public void testValidComposerLock() {
+    void testValidComposerLock() {
         ComposerLockParser clp = new ComposerLockParser(inputStream, false);
         clp.process();
         assertEquals(30, clp.getDependencies().size());
         assertTrue(clp.getDependencies().contains(new ComposerDependency("symfony", "translation", "2.7.3")));
         assertTrue(clp.getDependencies().contains(new ComposerDependency("vlucas", "phpdotenv", "1.1.1")));
     }
-    
-    
+
+
     @Test
-    public void testComposerLockSkipDev() {
+    void testComposerLockSkipDev() {
         ComposerLockParser clp = new ComposerLockParser(inputStream, true);
         clp.process();
         assertEquals(29, clp.getDependencies().size());
@@ -61,24 +64,24 @@ public void testComposerLockSkipDev() {
         assertFalse(clp.getDependencies().contains(new ComposerDependency("vlucas", "phpdotenv", "1.1.1")));
     }
 
-    @Test(expected = ComposerException.class)
-    public void testNotJSON() throws Exception {
+    @Test
+    void testNotJSON() {
         String input = "NOT VALID JSON";
         ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())), false);
-        clp.process();
+        assertThrows(ComposerException.class, clp::process);
     }
 
-    @Test(expected = ComposerException.class)
-    public void testNotComposer() throws Exception {
+    @Test
+    void testNotComposer() {
         String input = "[\"ham\",\"eggs\"]";
         ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())), false);
-        clp.process();
+        assertThrows(ComposerException.class, clp::process);
     }
 
-    @Test(expected = ComposerException.class)
-    public void testNotPackagesArray() throws Exception {
+    @Test
+    void testNotPackagesArray() {
         String input = "{\"packages\":\"eleventy\"}";
         ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())), false);
-        clp.process();
+        assertThrows(ComposerException.class, clp::process);
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndexTest.java b/core/src/test/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndexTest.java
index 6950e2c1526..49bdb4f36d9 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndexTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndexTest.java
@@ -20,23 +20,26 @@
 import org.apache.lucene.document.Document;
 import org.apache.lucene.search.Query;
 import org.apache.lucene.search.TopDocs;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.Test;
-import static org.junit.Assert.*;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.Engine;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author jeremy long
  */
-public class CpeMemoryIndexTest extends BaseDBTestCase {
+class CpeMemoryIndexTest extends BaseDBTestCase {
 
     private static final CpeMemoryIndex instance = CpeMemoryIndex.getInstance();
     private static Engine engine = null;
 
-    @AfterClass
+    @AfterAll
     public static void tearDownClass() {
         if (instance.isOpen()) {
             instance.close();
@@ -46,7 +49,7 @@ public static void tearDownClass() {
         }
     }
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -61,7 +64,7 @@ public void setUp() throws Exception {
      * Test of getInstance method, of class CpeMemoryIndex.
      */
     @Test
-    public void testGetInstance() {
+    void testGetInstance() {
         CpeMemoryIndex result = CpeMemoryIndex.getInstance();
         assertNotNull(result);
     }
@@ -70,7 +73,7 @@ public void testGetInstance() {
      * Test of isOpen method, of class CpeMemoryIndex.
      */
     @Test
-    public void testIsOpen() {
+    void testIsOpen() {
         boolean expResult = true;
         boolean result = instance.isOpen();
         assertEquals(expResult, result);
@@ -80,7 +83,7 @@ public void testIsOpen() {
      * Test of search method, of class CpeMemoryIndex.
      */
     @Test
-    public void testSearch_String_int() throws Exception {
+    void testSearch_String_int() throws Exception {
         String searchString = "product:(commons) AND vendor:(apache)";
         int maxQueryResults = 3;
         TopDocs result = instance.search(searchString, maxQueryResults);
@@ -92,7 +95,7 @@ public void testSearch_String_int() throws Exception {
      * Test of parseQuery method, of class CpeMemoryIndex.
      */
     @Test
-    public void testParseQuery() throws Exception {
+    void testParseQuery() throws Exception {
         String searchString = "product:(resteasy) AND vendor:(red hat)";
 
         String expResult = "+product:resteasy +(vendor:red vendor:redhat vendor:hat)";
@@ -111,7 +114,7 @@ public void testParseQuery() throws Exception {
      * Test of search method, of class CpeMemoryIndex.
      */
     @Test
-    public void testSearch_Query_int() throws Exception {
+    void testSearch_Query_int() throws Exception {
         String searchString = "product:(commons) AND vendor:(apache)";
         Query query = instance.parseQuery(searchString);
         int maxQueryResults = 3;
@@ -123,7 +126,7 @@ public void testSearch_Query_int() throws Exception {
      * Test of getDocument method, of class CpeMemoryIndex.
      */
     @Test
-    public void testGetDocument() throws Exception {
+    void testGetDocument() throws Exception {
         String searchString = "product:(commons) AND vendor:(apache)";
         int maxQueryResults = 1;
         TopDocs docs = instance.search(searchString, maxQueryResults);
@@ -136,7 +139,7 @@ public void testGetDocument() throws Exception {
      * Test of numDocs method, of class CpeMemoryIndex.
      */
     @Test
-    public void testNumDocs() {
+    void testNumDocs() {
         int result = instance.numDocs();
         assertTrue(result > 100);
     }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/cpe/IndexEntryTest.java b/core/src/test/java/org/owasp/dependencycheck/data/cpe/IndexEntryTest.java
index 68fd1fe993f..792e1c3c7e4 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/cpe/IndexEntryTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/cpe/IndexEntryTest.java
@@ -17,15 +17,16 @@
  */
 package org.owasp.dependencycheck.data.cpe;
 
-import org.junit.Assert;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 /**
  *
  * @author Jeremy Long
  */
-public class IndexEntryTest extends BaseTest  {
+class IndexEntryTest extends BaseTest {
 
     /**
      * Test of setName method, of class IndexEntry.
@@ -33,13 +34,13 @@ public class IndexEntryTest extends BaseTest  {
      * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testSetName() throws Exception {
+    void testSetName() throws Exception {
         String name = "cpe:/a:apache:struts:1.1:rc2";
 
         IndexEntry instance = new IndexEntry();
         instance.parseName(name);
 
-        Assert.assertEquals("apache", instance.getVendor());
-        Assert.assertEquals("struts", instance.getProduct());
+        assertEquals("apache", instance.getVendor());
+        assertEquals("struts", instance.getProduct());
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java b/core/src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java
index d51f0539876..f28d9172565 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java
@@ -17,23 +17,23 @@
  */
 package org.owasp.dependencycheck.data.cwe;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
 /**
  *
  * @author Jeremy Long
  */
-public class CweDBTest extends BaseTest {
+class CweDBTest extends BaseTest {
 
     /**
      * Test of getName method, of class CweDB.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         String cweId = "CWE-16";
         String expResult = "Configuration";
         String result = CweDB.getName(cweId);
@@ -48,7 +48,7 @@ public void testGetName() {
      * Test of getFullName method, of class CweDB.
      */
     @Test
-    public void testGetFullName() {
+    void testGetFullName() {
         String cweId = "CWE-16";
         String expResult = "CWE-16 Configuration";
         String result = CweDB.getFullName(cweId);
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/elixir/MixAuditJsonParserTest.java b/core/src/test/java/org/owasp/dependencycheck/data/elixir/MixAuditJsonParserTest.java
index 57de529e90e..3364da81c5d 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/elixir/MixAuditJsonParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/elixir/MixAuditJsonParserTest.java
@@ -1,17 +1,19 @@
 package org.owasp.dependencycheck.data.elixir;
 
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 
-import java.io.*;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
 
-import static org.junit.Assert.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
-public class MixAuditJsonParserTest {
+class MixAuditJsonParserTest {
 
     @Test
-    public void testEmptyResult() throws AnalysisException, FileNotFoundException {
+    void testEmptyResult() throws AnalysisException, FileNotFoundException {
         MixAuditJsonParser parser;
 
         File jsonFixtureFile = BaseTest.getResourceAsFile(this, "elixir/mix_audit/empty.json");
@@ -20,11 +22,11 @@ public void testEmptyResult() throws AnalysisException, FileNotFoundException {
         parser = new MixAuditJsonParser(fir);
         parser.process();
 
-        assertEquals("results must be empty", 0, parser.getResults().size());
+        assertEquals(0, parser.getResults().size(), "results must be empty");
     }
 
     @Test
-    public void testSingleResult() throws AnalysisException, FileNotFoundException {
+    void testSingleResult() throws AnalysisException, FileNotFoundException {
         MixAuditJsonParser parser;
 
         File jsonFixtureFile = BaseTest.getResourceAsFile(this, "elixir/mix_audit/plug.json");
@@ -33,7 +35,7 @@ public void testSingleResult() throws AnalysisException, FileNotFoundException {
         parser = new MixAuditJsonParser(fir);
         parser.process();
 
-        assertEquals("must have 1 result", 1, parser.getResults().size());
+        assertEquals(1, parser.getResults().size(), "must have 1 result");
 
         MixAuditResult r = parser.getResults().get(0);
         assertEquals("dc96aba4-4462-4d3b-b73f-28b9349133d8", r.getId());
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/golang/GoModJsonParserTest.java b/core/src/test/java/org/owasp/dependencycheck/data/golang/GoModJsonParserTest.java
index e2536f98337..7abd6e68fb2 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/golang/GoModJsonParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/golang/GoModJsonParserTest.java
@@ -17,17 +17,19 @@
  */
 package org.owasp.dependencycheck.data.golang;
 
+import org.junit.jupiter.api.Test;
+
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.util.List;
-import org.junit.Test;
-import static org.junit.Assert.*;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author jeremy
  */
-public class GoModJsonParserTest {
+class GoModJsonParserTest {
 
     final String issue2891 = "{\n"
             + "	\"Path\": \"cloud.google.com/go\",\n"
@@ -783,7 +785,7 @@ public class GoModJsonParserTest {
      * Test of process method, of class GoModJsonParser.
      */
     @Test
-    public void testProcess() throws Exception {
+    void testProcess() throws Exception {
         InputStream inputStream = new ByteArrayInputStream(issue2891.getBytes());
         List<GoModDependency> expResult = null;
         List<GoModDependency> result = GoModJsonParser.process(inputStream);
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/lucene/AlphaNumericFilterTest.java b/core/src/test/java/org/owasp/dependencycheck/data/lucene/AlphaNumericFilterTest.java
index 933255fa815..671ec4d9acf 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/lucene/AlphaNumericFilterTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/lucene/AlphaNumericFilterTest.java
@@ -17,29 +17,27 @@
  */
 package org.owasp.dependencycheck.data.lucene;
 
-import java.io.IOException;
 import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
-import static org.apache.lucene.tests.analysis.BaseTokenStreamTestCase.checkOneTerm;
-import static org.apache.lucene.tests.analysis.BaseTokenStreamTestCase.checkRandomData;
-import org.apache.lucene.tests.analysis.MockTokenizer;
 import org.apache.lucene.analysis.Tokenizer;
 import org.apache.lucene.analysis.core.KeywordTokenizer;
-import static org.apache.lucene.tests.util.LuceneTestCase.RANDOM_MULTIPLIER;
-import static org.apache.lucene.tests.util.LuceneTestCase.random;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.junit.Before;
+import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
+import org.apache.lucene.tests.analysis.MockTokenizer;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 
 /**
  *
  * @author Jeremy Long
  */
-public class AlphaNumericFilterTest extends BaseTokenStreamTestCase {
+class AlphaNumericFilterTest extends BaseTokenStreamTestCase {
 
     private Analyzer analyzer;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -54,11 +52,11 @@ protected Analyzer.TokenStreamComponents createComponents(String fieldName) {
 
     /**
      * Test of incrementToken method, of class AlphaNumericFilter.
-     * 
+     *
      * @throws Exception thrown if there is a problem
      */
     @Test
-    public void testIncrementToken() throws Exception {
+    void testIncrementToken() throws Exception {
         String[] expected = new String[6];
         expected[0] = "http";
         expected[1] = "www";
@@ -75,7 +73,7 @@ public void testIncrementToken() throws Exception {
      * @throws Exception thrown if there is a problem
      */
     @Test
-    public void testGarbage() throws Exception {
+    void testGarbage() throws Exception {
         String[] expected = new String[2];
         expected[0] = "test";
         expected[1] = "two";
@@ -88,12 +86,8 @@ public void testGarbage() throws Exception {
      * blast some random strings through the analyzer
      */
     @Test
-    public void testRandomStrings() {
-        try {
-            checkRandomData(random(), analyzer, 1000 * RANDOM_MULTIPLIER);
-        } catch (IOException ex) {
-            fail("Failed test random strings: " + ex.getMessage());
-        }
+    void testRandomStrings() {
+        assertDoesNotThrow(() -> checkRandomData(random(), analyzer, 1000 * RANDOM_MULTIPLIER), "Failed test random strings: ");
     }
 
     /**
@@ -103,7 +97,7 @@ public void testRandomStrings() {
      * @throws IOException
      */
     @Test
-    public void testEmptyTerm() throws IOException {
+    void testEmptyTerm() throws IOException {
         Analyzer a = new Analyzer() {
             @Override
             protected Analyzer.TokenStreamComponents createComponents(String fieldName) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java
index fac0bf102b0..00ebb6f26f0 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java
@@ -17,9 +17,6 @@
  */
 package org.owasp.dependencycheck.data.lucene;
 
-import java.io.File;
-import java.io.IOException;
-import java.util.HashMap;
 import org.apache.lucene.analysis.Analyzer;
 import org.apache.lucene.analysis.miscellaneous.PerFieldAnalyzerWrapper;
 import org.apache.lucene.analysis.standard.StandardAnalyzer;
@@ -37,21 +34,24 @@
 import org.apache.lucene.search.TopScoreDocCollector;
 import org.apache.lucene.store.Directory;
 import org.apache.lucene.store.MMapDirectory;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
+import java.io.File;
+import java.io.IOException;
+import java.util.HashMap;
 
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 
 /**
  *
  * @author Jeremy Long
  */
-public class FieldAnalyzerTest extends BaseTest {
+class FieldAnalyzerTest extends BaseTest {
 
     @Test
-    public void testAnalyzers() throws Exception {
+    void testAnalyzers() throws Exception {
 
         Analyzer analyzer = new SearchFieldAnalyzer();
         File temp = getSettings().getTempDirectory();
@@ -92,7 +92,7 @@ public void testAnalyzers() throws Exception {
         searcher.search(q, collector);
         ScoreDoc[] hits = collector.topDocs().scoreDocs;
 
-        assertEquals("Did not find 1 document?", 1, hits.length);
+        assertEquals(1, hits.length, "Did not find 1 document?");
         assertEquals("springframework", searcher.doc(hits[0].doc).get(field1));
         assertEquals("springsource", searcher.doc(hits[0].doc).get(field2));
 
@@ -100,7 +100,7 @@ public void testAnalyzers() throws Exception {
 
         reset(searchAnalyzerProduct, searchAnalyzerVendor);
         Query q2 = parser.parse(querystr);
-        assertFalse("second parsing contains previousWord from the TokenPairConcatenatingFilter", q2.toString().contains("core"));
+        assertFalse(q2.toString().contains("core"), "second parsing contains previousWord from the TokenPairConcatenatingFilter");
 
         querystr = "product:(  x-stream^5 )  AND  vendor:(  thoughtworks.xstream )";
         reset(searchAnalyzerProduct, searchAnalyzerVendor);
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/lucene/LuceneUtilsTest.java b/core/src/test/java/org/owasp/dependencycheck/data/lucene/LuceneUtilsTest.java
index 88a6b2c219d..3c708f91f1a 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/lucene/LuceneUtilsTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/lucene/LuceneUtilsTest.java
@@ -17,24 +17,24 @@
  */
 package org.owasp.dependencycheck.data.lucene;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class LuceneUtilsTest extends BaseTest {
+class LuceneUtilsTest extends BaseTest {
 
     /**
      * Test of appendEscapedLuceneQuery method, of class LuceneUtils.
      */
     @Test
-    public void testAppendEscapedLuceneQuery() {
+    void testAppendEscapedLuceneQuery() {
         StringBuilder buf = new StringBuilder();
         CharSequence text = "test encoding + - & | ! ( ) { } [ ] ^ \" ~ * ? : \\";
         String expResult = "test encoding \\+ \\- \\& \\| \\! \\( \\) \\{ \\} \\[ \\] \\^ \\\" \\~ \\* \\? \\: \\\\";
@@ -46,7 +46,7 @@ public void testAppendEscapedLuceneQuery() {
      * Test of appendEscapedLuceneQuery method, of class LuceneUtils.
      */
     @Test
-    public void testAppendEscapedLuceneQuery_null() {
+    void testAppendEscapedLuceneQuery_null() {
         StringBuilder buf = new StringBuilder();
         CharSequence text = null;
         LuceneUtils.appendEscapedLuceneQuery(buf, text);
@@ -57,7 +57,7 @@ public void testAppendEscapedLuceneQuery_null() {
      * Test of escapeLuceneQuery method, of class LuceneUtils.
      */
     @Test
-    public void testEscapeLuceneQuery() {
+    void testEscapeLuceneQuery() {
         CharSequence text = "test encoding + - & | ! ( ) { } [ ] ^ \" ~ * ? : \\";
         String expResult = "test encoding \\+ \\- \\& \\| \\! \\( \\) \\{ \\} \\[ \\] \\^ \\\" \\~ \\* \\? \\: \\\\";
         String result = LuceneUtils.escapeLuceneQuery(text);
@@ -68,7 +68,7 @@ public void testEscapeLuceneQuery() {
      * Test of escapeLuceneQuery method, of class LuceneUtils.
      */
     @Test
-    public void testEscapeLuceneQuery_null() {
+    void testEscapeLuceneQuery_null() {
         CharSequence text = null;
         String expResult = null;
         String result = LuceneUtils.escapeLuceneQuery(text);
@@ -76,13 +76,13 @@ public void testEscapeLuceneQuery_null() {
     }
 
     @Test
-    public void testIsKeyword() {
-        assertTrue("'AND' is a keyword and should return true", LuceneUtils.isKeyword("And"));
-        assertTrue("'OR' is a keyword and should return true", LuceneUtils.isKeyword("OR"));
-        assertTrue("'NOT' is a keyword and should return true", LuceneUtils.isKeyword("nOT"));
-        assertTrue("'TO' is being considered a keyword and should return true", LuceneUtils.isKeyword("TO"));
-        assertTrue("'+' is being considered a keyword and should return true", LuceneUtils.isKeyword("+"));
-        assertTrue("'-' is being considered a keyword and should return true", LuceneUtils.isKeyword("-"));
-        assertFalse("'the' is not a keyword and should return false", LuceneUtils.isKeyword("test"));
+    void testIsKeyword() {
+        assertTrue(LuceneUtils.isKeyword("And"), "'AND' is a keyword and should return true");
+        assertTrue(LuceneUtils.isKeyword("OR"), "'OR' is a keyword and should return true");
+        assertTrue(LuceneUtils.isKeyword("nOT"), "'NOT' is a keyword and should return true");
+        assertTrue(LuceneUtils.isKeyword("TO"), "'TO' is being considered a keyword and should return true");
+        assertTrue(LuceneUtils.isKeyword("+"), "'+' is being considered a keyword and should return true");
+        assertTrue(LuceneUtils.isKeyword("-"), "'-' is being considered a keyword and should return true");
+        assertFalse(LuceneUtils.isKeyword("test"), "'the' is not a keyword and should return false");
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzerTest.java
index 348ad0219b5..5dbfbf54f51 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzerTest.java
@@ -18,20 +18,21 @@
 package org.owasp.dependencycheck.data.lucene;
 
 import org.apache.lucene.analysis.CharArraySet;
-import org.junit.Test;
-import static org.junit.Assert.*;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author jeremy long
  */
-public class SearchFieldAnalyzerTest {
+class SearchFieldAnalyzerTest {
 
     /**
      * Test of getStopWords method, of class SearchFieldAnalyzer.
      */
     @Test
-    public void testGetStopWords() {
+    void testGetStopWords() {
         CharArraySet result = SearchFieldAnalyzer.getStopWords();
         assertTrue(result.size() > 20);
         assertTrue(result.contains("software"));
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java b/core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java
index 49aedacabf4..293aa94599a 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java
@@ -17,22 +17,21 @@
  */
 package org.owasp.dependencycheck.data.lucene;
 
-import java.io.IOException;
 import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
-import static org.apache.lucene.tests.analysis.BaseTokenStreamTestCase.checkOneTerm;
-import org.apache.lucene.tests.analysis.MockTokenizer;
 import org.apache.lucene.analysis.Tokenizer;
 import org.apache.lucene.analysis.core.KeywordTokenizer;
-import static org.junit.Assert.fail;
-import org.junit.Before;
-import org.junit.Test;
+import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 
 /**
  *
  * @author Jeremy Long
  */
-public class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {
+class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {
 
 //    private Analyzer analyzer;
 //
@@ -81,7 +80,7 @@ public class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {
      * @throws IOException
      */
     @Test
-    public void testEmptyTerm() {
+    void testEmptyTerm() {
         Analyzer a = new Analyzer() {
             @Override
             protected Analyzer.TokenStreamComponents createComponents(String fieldName) {
@@ -89,10 +88,6 @@ protected Analyzer.TokenStreamComponents createComponents(String fieldName) {
                 return new Analyzer.TokenStreamComponents(tokenizer, new TokenPairConcatenatingFilter(tokenizer));
             }
         };
-        try {
-            checkOneTerm(a, "", "");
-        } catch (IOException ex) {
-            fail("Failed test random strings: " + ex.getMessage());
-        }
+        assertDoesNotThrow(() -> checkOneTerm(a, "", ""), "Failed test random strings: ");
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java b/core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
index fd25509743a..4393fd0d8b5 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
@@ -17,37 +17,36 @@
  */
 package org.owasp.dependencycheck.data.lucene;
 
-import java.io.IOException;
 import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
-import org.apache.lucene.tests.analysis.MockTokenizer;
 import org.apache.lucene.analysis.Tokenizer;
 import org.apache.lucene.analysis.core.KeywordTokenizer;
-import org.junit.Test;
+import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
+import org.apache.lucene.tests.analysis.MockTokenizer;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 
 /**
  *
  * @author Jeremy Long
  */
-public class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
+class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
 
-    private final Analyzer analyzer;
-
-    public UrlTokenizingFilterTest() {
-        analyzer = new Analyzer() {
+    private final Analyzer analyzer = new Analyzer() {
             @Override
             protected TokenStreamComponents createComponents(String fieldName) {
                 Tokenizer source = new MockTokenizer(MockTokenizer.WHITESPACE, false);
                 return new TokenStreamComponents(source, new UrlTokenizingFilter(source));
             }
         };
-    }
 
     /**
      * test some example domains
      */
     @Test
-    public void testExamples() throws IOException {
+    void testExamples() throws IOException {
         String[] expected = new String[2];
         expected[0] = "domain";
         expected[1] = "test";
@@ -61,12 +60,8 @@ public void testExamples() throws IOException {
      * blast some random strings through the analyzer
      */
     @Test
-    public void testRandomStrings() {
-        try {
-            checkRandomData(random(), analyzer, 1000 * RANDOM_MULTIPLIER);
-        } catch (IOException ex) {
-            fail("Failed test random strings: " + ex.getMessage());
-        }
+    void testRandomStrings() {
+        assertDoesNotThrow(() -> checkRandomData(random(), analyzer, 1000 * RANDOM_MULTIPLIER), "Failed test random strings: ");
     }
 
     /**
@@ -76,7 +71,7 @@ public void testRandomStrings() {
      * @throws IOException
      */
     @Test
-    public void testEmptyTerm() throws IOException {
+    void testEmptyTerm() throws IOException {
         Analyzer a = new Analyzer() {
             @Override
             protected TokenStreamComponents createComponents(String fieldName) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nexus/MavenArtifactTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nexus/MavenArtifactTest.java
index 800b8fa5c1b..f45c765680d 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nexus/MavenArtifactTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nexus/MavenArtifactTest.java
@@ -1,14 +1,14 @@
 package org.owasp.dependencycheck.data.nexus;
 
-import org.junit.Test;
-
-import static org.junit.Assert.assertEquals;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 
-public class MavenArtifactTest extends BaseTest {
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class MavenArtifactTest extends BaseTest {
 
     @Test
-    public void getPomUrl() {
+    void getPomUrl() {
         // Given
         final MavenArtifact mavenArtifact = new MavenArtifact("com.google.code.gson", "gson", "2.1",
                 "https://artifactory.techno.ingenico.com/artifactory/jcenter-cache/com/google/code/gson/gson/2.1/gson-2.1.jar", MavenArtifact.derivePomUrl("gson", "2.1",
@@ -21,7 +21,7 @@ public void getPomUrl() {
     }
 
     @Test
-    public void getPomUrlWithQualifier() {
+    void getPomUrlWithQualifier() {
         // Given
         final MavenArtifact mavenArtifact = new MavenArtifact("com.google.code.gson", "gson", "2.8.5",
                 "https://artifactory.techno.ingenico.com/artifactory/repo1-cache/com/google/code/gson/gson/2.8.5/gson-2.8.5-sources.jar", MavenArtifact.derivePomUrl("gson", "2.8.5",
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV2SearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV2SearchTest.java
index 8bc0a9fde81..b00985a6025 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV2SearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV2SearchTest.java
@@ -17,24 +17,27 @@
  */
 package org.owasp.dependencycheck.data.nexus;
 
-import java.io.FileNotFoundException;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import org.junit.Assume;
-import org.junit.Before;
-import org.junit.Ignore;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class NexusV2SearchTest extends BaseTest {
+import java.io.FileNotFoundException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
+
+class NexusV2SearchTest extends BaseTest {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(NexusV2SearchTest.class);
     private NexusV2Search searcher;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -45,40 +48,43 @@ public void setUp() throws Exception {
         String nexusUrl = sett.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
         LOGGER.debug(nexusUrl);
         searcher = new NexusV2Search(sett, false);
-        Assume.assumeTrue(searcher.preflightRequest());
+        assumeTrue(searcher.preflightRequest());
     }
 
-    @Test(expected = IllegalArgumentException.class)
-    @Ignore
-    public void testNullSha1() throws Exception {
-        searcher.searchSha1(null);
+    @Test
+    @Disabled
+    void testNullSha1() {
+        assertThrows(IllegalArgumentException.class, () ->
+            searcher.searchSha1(null));
     }
 
-    @Test(expected = IllegalArgumentException.class)
-    @Ignore
-    public void testMalformedSha1() throws Exception {
-        searcher.searchSha1("invalid");
+    @Test
+    @Disabled
+    void testMalformedSha1() {
+        assertThrows(IllegalArgumentException.class, () ->
+            searcher.searchSha1("invalid"));
     }
 
     // This test does generate network traffic and communicates with a host
     // you may not be able to reach. Remove the @Ignore annotation if you want to
     // test it anyway
     @Test
-    @Ignore
-    public void testValidSha1() throws Exception {
+    @Disabled
+    void testValidSha1() throws Exception {
         MavenArtifact ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
-        assertEquals("Incorrect group", "org.apache.maven.plugins", ma.getGroupId());
-        assertEquals("Incorrect artifact", "maven-compiler-plugin", ma.getArtifactId());
-        assertEquals("Incorrect version", "3.1", ma.getVersion());
-        assertNotNull("URL Should not be null", ma.getArtifactUrl());
+        assertEquals("org.apache.maven.plugins", ma.getGroupId(), "Incorrect group");
+        assertEquals("maven-compiler-plugin", ma.getArtifactId(), "Incorrect artifact");
+        assertEquals("3.1", ma.getVersion(), "Incorrect version");
+        assertNotNull(ma.getArtifactUrl(), "URL Should not be null");
     }
 
     // This test does generate network traffic and communicates with a host
     // you may not be able to reach. Remove the @Ignore annotation if you want to
     // test it anyway
-    @Test(expected = FileNotFoundException.class)
-    @Ignore
-    public void testMissingSha1() throws Exception {
-        searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+    @Test
+    @Disabled
+    void testMissingSha1() {
+        assertThrows(FileNotFoundException.class, () ->
+            searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV3SearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV3SearchTest.java
index 166748899fc..7987fc079f2 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV3SearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusV3SearchTest.java
@@ -17,10 +17,9 @@
  */
 package org.owasp.dependencycheck.data.nexus;
 
-import org.junit.Assume;
-import org.junit.Before;
-import org.junit.Ignore;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
@@ -28,15 +27,17 @@
 
 import java.io.FileNotFoundException;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
-public class NexusV3SearchTest extends BaseTest {
+class NexusV3SearchTest extends BaseTest {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(NexusV3SearchTest.class);
     private NexusV3Search searcher;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -48,40 +49,43 @@ public void setUp() throws Exception {
 
         LOGGER.debug(nexusUrl);
         searcher = new NexusV3Search(sett, false);
-        Assume.assumeTrue(searcher.preflightRequest());
+        assumeTrue(searcher.preflightRequest());
     }
 
-    @Test(expected = IllegalArgumentException.class)
-    @Ignore
-    public void testNullSha1() throws Exception {
-        searcher.searchSha1(null);
+    @Test
+    @Disabled
+    void testNullSha1() {
+        assertThrows(IllegalArgumentException.class, () ->
+            searcher.searchSha1(null));
     }
 
-    @Test(expected = IllegalArgumentException.class)
-    @Ignore
-    public void testMalformedSha1() throws Exception {
-        searcher.searchSha1("invalid");
+    @Test
+    @Disabled
+    void testMalformedSha1() {
+        assertThrows(IllegalArgumentException.class, () ->
+            searcher.searchSha1("invalid"));
     }
 
     // This test does generate network traffic and communicates with a host
     // you may not be able to reach. Remove the @Ignore annotation if you want to
     // test it anyway
     @Test
-    @Ignore
-    public void testValidSha1() throws Exception {
+    @Disabled
+    void testValidSha1() throws Exception {
         MavenArtifact ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
-        assertEquals("Incorrect group", "org.apache.maven.plugins", ma.getGroupId());
-        assertEquals("Incorrect artifact", "maven-compiler-plugin", ma.getArtifactId());
-        assertEquals("Incorrect version", "3.1", ma.getVersion());
-        assertNotNull("URL Should not be null", ma.getArtifactUrl());
+        assertEquals("org.apache.maven.plugins", ma.getGroupId(), "Incorrect group");
+        assertEquals("maven-compiler-plugin", ma.getArtifactId(), "Incorrect artifact");
+        assertEquals("3.1", ma.getVersion(), "Incorrect version");
+        assertNotNull(ma.getArtifactUrl(), "URL Should not be null");
     }
 
     // This test does generate network traffic and communicates with a host
     // you may not be able to reach. Remove the @Ignore annotation if you want to
     // test it anyway
-    @Test(expected = FileNotFoundException.class)
-    @Ignore
-    public void testMissingSha1() throws Exception {
-        searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+    @Test
+    @Disabled
+    void testMissingSha1() {
+        assertThrows(FileNotFoundException.class, () ->
+            searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nodeaudit/NodeAuditSearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nodeaudit/NodeAuditSearchTest.java
index 05409907069..18a4ee726c4 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nodeaudit/NodeAuditSearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nodeaudit/NodeAuditSearchTest.java
@@ -18,45 +18,30 @@
 package org.owasp.dependencycheck.data.nodeaudit;
 
 import org.owasp.dependencycheck.BaseTest;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import jakarta.json.Json;
-import jakarta.json.JsonObject;
-import jakarta.json.JsonObjectBuilder;
-import jakarta.json.JsonReader;
-import java.io.InputStream;
-import java.util.List;
-import static org.junit.Assume.assumeFalse;
-import org.owasp.dependencycheck.utils.URLConnectionFailureException;
 
-public class NodeAuditSearchTest extends BaseTest {
+class NodeAuditSearchTest extends BaseTest {
 
 // Tested as part of the NodeAuditAnalyzerIT.  Adding this test can cause build failures due to an external service.
 //    private static final Logger LOGGER = LoggerFactory.getLogger(NodeAuditSearchTest.class);
 //    private NodeAuditSearch searcher;
 //
-//    @Before
+//    @BeforeEach
 //    @Override
-//    public void setUp() throws Exception {
+//    void setUp() throws Exception {
 //        super.setUp();
 //        searcher = new NodeAuditSearch(getSettings());
 //    }
 //
 //    @Test
-//    public void testNodeAuditSearchPositive() throws Exception {
+//    void testNodeAuditSearchPositive() throws Exception {
 //        InputStream in = BaseTest.getResourceAsStream(this, "nodeaudit/package-lock.json");
 //        try (JsonReader jsonReader = Json.createReader(in)) {
 //            final JsonObject packageJson = jsonReader.readObject();
 //            final JsonObject payload = SanitizePackage.sanitize(packageJson);
 //            final List<Advisory> advisories = searcher.submitPackage(payload);
-//            Assert.assertTrue(advisories.size() > 0);
-//        } catch (Exception ex) {
-//            assumeFalse(ex instanceof URLConnectionFailureException
-//                    && ex.getMessage().contains("Unable to connect to "));
-//            throw ex;
+//            URLConnectionFailureException ex = assertThrows(URLConnectionFailureException.class,
+//                    () -> searcher.submitPackage(payload));
+//            assumeFalse(ex.getMessage().contains("Unable to connect to "));
 //        }
 //
 //        //this should result in a cache hit
@@ -64,25 +49,20 @@ public class NodeAuditSearchTest extends BaseTest {
 //        try (JsonReader jsonReader = Json.createReader(in)) {
 //            final JsonObject packageJson = jsonReader.readObject();
 //            final JsonObject payload = SanitizePackage.sanitize(packageJson);
-//            final List<Advisory> advisories = searcher.submitPackage(payload);
-//            Assert.assertTrue(advisories.size() > 0);
-//        } catch (Exception ex) {
-//            assumeFalse(ex instanceof URLConnectionFailureException
-//                    && ex.getMessage().contains("Unable to connect to "));
-//            throw ex;
+//            URLConnectionFailureException ex = assertThrows(URLConnectionFailureException.class,
+//                    () -> searcher.submitPackage(payload));
+//            assumeFalse(ex.getMessage().contains("Unable to connect to "));
 //        }
 //    }
-//    @Test(expected = AnalysisException.class)
-//    public void testNodeAuditSearchNegative() throws Exception {
+//
+//    void testNodeAuditSearchNegative() throws Exception {
 //        InputStream in = BaseTest.getResourceAsStream(this, "nodeaudit/package.json");
 //        try (JsonReader jsonReader = Json.createReader(in)) {
 //            final JsonObject packageJson = jsonReader.readObject();
 //            final JsonObject sanitizedJson = SanitizePackage.sanitize(packageJson);
-//            searcher.submitPackage(sanitizedJson);
-//        } catch (Exception ex) {
-//            assumeFalse(ex instanceof URLConnectionFailureException
-//                    && ex.getMessage().contains("Unable to connect to "));
-//            throw ex;
+//            URLConnectionFailureException ex = assertThrows(URLConnectionFailureException.class,
+//                    () -> searcher.submitPackage(sanitizedJson));
+//            assumeFalse(ex.getMessage().contains("Unable to connect to "));
 //        }
 //    }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nodeaudit/NpmPayloadBuilderTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nodeaudit/NpmPayloadBuilderTest.java
index 667be558c32..59c612e6f2e 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nodeaudit/NpmPayloadBuilderTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nodeaudit/NpmPayloadBuilderTest.java
@@ -17,24 +17,25 @@
  */
 package org.owasp.dependencycheck.data.nodeaudit;
 
-import java.io.InputStream;
-
-import org.junit.Assert;
-import org.junit.Test;
-
 import jakarta.json.Json;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonObjectBuilder;
 import jakarta.json.JsonReader;
 import org.apache.commons.collections4.MultiValuedMap;
 import org.apache.commons.collections4.multimap.HashSetValuedHashMap;
-
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 
-public class NpmPayloadBuilderTest {
+import java.io.InputStream;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class NpmPayloadBuilderTest {
 
     @Test
-    public void testSanitizer() {
+    void testSanitizer() {
         JsonObjectBuilder builder = Json.createObjectBuilder()
                 .add("name", "my app")
                 .add("version", "1.0.0")
@@ -61,26 +62,26 @@ public void testSanitizer() {
         final MultiValuedMap<String, String> dependencyMap = new HashSetValuedHashMap<>();
         JsonObject sanitized = NpmPayloadBuilder.build(packageJson, dependencyMap, false);
 
-        Assert.assertTrue(sanitized.containsKey("name"));
-        Assert.assertTrue(sanitized.containsKey("version"));
-        Assert.assertTrue(sanitized.containsKey("dependencies"));
-        Assert.assertTrue(sanitized.containsKey("requires"));
+        assertTrue(sanitized.containsKey("name"));
+        assertTrue(sanitized.containsKey("version"));
+        assertTrue(sanitized.containsKey("dependencies"));
+        assertTrue(sanitized.containsKey("requires"));
 
         JsonObject dependencies = sanitized.getJsonObject("dependencies");
-        Assert.assertTrue(dependencies.containsKey("node_modules/jest-resolve"));
+        assertTrue(dependencies.containsKey("node_modules/jest-resolve"));
 
         JsonObject requires = sanitized.getJsonObject("requires");
-        Assert.assertTrue(requires.containsKey("abbrev"));
-        Assert.assertEquals("^1.1.1", requires.getString("abbrev"));
-        Assert.assertEquals("*", requires.getString("node_modules/jest-resolve"));
+        assertTrue(requires.containsKey("abbrev"));
+        assertEquals("^1.1.1", requires.getString("abbrev"));
+        assertEquals("*", requires.getString("node_modules/jest-resolve"));
 
-        Assert.assertFalse(sanitized.containsKey("lockfileVersion"));
-        Assert.assertFalse(sanitized.containsKey("random"));
+        assertFalse(sanitized.containsKey("lockfileVersion"));
+        assertFalse(sanitized.containsKey("random"));
     }
 
 
     @Test
-    public void testSkippedDependencies() {
+    void testSkippedDependencies() {
         JsonObjectBuilder builder = Json.createObjectBuilder()
                 .add("name", "my app")
                 .add("version", "1.0.0")
@@ -110,47 +111,47 @@ public void testSkippedDependencies() {
         final MultiValuedMap<String, String> dependencyMap = new HashSetValuedHashMap<>();
         JsonObject sanitized = NpmPayloadBuilder.build(packageJson, dependencyMap, false);
 
-        Assert.assertTrue(sanitized.containsKey("name"));
-        Assert.assertTrue(sanitized.containsKey("version"));
-        Assert.assertTrue(sanitized.containsKey("dependencies"));
-        Assert.assertTrue(sanitized.containsKey("requires"));
+        assertTrue(sanitized.containsKey("name"));
+        assertTrue(sanitized.containsKey("version"));
+        assertTrue(sanitized.containsKey("dependencies"));
+        assertTrue(sanitized.containsKey("requires"));
 
         JsonObject requires = sanitized.getJsonObject("requires");
-        Assert.assertTrue(requires.containsKey("abbrev"));
-        Assert.assertEquals("^1.1.1", requires.getString("abbrev"));
+        assertTrue(requires.containsKey("abbrev"));
+        assertEquals("^1.1.1", requires.getString("abbrev"));
 
         //local and alias need to be skipped
-        Assert.assertFalse(requires.containsKey("react-dom"));
-        Assert.assertFalse(requires.containsKey("fake_submodule"));
+        assertFalse(requires.containsKey("react-dom"));
+        assertFalse(requires.containsKey("fake_submodule"));
 
-        Assert.assertFalse(sanitized.containsKey("lockfileVersion"));
-        Assert.assertFalse(sanitized.containsKey("random"));
+        assertFalse(sanitized.containsKey("lockfileVersion"));
+        assertFalse(sanitized.containsKey("random"));
     }
 
     @Test
-    public void testSanitizePackage() {
+    void testSanitizePackage() {
         InputStream in = BaseTest.getResourceAsStream(this, "nodeaudit/package-lock.json");
         final MultiValuedMap<String, String> dependencyMap = new HashSetValuedHashMap<>();
         try (JsonReader jsonReader = Json.createReader(in)) {
             JsonObject packageJson = jsonReader.readObject();
             JsonObject sanitized = NpmPayloadBuilder.build(packageJson, dependencyMap, false);
 
-            Assert.assertTrue(sanitized.containsKey("name"));
-            Assert.assertTrue(sanitized.containsKey("version"));
-            Assert.assertTrue(sanitized.containsKey("dependencies"));
-            Assert.assertTrue(sanitized.containsKey("requires"));
+            assertTrue(sanitized.containsKey("name"));
+            assertTrue(sanitized.containsKey("version"));
+            assertTrue(sanitized.containsKey("dependencies"));
+            assertTrue(sanitized.containsKey("requires"));
 
             JsonObject requires = sanitized.getJsonObject("requires");
-            Assert.assertTrue(requires.containsKey("bcrypt-nodejs"));
-            Assert.assertEquals("^0.0.3", requires.getString("bcrypt-nodejs"));
+            assertTrue(requires.containsKey("bcrypt-nodejs"));
+            assertEquals("^0.0.3", requires.getString("bcrypt-nodejs"));
 
-            Assert.assertFalse(sanitized.containsKey("lockfileVersion"));
-            Assert.assertFalse(sanitized.containsKey("random"));
+            assertFalse(sanitized.containsKey("lockfileVersion"));
+            assertFalse(sanitized.containsKey("random"));
         }
     }
 
     @Test
-    public void testPayloadWithLockAndPackage() {
+    void testPayloadWithLockAndPackage() {
         InputStream lock = BaseTest.getResourceAsStream(this, "nodeaudit/package-lock.json");
         InputStream json = BaseTest.getResourceAsStream(this, "nodeaudit/package.json");
         final MultiValuedMap<String, String> dependencyMap = new HashSetValuedHashMap<>();
@@ -159,26 +160,26 @@ public void testPayloadWithLockAndPackage() {
             JsonObject lockJson =    lockReader.readObject();
             JsonObject sanitized = NpmPayloadBuilder.build(lockJson, packageJson, dependencyMap, false);
 
-            Assert.assertTrue(sanitized.containsKey("name"));
-            Assert.assertTrue(sanitized.containsKey("version"));
-            Assert.assertTrue(sanitized.containsKey("dependencies"));
-            Assert.assertTrue(sanitized.containsKey("requires"));
+            assertTrue(sanitized.containsKey("name"));
+            assertTrue(sanitized.containsKey("version"));
+            assertTrue(sanitized.containsKey("dependencies"));
+            assertTrue(sanitized.containsKey("requires"));
 
             JsonObject requires = sanitized.getJsonObject("requires");
-            Assert.assertTrue(requires.containsKey("bcrypt-nodejs"));
-            Assert.assertEquals("0.0.3", requires.getString("bcrypt-nodejs"));
+            assertTrue(requires.containsKey("bcrypt-nodejs"));
+            assertEquals("0.0.3", requires.getString("bcrypt-nodejs"));
 
-            Assert.assertFalse(sanitized.containsKey("lockfileVersion"));
-            Assert.assertFalse(sanitized.containsKey("random"));
+            assertFalse(sanitized.containsKey("lockfileVersion"));
+            assertFalse(sanitized.containsKey("random"));
 
-            Assert.assertTrue(sanitized.containsKey("name"));
-            Assert.assertTrue(sanitized.containsKey("version"));
-            Assert.assertTrue(sanitized.containsKey("dependencies"));
-            Assert.assertTrue(sanitized.containsKey("requires"));
+            assertTrue(sanitized.containsKey("name"));
+            assertTrue(sanitized.containsKey("version"));
+            assertTrue(sanitized.containsKey("dependencies"));
+            assertTrue(sanitized.containsKey("requires"));
 
             //local and alias need to be skipped
-            Assert.assertFalse(requires.containsKey("react-dom"));
-            Assert.assertFalse(requires.containsKey("fake_submodule"));
+            assertFalse(requires.containsKey("react-dom"));
+            assertFalse(requires.containsKey("fake_submodule"));
         }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParserTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParserTest.java
index ca3d2385cc1..01351bff062 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParserTest.java
@@ -17,19 +17,22 @@
  */
 package org.owasp.dependencycheck.data.nuget;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import java.io.ByteArrayOutputStream;
 import java.io.InputStream;
 import java.io.PrintStream;
-import static org.junit.Assert.assertEquals;
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 /**
  *
  * @author colezlaw
  *
  */
-public class XPathNuspecParserTest extends BaseTest {
+class XPathNuspecParserTest extends BaseTest {
 
     /**
      * Test all the valid components.
@@ -37,7 +40,7 @@ public class XPathNuspecParserTest extends BaseTest {
      * @throws Exception if anything goes sideways.
      */
     @Test
-    public void testGoodDocument() throws Exception {
+    void testGoodDocument() throws Exception {
         XPathNuspecParser parser = new XPathNuspecParser();
         //InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("log4net.2.0.3.nuspec");
         InputStream is = BaseTest.getResourceAsStream(this, "log4net.2.0.3.nuspec");
@@ -55,17 +58,15 @@ public void testGoodDocument() throws Exception {
      *
      * @throws Exception we expect this.
      */
-    @Test(expected = NuspecParseException.class)
-    public void testMissingDocument() throws Exception {
+    @Test
+    void testMissingDocument() {
         XPathNuspecParser parser = new XPathNuspecParser();
-        //InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("dependencycheck.properties");
         InputStream is = BaseTest.getResourceAsStream(this, "dependencycheck.properties");
-
-        //hide the fatal message from the core parser
         final ByteArrayOutputStream myOut = new ByteArrayOutputStream();
         System.setErr(new PrintStream(myOut));
+        assertThrows(NuspecParseException.class, () ->
 
-        parser.parse(is);
+            parser.parse(is));
     }
 
     /**
@@ -73,11 +74,11 @@ public void testMissingDocument() throws Exception {
      *
      * @throws Exception we expect this.
      */
-    @Test(expected = NuspecParseException.class)
-    public void testNotNuspec() throws Exception {
+    @Test
+    void testNotNuspec() {
         XPathNuspecParser parser = new XPathNuspecParser();
-        //InputStream is = XPathNuspecParserTest.class.getClassLoader().getResourceAsStream("suppressions.xml");
         InputStream is = BaseTest.getResourceAsStream(this, "suppressions.xml");
-        parser.parse(is);
+        assertThrows(NuspecParseException.class, () ->
+            parser.parse(is));
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/CveEcosystemMapperTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/CveEcosystemMapperTest.java
index fa0e26a685a..4d2ce4615e4 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/CveEcosystemMapperTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/CveEcosystemMapperTest.java
@@ -19,28 +19,30 @@
 
 import io.github.jeremylong.openvulnerability.client.nvd.Config;
 import io.github.jeremylong.openvulnerability.client.nvd.CpeMatch;
-import java.util.ArrayList;
-import java.util.List;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.analyzer.JarAnalyzer;
-
-import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
 import io.github.jeremylong.openvulnerability.client.nvd.CveItem;
+import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
 import io.github.jeremylong.openvulnerability.client.nvd.LangString;
 import io.github.jeremylong.openvulnerability.client.nvd.Node;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.analyzer.JarAnalyzer;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
 
 /**
  *
  * @author Jeremy Long
  */
-public class CveEcosystemMapperTest {
+class CveEcosystemMapperTest {
 
     /**
      * Test of getEcosystem method, of class CveEcosystemMapper.
      */
     @Test
-    public void testGetEcosystem() {
+    void testGetEcosystem() {
         CveEcosystemMapper mapper = new CveEcosystemMapper();
         String value = "There is a vulnerability in some.java file";
         assertEquals(JarAnalyzer.DEPENDENCY_ECOSYSTEM, mapper.getEcosystem(asCve(value)));
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/DescriptionEcosystemMapperTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/DescriptionEcosystemMapperTest.java
index 4d7825e6312..6531d11c5af 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/DescriptionEcosystemMapperTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/DescriptionEcosystemMapperTest.java
@@ -1,8 +1,10 @@
 package org.owasp.dependencycheck.data.nvd.ecosystem;
 
 import io.github.jeremylong.openvulnerability.client.nvd.CveItem;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
+import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
+import io.github.jeremylong.openvulnerability.client.nvd.LangString;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.analyzer.JarAnalyzer;
 
 import java.io.BufferedReader;
 import java.io.File;
@@ -10,19 +12,16 @@
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 
-import org.junit.Test;
-import org.owasp.dependencycheck.analyzer.JarAnalyzer;
-import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
-import io.github.jeremylong.openvulnerability.client.nvd.LangString;
-import java.time.LocalDate;
-import java.util.ArrayList;
-import java.util.List;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
 
-public class DescriptionEcosystemMapperTest {
+class DescriptionEcosystemMapperTest {
 
     private static final String POSTFIX = ".ecosystem.txt";
 
@@ -44,19 +43,19 @@ protected static Map<String, File> getEcosystemFiles() throws IOException {
     }
 
     @Test
-    public void testDescriptionEcosystemMapper() throws IOException {
+    void testDescriptionEcosystemMapper() throws IOException {
         DescriptionEcosystemMapper mapper = new DescriptionEcosystemMapper();
         Map<String, File> ecosystemFiles = getEcosystemFiles();
         for (Entry<String, File> entry : ecosystemFiles.entrySet()) {
             try (BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(new FileInputStream(entry.getValue()), StandardCharsets.UTF_8))) {
                 String description;
                 while ((description = bufferedReader.readLine()) != null) {
-                    if (description.length() > 0 && !description.startsWith("#")) {
+                    if (!description.isEmpty() && !description.startsWith("#")) {
                         String ecosystem = mapper.getEcosystem(asCve(description));
                         if (entry.getKey().equals("null")) {
-                            assertNull(description, ecosystem);
+                            assertNull(ecosystem, description);
                         } else {
-                            assertEquals(description, entry.getKey(), ecosystem);
+                            assertEquals(entry.getKey(), ecosystem, description);
                         }
                     }
                 }
@@ -65,42 +64,42 @@ public void testDescriptionEcosystemMapper() throws IOException {
     }
 
     @Test
-    public void testScoring() throws IOException {
+    void testScoring() {
         DescriptionEcosystemMapper mapper = new DescriptionEcosystemMapper();
         String value = "a.cpp b.java c.java";
         assertEquals(JarAnalyzer.DEPENDENCY_ECOSYSTEM, mapper.getEcosystem(asCve(value)));
     }
 
     @Test
-    public void testJspLinksDoNotCountScoring() throws IOException {
+    void testJspLinksDoNotCountScoring() {
         DescriptionEcosystemMapper mapper = new DescriptionEcosystemMapper();
         String value = "Read more at https://domain/help.jsp.";
         assertNull(mapper.getEcosystem(asCve(value)));
     }
 
     @Test
-    public void testSubsetFileExtensionsDoNotMatch() throws IOException {
+    void testSubsetFileExtensionsDoNotMatch() {
         DescriptionEcosystemMapper mapper = new DescriptionEcosystemMapper();
         String value = "Read more at index.html."; // i.e. does not match .h
         assertNull(mapper.getEcosystem(asCve(value)));
     }
 
     @Test
-    public void testSubsetKeywordsDoNotMatch() throws IOException {
+    void testSubsetKeywordsDoNotMatch() {
         DescriptionEcosystemMapper mapper = new DescriptionEcosystemMapper();
         String value = "Wonder if java senses the gc."; // i.e. does not match 'java se'
         assertNull(mapper.getEcosystem(asCve(value)));
     }
 
     @Test
-    public void testPhpLinksDoNotCountScoring() throws IOException {
+    void testPhpLinksDoNotCountScoring() {
         DescriptionEcosystemMapper mapper = new DescriptionEcosystemMapper();
         String value = "Read more at https://domain/help.php.";
         assertNull(mapper.getEcosystem(asCve(value)));
     }
 
     private DefCveItem asCve(String description) {
-        
+
         List<LangString> descriptions = new ArrayList<>();
         LangString desc = new LangString("en",description);
         descriptions.add(desc);
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/UrlEcosystemMapperTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/UrlEcosystemMapperTest.java
index ebe4267470d..77e42e2d660 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/UrlEcosystemMapperTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvd/ecosystem/UrlEcosystemMapperTest.java
@@ -3,38 +3,39 @@
 import io.github.jeremylong.openvulnerability.client.nvd.CveItem;
 import io.github.jeremylong.openvulnerability.client.nvd.DefCveItem;
 import io.github.jeremylong.openvulnerability.client.nvd.Reference;
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer;
+
 import java.util.ArrayList;
 import java.util.List;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
 
-import org.junit.Test;
-import org.owasp.dependencycheck.analyzer.PythonPackageAnalyzer;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
 
 
-public class UrlEcosystemMapperTest {
+class UrlEcosystemMapperTest {
 
     @Test
-    public void testUrlHostEcosystemMapper() {
-        
+    void testUrlHostEcosystemMapper() {
+
         UrlEcosystemMapper mapper = new UrlEcosystemMapper();
-        
+
         assertEquals(PythonPackageAnalyzer.DEPENDENCY_ECOSYSTEM, mapper.getEcosystem(asCve("https://python.org/path")));
     }
 
     private DefCveItem asCve(String url) {
-        
+
         List<Reference> references  = new ArrayList<>();
         Reference ref = new Reference(url, null, null);
         references.add(ref);
         CveItem cveItem = new CveItem(null, null, null, null, null, null, null, null, null, null, null, null, null, null, references, null, null, null, null);
         DefCveItem defCveItem = new DefCveItem(cveItem);
-        
+
         return defCveItem;
     }
 
     @Test
-    public void testGetEcosystemMustHandleNullCveReferences() {
+    void testGetEcosystemMustHandleNullCveReferences() {
         // Given
         UrlEcosystemMapper mapper = new UrlEcosystemMapper();
 
@@ -49,7 +50,7 @@ public void testGetEcosystemMustHandleNullCveReferences() {
     }
 
     @Test
-    public void testGetEcosystemMustHandleNullCve() {
+    void testGetEcosystemMustHandleNullCve() {
         // Given
         UrlEcosystemMapper mapper = new UrlEcosystemMapper();
 
@@ -63,7 +64,7 @@ public void testGetEcosystemMustHandleNullCve() {
     }
 
     @Test
-    public void testGetEcosystemMustHandleNullCveItem() {
+    void testGetEcosystemMustHandleNullCveItem() {
         // Given
         UrlEcosystemMapper mapper = new UrlEcosystemMapper();
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIT.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIT.java
index 70a321a21c2..376ddd217b0 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIT.java
@@ -17,37 +17,38 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
-import java.sql.SQLException;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
+import org.owasp.dependencycheck.data.update.cpe.CpePlus;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-import org.junit.After;
-import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.junit.Before;
-import org.owasp.dependencycheck.data.update.cpe.CpePlus;
 import org.owasp.dependencycheck.dependency.VulnerableSoftwareBuilder;
 import us.springett.parsers.cpe.Cpe;
 import us.springett.parsers.cpe.CpeBuilder;
 import us.springett.parsers.cpe.values.LogicalValue;
 import us.springett.parsers.cpe.values.Part;
 
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class CveDBIT extends BaseDBTestCase {
+class CveDBIT extends BaseDBTestCase {
 
     private CveDB instance = null;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -55,7 +56,7 @@ public void setUp() throws Exception {
         instance.open();
     }
 
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         instance.close();
@@ -67,7 +68,7 @@ public void tearDown() throws Exception {
      * Test of getCPEs method, of class CveDB.
      */
     @Test
-    public void testGetCPEs() throws Exception {
+    void testGetCPEs() {
         String vendor = "apache";
         String product = "struts";
         Set<CpePlus> result = instance.getCPEs(vendor, product);
@@ -78,7 +79,7 @@ public void testGetCPEs() throws Exception {
      * Test of getVulnerability method, of class CveDB.
      */
     @Test
-    public void testgetVulnerability() throws Exception {
+    void testgetVulnerability() {
         Vulnerability result = instance.getVulnerability("CVE-2014-0094");
         assertTrue(result.getDescription().startsWith("The ParametersInterceptor in Apache Struts"));
     }
@@ -87,7 +88,7 @@ public void testgetVulnerability() throws Exception {
      * Test of getVulnerabilities method, of class CveDB.
      */
     @Test
-    public void testGetVulnerabilities() throws Exception {
+    void testGetVulnerabilities() throws Exception {
 
         CpeBuilder builder = new CpeBuilder();
         Cpe cpe = builder.part(Part.APPLICATION).vendor("apache").product("struts").version("2.1.2").build();
@@ -107,7 +108,7 @@ public void testGetVulnerabilities() throws Exception {
                 break;
             }
         }
-        assertTrue("Expected " + expected + ", but was not identified", found);
+        assertTrue(found, "Expected " + expected + ", but was not identified");
 
         found = false;
         expected = "CVE-2014-0096";
@@ -117,11 +118,11 @@ public void testGetVulnerabilities() throws Exception {
                 break;
             }
         }
-        assertTrue("Expected " + expected + ", but was not identified", found);
+        assertTrue(found, "Expected " + expected + ", but was not identified");
 
         cpe = builder.part(Part.APPLICATION).vendor("jenkins").product("mailer").version("1.13").build();
         results = instance.getVulnerabilities(cpe);
-        assertTrue(results.size() >= 1);
+        assertFalse(results.isEmpty());
 
         found = false;
         expected = "CVE-2017-2651";
@@ -131,11 +132,11 @@ public void testGetVulnerabilities() throws Exception {
                 break;
             }
         }
-        assertTrue("Expected " + expected + ", but was not identified", found);
+        assertTrue(found, "Expected " + expected + ", but was not identified");
 
         cpe = builder.part(Part.APPLICATION).vendor("fasterxml").product("jackson-databind").version("2.8.1").build();
         results = instance.getVulnerabilities(cpe);
-        assertTrue(results.size() >= 1);
+        assertFalse(results.isEmpty());
 
         found = false;
         expected = "CVE-2017-15095";
@@ -145,14 +146,14 @@ public void testGetVulnerabilities() throws Exception {
                 break;
             }
         }
-        assertTrue("Expected " + expected + ", but was not identified", found);
+        assertTrue(found, "Expected " + expected + ", but was not identified");
     }
 
     /**
      * Test of getMatchingSoftware method, of class CveDB.
      */
     @Test
-    public void testGetMatchingSoftware() throws Exception {
+    void testGetMatchingSoftware() throws Exception {
 
         VulnerableSoftwareBuilder vsBuilder = new VulnerableSoftwareBuilder();
         Set<VulnerableSoftware> software = new HashSet<>();
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java
index e9f6bb111ae..89fb93f371e 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySqlIT.java
@@ -17,31 +17,30 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
-import java.sql.SQLException;
-import java.util.List;
-import java.util.Set;
-import org.junit.After;
-
-import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.dependency.Vulnerability;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.junit.Before;
 import org.owasp.dependencycheck.data.update.cpe.CpePlus;
+import org.owasp.dependencycheck.dependency.Vulnerability;
 import us.springett.parsers.cpe.Cpe;
 import us.springett.parsers.cpe.CpeBuilder;
 import us.springett.parsers.cpe.values.Part;
 
+import java.util.List;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class CveDBMySqlIT extends BaseTest {
+class CveDBMySqlIT extends BaseTest {
 
     private CveDB instance = null;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -49,23 +48,23 @@ public void setUp() throws Exception {
         instance.open();
     }
 
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         instance.close();
         super.tearDown();
-    }   
+    }
 
     /**
      * Test of getCPEs method, of class CveDB.
      */
     @Test
-    public void testGetCPEs() throws Exception {
+    void testGetCPEs() {
         try {
             String vendor = "apache";
             String product = "struts";
             Set<CpePlus> result = instance.getCPEs(vendor, product);
-            assertTrue("Has data been loaded into the MySQL DB? if not consider using the CLI to populate it", result.size() > 5);
+            assertTrue(result.size() > 5, "Has data been loaded into the MySQL DB? if not consider using the CLI to populate it");
         } catch (Exception ex) {
             System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated");
             throw ex;
@@ -76,7 +75,7 @@ public void testGetCPEs() throws Exception {
      * Test of getVulnerabilities method, of class CveDB.
      */
     @Test
-    public void testGetVulnerabilities() throws Exception {
+    void testGetVulnerabilities() throws Exception {
         CpeBuilder builder = new CpeBuilder();
         Cpe cpe = builder.part(Part.APPLICATION).vendor("apache").product("struts").version("2.1.2").build();
         try {
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java
index f14c057f472..ceaf908d08c 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperatorTest.java
@@ -28,25 +28,26 @@
 import io.github.jeremylong.openvulnerability.client.nvd.Reference;
 import io.github.jeremylong.openvulnerability.client.nvd.VendorComment;
 import io.github.jeremylong.openvulnerability.client.nvd.Weakness;
+import org.junit.jupiter.api.Test;
+
 import java.time.LocalDate;
 import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.List;
-import org.junit.Test;
 
-import static org.junit.Assert.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author jeremy
  */
-public class CveItemOperatorTest {
+class CveItemOperatorTest {
 
     /**
      * Test of testCveCpeStartWithFilter method, of class CveItemOperator.
      */
     @Test
-    public void testTestCveCpeStartWithFilter() {
+    void testTestCveCpeStartWithFilter() {
 
         ZonedDateTime published = ZonedDateTime.now();
         ZonedDateTime lastModified = ZonedDateTime.now();
@@ -73,7 +74,7 @@ public void testTestCveCpeStartWithFilter() {
         nodes.add(first);
         nodes.add(second);
         nodes.add(third);
-        
+
         Config c = new Config(Config.Operator.AND, null, nodes);
         configurations.add(c);
         List<VendorComment> vendorComments = null;
@@ -91,7 +92,7 @@ public void testTestCveCpeStartWithFilter() {
     }
 
     @Test
-    public void testTestCveCpeStartWithFilterForConfigurationWithoutCpeMatches() {
+    void testTestCveCpeStartWithFilterForConfigurationWithoutCpeMatches() {
         ZonedDateTime published = ZonedDateTime.now();
         ZonedDateTime lastModified = ZonedDateTime.now();
         LocalDate cisaExploitAdd = null;
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabaseManagerTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabaseManagerTest.java
index 717375b48ac..42252b93ec7 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabaseManagerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabaseManagerTest.java
@@ -15,18 +15,19 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseDBTestCase;
+
 import java.sql.Connection;
 import java.sql.SQLException;
 
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.BaseDBTestCase;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 
 /**
  *
  * @author jeremy long
  */
-public class DatabaseManagerTest extends BaseDBTestCase {
+class DatabaseManagerTest extends BaseDBTestCase {
 
     /**
      * Test of initialize method, of class DatabaseManager.
@@ -34,7 +35,7 @@ public class DatabaseManagerTest extends BaseDBTestCase {
      * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException
      */
     @Test
-    public void testInitialize() throws DatabaseException, SQLException {
+    void testInitialize() throws DatabaseException, SQLException {
         DatabaseManager factory = new DatabaseManager(getSettings());
         factory.open();
         try (Connection result = factory.getConnection()) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIT.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIT.java
index 324c090a342..3e2688e943d 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIT.java
@@ -17,24 +17,27 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
+
 import java.util.Properties;
-import org.junit.After;
-import static org.junit.Assert.assertEquals;
-import org.junit.Test;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import org.junit.Before;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DatabasePropertiesIT extends BaseDBTestCase {
+class DatabasePropertiesIT extends BaseDBTestCase {
 
     private CveDB cveDb = null;
 
-    @Before
+    @BeforeEach
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -42,7 +45,7 @@ public void setUp() throws Exception {
         cveDb.open();
     }
 
-    @After
+    @AfterEach
     @Override
     public void tearDown() throws Exception {
         cveDb.close();
@@ -53,7 +56,7 @@ public void tearDown() throws Exception {
      * Test of isEmpty method, of class DatabaseProperties.
      */
     @Test
-    public void testIsEmpty() throws Exception {
+    void testIsEmpty() {
         DatabaseProperties prop = cveDb.getDatabaseProperties();
         assertNotNull(prop);
         //no exception means the call worked... whether or not it is empty depends on if the db is new
@@ -64,7 +67,7 @@ public void testIsEmpty() throws Exception {
      * Test of save method, of class DatabaseProperties.
      */
     @Test
-    public void testSave() throws Exception {
+    void testSave() {
         String key = "test";
         String value = "something";
         String expected = "something";
@@ -74,12 +77,12 @@ public void testSave() throws Exception {
         String results = instance.getProperty(key);
         assertEquals(expected, results);
     }
-    
+
     /**
      * Test of getProperty method, of class DatabaseProperties.
      */
     @Test
-    public void testGetProperty_String_String() throws Exception {
+    void testGetProperty_String_String() {
         String key = "doesn't exist";
         String defaultValue = "default";
         DatabaseProperties instance = cveDb.getDatabaseProperties();
@@ -92,13 +95,13 @@ public void testGetProperty_String_String() throws Exception {
      * Test of getProperty method, of class DatabaseProperties.
      */
     @Test
-    public void testGetProperty_String() throws DatabaseException {
+    void testGetProperty_String() throws DatabaseException {
         String key = "version";
         DatabaseProperties instance = cveDb.getDatabaseProperties();
         String result = instance.getProperty(key);
-        
+
         int major = Integer.parseInt(result.substring(0, result.indexOf('.')));
-       
+
         assertTrue(major >= 5);
     }
 
@@ -106,10 +109,10 @@ public void testGetProperty_String() throws DatabaseException {
      * Test of getProperties method, of class DatabaseProperties.
      */
     @Test
-    public void testGetProperties() throws DatabaseException {
+    void testGetProperties() throws DatabaseException {
         DatabaseProperties instance = cveDb.getDatabaseProperties();
         Properties result = instance.getProperties();
-        assertTrue(result.size() > 0);
+        assertFalse(result.isEmpty());
         cveDb.close();
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
index 22979181df6..ee77e88bc75 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
@@ -17,23 +17,24 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import java.io.File;
 import java.sql.Driver;
 import java.sql.DriverManager;
 import java.sql.SQLException;
 
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DriverLoaderTest extends BaseTest {
+class DriverLoaderTest extends BaseTest {
 
     /**
      * Test of load method, of class DriverLoader.
@@ -42,7 +43,7 @@ public class DriverLoaderTest extends BaseTest {
      * the driver
      */
     @Test
-    public void testLoad_String() throws SQLException {
+    void testLoad_String() throws SQLException {
         String className = "org.h2.Driver";
         Driver d = null;
         try {
@@ -60,23 +61,24 @@ public void testLoad_String() throws SQLException {
      * Test of load method, of class DriverLoader; expecting an exception due to
      * a bad driver class name.
      */
-    @Test(expected = DriverLoadException.class)
-    public void testLoad_String_ex() throws Exception {
+    @Test
+    void testLoad_String_ex() {
         final String className = "bad.Driver";
-        DriverLoader.load(className);
+        assertThrows(DriverLoadException.class, () ->
+            DriverLoader.load(className));
     }
 
     /**
      * Test of load method, of class DriverLoader.
      */
     @Test
-    public void testLoad_String_String() throws Exception {
+    void testLoad_String_String() throws Exception {
         String className = "com.mysql.jdbc.Driver";
         //we know this is in target/test-classes
         //File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
         File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
         File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
-        assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
+        assertTrue(driver.isFile(), "MySQL Driver JAR file not found in src/test/resources?");
 
         Driver d = null;
         try {
@@ -94,7 +96,7 @@ public void testLoad_String_String() throws Exception {
      * Test of load method, of class DriverLoader.
      */
     @Test
-    public void testLoad_String_String_multiple_paths()  {
+    void testLoad_String_String_multiple_paths() {
         final String className = "com.mysql.jdbc.Driver";
         //we know this is in target/test-classes
         //final File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
@@ -122,28 +124,25 @@ public void testLoad_String_String_multiple_paths()  {
     /**
      * Test of load method, of class DriverLoader with an incorrect class name.
      */
-    @Test(expected = DriverLoadException.class)
-    public void testLoad_String_String_badClassName() throws Exception {
+    @Test
+    void testLoad_String_String_badClassName() {
         String className = "com.mybad.jdbc.Driver";
-        //we know this is in target/test-classes
-        //File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
         File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
         File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
-        assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
-
-        DriverLoader.load(className, driver.getAbsolutePath());
+        assertTrue(driver.isFile(), "MySQL Driver JAR file not found in src/test/resources?");
+        assertThrows(DriverLoadException.class, () ->
+            DriverLoader.load(className, driver.getAbsolutePath()));
     }
 
     /**
      * Test of load method, of class DriverLoader with an incorrect class path.
      */
-    @Test(expected = DriverLoadException.class)
-    public void testLoad_String_String_badPath() throws Exception {
+    @Test
+    void testLoad_String_String_badPath() {
         String className = "com.mysql.jdbc.Driver";
-        //we know this is in target/test-classes
-        //File testClassPath = (new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath())).getParentFile();
         File testClassPath = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar").getParentFile();
         File driver = new File(testClassPath, "../../src/test/bad/mysql-connector-java-5.1.27-bin.jar");
-        DriverLoader.load(className, driver.getAbsolutePath());
+        assertThrows(DriverLoadException.class, () ->
+            DriverLoader.load(className, driver.getAbsolutePath()));
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java b/core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java
index 10be1c564cf..50eb04f49ff 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java
@@ -15,32 +15,32 @@
  */
 package org.owasp.dependencycheck.data.update;
 
-import java.time.LocalDate;
-import java.time.ZoneId;
-import java.time.format.DateTimeFormatter;
-import java.time.temporal.TemporalAccessor;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.doAnswer;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.Spy;
-import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 
+import java.time.LocalDate;
+import java.time.ZoneId;
+import java.time.format.DateTimeFormatter;
+import java.time.temporal.TemporalAccessor;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.doAnswer;
+
 /**
  * @author Jeremy Long
  */
-@RunWith(MockitoJUnitRunner.class)
-public class EngineVersionCheckTest extends BaseTest {
+@ExtendWith(MockitoExtension.class)
+class EngineVersionCheckTest extends BaseTest {
 
     @Mock
     private CveDB cveDb;
@@ -53,7 +53,7 @@ public class EngineVersionCheckTest extends BaseTest {
      * Test of shouldUpdate method, of class EngineVersionCheck.
      */
     @Test
-    public void testShouldUpdate() throws Exception {
+    void testShouldUpdate() throws Exception {
 
         doAnswer(invocation -> null).when(dbProperties).save(anyString(), anyString());
 
@@ -128,7 +128,7 @@ public void testShouldUpdate() throws Exception {
      * Test of getCurrentReleaseVersion method, of class EngineVersionCheck.
      */
     @Test
-    public void testGetCurrentReleaseVersion() {
+    void testGetCurrentReleaseVersion() {
         EngineVersionCheck instance = new EngineVersionCheck(getSettings());
         DependencyVersion minExpResult = new DependencyVersion("1.2.6");
         String release = instance.getCurrentReleaseVersion();
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/update/NvdApiDataSourceTest.java b/core/src/test/java/org/owasp/dependencycheck/data/update/NvdApiDataSourceTest.java
index 73efe5bb01e..ae73fac49df 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/update/NvdApiDataSourceTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/update/NvdApiDataSourceTest.java
@@ -17,28 +17,22 @@
  */
 package org.owasp.dependencycheck.data.update;
 
-import java.time.ZonedDateTime;
-import java.util.Map;
-import java.util.Properties;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.Engine;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
 
 /**
  *
  * @author Jeremy Long
  */
-public class NvdApiDataSourceTest {
+class NvdApiDataSourceTest {
 
     /**
      * Test of extractUrlData method, of class NvdApiDataSource.
      */
     @Test
-    public void testExtractUrlData() {
+    void testExtractUrlData() {
         String nvdDataFeedUrl = "https://internal.server/nist/nvdcve-{0}.json.gz";
         NvdApiDataSource instance = new NvdApiDataSource();
         String expectedUrl = "https://internal.server/nist/";
@@ -51,7 +45,7 @@ public void testExtractUrlData() {
 
         assertEquals(expectedUrl, result.getUrl());
         assertNull(result.getPattern());
-        
+
         nvdDataFeedUrl = "https://internal.server/nist";
         expectedUrl = "https://internal.server/nist/";
         result = instance.extractUrlData(nvdDataFeedUrl);
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/update/cisa/KnownExploitedVulnerabilityParserTest.java b/core/src/test/java/org/owasp/dependencycheck/data/update/cisa/KnownExploitedVulnerabilityParserTest.java
index e69658be19e..41ea0fda7f8 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/update/cisa/KnownExploitedVulnerabilityParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/update/cisa/KnownExploitedVulnerabilityParserTest.java
@@ -17,24 +17,26 @@
  */
 package org.owasp.dependencycheck.data.update.cisa;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema;
+
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStream;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author jeremy
  */
-public class KnownExploitedVulnerabilityParserTest {
+class KnownExploitedVulnerabilityParserTest {
 
     /**
      * Test of parse method, of class KnownExploitedVulnerabilityParser.
      */
     @Test
-    public void testParse() throws Exception {
+    void testParse() throws Exception {
         File file = new File("./src/test/resources/update/cisa/known_exploited_vulnerabilities.json");
         try (InputStream in = new FileInputStream(file)) {
             KnownExploitedVulnerabilityParser instance = new KnownExploitedVulnerabilityParser();
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/update/cpe/CpeEcosystemCacheTest.java b/core/src/test/java/org/owasp/dependencycheck/data/update/cpe/CpeEcosystemCacheTest.java
index 9285c216e24..982f4388792 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/update/cpe/CpeEcosystemCacheTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/update/cpe/CpeEcosystemCacheTest.java
@@ -17,27 +17,28 @@
  */
 package org.owasp.dependencycheck.data.update.cpe;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.utils.Pair;
+
 import java.util.HashMap;
 import java.util.Map;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.utils.Pair;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class CpeEcosystemCacheTest {
+class CpeEcosystemCacheTest {
 
     /**
      * Test of getEcosystem method, of class CpeEcosystemCache.
      */
     @Test
-    public void testGetEcosystem() {
+    void testGetEcosystem() {
         Pair<String, String> key = new Pair<>("apache", "zookeeper");
         Map<Pair<String, String>, String> map = new HashMap<>();
         map.put(key, "java");
@@ -46,28 +47,28 @@ public void testGetEcosystem() {
         String expected = "java";
         String result = CpeEcosystemCache.getEcosystem("apache", "zookeeper", null);
         assertEquals(expected, result);
-        
+
         //changes to MULTIPLE = which is returned as null
         result = CpeEcosystemCache.getEcosystem("apache", "zookeeper", "c++");
         assertNull(result);
-        
+
         result = CpeEcosystemCache.getEcosystem("pivotal", "spring-framework", null);
         assertNull(result);
-        
+
         expected = "java";
         result = CpeEcosystemCache.getEcosystem("pivotal", "spring-framework", "java");
         assertEquals(expected, result);
-        
+
         expected = "java";
         result = CpeEcosystemCache.getEcosystem("pivotal", "spring-framework", "java");
         assertEquals(expected, result);
-        
+
         result = CpeEcosystemCache.getEcosystem("microsoft", "word", null );
         assertNull(result);
-        
+
         result = CpeEcosystemCache.getEcosystem("microsoft", "word", null );
         assertNull(result);
-        
+
         result = CpeEcosystemCache.getEcosystem("microsoft", "word", "" );
         assertNull(result);
     }
@@ -76,7 +77,7 @@ public void testGetEcosystem() {
      * Test of setCache method, of class CpeEcosystemCache.
      */
     @Test
-    public void testSetCache() {
+    void testSetCache() {
         Map<Pair<String, String>, String> map = new HashMap<>();
         CpeEcosystemCache.setCache(map);
         assertTrue(CpeEcosystemCache.isEmpty());
@@ -93,7 +94,7 @@ public void testSetCache() {
      * Test of getChanged method, of class CpeEcosystemCache.
      */
     @Test
-    public void testGetChanged() {
+    void testGetChanged() {
         Pair<String, String> key = new Pair<>("apache", "zookeeper");
         Map<Pair<String, String>, String> map = new HashMap<>();
         map.put(key, "java");
@@ -120,7 +121,7 @@ public void testGetChanged() {
      * Test of isEmpty method, of class CpeEcosystemCache.
      */
     @Test
-    public void testIsEmpty() {
+    void testIsEmpty() {
         Map<Pair<String, String>, String> map = new HashMap<>();
         CpeEcosystemCache.setCache(map);
         boolean expResult = true;
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/update/nvd/api/NvdApiProcessorTest.java b/core/src/test/java/org/owasp/dependencycheck/data/update/nvd/api/NvdApiProcessorTest.java
index 60e474ad683..23f13135981 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/update/nvd/api/NvdApiProcessorTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/update/nvd/api/NvdApiProcessorTest.java
@@ -16,26 +16,25 @@
 package org.owasp.dependencycheck.data.update.nvd.api;
 
 import com.fasterxml.jackson.core.JsonParseException;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
-import org.owasp.dependencycheck.utils.Settings;
 
 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.nio.file.NoSuchFileException;
 
-import static org.junit.Assert.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 /**
  *
  * @author Jeremy Long
  */
-public class NvdApiProcessorTest extends BaseTest {
+class NvdApiProcessorTest extends BaseTest {
 
     @Test
-    public void doesNotExistFile() throws Exception {
+    void doesNotExistFile() {
         try (CveDB cve = new CveDB(getSettings())) {
             File file = new File("does_not_exist");
             NvdApiProcessor processor = new NvdApiProcessor(null, file);
@@ -44,7 +43,7 @@ public void doesNotExistFile() throws Exception {
     }
 
     @Test
-    public void unspecifiedFileName() throws Exception {
+    void unspecifiedFileName() throws Exception {
         try (CveDB cve = new CveDB(getSettings())) {
             File file = File.createTempFile("test", "test");
             writeFileString(file, "");
@@ -54,7 +53,7 @@ public void unspecifiedFileName() throws Exception {
     }
 
     @Test
-    public void invalidFileContent() throws Exception {
+    void invalidFileContent() throws Exception {
         try (CveDB cve = new CveDB(getSettings())) {
             File file = File.createTempFile("test", "test.json");
             // invalid content (broken array)
@@ -65,7 +64,7 @@ public void invalidFileContent() throws Exception {
     }
 
     @Test
-    public void processValidStructure() throws Exception {
+    void processValidStructure() throws Exception {
         try (CveDB cve = new CveDB(getSettings())) {
             File file = File.createTempFile("test", "test.json");
             writeFileString(file, "[]");
diff --git a/core/src/test/java/org/owasp/dependencycheck/dependency/CweSetTest.java b/core/src/test/java/org/owasp/dependencycheck/dependency/CweSetTest.java
index 81bb9fee6b4..943190af0c0 100644
--- a/core/src/test/java/org/owasp/dependencycheck/dependency/CweSetTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/dependency/CweSetTest.java
@@ -17,24 +17,28 @@
  */
 package org.owasp.dependencycheck.dependency;
 
+import org.junit.jupiter.api.Test;
+
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
-import org.junit.Test;
-import static org.junit.Assert.*;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author jeremy
  */
-public class CweSetTest {
+class CweSetTest {
 
     /**
      * Test of getEntries method, of class CweSet.
      */
     @Test
-    public void testGetEntries() {
+    void testGetEntries() {
         CweSet instance = new CweSet();
         Set<String> result = instance.getEntries();
         assertTrue(result.isEmpty());
@@ -44,7 +48,7 @@ public void testGetEntries() {
      * Test of addCwe method, of class CweSet.
      */
     @Test
-    public void testAddCwe() {
+    void testAddCwe() {
         System.out.println("addCwe");
         String cwe = "CWE-89";
         CweSet instance = new CweSet();
@@ -56,7 +60,7 @@ public void testAddCwe() {
      * Test of toString method, of class CweSet.
      */
     @Test
-    public void testToString() {
+    void testToString() {
         CweSet instance = new CweSet();
         instance.addCwe("CWE-79");
         String expResult = "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')";
@@ -68,7 +72,7 @@ public void testToString() {
      * Test of stream method, of class CweSet.
      */
     @Test
-    public void testStream() {
+    void testStream() {
         CweSet instance = new CweSet();
         instance.addCwe("79");
         String expResult = "79";
@@ -80,7 +84,7 @@ public void testStream() {
      * Test of getFullCwes method, of class CweSet.
      */
     @Test
-    public void testGetFullCwes() {
+    void testGetFullCwes() {
         CweSet instance = new CweSet();
         instance.addCwe("CWE-89");
         instance.addCwe("CWE-79");
@@ -89,8 +93,8 @@ public void testGetFullCwes() {
         expResult.put("CWE-89", "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')");
         Map<String, String> result = instance.getFullCwes();
         for (Map.Entry<String,String> entry : expResult.entrySet()) {
-            assertTrue(result.get(entry.getKey()).equals(entry.getValue()));
+            assertEquals(result.get(entry.getKey()), entry.getValue());
         }
     }
-    
+
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java b/core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
index 612b408e718..fdb21b378b8 100644
--- a/core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
@@ -17,35 +17,35 @@
  */
 package org.owasp.dependencycheck.dependency;
 
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
-
-import java.io.File;
-import java.util.HashSet;
-import java.util.Set;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.assertTrue;
 import org.owasp.dependencycheck.dependency.naming.CpeIdentifier;
 import org.owasp.dependencycheck.dependency.naming.Identifier;
 import us.springett.parsers.cpe.Cpe;
 import us.springett.parsers.cpe.CpeBuilder;
 import us.springett.parsers.cpe.values.Part;
 
+import java.io.File;
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  * @author Jeremy Long
  */
-public class DependencyTest extends BaseTest {
+class DependencyTest extends BaseTest {
 
     /**
      * Test of getFileName method, of class Dependency.
      */
     @Test
-    public void testGetFileName() {
+    void testGetFileName() {
         Dependency instance = new Dependency();
         String expResult = "filename";
         instance.setFileName(expResult);
@@ -57,7 +57,7 @@ public void testGetFileName() {
      * Test of setFileName method, of class Dependency.
      */
     @Test
-    public void testSetFileName() {
+    void testSetFileName() {
         String fileName = "file.tar";
         Dependency instance = new Dependency();
         instance.setFileName(fileName);
@@ -68,7 +68,7 @@ public void testSetFileName() {
      * Test of setActualFilePath method, of class Dependency.
      */
     @Test
-    public void testSetActualFilePath() {
+    void testSetActualFilePath() {
         String expectedPath = "file.tar";
         String actualPath = "file.tar";
         Dependency instance = new Dependency();
@@ -81,7 +81,7 @@ public void testSetActualFilePath() {
      * Test of getActualFilePath method, of class Dependency.
      */
     @Test
-    public void testGetActualFilePath() {
+    void testGetActualFilePath() {
         Dependency instance = new Dependency();
         String expResult = "file.tar";
         instance.setSha1sum("non-null value");
@@ -94,7 +94,7 @@ public void testGetActualFilePath() {
      * Test of setFilePath method, of class Dependency.
      */
     @Test
-    public void testSetFilePath() {
+    void testSetFilePath() {
         String filePath = "file.tar";
         Dependency instance = new Dependency();
         instance.setFilePath(filePath);
@@ -105,7 +105,7 @@ public void testSetFilePath() {
      * Test of getFilePath method, of class Dependency.
      */
     @Test
-    public void testGetFilePath() {
+    void testGetFilePath() {
         Dependency instance = new Dependency();
         String expResult = "file.tar";
         instance.setFilePath(expResult);
@@ -117,7 +117,7 @@ public void testGetFilePath() {
      * Test of getMd5sum method, of class Dependency.
      */
     @Test
-    public void testGetMd5sum() {
+    void testGetMd5sum() {
         //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
 
@@ -133,7 +133,7 @@ public void testGetMd5sum() {
      * Test of setMd5sum method, of class Dependency.
      */
     @Test
-    public void testSetMd5sum() {
+    void testSetMd5sum() {
         String md5sum = "test";
         Dependency instance = new Dependency();
         instance.setMd5sum(md5sum);
@@ -144,7 +144,7 @@ public void testSetMd5sum() {
      * Test of getSha1sum method, of class Dependency.
      */
     @Test
-    public void testGetSha1sum() {
+    void testGetSha1sum() {
         //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
         Dependency instance = new Dependency(file);
@@ -158,7 +158,7 @@ public void testGetSha1sum() {
      * Test of getSha256sum method, of class Dependency.
      */
     @Test
-    public void testGetSha256sum() {
+    void testGetSha256sum() {
         File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
         Dependency instance = new Dependency(file);
         String expResult = "5c1847a10800027254fcd0073385cceb46b1dacee061f3cd465e314bec592e81";
@@ -170,7 +170,7 @@ public void testGetSha256sum() {
      * Test of setSha1sum method, of class Dependency.
      */
     @Test
-    public void testSetSha1sum() {
+    void testSetSha1sum() {
         String sha1sum = "test";
         Dependency instance = new Dependency();
         instance.setSha1sum(sha1sum);
@@ -181,7 +181,7 @@ public void testSetSha1sum() {
      * Test of setSha256sum method, of class Dependency.
      */
     @Test
-    public void testSetSha256sum() {
+    void testSetSha256sum() {
         String sha256sum = "test";
         Dependency instance = new Dependency();
         instance.setSha256sum(sha256sum);
@@ -192,7 +192,7 @@ public void testSetSha256sum() {
      * Test of getSoftwareIdentifiers method, of class Dependency.
      */
     @Test
-    public void testGetSoftwareIdentifiers() {
+    void testGetSoftwareIdentifiers() {
         Dependency instance = new Dependency();
         Set<Identifier> result = instance.getSoftwareIdentifiers();
 
@@ -203,7 +203,7 @@ public void testGetSoftwareIdentifiers() {
      * Test of addSoftwareIdentifiers method, of class Dependency.
      */
     @Test
-    public void testAddSoftwareIdentifiers() {
+    void testAddSoftwareIdentifiers() {
         Set<Identifier> identifiers = new HashSet<>();
         Dependency instance = new Dependency();
         instance.addSoftwareIdentifiers(identifiers);
@@ -214,7 +214,7 @@ public void testAddSoftwareIdentifiers() {
      * Test of addVulnerableSoftwareIdentifier method, of class Dependency.
      */
     @Test
-    public void testAddVulnerableSoftwareIdentifier() throws Exception {
+    void testAddVulnerableSoftwareIdentifier() throws Exception {
         CpeBuilder builder = new CpeBuilder();
         Cpe cpe = builder.part(Part.APPLICATION).vendor("apache").product("struts").version("2.1.2").build();
         CpeIdentifier id = new CpeIdentifier(cpe, Confidence.HIGHEST);
@@ -225,14 +225,14 @@ public void testAddVulnerableSoftwareIdentifier() throws Exception {
         Dependency instance = new Dependency();
         instance.addVulnerableSoftwareIdentifier(id);
         assertEquals(1, instance.getVulnerableSoftwareIdentifiers().size());
-        assertTrue("Identifier doesn't contain expected result.", instance.getVulnerableSoftwareIdentifiers().contains(expResult));
+        assertTrue(instance.getVulnerableSoftwareIdentifiers().contains(expResult), "Identifier doesn't contain expected result.");
     }
 
     /**
      * Test of getEvidence method, of class Dependency.
      */
     @Test
-    public void testGetEvidence() {
+    void testGetEvidence() {
         Dependency instance = new Dependency();
         Set<Evidence> result = instance.getEvidence(EvidenceType.VENDOR);
         assertNotNull(result);
@@ -246,7 +246,7 @@ public void testGetEvidence() {
      * Test of addAsEvidence method, of class Dependency.
      */
     @Test
-    public void testAddAsEvidence() {
+    void testAddAsEvidence() {
         Dependency instance = new Dependency();
         MavenArtifact mavenArtifact = new MavenArtifact("group", "artifact", "version", "url");
         instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
@@ -259,12 +259,12 @@ public void testAddAsEvidence() {
      * Test of addAsEvidence method, of class Dependency.
      */
     @Test
-    public void testAddAsEvidenceWithEmptyArtifact() {
+    void testAddAsEvidenceWithEmptyArtifact() {
         Dependency instance = new Dependency();
         MavenArtifact mavenArtifact = new MavenArtifact(null, null, null, null);
         instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
         assertFalse(instance.getEvidence(EvidenceType.VENDOR).stream().anyMatch(e -> e.getConfidence() == Confidence.HIGH));
-        assertTrue(instance.size() == 0);
+        assertEquals(0, instance.size());
         assertTrue(instance.getSoftwareIdentifiers().isEmpty());
     }
 
@@ -272,12 +272,12 @@ public void testAddAsEvidenceWithEmptyArtifact() {
      * Test of addAsEvidence method, of class Dependency.
      */
     @Test
-    public void testAddAsEvidenceWithExisting() {
+    void testAddAsEvidenceWithExisting() {
         Dependency instance = new Dependency();
         MavenArtifact mavenArtifact = new MavenArtifact("group", "artifact", "version", null);
         instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
         assertTrue(instance.getEvidence(EvidenceType.VENDOR).stream().anyMatch(e -> e.getConfidence() == Confidence.HIGH));
-        assertTrue(instance.size() == 4);
+        assertEquals(4, instance.size());
         assertFalse(instance.getSoftwareIdentifiers().isEmpty());
 
         instance.getSoftwareIdentifiers().forEach((i) -> assertNull(i.getUrl()));
@@ -285,7 +285,7 @@ public void testAddAsEvidenceWithExisting() {
         mavenArtifact = new MavenArtifact("group", "artifact", "version", "url");
         instance.addAsEvidence("pom", mavenArtifact, Confidence.HIGH);
         assertTrue(instance.getEvidence(EvidenceType.VENDOR).stream().anyMatch(e -> e.getConfidence() == Confidence.HIGH));
-        assertTrue(instance.size() == 4);
+        assertEquals(4, instance.size());
         assertFalse(instance.getSoftwareIdentifiers().isEmpty());
 
         instance.getSoftwareIdentifiers().forEach((i) -> assertNotNull(i.getUrl()));
diff --git a/core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java b/core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java
index c3526918d16..dffa447fd9c 100644
--- a/core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/dependency/EvidenceTest.java
@@ -17,25 +17,27 @@
  */
 package org.owasp.dependencycheck.dependency;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
-import org.junit.Test;
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import org.owasp.dependencycheck.BaseTest;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class EvidenceTest extends BaseTest {
+class EvidenceTest extends BaseTest {
 
     /**
      * Test of equals method, of class Evidence.
      */
     @Test
-    public void testEquals() {
+    void testEquals() {
         Evidence that0 = new Evidence("file", "name", "guice-3.0", Confidence.HIGHEST);
         Evidence that1 = new Evidence("jar", "package name", "dependency", Confidence.HIGHEST);
         Evidence that2 = new Evidence("jar", "package name", "google", Confidence.HIGHEST);
@@ -47,19 +49,19 @@ public void testEquals() {
         Evidence that8 = new Evidence("Manifest", "Implementation-Title", "Spring Framework", Confidence.HIGH);
 
         Evidence instance = new Evidence("Manifest", "Implementation-Title", "Spring Framework", Confidence.HIGH);
-        assertFalse(instance.equals(that0));
-        assertFalse(instance.equals(that1));
-        assertFalse(instance.equals(that2));
-        assertFalse(instance.equals(that3));
-        assertFalse(instance.equals(that4));
-        assertFalse(instance.equals(that5));
-        assertFalse(instance.equals(that6));
-        assertFalse(instance.equals(that7));
-        assertTrue(instance.equals(that8));
+        assertNotEquals(instance, that0);
+        assertNotEquals(instance, that1);
+        assertNotEquals(instance, that2);
+        assertNotEquals(instance, that3);
+        assertNotEquals(instance, that4);
+        assertNotEquals(instance, that5);
+        assertNotEquals(instance, that6);
+        assertNotEquals(instance, that7);
+        assertEquals(instance, that8);
     }
 
     @Test
-    public void testHashcodeContract() throws Exception {
+    void testHashcodeContract() {
         final Evidence titleCase = new Evidence("Manifest", "Implementation-Title", "Spring Framework", Confidence.HIGH);
         final Evidence lowerCase = new Evidence("manifest", "implementation-title", "spring framework", Confidence.HIGH);
         assertThat(titleCase, is(equalTo(lowerCase)));
@@ -70,7 +72,7 @@ public void testHashcodeContract() throws Exception {
      * Test of compareTo method, of class Evidence.
      */
     @Test
-    public void testCompareTo() {
+    void testCompareTo() {
         Evidence that0 = new Evidence("file", "name", "guice-3.0", Confidence.HIGHEST);
         Evidence that1 = new Evidence("jar", "package name", "dependency", Confidence.HIGHEST);
         Evidence that2 = new Evidence("jar", "package name", "google", Confidence.HIGHEST);
@@ -110,7 +112,7 @@ public void testCompareTo() {
         assertTrue(result > 0);
 
         result = instance.compareTo(that8);
-        assertTrue(result == 0);
+        assertEquals(0, result);
 
         result = instance.compareTo(that9);
         assertTrue(result < 0);
diff --git a/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerabilityTest.java b/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerabilityTest.java
index 0408717eac1..fb732db15a4 100644
--- a/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerabilityTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerabilityTest.java
@@ -22,11 +22,7 @@
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3Data;
-import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import us.springett.parsers.cpe.exceptions.CpeValidationException;
 
@@ -35,17 +31,21 @@
 import java.util.List;
 import java.util.TreeSet;
 
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  * @author Jens Hausherr, Hans Aikema
  */
-public class VulnerabilityTest extends BaseTest {
+class VulnerabilityTest extends BaseTest {
 
     /**
      * Test of addVulnerableSoftware method, of class VulnerableSoftware.
      * @throws CpeValidationException
      */
     @Test
-    public void testDuplicateVersions() throws CpeValidationException {
+    void testDuplicateVersions() throws CpeValidationException {
         Vulnerability obj = new Vulnerability();
         VulnerableSoftwareBuilder builder = new VulnerableSoftwareBuilder();
         obj.addVulnerableSoftware(builder.vendor("owasp").product("dependency-check").version("3.0.0").build());
@@ -59,7 +59,7 @@ public void testDuplicateVersions() throws CpeValidationException {
      * Test of compareTo
      */
     @Test
-    public void compareTo_proper_sorting() {
+    void compareTo_proper_sorting() {
         // vulnerabilities take a name in reverse alphabetical order of expected sorting sequence
         // this way we ensure that the validated sorting was indeed due to the decreasing order of
         // severity and not by coincidence due to equal severity + alphabetical order on name.
@@ -112,28 +112,28 @@ public void compareTo_proper_sorting() {
         unscoredMedium.setUnscoredSeverity("meDiUm");
 
 
-        assertTrue("V2 HIGH 9.9 to V2 HIGH 9.0, 9.9 should be most severe", cvssV2Only99.compareTo(cvssV2Only90) < 0);
-        assertTrue("V2 HIGH 9.9 to V3 CRIT 9.0 should make V3 9.0 should be most severe to retain the CRITICAL rating",
-                   cvssV3Only90.compareTo(cvssV2Only99) < 0);
-        assertTrue("V3 CRIT 9.9 to V3 CRIT 9.0, 9.9 should be most severe", cvssV3OnlyCritHigh.compareTo(cvssV3Only90) < 0);
-        assertTrue("V3 CRIT 9.0 to V3 HIGH 8.0 V2 HIGH 9.9, V3 9.0 should be most severe",
-                   cvssV3Only90.compareTo(cvssV3_80v2_99) < 0);
-        assertTrue("CVSS v3 CRITICAL should be smaller (more severe) than unscored critical",
-                   cvssV3Only90.compareTo(unscoredCritical) < 0);
-        assertTrue("unscored critical should be smaller (more severe) than CVSS v2 HIGH 10.0 should be larger (less severe)",
-                   unscoredCritical.compareTo(cvssV2Only10_0) < 0);
-        assertTrue("CVSS v3 CRITICAL should be smaller (more severe) than unscored assumed critical",
-                   cvssV3Only90.compareTo(unscoredAssumedCritical) < 0);
-        assertTrue("Unscored CRITICAL should be smaller (more severe) than unscored assumed critical",
-                   unscoredCritical.compareTo(unscoredAssumedCritical) < 0);
-        assertTrue("unscored assumed critical should be smaller (more severe) than CVSS v2 HIGH 10.0",
-                   unscoredAssumedCritical.compareTo(cvssV2Only10_0) < 0);
-        assertTrue("unscored assumed critical should be smaller (more severe) CVSS v2 9.9 v3 8.0 (HIGH)",
-                   unscoredAssumedCritical.compareTo(cvssV3_80v2_99) < 0);
-        assertTrue("CVSS v3 score should be considered over V2 score; alphabetical sort determines final sequence",
-                   cvssV3_89v2_90.compareTo(cvssV3_89v2_99) < 0);
-        assertTrue("CVSS v3 medium top-range score should be smaller (more severe) than unscored medium",
-                   v3Medium69.compareTo(unscoredMedium) < 0);
+        assertTrue(cvssV2Only99.compareTo(cvssV2Only90) < 0, "V2 HIGH 9.9 to V2 HIGH 9.0, 9.9 should be most severe");
+        assertTrue(cvssV3Only90.compareTo(cvssV2Only99) < 0,
+                   "V2 HIGH 9.9 to V3 CRIT 9.0 should make V3 9.0 should be most severe to retain the CRITICAL rating");
+        assertTrue(cvssV3OnlyCritHigh.compareTo(cvssV3Only90) < 0, "V3 CRIT 9.9 to V3 CRIT 9.0, 9.9 should be most severe");
+        assertTrue(cvssV3Only90.compareTo(cvssV3_80v2_99) < 0,
+                   "V3 CRIT 9.0 to V3 HIGH 8.0 V2 HIGH 9.9, V3 9.0 should be most severe");
+        assertTrue(cvssV3Only90.compareTo(unscoredCritical) < 0,
+                   "CVSS v3 CRITICAL should be smaller (more severe) than unscored critical");
+        assertTrue(unscoredCritical.compareTo(cvssV2Only10_0) < 0,
+                   "unscored critical should be smaller (more severe) than CVSS v2 HIGH 10.0 should be larger (less severe)");
+        assertTrue(cvssV3Only90.compareTo(unscoredAssumedCritical) < 0,
+                   "CVSS v3 CRITICAL should be smaller (more severe) than unscored assumed critical");
+        assertTrue(unscoredCritical.compareTo(unscoredAssumedCritical) < 0,
+                   "Unscored CRITICAL should be smaller (more severe) than unscored assumed critical");
+        assertTrue(unscoredAssumedCritical.compareTo(cvssV2Only10_0) < 0,
+                   "unscored assumed critical should be smaller (more severe) than CVSS v2 HIGH 10.0");
+        assertTrue(unscoredAssumedCritical.compareTo(cvssV3_80v2_99) < 0,
+                   "unscored assumed critical should be smaller (more severe) CVSS v2 9.9 v3 8.0 (HIGH)");
+        assertTrue(cvssV3_89v2_90.compareTo(cvssV3_89v2_99) < 0,
+                   "CVSS v3 score should be considered over V2 score; alphabetical sort determines final sequence");
+        assertTrue(v3Medium69.compareTo(unscoredMedium) < 0,
+                   "CVSS v3 medium top-range score should be smaller (more severe) than unscored medium");
 
         List<Vulnerability> vulns = Arrays.asList(cvssV2Only99, cvssV2Only90, cvssV3Only90, cvssV3OnlyCritHigh, cvssV3_80v2_99,
                                                   cvssV2Only10_0, cvssV3_89v2_90,
@@ -142,9 +142,9 @@ public void compareTo_proper_sorting() {
         List<String> expectedStartLetters = Arrays.asList("Z", "Y", "X", "W", "V", "U", "T", "SA", "SB", "R", "Q", "P", "O");
 
         for (int i = 0; i < vulns.size(); i++) {
-            assertTrue("Expected start:" + expectedStartLetters.get(i) + " encountered start: " + vulns.get(i).getName()
-                                                                                                       .substring(0, 2),
-                       vulns.get(i).getName().startsWith(expectedStartLetters.get(i)));
+            assertTrue(vulns.get(i).getName().startsWith(expectedStartLetters.get(i)),
+                       "Expected start:" + expectedStartLetters.get(i) + " encountered start: " + vulns.get(i).getName()
+                                                                                                       .substring(0, 2));
         }
         testSortStabilityForPermutations(vulns);
     }
@@ -154,10 +154,10 @@ private CvssV3 createCvssV3(double score, String severity) {
                 CvssV3Data.AttackComplexityType.HIGH, CvssV3Data.PrivilegesRequiredType.HIGH,
                 CvssV3Data.UserInteractionType.NONE, CvssV3Data.ScopeType.CHANGED,
                 CvssV3Data.CiaType.NONE, CvssV3Data.CiaType.NONE, CvssV3Data.CiaType.LOW,
-                
-                score, CvssV3Data.SeverityType.valueOf(severity), 
-                
-                CvssV3Data.ExploitCodeMaturityType.PROOF_OF_CONCEPT, CvssV3Data.RemediationLevelType.NOT_DEFINED, 
+
+                score, CvssV3Data.SeverityType.valueOf(severity),
+
+                CvssV3Data.ExploitCodeMaturityType.PROOF_OF_CONCEPT, CvssV3Data.RemediationLevelType.NOT_DEFINED,
                 CvssV3Data.ConfidenceType.REASONABLE, Double.MAX_VALUE, CvssV3Data.SeverityType.MEDIUM,
                 CvssV3Data.CiaRequirementType.NOT_DEFINED, CvssV3Data.CiaRequirementType.NOT_DEFINED,
                 CvssV3Data.CiaRequirementType.NOT_DEFINED, CvssV3Data.ModifiedAttackVectorType.ADJACENT_NETWORK,
@@ -169,22 +169,22 @@ private CvssV3 createCvssV3(double score, String severity) {
         return cvssV3;
     }
 
-    
+
     private CvssV2 createCvssV2(double score, String severity) {
         CvssV2Data v2Data = new CvssV2Data(CvssV2Data.Version._2_0, severity, CvssV2Data.AccessVectorType.NETWORK,
-                CvssV2Data.AccessComplexityType.MEDIUM, CvssV2Data.AuthenticationType.MULTIPLE, 
-                CvssV2Data.CiaType.PARTIAL, CvssV2Data.CiaType.PARTIAL, CvssV2Data.CiaType.PARTIAL, 
-                
-                score, severity, 
-                
-                CvssV2Data.ExploitabilityType.UNPROVEN, CvssV2Data.RemediationLevelType.NOT_DEFINED, 
-                CvssV2Data.ReportConfidenceType.UNCONFIRMED, 0.0, CvssV2Data.CollateralDamagePotentialType.NOT_DEFINED, 
-                CvssV2Data.TargetDistributionType.MEDIUM, CvssV2Data.CiaRequirementType.NOT_DEFINED, 
+                CvssV2Data.AccessComplexityType.MEDIUM, CvssV2Data.AuthenticationType.MULTIPLE,
+                CvssV2Data.CiaType.PARTIAL, CvssV2Data.CiaType.PARTIAL, CvssV2Data.CiaType.PARTIAL,
+
+                score, severity,
+
+                CvssV2Data.ExploitabilityType.UNPROVEN, CvssV2Data.RemediationLevelType.NOT_DEFINED,
+                CvssV2Data.ReportConfidenceType.UNCONFIRMED, 0.0, CvssV2Data.CollateralDamagePotentialType.NOT_DEFINED,
+                CvssV2Data.TargetDistributionType.MEDIUM, CvssV2Data.CiaRequirementType.NOT_DEFINED,
                 CvssV2Data.CiaRequirementType.NOT_DEFINED, CvssV2Data.CiaRequirementType.NOT_DEFINED, 0.0);
         CvssV2 cvssV2 = new CvssV2("testing", CvssV2.Type.PRIMARY, v2Data, severity, 0.0, 0.0, Boolean.TRUE, Boolean.TRUE, Boolean.TRUE, Boolean.TRUE, Boolean.TRUE);
         return cvssV2;
     }
-    
+
     /**
      * Sorts the offered list of vulnerabilities four times starting with the vulnerabilities arranged in different sequences
      * before sorting to check that sorting is stable for permutations of input sequence.<br> The input array is added to a
@@ -244,8 +244,8 @@ private void testSortStabilityForPermutations(final List<Vulnerability> vulnerab
 
     private void assertPermutationSortedEqual(final Vulnerability[] prev, final Vulnerability[] current, final int[] permutation,
                                               final int[] prevPermutation) {
-        assertArrayEquals(String.format("Differently sorted for permutation '%s' versus '%s'", Arrays.toString(prevPermutation),
-                                        Arrays.toString(permutation)), prev, current);
+        assertArrayEquals(prev, current, String.format("Differently sorted for permutation '%s' versus '%s'", Arrays.toString(prevPermutation),
+                                        Arrays.toString(permutation)));
     }
 
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java b/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
index a2a55d5246e..1d47f9a4995 100644
--- a/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
@@ -17,20 +17,22 @@
  */
 package org.owasp.dependencycheck.dependency;
 
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import us.springett.parsers.cpe.exceptions.CpeValidationException;
 import us.springett.parsers.cpe.values.LogicalValue;
 import us.springett.parsers.cpe.values.Part;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class VulnerableSoftwareTest extends BaseTest {
+class VulnerableSoftwareTest extends BaseTest {
 
     /**
      * Test of equals method, of class VulnerableSoftware.
@@ -38,19 +40,19 @@ public class VulnerableSoftwareTest extends BaseTest {
      * @throws CpeValidationException
      */
     @Test
-    public void testEquals() throws CpeValidationException {
+    void testEquals() throws CpeValidationException {
         VulnerableSoftwareBuilder builder = new VulnerableSoftwareBuilder();
         VulnerableSoftware obj = null;
         VulnerableSoftware instance = builder.part(Part.APPLICATION).vendor("mortbay").product("jetty").version("6.1").build();
-        assertFalse(instance.equals(obj));
+        assertNotEquals(obj, instance);
 
         obj = builder.part(Part.APPLICATION).vendor("mortbay").product("jetty").version("6.1.0").build();
         instance = builder.part(Part.APPLICATION).vendor("mortbay").product("jetty").version("6.1").build();
-        assertFalse(instance.equals(obj));
+        assertNotEquals(instance, obj);
 
         obj = builder.part(Part.APPLICATION).vendor("mortbay").product("jetty").version("6.1.0").build();
         instance = builder.part(Part.APPLICATION).vendor("mortbay").product("jetty").version("6.1.0").build();
-        assertTrue(instance.equals(obj));
+        assertEquals(instance, obj);
     }
 
     /**
@@ -59,7 +61,7 @@ public void testEquals() throws CpeValidationException {
      * @throws CpeValidationException
      */
     @Test
-    public void testCompareTo() throws CpeValidationException {
+    void testCompareTo() throws CpeValidationException {
         VulnerableSoftwareBuilder builder = new VulnerableSoftwareBuilder();
         VulnerableSoftware obj = builder.part(Part.APPLICATION).vendor("mortbay").product("jetty").version("6.1.0").build();
         VulnerableSoftware instance = builder.part(Part.APPLICATION).vendor("mortbay").product("jetty").version("6.1").build();
@@ -73,7 +75,7 @@ public void testCompareTo() throws CpeValidationException {
     }
 
     @Test
-    public void testCompareVersionRange() throws CpeValidationException {
+    void testCompareVersionRange() throws CpeValidationException {
         VulnerableSoftwareBuilder builder = new VulnerableSoftwareBuilder();
         VulnerableSoftware instance = builder.version("2.0.0").build();
         assertTrue(instance.compareVersionRange("2.0.0"));
@@ -103,7 +105,7 @@ public void testCompareVersionRange() throws CpeValidationException {
     }
 
     @Test
-    public void testcompareUpdateAttributes() throws CpeValidationException {
+    void testcompareUpdateAttributes() {
 
         assertTrue(VulnerableSoftware.compareUpdateAttributes("update1", "u1"));
         assertTrue(VulnerableSoftware.compareUpdateAttributes("u1", "update1"));
diff --git a/core/src/test/java/org/owasp/dependencycheck/reporting/EscapeToolTest.java b/core/src/test/java/org/owasp/dependencycheck/reporting/EscapeToolTest.java
index ea8b9917925..81e6ae6f25f 100644
--- a/core/src/test/java/org/owasp/dependencycheck/reporting/EscapeToolTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/reporting/EscapeToolTest.java
@@ -17,26 +17,28 @@
  */
 package org.owasp.dependencycheck.reporting;
 
-import java.util.HashSet;
-import java.util.Set;
-import org.junit.Test;
-import static org.junit.Assert.*;
-
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.naming.GenericIdentifier;
 import org.owasp.dependencycheck.dependency.naming.Identifier;
 
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
-* @author Jeremy Long
+ * @author Jeremy Long
  */
-public class EscapeToolTest {
+class EscapeToolTest {
 
     /**
      * Test of url method, of class EscapeTool.
      */
     @Test
-    public void testUrl() {
+    void testUrl() {
         String text = null;
         EscapeTool instance = new EscapeTool();
         String expResult = null;
@@ -58,7 +60,7 @@ public void testUrl() {
      * Test of html method, of class EscapeTool.
      */
     @Test
-    public void testHtml() {
+    void testHtml() {
         EscapeTool instance = new EscapeTool();
         String text = null;
         String expResult = null;
@@ -80,7 +82,7 @@ public void testHtml() {
      * Test of xml method, of class EscapeTool.
      */
     @Test
-    public void testXml() {
+    void testXml() {
         EscapeTool instance = new EscapeTool();
         String text = null;
         String expResult = null;
@@ -102,7 +104,7 @@ public void testXml() {
      * Test of json method, of class EscapeTool.
      */
     @Test
-    public void testJson() {
+    void testJson() {
         String text = null;
         EscapeTool instance = new EscapeTool();
         String expResult = null;
@@ -124,7 +126,7 @@ public void testJson() {
      * Test of csv method, of class EscapeTool.
      */
     @Test
-    public void testCsv() {
+    void testCsv() {
         String text = null;
         EscapeTool instance = new EscapeTool();
         String expResult = "\"\"";
@@ -146,7 +148,7 @@ public void testCsv() {
      * Test of csvIdentifiers method, of class EscapeTool.
      */
     @Test
-    public void testCsvIdentifiers() {
+    void testCsvIdentifiers() {
         EscapeTool instance = new EscapeTool();
         Set<Identifier> ids = null;
         String expResult = "\"\"";
@@ -177,7 +179,7 @@ public void testCsvIdentifiers() {
      * Test of csvCpeConfidence method, of class EscapeTool.
      */
     @Test
-    public void testCsvCpeConfidence() {
+    void testCsvCpeConfidence() {
         EscapeTool instance = new EscapeTool();
         Set<Identifier> ids = null;
         String expResult = "\"\"";
diff --git a/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java b/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
index 7e3fe8daad1..b484dc04cc5 100644
--- a/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIT.java
@@ -17,46 +17,43 @@
  */
 package org.owasp.dependencycheck.reporting;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Settings;
+
+import javax.xml.XMLConstants;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
 import java.io.BufferedInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Arrays;
-import javax.xml.XMLConstants;
-import javax.xml.transform.stream.StreamSource;
-import javax.xml.validation.Schema;
-import javax.xml.validation.SchemaFactory;
-import javax.xml.validation.Validator;
-import org.junit.Assert;
 
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseDBTestCase;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-import org.owasp.dependencycheck.exception.ExceptionCollection;
-import org.owasp.dependencycheck.exception.ReportException;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
-import org.owasp.dependencycheck.utils.Settings;
-import org.xml.sax.SAXException;
-import static org.junit.Assert.fail;
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.utils.DownloadFailedException;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author Jeremy Long
  */
-public class ReportGeneratorIT extends BaseDBTestCase {
+class ReportGeneratorIT extends BaseDBTestCase {
 
     /**
      * Generates an XML report containing known vulnerabilities and realistic
      * data and validates the generated XML document against the XSD.
      */
     @Test
-    public void testGenerateReport() {
+    void testGenerateReport() {
         File writeTo = new File("target/test-reports/Report.xml");
         File writeJsonTo = new File("target/test-reports/Report.json");
         File writeHtmlTo = new File("target/test-reports/Report.html");
@@ -74,7 +71,7 @@ public void testGenerateReport() {
         settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
         settings.setBoolean(Settings.KEYS.PRETTY_PRINT, true);
 
-        generateReport(settings, writeTo, writeJsonTo, writeHtmlTo, writeJunitTo, writeCsvTo, writeSarifTo, suppressionFile);        
+        generateReport(settings, writeTo, writeJsonTo, writeHtmlTo, writeJunitTo, writeCsvTo, writeSarifTo, suppressionFile);
     }
 
     /**
@@ -82,7 +79,7 @@ public void testGenerateReport() {
      * data and validates the generated XML document against the XSD.
      */
     @Test
-    public void testGenerateNodeAuditReport() {
+    void testGenerateNodeAuditReport() {
         File writeTo = new File("target/test-reports/nodeAudit/Report.xml");
         File writeJsonTo = new File("target/test-reports/nodeAudit/Report.json");
         File writeHtmlTo = new File("target/test-reports/nodeAudit/Report.html");
@@ -108,7 +105,7 @@ public void testGenerateNodeAuditReport() {
      * data and validates the generated XML document against the XSD.
      */
     @Test
-    public void testGenerateRetireJsReport() {
+    void testGenerateRetireJsReport() {
         File writeTo = new File("target/test-reports/retireJS/Report.xml");
         File writeJsonTo = new File("target/test-reports/retireJS/Report.json");
         File writeHtmlTo = new File("target/test-reports/retireJS/Report.html");
@@ -127,12 +124,13 @@ public void testGenerateRetireJsReport() {
 
         generateReport(settings, writeTo, writeJsonTo, writeHtmlTo, writeJunitTo, writeCsvTo, writeSarifTo, suppressionFile);
     }
+
     /**
      * Generates an XML report containing known vulnerabilities and realistic
      * data and validates the generated XML document against the XSD.
      */
     @Test
-    public void testGenerateNodePackageReport() {
+    void testGenerateNodePackageReport() {
         File writeTo = new File("target/test-reports/NodePackage/Report.xml");
         File writeJsonTo = new File("target/test-reports/NodePackage/Report.json");
         File writeHtmlTo = new File("target/test-reports/NodePackage/Report.html");
@@ -153,8 +151,8 @@ public void testGenerateNodePackageReport() {
     }
 
 
-    public void generateReport(Settings settings, File writeTo, File writeJsonTo, File writeHtmlTo, File writeJunitTo, File writeCsvTo, File writeSarifTo, File suppressionFile){
-        try {
+    private void generateReport(Settings settings, File writeTo, File writeJsonTo, File writeHtmlTo, File writeJunitTo, File writeCsvTo, File writeSarifTo, File suppressionFile){
+        assertDoesNotThrow(() -> {
             //first check parent folder
             createParentFolder(writeTo);
             createParentFolder(writeJsonTo);
@@ -166,7 +164,7 @@ public void generateReport(Settings settings, File writeTo, File writeJsonTo, Fi
             File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
             File war = BaseTest.getResourceAsFile(this, "war-4.0.war");
             File cfu = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar");
-            
+
             //File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
             File axis = BaseTest.getResourceAsFile(this, "axis2-adb-1.4.1.jar");
             //File jetty = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
@@ -208,10 +206,8 @@ public void generateReport(Settings settings, File writeTo, File writeJsonTo, Fi
 
             //Test CSV
             int linesWritten = countLines(writeCsvTo);
-            Assert.assertEquals(vulnCount + 1, linesWritten);
-        } catch (DatabaseException | ExceptionCollection | ReportException | SAXException | IOException ex) {
-            fail(ex.getMessage());
-        }
+            assertEquals(vulnCount + 1, linesWritten);
+        });
     }
 
     /**
diff --git a/core/src/test/java/org/owasp/dependencycheck/resources/DependencyCheckBaseSuppressionTest.java b/core/src/test/java/org/owasp/dependencycheck/resources/DependencyCheckBaseSuppressionTest.java
index f13847023fe..dde361906f4 100644
--- a/core/src/test/java/org/owasp/dependencycheck/resources/DependencyCheckBaseSuppressionTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/resources/DependencyCheckBaseSuppressionTest.java
@@ -1,26 +1,26 @@
 package org.owasp.dependencycheck.resources;
 
-import java.io.File;
-import java.io.IOException;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-
-import javax.xml.XMLConstants;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-
-import org.junit.Assert;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
-public class DependencyCheckBaseSuppressionTest {
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+class DependencyCheckBaseSuppressionTest {
 
     @Test
-    public void testAllSuppressionsHaveBaseAttribute() throws ParserConfigurationException, SAXException, IOException {
+    void testAllSuppressionsHaveBaseAttribute() throws ParserConfigurationException, SAXException, IOException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 
@@ -45,6 +45,6 @@ public void testAllSuppressionsHaveBaseAttribute() throws ParserConfigurationExc
             }
         }
 
-        Assert.assertEquals(0, numberOfSuppressTagsWithoutBaseTrueAttribute);
+        assertEquals(0, numberOfSuppressTagsWithoutBaseTrueAttribute);
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
index 3dfcd5faf20..5d517d1998c 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
@@ -21,20 +21,22 @@
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3Data;
-import org.junit.Test;
-import static org.junit.Assert.*;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
 
 /**
  *
  * @author Jeremy Long
  */
-public class CvssUtilTest {
+class CvssUtilTest {
 
     /**
      * Test of vectorToCvssV2 method, of class CvssUtil.
      */
     @Test
-    public void testVectorToCvssV2() {
+    void testVectorToCvssV2() {
         String vectorString = "/AV:L/AC:L/Au:N/C:N/I:N/A:C";
         Double baseScore = 1.0;
         CvssV2 result = CvssUtil.vectorToCvssV2(vectorString, baseScore);
@@ -53,7 +55,7 @@ public void testVectorToCvssV2() {
      * Test of cvssV2ScoreToSeverity method, of class CvssUtil.
      */
     @Test
-    public void testCvssV2ScoreToSeverity() {
+    void testCvssV2ScoreToSeverity() {
         Double score = -1.0;
         String expResult = "UNKNOWN";
         String result = CvssUtil.cvssV2ScoreToSeverity(score);
@@ -104,7 +106,7 @@ public void testCvssV2ScoreToSeverity() {
      * Test of cvssV3ScoreToSeverity method, of class CvssUtil.
      */
     @Test
-    public void testCvssV3ScoreToSeverity() {
+    void testCvssV3ScoreToSeverity() {
         Double score = 0.0;
         CvssV3Data.SeverityType expResult = CvssV3Data.SeverityType.NONE;
         CvssV3Data.SeverityType result = CvssUtil.cvssV3ScoreToSeverity(score);
@@ -163,7 +165,7 @@ public void testCvssV3ScoreToSeverity() {
      * Test of vectorToCvssV3 method, of class CvssUtil.
      */
     @Test
-    public void testVectorToCvssV3() {
+    void testVectorToCvssV3() {
         String vectorString = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H";
         Double baseScore = 10.0;
         CvssV3 result = CvssUtil.vectorToCvssV3(vectorString, baseScore);
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/DateUtilTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/DateUtilTest.java
index b6563d19e5d..6d9b0e3dbd0 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/DateUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/DateUtilTest.java
@@ -15,26 +15,26 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.exception.ParseException;
+
 import java.time.ZonedDateTime;
 import java.util.Calendar;
 
-import static org.junit.Assert.assertEquals;
-
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.exception.ParseException;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DateUtilTest extends BaseTest {
+class DateUtilTest extends BaseTest {
 
     /**
      * Test of withinDateRange method, of class DateUtil.
      */
     @Test
-    public void testWithinDateRange() {
+    void testWithinDateRange() {
         Calendar c = Calendar.getInstance();
 
         long current = c.getTimeInMillis() / 1000;
@@ -49,12 +49,12 @@ public void testWithinDateRange() {
         result = DateUtil.withinDateRange(lastRun, current, range);
         assertEquals(expResult, result);
     }
-    
-       /**
+
+    /**
      * Test of withinDateRange method, of class DateUtil.
      */
     @Test
-    public void testWithinZonedDateRange() {
+    void testWithinZonedDateRange() {
         ZonedDateTime lastRun = ZonedDateTime.parse("2023-11-15T11:15:03Z");
         ZonedDateTime current = ZonedDateTime.parse("2023-11-17T11:15:03Z");
         int range = 5;
@@ -74,7 +74,7 @@ public void testWithinZonedDateRange() {
      * @throws ParseException thrown when there is a parse error
      */
     @Test
-    public void testParseXmlDate() throws ParseException {
+    void testParseXmlDate() throws ParseException {
         String xsDate = "2019-01-02Z";
         Calendar result = DateUtil.parseXmlDate(xsDate);
         assertEquals(2019, result.get(Calendar.YEAR));
@@ -84,7 +84,7 @@ public void testParseXmlDate() throws ParseException {
     }
 
     @Test
-    public void testGetEpochValueInSeconds() throws ParseException {
+    void testGetEpochValueInSeconds() {
         String milliseconds = "1550538553466";
         long expected = 1550538553;
         long result = DateUtil.getEpochValueInSeconds(milliseconds);
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java
index fd5a108e831..9dcb92399f0 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java
@@ -17,26 +17,29 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import java.util.Arrays;
 import java.util.Iterator;
 import java.util.List;
-import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DependencyVersionTest extends BaseTest {
+class DependencyVersionTest extends BaseTest {
 
     /**
      * Test of parseVersion method, of class DependencyVersion.
      */
     @Test
-    public void testParseVersion() {
+    void testParseVersion() {
         String version = "1.2r1";
         DependencyVersion instance = new DependencyVersion();
         instance.parseVersion(version);
@@ -70,14 +73,14 @@ public void testParseVersion() {
      * Test of iterator method, of class DependencyVersion.
      */
     @Test
-    public void testIterator() {
+    void testIterator() {
         DependencyVersion instance = new DependencyVersion("1.2.3");
         Iterator<String> result = instance.iterator();
         assertTrue(result.hasNext());
         int count = 1;
         while (result.hasNext()) {
             String v = result.next();
-            assertTrue(String.valueOf(count++).equals(v));
+            assertEquals(String.valueOf(count++), v);
         }
     }
 
@@ -85,7 +88,7 @@ public void testIterator() {
      * Test of toString method, of class DependencyVersion.
      */
     @Test
-    public void testToString() {
+    void testToString() {
         DependencyVersion instance = new DependencyVersion("1.2.3r1");
         String expResult = "1.2.3.r1";
         String result = instance.toString();
@@ -96,7 +99,7 @@ public void testToString() {
      * Test of equals method, of class DependencyVersion.
      */
     @Test
-    public void testEquals() {
+    void testEquals() {
         DependencyVersion obj = new DependencyVersion("1.2.3.r1");
         DependencyVersion instance = new DependencyVersion("1.2.3");
         boolean expResult = false;
@@ -106,26 +109,26 @@ public void testEquals() {
         expResult = true;
         result = instance.equals(obj);
         assertEquals(expResult, result);
-        
+
         instance = new DependencyVersion("2.0.0");
         obj = new DependencyVersion("2");
         expResult = false;
         result = instance.equals(obj);
         assertEquals(expResult, result);
-        
+
         obj = new DependencyVersion("2.0");
         expResult = true;
         result = instance.equals(obj);
         assertEquals(expResult, result);
-        
-        
+
+
     }
 
     /**
      * Test of hashCode method, of class DependencyVersion.
      */
     @Test
-    public void testHashCode() {
+    void testHashCode() {
         DependencyVersion instance = new DependencyVersion("3.2.1");
         int expResult = 80756;
         int result = instance.hashCode();
@@ -136,26 +139,26 @@ public void testHashCode() {
      * Test of matchesAtLeastThreeLevels method, of class DependencyVersion.
      */
     @Test
-    public void testMatchesAtLeastThreeLevels() {
+    void testMatchesAtLeastThreeLevels() {
 
         DependencyVersion instance = new DependencyVersion("2.3.16.3");
         DependencyVersion version = new DependencyVersion("2.3.16.4");
         //true tests
-        assertEquals(true, instance.matchesAtLeastThreeLevels(version));
+        assertTrue(instance.matchesAtLeastThreeLevels(version));
         version = new DependencyVersion("2.3");
-        assertEquals(true, instance.matchesAtLeastThreeLevels(version));
+        assertTrue(instance.matchesAtLeastThreeLevels(version));
         //false tests
         version = new DependencyVersion("2.3.16.1");
-        assertEquals(false, instance.matchesAtLeastThreeLevels(version));
+        assertFalse(instance.matchesAtLeastThreeLevels(version));
         version = new DependencyVersion("2");
-        assertEquals(false, instance.matchesAtLeastThreeLevels(version));
+        assertFalse(instance.matchesAtLeastThreeLevels(version));
     }
 
     /**
      * Test of compareTo method, of class DependencyVersion.
      */
     @Test
-    public void testCompareTo() {
+    void testCompareTo() {
         DependencyVersion instance = new DependencyVersion("1.2.3");
         DependencyVersion version = new DependencyVersion("1.2.3");
         assertEquals(0, instance.compareTo(version));
@@ -202,7 +205,7 @@ public void testCompareTo() {
      * Test of getVersionParts method, of class DependencyVersion.
      */
     @Test
-    public void testGetVersionParts() {
+    void testGetVersionParts() {
         DependencyVersion instance = new DependencyVersion();
         List<String> versionParts = Arrays.asList("1", "1", "1");
         instance.setVersionParts(versionParts);
@@ -215,7 +218,7 @@ public void testGetVersionParts() {
      * Test of setVersionParts method, of class DependencyVersion.
      */
     @Test
-    public void testSetVersionParts() {
+    void testSetVersionParts() {
         List<String> versionParts = Arrays.asList("1", "1", "1");
         DependencyVersion instance = new DependencyVersion();
         instance.setVersionParts(versionParts);
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java
index b32df7ade6e..23f89847e71 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java
@@ -17,23 +17,23 @@
  */
 package org.owasp.dependencycheck.utils;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
 /**
  *
  * @author Jeremy Long
  */
-public class DependencyVersionUtilTest extends BaseTest {
+class DependencyVersionUtilTest extends BaseTest {
 
     /**
      * Test of parseVersion method, of class DependencyVersionUtil.
      */
     @Test
-    public void testParseVersion_String() {
+    void testParseVersion_String() {
         final String[] fileName = {"openssl1.0.1c", "something-0.9.5.jar", "lib2-1.1.jar", "lib1.5r4-someflag-R26.jar",
             "lib-1.2.5-dev-20050313.jar", "testlib_V4.4.0.jar", "lib-core-2.0.0-RC1-SNAPSHOT.jar",
             "lib-jsp-2.0.1_R114940.jar", "dev-api-2.3.11_R121413.jar", "lib-api-3.7-SNAPSHOT.jar",
@@ -49,14 +49,14 @@ public void testParseVersion_String() {
             if (version != null) {
                 result = version.toString();
             }
-            assertEquals("Failed extraction on \"" + fileName[i] + "\".", expResult[i], result);
+            assertEquals(expResult[i], result, "Failed extraction on \"" + fileName[i] + "\".");
         }
 
         String[] failingNames = {"no-version-identified.jar", "somelib-04aug2000r7-dev.jar", /*"no.version15.jar",*/
             "lib_1.0_spec-1.1.jar", "lib-api_1.0_spec-1.0.1.jar"};
         for (String failingName : failingNames) {
             final DependencyVersion version = DependencyVersionUtil.parseVersion(failingName);
-            assertNull("Found version in name that should have failed \"" + failingName + "\".", version);
+            assertNull(version, "Found version in name that should have failed \"" + failingName + "\".");
         }
     }
 
@@ -64,7 +64,7 @@ public void testParseVersion_String() {
      * Test of parseVersion method, of class DependencyVersionUtil.
      */
     @Test
-    public void testParseVersion_String_boolean() {
+    void testParseVersion_String_boolean() {
         //cpe:/a:playframework:play_framework:2.1.1:rc1-2.9.x-backport
         String text = "2.1.1.rc1.2.9.x-backport";
         boolean firstMatchOnly = false;
@@ -89,7 +89,7 @@ public void testParseVersion_String_boolean() {
      * Test of parsePreVersion method, of class DependencyVersionUtil.
      */
     @Test
-    public void testParsePreVersion() {
+    void testParsePreVersion() {
         String text = "library-name-1.4.1r2-release.jar";
         String expResult = "library-name";
         String result = DependencyVersionUtil.parsePreVersion(text);
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/ExtractionUtilTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/ExtractionUtilTest.java
index 359947f652f..5d3bbe81c97 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/ExtractionUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/ExtractionUtilTest.java
@@ -17,49 +17,55 @@
  */
 package org.owasp.dependencycheck.utils;
 
-import java.io.File;
-import java.io.FilenameFilter;
 import org.apache.commons.io.filefilter.NameFileFilter;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 
+import java.io.File;
+import java.io.FilenameFilter;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
 /**
  *
  * @author Jeremy Long
  */
-public class ExtractionUtilTest extends BaseTest {
+class ExtractionUtilTest extends BaseTest {
 
     /**
      * Test of extractFiles method, of class ExtractionUtil.
      */
-    @Test(expected = org.owasp.dependencycheck.utils.ExtractionException.class)
-    public void testExtractFiles_File_File() throws Exception {
+    @Test
+    void testExtractFiles_File_File() throws Exception {
         File destination = getSettings().getTempDirectory();
         File archive = BaseTest.getResourceAsFile(this, "evil.zip");
-        ExtractionUtil.extractFiles(archive, destination);
+        assertThrows(org.owasp.dependencycheck.utils.ExtractionException.class, () ->
+            ExtractionUtil.extractFiles(archive, destination));
     }
 
     /**
      * Test of extractFiles method, of class ExtractionUtil.
      */
-    @Test(expected = org.owasp.dependencycheck.utils.ExtractionException.class)
-    public void testExtractFiles_3args() throws Exception {
+    @Test
+    void testExtractFiles_3args() throws Exception {
         File destination = getSettings().getTempDirectory();
         File archive = BaseTest.getResourceAsFile(this, "evil.zip");
         Engine engine = null;
-        ExtractionUtil.extractFiles(archive, destination, engine);
+        assertThrows(org.owasp.dependencycheck.utils.ExtractionException.class, () ->
+            ExtractionUtil.extractFiles(archive, destination, engine));
     }
 
     /**
      * Test of extractFilesUsingFilter method, of class ExtractionUtil.
      */
-    @Test(expected = org.owasp.dependencycheck.utils.ExtractionException.class)
-    public void testExtractFilesUsingFilter() throws Exception {
+    @Test
+    void testExtractFilesUsingFilter() throws Exception {
         File destination = getSettings().getTempDirectory();
         File archive = BaseTest.getResourceAsFile(this, "evil.zip");
         ExtractionUtil.extractFiles(archive, destination);
         FilenameFilter filter = new NameFileFilter("evil.txt");
-        ExtractionUtil.extractFilesUsingFilter(archive, destination, filter);
+        assertThrows(org.owasp.dependencycheck.utils.ExtractionException.class, () ->
+            ExtractionUtil.extractFilesUsingFilter(archive, destination, filter));
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/FilterTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/FilterTest.java
index dd4d96ca79c..eb0cd0919a6 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/FilterTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/FilterTest.java
@@ -17,37 +17,39 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import java.util.ArrayList;
 import java.util.List;
-import static org.junit.Assert.assertArrayEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class FilterTest extends BaseTest {
+class FilterTest extends BaseTest {
 
     /**
      * Test of passes method, of class Filter.
      */
     @Test
-    public void testPasses() {
+    void testPasses() {
         String keep = "keep";
         String fail = "fail";
 
-        assertTrue("String contained keep - but passes returned false.", TEST_FILTER.passes(keep));
-        assertFalse("String contained fail - but passes returned true.", TEST_FILTER.passes(fail));
+        assertTrue(TEST_FILTER.passes(keep), "String contained keep - but passes returned false.");
+        assertFalse(TEST_FILTER.passes(fail), "String contained fail - but passes returned true.");
     }
 
     /**
      * Test of filter method, of class Filter.
      */
     @Test
-    public void testFilter_Iterable() {
+    void testFilter_Iterable() {
         List<String> testData = new ArrayList<>();
         testData.add("keep");
         testData.add("remove");
@@ -64,10 +66,10 @@ public void testFilter_Iterable() {
         assertArrayEquals(expResults.toArray(), actResults.toArray());
     }
     private static final Filter<String> TEST_FILTER
-            = new Filter<String>() {
-                @Override
-                public boolean passes(String str) {
-                    return str.contains("keep");
-                }
-            };
+            = new Filter<>() {
+        @Override
+        public boolean passes(String str) {
+            return str.contains("keep");
+        }
+    };
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/InterpolationUtilTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/InterpolationUtilTest.java
index 9e0e38c5fb5..87c6906afc0 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/InterpolationUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/InterpolationUtilTest.java
@@ -17,21 +17,23 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.junit.jupiter.api.Test;
+
 import java.util.Properties;
-import org.junit.Test;
-import static org.junit.Assert.*;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author Jeremy Long
  */
-public class InterpolationUtilTest {
+class InterpolationUtilTest {
 
     /**
      * Test of interpolate method, of class InterpolationUtil.
      */
     @Test
-    public void testInterpolate() {
+    void testInterpolate() {
         Properties prop = new Properties();
         prop.setProperty("key", "value");
         prop.setProperty("nested", "nested ${key}");
@@ -42,7 +44,7 @@ public void testInterpolate() {
     }
 
     @Test
-    public void testInterpolateNonexistentErased() {
+    void testInterpolateNonexistentErased() {
         Properties prop = new Properties();
         prop.setProperty("key", "value");
         String text = "This is a test of '${key}' and '${nothing}'";
@@ -52,7 +54,7 @@ public void testInterpolateNonexistentErased() {
     }
 
     @Test
-    public void testInterpolateMSBuild() {
+    void testInterpolateMSBuild() {
         Properties prop = new Properties();
         prop.setProperty("key", "value");
         prop.setProperty("nested", "nested $(key)");
@@ -63,7 +65,7 @@ public void testInterpolateMSBuild() {
     }
 
     @Test
-    public void testInterpolateNonexistentErasedMSBuild() {
+    void testInterpolateNonexistentErasedMSBuild() {
         Properties prop = new Properties();
         prop.setProperty("key", "value");
         String text = "This is a test of '$(key)' and '$(nothing)'";
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/PyPACoreMetadataParserTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/PyPACoreMetadataParserTest.java
index a09093b9cbb..ce1fa923090 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/PyPACoreMetadataParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/PyPACoreMetadataParserTest.java
@@ -1,29 +1,31 @@
 package org.owasp.dependencycheck.utils;
 
-import org.junit.Assert;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.StringReader;
 import java.util.Properties;
 
-import static org.junit.Assert.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
-public class PyPACoreMetadataParserTest {
+class PyPACoreMetadataParserTest {
 
     @Test
-    public void getProperties_should_throw_exception_for_too_large_major() throws IOException {
+    void getProperties_should_throw_exception_for_too_large_major() throws IOException {
         try {
             PyPACoreMetadataParser.getProperties(new BufferedReader(new StringReader("Metadata-Version: 3.0")));
-            Assert.fail("Expected IllegalArgumentException for too large major in Metadata-Version");
+            fail("Expected IllegalArgumentException for too large major in Metadata-Version");
         } catch (IllegalArgumentException e) {
-            Assert.assertTrue(e.getMessage().contains("Unsupported PyPA Wheel metadata"));
+            assertTrue(e.getMessage().contains("Unsupported PyPA Wheel metadata"));
         }
     }
 
     @Test
-    public void getProperties_should_properly_parse_multiline_description() throws IOException {
+    void getProperties_should_properly_parse_multiline_description() throws IOException {
         String payload = "Metadata-Version: 1.0\r\n"
                          + "Description: This is the first line\r\n"
                          + "       | and this the second\r\n"
@@ -32,38 +34,40 @@ public void getProperties_should_properly_parse_multiline_description() throws I
                          + "\r\n"
                          + "This: is the body and it is ignored. It may contain an extensive description in various formats";
         Properties props = PyPACoreMetadataParser.getProperties(new BufferedReader(new StringReader(payload)));
-        Assert.assertEquals("1.0", props.get("Metadata-Version"));
-        Assert.assertEquals("This is the first line\n"
+        assertEquals("1.0", props.get("Metadata-Version"));
+        assertEquals("This is the first line\n"
                             + " and this the second\n"
                             + "\n"
                             + " and the fourth after an empty third", props.get("Description"));
-        Assert.assertFalse("Body was parsed as a header", props.containsKey("This"));
+        assertFalse(props.containsKey("This"), "Body was parsed as a header");
     }
 
     @Test
-    public void getProperties_should_support_colon_in_headerValue() throws IOException {
+    void getProperties_should_support_colon_in_headerValue() throws IOException {
         String payload = "Metadata-Version: 2.2\r\n"
                          + "Description: My value contains a : colon\r\n";
         Properties props = PyPACoreMetadataParser.getProperties(new BufferedReader(new StringReader(payload)));
-        Assert.assertEquals("2.2", props.getProperty("Metadata-Version"));
-        Assert.assertEquals("My value contains a : colon", props.getProperty("Description"));
+        assertEquals("2.2", props.getProperty("Metadata-Version"));
+        assertEquals("My value contains a : colon", props.getProperty("Description"));
     }
+
     @Test
-    public void getProperties_should_support_folding_in_headerValue() throws IOException {
+    void getProperties_should_support_folding_in_headerValue() throws IOException {
         String payload = "Metadata-Version: 2\r\n"
                          + " .2\r\n"
                          + "Description: My value\r\n"
                          + "  contains a \r\n"
                          + " : colon\r\n";
         Properties props = PyPACoreMetadataParser.getProperties(new BufferedReader(new StringReader(payload)));
-        Assert.assertEquals("2.2", props.getProperty("Metadata-Version"));
-        Assert.assertEquals("My value contains a : colon", props.getProperty("Description"));
+        assertEquals("2.2", props.getProperty("Metadata-Version"));
+        assertEquals("My value contains a : colon", props.getProperty("Description"));
     }
+
     @Test
-    public void getProperties_should_support_newer_minors() throws IOException {
+    void getProperties_should_support_newer_minors() throws IOException {
         String payload = "Metadata-Version: 2\r\n"
                          + " .5\r\n";
         Properties props = PyPACoreMetadataParser.getProperties(new BufferedReader(new StringReader(payload)));
-        Assert.assertEquals("2.5", props.getProperty("Metadata-Version"));
+        assertEquals("2.5", props.getProperty("Metadata-Version"));
     }
 }
\ No newline at end of file
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
index 90d7e3a8951..d333dd50ffb 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/SemverTest.java
@@ -13,34 +13,35 @@
  */
 package org.owasp.dependencycheck.utils;
 
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.semver4j.Semver;
 
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class SemverTest {
+class SemverTest {
 
     /**
      * Test of semver4j. See https://github.com/dependency-check/DependencyCheck/issues/5128#issuecomment-1343080426
      */
     @Test
-    public void testSemver() {
+    void testSemver() {
         Semver semver = new Semver("3.1.4");
         assertTrue(semver.satisfies("^3.0.0-0"));
     }
+
     /**
      * Test of semver4j. See https://github.com/dependency-check/DependencyCheck/issues/5158
      */
     @Test
-    public void testSemverComplex() {
+    void testSemverComplex() {
         Semver semver = new Semver("18.11.5");
         assertFalse(semver.satisfies("^14.14.20 || ^16.0.0"));
-        
+
         semver = new Semver("14.15.0");
         assertTrue(semver.satisfies("^14.14.20 || ^16.0.0"));
     }
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/SeverityUtilTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/SeverityUtilTest.java
index 82e975ef6cb..bb35f710563 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/SeverityUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/SeverityUtilTest.java
@@ -18,20 +18,21 @@
 package org.owasp.dependencycheck.utils;
 
 import org.hamcrest.Matchers;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
+
 import static org.hamcrest.MatcherAssert.assertThat;
 
 /**
  *
  * @author Jeremy Long
  */
-public class SeverityUtilTest {
+class SeverityUtilTest {
 
     /**
      * Test of estimateCvssV2 method, of class SeverityUtil.
      */
     @Test
-    public void testEstimateCvssV2() {
+    void testEstimateCvssV2() {
         String severity = null;
         double expResult = 0.0;
         Double result = SeverityUtil.estimateCvssV2(severity);
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java
index 2487c8b47b5..2dcbe2ca787 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/UrlStringUtilsTest.java
@@ -17,22 +17,26 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.junit.jupiter.api.Test;
+
 import java.util.Arrays;
 import java.util.List;
-import org.junit.Test;
-import static org.junit.Assert.*;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author jeremy long
  */
-public class UrlStringUtilsTest {
+class UrlStringUtilsTest {
 
     /**
      * Test of containsUrl method, of class UrlStringUtils.
      */
     @Test
-    public void testContainsUrl() {
+    void testContainsUrl() {
         String text = "Test of https://github.com";
         assertTrue(UrlStringUtils.containsUrl(text));
         text = "Test of github.com";
@@ -43,7 +47,7 @@ public void testContainsUrl() {
      * Test of isUrl method, of class UrlStringUtils.
      */
     @Test
-    public void testIsUrl() {
+    void testIsUrl() {
         String text = "https://github.com";
         assertTrue(UrlStringUtils.isUrl(text));
         text = "simple text";
@@ -54,17 +58,17 @@ public void testIsUrl() {
      * Test of extractImportantUrlData method, of class UrlStringUtils.
      */
     @Test
-    public void testExtractImportantUrlData() throws Exception {
+    void testExtractImportantUrlData() throws Exception {
         String text = "http://github.com/dependency-check/DependencyCheck/.gitignore";
         List<String> expResult = Arrays.asList("dependency-check", "DependencyCheck", "gitignore");
         List<String> result = UrlStringUtils.extractImportantUrlData(text);
         assertEquals(expResult, result);
-        
+
         text = "https://dependency-check.github.io/DependencyCheck/index.html";
         expResult = Arrays.asList("dependency-check", "DependencyCheck", "index");
         result = UrlStringUtils.extractImportantUrlData(text);
         assertEquals(expResult, result);
-        
+
         text = "http://example.com/dependency-check/DependencyCheck/something";
         expResult = Arrays.asList("example", "dependency-check", "DependencyCheck", "something");
         result = UrlStringUtils.extractImportantUrlData(text);
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/XmlEntityTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/XmlEntityTest.java
index 6d143ddd8ed..5b297fe45a7 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/XmlEntityTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/XmlEntityTest.java
@@ -17,20 +17,21 @@
  */
 package org.owasp.dependencycheck.xml;
 
-import org.junit.Test;
-import static org.junit.Assert.*;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author Jeremy Long
  */
-public class XmlEntityTest {
+class XmlEntityTest {
 
     /**
      * Test of fromNamedReference method, of class XmlEntity.
      */
     @Test
-    public void testFromNamedReference() {
+    void testFromNamedReference() {
         CharSequence s = null;
         String expResult = null;
         String result = XmlEntity.fromNamedReference(s);
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/XmlInputStreamTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/XmlInputStreamTest.java
index 669c66e480c..9ee61e12f70 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/XmlInputStreamTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/XmlInputStreamTest.java
@@ -17,24 +17,28 @@
  */
 package org.owasp.dependencycheck.xml;
 
+import org.junit.jupiter.api.Test;
+
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
-import org.junit.Test;
-import static org.junit.Assert.*;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class XmlInputStreamTest {
+class XmlInputStreamTest {
 
     /**
      * Test of length method, of class XmlInputStream.
      */
     @Test
-    public void testLength() {
+    void testLength() {
         String data = "";
         InputStream stream = new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8));
         XmlInputStream instance = new XmlInputStream(stream);
@@ -53,7 +57,7 @@ public void testLength() {
      * Test of read method, of class XmlInputStream.
      */
     @Test
-    public void testRead_0args() throws Exception {
+    void testRead_0args() throws Exception {
         String data = "";
         InputStream stream = new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8));
         XmlInputStream instance = new XmlInputStream(stream);
@@ -73,7 +77,7 @@ public void testRead_0args() throws Exception {
      * Test of read method, of class XmlInputStream.
      */
     @Test
-    public void testRead_3args() throws Exception {
+    void testRead_3args() throws Exception {
         byte[] data = new byte[10];
         int offset = 0;
         int length = 10;
@@ -85,8 +89,8 @@ public void testRead_3args() throws Exception {
         int result = instance.read(data, offset, length);
         assertEquals(expResult, result);
         assertArrayEquals(expected, data);
-        
-        
+
+
         data = new byte[5];
         offset = 0;
         length = 5;
@@ -98,7 +102,7 @@ public void testRead_3args() throws Exception {
         result = instance.read(data, offset, length);
         assertEquals(expResult, result);
         assertArrayEquals(expected, data);
-        
+
         data = new byte[10];
         offset = 0;
         length = 10;
@@ -116,7 +120,7 @@ public void testRead_3args() throws Exception {
      * Test of toString method, of class XmlInputStream.
      */
     @Test
-    public void testToString() throws IOException {
+    void testToString() throws IOException {
         String data = "test";
         InputStream stream = new ByteArrayInputStream(data.getBytes(StandardCharsets.UTF_8));
         XmlInputStream instance = new XmlInputStream(stream);
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokHandlerTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokHandlerTest.java
index 72ebc353bcd..3dd5064d712 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokHandlerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokHandlerTest.java
@@ -17,25 +17,27 @@
  */
 package org.owasp.dependencycheck.xml.assembly;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.utils.XmlUtils;
+import org.xml.sax.InputSource;
+import org.xml.sax.XMLReader;
+
+import javax.xml.parsers.SAXParser;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.nio.charset.StandardCharsets;
-import javax.xml.parsers.SAXParser;
-import static org.junit.Assert.assertEquals;
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.utils.XmlUtils;
-import org.xml.sax.InputSource;
-import org.xml.sax.XMLReader;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author Jeremy Long
  */
-public class GrokHandlerTest extends BaseTest {
+class GrokHandlerTest extends BaseTest {
 
     /**
      * Test of getSuppressionRules method, of class SuppressionHandler.
@@ -43,7 +45,7 @@ public class GrokHandlerTest extends BaseTest {
      * @throws Exception thrown if there is an exception....
      */
     @Test
-    public void testHandler() throws Exception {
+    void testHandler() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "assembly/sample-grok.xml");
         InputStream schemaStream = BaseTest.getResourceAsStream(this, "schema/grok-assembly.1.0.xsd");
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokParserTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokParserTest.java
index 3bb7f284865..f8a904f9208 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokParserTest.java
@@ -17,24 +17,25 @@
  */
 package org.owasp.dependencycheck.xml.assembly;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import java.io.File;
-import org.junit.Assert;
 
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  * Test of the Grok Assembly parser.
  *
  * @author Jeremy Long
  */
-public class GrokParserTest extends BaseTest {
+class GrokParserTest extends BaseTest {
 
     @Test
-    public void testParseSuppressionRulesV1dot0() throws Exception {
+    void testParseSuppressionRulesV1dot0() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "assembly/sample-grok-error.xml");
         GrokParser instance = new GrokParser();
         AssemblyData result = instance.parse(file);
-        Assert.assertEquals("Unable to process file", result.getError());
+        assertEquals("Unable to process file", result.getError());
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/hints/EvidenceMatcherTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/hints/EvidenceMatcherTest.java
index 68568803050..452cbadc63c 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/hints/EvidenceMatcherTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/hints/EvidenceMatcherTest.java
@@ -17,18 +17,19 @@
  */
 package org.owasp.dependencycheck.xml.hints;
 
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Evidence;
 
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  * Unit tests for {@link EvidenceMatcher}.
- * 
+ *
  * @author Hans Aikema
  */
-public class EvidenceMatcherTest {
+class EvidenceMatcherTest {
 
     private static final Evidence EVIDENCE_HIGHEST = new Evidence("source", "name", "value", Confidence.HIGHEST);
     private static final Evidence EVIDENCE_HIGH = new Evidence("source", "name", "value", Confidence.HIGH);
@@ -44,76 +45,76 @@ public class EvidenceMatcherTest {
     private static final Evidence REGEX_EVIDENCE_LOW = new Evidence("source", "name", "val that should not match", Confidence.LOW);
 
     @Test
-    public void testExactMatching() throws Exception {
+    void testExactMatching() {
         final EvidenceMatcher exactMatcherHighest = new EvidenceMatcher("source", "name", "value", false, Confidence.HIGHEST);
-        assertTrue("exact matcher should match EVIDENCE_HIGHEST", exactMatcherHighest.matches(EVIDENCE_HIGHEST));
-        assertFalse("exact matcher should not match EVIDENCE_HIGH", exactMatcherHighest.matches(EVIDENCE_HIGH));
-        assertFalse("exact matcher should not match EVIDENCE_MEDIUM", exactMatcherHighest.matches(EVIDENCE_MEDIUM));
-        assertFalse("exact matcher should not match EVIDENCE_MEDIUM_SECOND_SOURCE", exactMatcherHighest.matches(EVIDENCE_MEDIUM_SECOND_SOURCE));
-        assertFalse("exact matcher should not match EVIDENCE_LOW", exactMatcherHighest.matches(EVIDENCE_LOW));
+        assertTrue(exactMatcherHighest.matches(EVIDENCE_HIGHEST), "exact matcher should match EVIDENCE_HIGHEST");
+        assertFalse(exactMatcherHighest.matches(EVIDENCE_HIGH), "exact matcher should not match EVIDENCE_HIGH");
+        assertFalse(exactMatcherHighest.matches(EVIDENCE_MEDIUM), "exact matcher should not match EVIDENCE_MEDIUM");
+        assertFalse(exactMatcherHighest.matches(EVIDENCE_MEDIUM_SECOND_SOURCE), "exact matcher should not match EVIDENCE_MEDIUM_SECOND_SOURCE");
+        assertFalse(exactMatcherHighest.matches(EVIDENCE_LOW), "exact matcher should not match EVIDENCE_LOW");
     }
 
     @Test
-    public void testWildcardConfidenceMatching() throws Exception {
+    void testWildcardConfidenceMatching() {
         final EvidenceMatcher wildcardCofidenceMatcher = new EvidenceMatcher("source", "name", "value", false, null);
-        assertTrue("wildcard confidence matcher should match EVIDENCE_HIGHEST", wildcardCofidenceMatcher.matches(EVIDENCE_HIGHEST));
-        assertTrue("wildcard confidence matcher should match EVIDENCE_HIGH", wildcardCofidenceMatcher.matches(EVIDENCE_HIGH));
-        assertTrue("wildcard confidence matcher should match EVIDENCE_MEDIUM", wildcardCofidenceMatcher.matches(EVIDENCE_MEDIUM));
-        assertFalse("wildcard confidence matcher should not match EVIDENCE_MEDIUM_SECOND_SOURCE", wildcardCofidenceMatcher.matches(EVIDENCE_MEDIUM_SECOND_SOURCE));
-        assertTrue("wildcard confidence matcher should match EVIDENCE_LOW", wildcardCofidenceMatcher.matches(EVIDENCE_LOW));
+        assertTrue(wildcardCofidenceMatcher.matches(EVIDENCE_HIGHEST), "wildcard confidence matcher should match EVIDENCE_HIGHEST");
+        assertTrue(wildcardCofidenceMatcher.matches(EVIDENCE_HIGH), "wildcard confidence matcher should match EVIDENCE_HIGH");
+        assertTrue(wildcardCofidenceMatcher.matches(EVIDENCE_MEDIUM), "wildcard confidence matcher should match EVIDENCE_MEDIUM");
+        assertFalse(wildcardCofidenceMatcher.matches(EVIDENCE_MEDIUM_SECOND_SOURCE), "wildcard confidence matcher should not match EVIDENCE_MEDIUM_SECOND_SOURCE");
+        assertTrue(wildcardCofidenceMatcher.matches(EVIDENCE_LOW), "wildcard confidence matcher should match EVIDENCE_LOW");
     }
 
     @Test
-    public void testWildcardSourceMatching() throws Exception {
+    void testWildcardSourceMatching() {
         final EvidenceMatcher wildcardSourceMatcher = new EvidenceMatcher(null, "name", "value", false, Confidence.MEDIUM);
-        assertFalse("wildcard source matcher should not match EVIDENCE_HIGHEST", wildcardSourceMatcher.matches(EVIDENCE_HIGHEST));
-        assertFalse("wildcard source matcher should not match EVIDENCE_HIGH", wildcardSourceMatcher.matches(EVIDENCE_HIGH));
-        assertTrue("wildcard source matcher should match EVIDENCE_MEDIUM", wildcardSourceMatcher.matches(EVIDENCE_MEDIUM));
-        assertTrue("wildcard source matcher should match EVIDENCE_MEDIUM_SECOND_SOURCE", wildcardSourceMatcher.matches(EVIDENCE_MEDIUM_SECOND_SOURCE));
-        assertFalse("wildcard source matcher should not match EVIDENCE_LOW", wildcardSourceMatcher.matches(EVIDENCE_LOW));
+        assertFalse(wildcardSourceMatcher.matches(EVIDENCE_HIGHEST), "wildcard source matcher should not match EVIDENCE_HIGHEST");
+        assertFalse(wildcardSourceMatcher.matches(EVIDENCE_HIGH), "wildcard source matcher should not match EVIDENCE_HIGH");
+        assertTrue(wildcardSourceMatcher.matches(EVIDENCE_MEDIUM), "wildcard source matcher should match EVIDENCE_MEDIUM");
+        assertTrue(wildcardSourceMatcher.matches(EVIDENCE_MEDIUM_SECOND_SOURCE), "wildcard source matcher should match EVIDENCE_MEDIUM_SECOND_SOURCE");
+        assertFalse(wildcardSourceMatcher.matches(EVIDENCE_LOW), "wildcard source matcher should not match EVIDENCE_LOW");
     }
 
     @Test
-    public void testRegExMatching() throws Exception {
+    void testRegExMatching() {
         final EvidenceMatcher regexMediumMatcher = new EvidenceMatcher("source 2", "name", ".*value.*", true, Confidence.MEDIUM);
-        assertFalse("regex medium matcher should not match REGEX_EVIDENCE_HIGHEST", regexMediumMatcher.matches(REGEX_EVIDENCE_HIGHEST));
-        assertFalse("regex medium matcher should not match REGEX_EVIDENCE_HIGH", regexMediumMatcher.matches(REGEX_EVIDENCE_HIGH));
-        assertFalse("regex medium matcher should not match REGEX_EVIDENCE_MEDIUM", regexMediumMatcher.matches(REGEX_EVIDENCE_MEDIUM));
-        assertTrue("regex medium matcher should match REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE", regexMediumMatcher.matches(REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE));
-        assertFalse("regex medium matcher should not match REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE", regexMediumMatcher.matches(REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE));
-        assertFalse("regex medium matcher should not match REGEX_EVIDENCE_LOW", regexMediumMatcher.matches(REGEX_EVIDENCE_LOW));
+        assertFalse(regexMediumMatcher.matches(REGEX_EVIDENCE_HIGHEST), "regex medium matcher should not match REGEX_EVIDENCE_HIGHEST");
+        assertFalse(regexMediumMatcher.matches(REGEX_EVIDENCE_HIGH), "regex medium matcher should not match REGEX_EVIDENCE_HIGH");
+        assertFalse(regexMediumMatcher.matches(REGEX_EVIDENCE_MEDIUM), "regex medium matcher should not match REGEX_EVIDENCE_MEDIUM");
+        assertTrue(regexMediumMatcher.matches(REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE), "regex medium matcher should match REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE");
+        assertFalse(regexMediumMatcher.matches(REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE), "regex medium matcher should not match REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE");
+        assertFalse(regexMediumMatcher.matches(REGEX_EVIDENCE_LOW), "regex medium matcher should not match REGEX_EVIDENCE_LOW");
     }
 
     @Test
-    public void testRegExWildcardSourceMatching() throws Exception {
+    void testRegExWildcardSourceMatching() {
         final EvidenceMatcher regexMediumWildcardSourceMatcher = new EvidenceMatcher(null, "name", "^.*v[al]{2,2}ue[a-z ]+$", true, Confidence.MEDIUM);
-        assertFalse("regex medium wildcard source matcher should not match REGEX_EVIDENCE_HIGHEST", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGHEST));
-        assertFalse("regex medium wildcard source matcher should not match REGEX_EVIDENCE_HIGH", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGH));
-        assertFalse("regex medium wildcard source matcher should not match REGEX_EVIDENCE_MEDIUM", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM));
-        assertTrue("regex medium wildcard source matcher should match REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE));
-        assertTrue("regex medium wildcard source matcher should match REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE));
-        assertFalse("regex medium wildcard source matcher should not match REGEX_EVIDENCE_LOW", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_LOW));
+        assertFalse(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGHEST), "regex medium wildcard source matcher should not match REGEX_EVIDENCE_HIGHEST");
+        assertFalse(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGH), "regex medium wildcard source matcher should not match REGEX_EVIDENCE_HIGH");
+        assertFalse(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM), "regex medium wildcard source matcher should not match REGEX_EVIDENCE_MEDIUM");
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE), "regex medium wildcard source matcher should match REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE");
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE), "regex medium wildcard source matcher should match REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE");
+        assertFalse(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_LOW), "regex medium wildcard source matcher should not match REGEX_EVIDENCE_LOW");
     }
 
     @Test
-    public void testRegExWildcardSourceWildcardConfidenceMatching() throws Exception {
+    void testRegExWildcardSourceWildcardConfidenceMatching() {
         final EvidenceMatcher regexMediumWildcardSourceMatcher = new EvidenceMatcher(null, "name", ".*value.*", true, null);
-        assertTrue("regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_HIGHEST", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGHEST));
-        assertTrue("regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_HIGH", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGH));
-        assertFalse("regex wildcard source wildcard confidence matcher should not match REGEX_EVIDENCE_MEDIUM", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM));
-        assertTrue("regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE));
-        assertTrue("regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE));
-        assertFalse("regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_LOW", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_LOW));
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGHEST), "regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_HIGHEST");
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGH), "regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_HIGH");
+        assertFalse(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM), "regex wildcard source wildcard confidence matcher should not match REGEX_EVIDENCE_MEDIUM");
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE), "regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE");
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE), "regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE");
+        assertFalse(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_LOW), "regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_LOW");
     }
 
     @Test
-    public void testRegExWildcardSourceWildcardConfidenceFourMatching() throws Exception {
+    void testRegExWildcardSourceWildcardConfidenceFourMatching() {
         final EvidenceMatcher regexMediumWildcardSourceMatcher = new EvidenceMatcher(null, "name", "^.*[Vv][al]{2,2}[a-z ]+$", true, null);
-        assertFalse("regex wildcard source wildcard confidence matcher should not match REGEX_EVIDENCE_HIGHEST", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGHEST));
-        assertFalse("regex wildcard source wildcard confidence matcher should not match REGEX_EVIDENCE_HIGH", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGH));
-        assertTrue("regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM));
-        assertTrue("regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE));
-        assertTrue("regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE));
-        assertTrue("regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_LOW", regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_LOW));
+        assertFalse(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGHEST), "regex wildcard source wildcard confidence matcher should not match REGEX_EVIDENCE_HIGHEST");
+        assertFalse(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_HIGH), "regex wildcard source wildcard confidence matcher should not match REGEX_EVIDENCE_HIGH");
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM), "regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM");
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE), "regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM_SECOND_SOURCE");
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE), "regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_MEDIUM_THIRD_SOURCE");
+        assertTrue(regexMediumWildcardSourceMatcher.matches(REGEX_EVIDENCE_LOW), "regex wildcard source wildcard confidence matcher should match REGEX_EVIDENCE_LOW");
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java
index bcab081b92c..07b63650a12 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java
@@ -17,36 +17,34 @@
  */
 package org.owasp.dependencycheck.xml.hints;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
 import java.io.File;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
-import java.io.UnsupportedEncodingException;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.BaseTest;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXNotRecognizedException;
-import org.xml.sax.SAXNotSupportedException;
-import org.xml.sax.XMLReader;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author Jeremy Long
  */
-public class HintHandlerTest extends BaseTest {
-    
+class HintHandlerTest extends BaseTest {
+
     @Test
-    public void testHandler() throws ParserConfigurationException, SAXException, IOException {
+    void testHandler() throws ParserConfigurationException, SAXException, IOException {
         File file = BaseTest.getResourceAsFile(this, "hints.xml");
         File schema = BaseTest.getResourceAsFile(this, "schema/dependency-hint.1.1.xsd");
         HintHandler handler = new HintHandler();
@@ -67,7 +65,7 @@ public void testHandler() throws ParserConfigurationException, SAXException, IOE
         xmlReader.parse(in);
 
         List<HintRule> result = handler.getHintRules();
-        assertEquals("two hint rules should have been loaded",2,result.size());
+        assertEquals(2,result.size(),"two hint rules should have been loaded");
     }
 
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/hints/HintParserTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/hints/HintParserTest.java
index fc9b92823cd..739b339ddd2 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/hints/HintParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/hints/HintParserTest.java
@@ -17,50 +17,54 @@
  */
 package org.owasp.dependencycheck.xml.hints;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import java.io.File;
 import java.io.InputStream;
 import java.util.List;
-import org.junit.Assert;
-import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-import org.owasp.dependencycheck.BaseTest;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class HintParserTest extends BaseTest {
+class HintParserTest extends BaseTest {
 
     /**
      * Test of parseHints method, of class HintParser.
      */
     @Test
-    public void testParseHints_File() throws Exception {
+    void testParseHints_File() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "hints.xml");
         HintParser instance = new HintParser();
         instance.parseHints(file);
         List<HintRule> hintRules = instance.getHintRules();
         List<VendorDuplicatingHintRule> vendorRules = instance.getVendorDuplicatingHintRules();
-        assertEquals("Two duplicating hints should have been read", 2, vendorRules.size());
-        assertEquals("Two hint rules should have been read", 2, hintRules.size());
-
-        assertEquals("One add product should have been read", 1, hintRules.get(0).getAddProduct().size());
-        assertEquals("One add vendor should have been read", 1, hintRules.get(0).getAddVendor().size());
-        assertEquals("Two file name should have been read", 2, hintRules.get(1).getFileNames().size());
-
-        assertEquals("add product name not found", "add product name", hintRules.get(0).getAddProduct().get(0).getName());
-        assertEquals("add vendor name not found", "add vendor name", hintRules.get(0).getAddVendor().get(0).getName());
-        assertEquals("given product name not found", "given product name", hintRules.get(0).getGivenProduct().get(0).getName());
-        assertEquals("given vendor name not found", "given vendor name", hintRules.get(0).getGivenVendor().get(0).getName());
-
-        assertEquals("spring file name not found", "spring", hintRules.get(1).getFileNames().get(0).getValue());
-        assertEquals("file name 1 should not be case sensitive", false, hintRules.get(1).getFileNames().get(0).isCaseSensitive());
-        assertEquals("file name 1 should not be a regex", false, hintRules.get(1).getFileNames().get(0).isRegex());
-        assertEquals("file name 2 should be case sensitive", true, hintRules.get(1).getFileNames().get(1).isCaseSensitive());
-        assertEquals("file name 2 should be a regex", true, hintRules.get(1).getFileNames().get(1).isRegex());
-
-        assertEquals("sun duplicating vendor", "sun", vendorRules.get(0).getValue());
-        assertEquals("sun duplicates vendor oracle", "oracle", vendorRules.get(0).getDuplicate());
+        assertEquals(2, vendorRules.size(), "Two duplicating hints should have been read");
+        assertEquals(2, hintRules.size(), "Two hint rules should have been read");
+
+        assertEquals(1, hintRules.get(0).getAddProduct().size(), "One add product should have been read");
+        assertEquals(1, hintRules.get(0).getAddVendor().size(), "One add vendor should have been read");
+        assertEquals(2, hintRules.get(1).getFileNames().size(), "Two file name should have been read");
+
+        assertEquals("add product name", hintRules.get(0).getAddProduct().get(0).getName(), "add product name not found");
+        assertEquals("add vendor name", hintRules.get(0).getAddVendor().get(0).getName(), "add vendor name not found");
+        assertEquals("given product name", hintRules.get(0).getGivenProduct().get(0).getName(), "given product name not found");
+        assertEquals("given vendor name", hintRules.get(0).getGivenVendor().get(0).getName(), "given vendor name not found");
+
+        assertEquals("spring", hintRules.get(1).getFileNames().get(0).getValue(), "spring file name not found");
+        assertFalse(hintRules.get(1).getFileNames().get(0).isCaseSensitive(), "file name 1 should not be case sensitive");
+        assertFalse(hintRules.get(1).getFileNames().get(0).isRegex(), "file name 1 should not be a regex");
+        assertTrue(hintRules.get(1).getFileNames().get(1).isCaseSensitive(), "file name 2 should be case sensitive");
+        assertTrue(hintRules.get(1).getFileNames().get(1).isRegex(), "file name 2 should be a regex");
+
+        assertEquals("sun", vendorRules.get(0).getValue(), "sun duplicating vendor");
+        assertEquals("oracle", vendorRules.get(0).getDuplicate(), "sun duplicates vendor oracle");
     }
 
     /**
@@ -75,11 +79,11 @@ public void testParseHints_File() throws Exception {
      * error-message of the SAXParser in the exception's message.
      */
     @Test
-    public void testParseHintsXSDSelection() throws Exception {
+    void testParseHintsXSDSelection() {
         File file = BaseTest.getResourceAsFile(this, "hints_invalid.xml");
         HintParser instance = new HintParser();
-        Exception exception = Assert.assertThrows(org.owasp.dependencycheck.xml.hints.HintParseException.class, () -> instance.parseHints(file));
-        Assert.assertTrue(exception.getMessage().contains("Line=7, Column=133: cvc-enumeration-valid: Value 'version' is not facet-valid with respect to enumeration '[vendor, product]'. It must be a value from the enumeration."));
+        Exception exception = assertThrows(org.owasp.dependencycheck.xml.hints.HintParseException.class, () -> instance.parseHints(file));
+        assertTrue(exception.getMessage().contains("Line=7, Column=133: cvc-enumeration-valid: Value 'version' is not facet-valid with respect to enumeration '[vendor, product]'. It must be a value from the enumeration."));
 
     }
 
@@ -87,50 +91,50 @@ public void testParseHintsXSDSelection() throws Exception {
      * Test of parseHints method, of class HintParser.
      */
     @Test
-    public void testParseHints_InputStream() throws Exception {
+    void testParseHints_InputStream() throws Exception {
         InputStream ins = BaseTest.getResourceAsStream(this, "hints_12.xml");
         HintParser instance = new HintParser();
         instance.parseHints(ins);
         List<HintRule> hintRules = instance.getHintRules();
         List<VendorDuplicatingHintRule> vendorRules = instance.getVendorDuplicatingHintRules();
-        assertEquals("Zero duplicating hints should have been read", 0, vendorRules.size());
-        assertEquals("Two hint rules should have been read", 2, hintRules.size());
+        assertEquals(0, vendorRules.size(), "Zero duplicating hints should have been read");
+        assertEquals(2, hintRules.size(), "Two hint rules should have been read");
 
-        assertEquals("One given product should have been read in hint 0", 1, hintRules.get(0).getGivenProduct().size());
-        assertEquals("One given vendor should have been read in hint 0", 1, hintRules.get(0).getGivenVendor().size());
-        assertEquals("One given version should have been read in hint 0", 1, hintRules.get(0).getGivenVersion().size());
+        assertEquals(1, hintRules.get(0).getGivenProduct().size(), "One given product should have been read in hint 0");
+        assertEquals(1, hintRules.get(0).getGivenVendor().size(), "One given vendor should have been read in hint 0");
+        assertEquals(1, hintRules.get(0).getGivenVersion().size(), "One given version should have been read in hint 0");
 
-        assertEquals("One add product should have been read in hint 0", 1, hintRules.get(0).getAddProduct().size());
-        assertEquals("One add vendor should have been read in hint 0", 1, hintRules.get(0).getAddVendor().size());
-        assertEquals("One add version should have been read in hint 0", 1, hintRules.get(0).getAddVersion().size());
-        assertEquals("Zero remove product should have been read in hint 0", 0, hintRules.get(0).getRemoveProduct().size());
-        assertEquals("Zero remove vendor should have been read in hint 0", 0, hintRules.get(0).getRemoveVendor().size());
-        assertEquals("Zero remove version should have been read in hint 0", 0, hintRules.get(0).getRemoveVersion().size());
+        assertEquals(1, hintRules.get(0).getAddProduct().size(), "One add product should have been read in hint 0");
+        assertEquals(1, hintRules.get(0).getAddVendor().size(), "One add vendor should have been read in hint 0");
+        assertEquals(1, hintRules.get(0).getAddVersion().size(), "One add version should have been read in hint 0");
+        assertEquals(0, hintRules.get(0).getRemoveProduct().size(), "Zero remove product should have been read in hint 0");
+        assertEquals(0, hintRules.get(0).getRemoveVendor().size(), "Zero remove vendor should have been read in hint 0");
+        assertEquals(0, hintRules.get(0).getRemoveVersion().size(), "Zero remove version should have been read in hint 0");
 
-        assertEquals("Zero given product should have been read in hint 1", 0, hintRules.get(1).getGivenProduct().size());
-        assertEquals("Zero given vendor should have been read in hint 1", 0, hintRules.get(1).getGivenVendor().size());
-        assertEquals("One given version should have been read in hint 1", 1, hintRules.get(1).getGivenVersion().size());
+        assertEquals(0, hintRules.get(1).getGivenProduct().size(), "Zero given product should have been read in hint 1");
+        assertEquals(0, hintRules.get(1).getGivenVendor().size(), "Zero given vendor should have been read in hint 1");
+        assertEquals(1, hintRules.get(1).getGivenVersion().size(), "One given version should have been read in hint 1");
 
-        assertEquals("One remove product should have been read in hint 1", 1, hintRules.get(1).getRemoveProduct().size());
-        assertEquals("One remove vendor should have been read in hint 1", 1, hintRules.get(1).getRemoveVendor().size());
-        assertEquals("One remove version should have been read in hint 1", 1, hintRules.get(1).getRemoveVersion().size());
-        assertEquals("Zero add product should have been read in hint 1", 0, hintRules.get(1).getAddProduct().size());
-        assertEquals("Zero add vendor should have been read in hint 1", 0, hintRules.get(1).getAddVendor().size());
-        assertEquals("Zero add version should have been read in hint 1", 0, hintRules.get(1).getAddVersion().size());
+        assertEquals(1, hintRules.get(1).getRemoveProduct().size(), "One remove product should have been read in hint 1");
+        assertEquals(1, hintRules.get(1).getRemoveVendor().size(), "One remove vendor should have been read in hint 1");
+        assertEquals(1, hintRules.get(1).getRemoveVersion().size(), "One remove version should have been read in hint 1");
+        assertEquals(0, hintRules.get(1).getAddProduct().size(), "Zero add product should have been read in hint 1");
+        assertEquals(0, hintRules.get(1).getAddVendor().size(), "Zero add vendor should have been read in hint 1");
+        assertEquals(0, hintRules.get(1).getAddVersion().size(), "Zero add version should have been read in hint 1");
 
-        assertEquals("add product name not found in hint 0", "add product name", hintRules.get(0).getAddProduct().get(0).getName());
-        assertEquals("add vendor name not found in hint 0", "add vendor name", hintRules.get(0).getAddVendor().get(0).getName());
-        assertEquals("add version name not found in hint 0", "add version name", hintRules.get(0).getAddVersion().get(0).getName());
+        assertEquals("add product name", hintRules.get(0).getAddProduct().get(0).getName(), "add product name not found in hint 0");
+        assertEquals("add vendor name", hintRules.get(0).getAddVendor().get(0).getName(), "add vendor name not found in hint 0");
+        assertEquals("add version name", hintRules.get(0).getAddVersion().get(0).getName(), "add version name not found in hint 0");
 
-        assertEquals("given product name not found in hint 0", "given product name", hintRules.get(0).getGivenProduct().get(0).getName());
-        assertEquals("given vendor name not found in hint 0", "given vendor name", hintRules.get(0).getGivenVendor().get(0).getName());
-        assertEquals("given version name not found in hint 0", "given version name", hintRules.get(0).getGivenVersion().get(0).getName());
+        assertEquals("given product name", hintRules.get(0).getGivenProduct().get(0).getName(), "given product name not found in hint 0");
+        assertEquals("given vendor name", hintRules.get(0).getGivenVendor().get(0).getName(), "given vendor name not found in hint 0");
+        assertEquals("given version name", hintRules.get(0).getGivenVersion().get(0).getName(), "given version name not found in hint 0");
 
-        assertEquals("given version name not found in hint 1", "given version name", hintRules.get(1).getGivenVersion().get(0).getName());
+        assertEquals("given version name", hintRules.get(1).getGivenVersion().get(0).getName(), "given version name not found in hint 1");
 
-        assertEquals("add product name not found in hint 1", "remove product name", hintRules.get(1).getRemoveProduct().get(0).getName());
-        assertEquals("add vendor name not found in hint 1", "remove vendor name", hintRules.get(1).getRemoveVendor().get(0).getName());
-        assertEquals("add version name not found in hint 1", "remove version name", hintRules.get(1).getRemoveVersion().get(0).getName());
+        assertEquals("remove product name", hintRules.get(1).getRemoveProduct().get(0).getName(), "add product name not found in hint 1");
+        assertEquals("remove vendor name", hintRules.get(1).getRemoveVendor().get(0).getName(), "add vendor name not found in hint 1");
+        assertEquals("remove version name", hintRules.get(1).getRemoveVersion().get(0).getName(), "add version name not found in hint 1");
 
     }
 
@@ -138,58 +142,58 @@ public void testParseHints_InputStream() throws Exception {
      * Test of parseHints method, of class HintParser.
      */
     @Test
-    public void testParseHintsWithRegex() throws Exception {
+    void testParseHintsWithRegex() throws Exception {
         InputStream ins = BaseTest.getResourceAsStream(this, "hints_13.xml");
         HintParser instance = new HintParser();
         instance.parseHints(ins);
         List<VendorDuplicatingHintRule> vendor = instance.getVendorDuplicatingHintRules();
         List<HintRule> rules = instance.getHintRules();
 
-        assertEquals("Zero duplicating hints should have been read", 0, vendor.size());
-        assertEquals("Two hint rules should have been read", 2, rules.size());
-
-        assertEquals("One given product should have been read in hint 0", 1, rules.get(0).getGivenProduct().size());
-        assertEquals("One given vendor should have been read in hint 0", 1, rules.get(0).getGivenVendor().size());
-        assertEquals("One given version should have been read in hint 0", 1, rules.get(0).getGivenVersion().size());
-
-        assertEquals("One add product should have been read in hint 0", 1, rules.get(0).getAddProduct().size());
-        assertEquals("One add vendor should have been read in hint 0", 1, rules.get(0).getAddVendor().size());
-        assertEquals("One add version should have been read in hint 0", 1, rules.get(0).getAddVersion().size());
-        assertEquals("Zero remove product should have been read in hint 0", 0, rules.get(0).getRemoveProduct().size());
-        assertEquals("Zero remove vendor should have been read in hint 0", 0, rules.get(0).getRemoveVendor().size());
-        assertEquals("Zero remove version should have been read in hint 0", 0, rules.get(0).getRemoveVersion().size());
-
-        assertEquals("Zero given product should have been read in hint 1", 0, rules.get(1).getGivenProduct().size());
-        assertEquals("Zero given vendor should have been read in hint 1", 0, rules.get(1).getGivenVendor().size());
-        assertEquals("One given version should have been read in hint 1", 1, rules.get(1).getGivenVersion().size());
-
-        assertEquals("One remove product should have been read in hint 1", 1, rules.get(1).getRemoveProduct().size());
-        assertEquals("One remove vendor should have been read in hint 1", 1, rules.get(1).getRemoveVendor().size());
-        assertEquals("One remove version should have been read in hint 1", 1, rules.get(1).getRemoveVersion().size());
-        assertEquals("Zero add product should have been read in hint 1", 0, rules.get(1).getAddProduct().size());
-        assertEquals("Zero add vendor should have been read in hint 1", 0, rules.get(1).getAddVendor().size());
-        assertEquals("Zero add version should have been read in hint 1", 0, rules.get(1).getAddVersion().size());
-
-        assertEquals("add product name not found in hint 0", "add product name", rules.get(0).getAddProduct().get(0).getName());
-        assertEquals("add vendor name not found in hint 0", "add vendor name", rules.get(0).getAddVendor().get(0).getName());
-        assertEquals("add version name not found in hint 0", "add version name", rules.get(0).getAddVersion().get(0).getName());
-
-        assertEquals("given product name not found in hint 0", "given product name", rules.get(0).getGivenProduct().get(0).getName());
-        assertEquals("value not registered to be a regex for given product in hint 0", true, rules.get(0).getGivenProduct().get(0).isRegex());
-        assertEquals("given vendor name not found in hint 0", "given vendor name", rules.get(0).getGivenVendor().get(0).getName());
-        assertEquals("value not registered to be a regex for given vendor in hint 0", true, rules.get(0).getGivenVendor().get(0).isRegex());
-        assertEquals("given version name not found in hint 0", "given version name", rules.get(0).getGivenVersion().get(0).getName());
-        assertEquals("value not registered to not be a regex for given version in hint 0", false, rules.get(0).getGivenVersion().get(0).isRegex());
-
-        assertEquals("given version name not found in hint 1", "given version name", rules.get(1).getGivenVersion().get(0).getName());
-        assertEquals("value not registered to not be a regex by default for given version in hint 1", false, rules.get(1).getRemoveProduct().get(0).isRegex());
-
-        assertEquals("remove product name not found in hint 1", "remove product name", rules.get(1).getRemoveProduct().get(0).getName());
-        assertEquals("value not registered to not be a regex for product removal in hint 1", false, rules.get(1).getRemoveProduct().get(0).isRegex());
-        assertEquals("remove vendor name not found in hint 1", "remove vendor name", rules.get(1).getRemoveVendor().get(0).getName());
-        assertEquals("value not registered to not be a regex for vendor removal in hint 1", false, rules.get(1).getRemoveVendor().get(0).isRegex());
-        assertEquals("remove version name not found in hint 1", "remove version name", rules.get(1).getRemoveVersion().get(0).getName());
-        assertEquals("value not defaulted to not be a regex for vendor removal in hint 1", false, rules.get(1).getRemoveVersion().get(0).isRegex());
+        assertEquals(0, vendor.size(), "Zero duplicating hints should have been read");
+        assertEquals(2, rules.size(), "Two hint rules should have been read");
+
+        assertEquals(1, rules.get(0).getGivenProduct().size(), "One given product should have been read in hint 0");
+        assertEquals(1, rules.get(0).getGivenVendor().size(), "One given vendor should have been read in hint 0");
+        assertEquals(1, rules.get(0).getGivenVersion().size(), "One given version should have been read in hint 0");
+
+        assertEquals(1, rules.get(0).getAddProduct().size(), "One add product should have been read in hint 0");
+        assertEquals(1, rules.get(0).getAddVendor().size(), "One add vendor should have been read in hint 0");
+        assertEquals(1, rules.get(0).getAddVersion().size(), "One add version should have been read in hint 0");
+        assertEquals(0, rules.get(0).getRemoveProduct().size(), "Zero remove product should have been read in hint 0");
+        assertEquals(0, rules.get(0).getRemoveVendor().size(), "Zero remove vendor should have been read in hint 0");
+        assertEquals(0, rules.get(0).getRemoveVersion().size(), "Zero remove version should have been read in hint 0");
+
+        assertEquals(0, rules.get(1).getGivenProduct().size(), "Zero given product should have been read in hint 1");
+        assertEquals(0, rules.get(1).getGivenVendor().size(), "Zero given vendor should have been read in hint 1");
+        assertEquals(1, rules.get(1).getGivenVersion().size(), "One given version should have been read in hint 1");
+
+        assertEquals(1, rules.get(1).getRemoveProduct().size(), "One remove product should have been read in hint 1");
+        assertEquals(1, rules.get(1).getRemoveVendor().size(), "One remove vendor should have been read in hint 1");
+        assertEquals(1, rules.get(1).getRemoveVersion().size(), "One remove version should have been read in hint 1");
+        assertEquals(0, rules.get(1).getAddProduct().size(), "Zero add product should have been read in hint 1");
+        assertEquals(0, rules.get(1).getAddVendor().size(), "Zero add vendor should have been read in hint 1");
+        assertEquals(0, rules.get(1).getAddVersion().size(), "Zero add version should have been read in hint 1");
+
+        assertEquals("add product name", rules.get(0).getAddProduct().get(0).getName(), "add product name not found in hint 0");
+        assertEquals("add vendor name", rules.get(0).getAddVendor().get(0).getName(), "add vendor name not found in hint 0");
+        assertEquals("add version name", rules.get(0).getAddVersion().get(0).getName(), "add version name not found in hint 0");
+
+        assertEquals("given product name", rules.get(0).getGivenProduct().get(0).getName(), "given product name not found in hint 0");
+        assertTrue(rules.get(0).getGivenProduct().get(0).isRegex(), "value not registered to be a regex for given product in hint 0");
+        assertEquals("given vendor name", rules.get(0).getGivenVendor().get(0).getName(), "given vendor name not found in hint 0");
+        assertTrue(rules.get(0).getGivenVendor().get(0).isRegex(), "value not registered to be a regex for given vendor in hint 0");
+        assertEquals("given version name", rules.get(0).getGivenVersion().get(0).getName(), "given version name not found in hint 0");
+        assertFalse(rules.get(0).getGivenVersion().get(0).isRegex(), "value not registered to not be a regex for given version in hint 0");
+
+        assertEquals("given version name", rules.get(1).getGivenVersion().get(0).getName(), "given version name not found in hint 1");
+        assertFalse(rules.get(1).getRemoveProduct().get(0).isRegex(), "value not registered to not be a regex by default for given version in hint 1");
+
+        assertEquals("remove product name", rules.get(1).getRemoveProduct().get(0).getName(), "remove product name not found in hint 1");
+        assertFalse(rules.get(1).getRemoveProduct().get(0).isRegex(), "value not registered to not be a regex for product removal in hint 1");
+        assertEquals("remove vendor name", rules.get(1).getRemoveVendor().get(0).getName(), "remove vendor name not found in hint 1");
+        assertFalse(rules.get(1).getRemoveVendor().get(0).isRegex(), "value not registered to not be a regex for vendor removal in hint 1");
+        assertEquals("remove version name", rules.get(1).getRemoveVersion().get(0).getName(), "remove version name not found in hint 1");
+        assertFalse(rules.get(1).getRemoveVersion().get(0).isRegex(), "value not defaulted to not be a regex for vendor removal in hint 1");
 
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java
index 26cabf49cff..5b6a0ba9a5d 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java
@@ -17,26 +17,27 @@
  */
 package org.owasp.dependencycheck.xml.pom;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.utils.InterpolationUtil;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 
 /**
  *
  * @author jeremy long
  */
-public class ModelTest extends BaseTest {
+class ModelTest extends BaseTest {
 
     /**
      * Test of getName method, of class Model.
      */
     @Test
-    public void testGetName() {
+    void testGetName() {
         Model instance = new Model();
         instance.setName("");
         String expResult = "";
@@ -48,7 +49,7 @@ public void testGetName() {
      * Test of setName method, of class Model.
      */
     @Test
-    public void testSetName() {
+    void testSetName() {
         String name = "name";
         Model instance = new Model();
         instance.setName(name);
@@ -59,7 +60,7 @@ public void testSetName() {
      * Test of getOrganization method, of class Model.
      */
     @Test
-    public void testGetOrganization() {
+    void testGetOrganization() {
         Model instance = new Model();
         instance.setOrganization("");
         String expResult = "";
@@ -71,7 +72,7 @@ public void testGetOrganization() {
      * Test of setOrganization method, of class Model.
      */
     @Test
-    public void testSetOrganization() {
+    void testSetOrganization() {
         String organization = "apache";
         Model instance = new Model();
         instance.setOrganization(organization);
@@ -82,7 +83,7 @@ public void testSetOrganization() {
      * Test of getDescription method, of class Model.
      */
     @Test
-    public void testGetDescription() {
+    void testGetDescription() {
         Model instance = new Model();
         instance.setDescription("");
         String expResult = "";
@@ -94,7 +95,7 @@ public void testGetDescription() {
      * Test of setDescription method, of class Model.
      */
     @Test
-    public void testSetDescription() {
+    void testSetDescription() {
         String description = "description";
         String expected = "description";
         Model instance = new Model();
@@ -106,7 +107,7 @@ public void testSetDescription() {
      * Test of getGroupId method, of class Model.
      */
     @Test
-    public void testGetGroupId() {
+    void testGetGroupId() {
         Model instance = new Model();
         instance.setGroupId("");
         String expResult = "";
@@ -118,7 +119,7 @@ public void testGetGroupId() {
      * Test of setGroupId method, of class Model.
      */
     @Test
-    public void testSetGroupId() {
+    void testSetGroupId() {
         String groupId = "aaa";
         String expected = "aaa";
         Model instance = new Model();
@@ -130,7 +131,7 @@ public void testSetGroupId() {
      * Test of getArtifactId method, of class Model.
      */
     @Test
-    public void testGetArtifactId() {
+    void testGetArtifactId() {
         Model instance = new Model();
         instance.setArtifactId("");
         String expResult = "";
@@ -142,7 +143,7 @@ public void testGetArtifactId() {
      * Test of setArtifactId method, of class Model.
      */
     @Test
-    public void testSetArtifactId() {
+    void testSetArtifactId() {
         String artifactId = "aaa";
         String expected = "aaa";
         Model instance = new Model();
@@ -154,7 +155,7 @@ public void testSetArtifactId() {
      * Test of getVersion method, of class Model.
      */
     @Test
-    public void testGetVersion() {
+    void testGetVersion() {
         Model instance = new Model();
         instance.setVersion("");
         String expResult = "";
@@ -166,7 +167,7 @@ public void testGetVersion() {
      * Test of setVersion method, of class Model.
      */
     @Test
-    public void testSetVersion() {
+    void testSetVersion() {
         String version = "";
         Model instance = new Model();
         instance.setVersion(version);
@@ -177,7 +178,7 @@ public void testSetVersion() {
      * Test of getParentGroupId method, of class Model.
      */
     @Test
-    public void testGetParentGroupId() {
+    void testGetParentGroupId() {
         Model instance = new Model();
         instance.setParentGroupId("");
         String expResult = "";
@@ -189,7 +190,7 @@ public void testGetParentGroupId() {
      * Test of setParentGroupId method, of class Model.
      */
     @Test
-    public void testSetParentGroupId() {
+    void testSetParentGroupId() {
         String parentGroupId = "org.owasp";
         Model instance = new Model();
         instance.setParentGroupId(parentGroupId);
@@ -200,7 +201,7 @@ public void testSetParentGroupId() {
      * Test of getParentArtifactId method, of class Model.
      */
     @Test
-    public void testGetParentArtifactId() {
+    void testGetParentArtifactId() {
         Model instance = new Model();
         instance.setParentArtifactId("");
         String expResult = "";
@@ -212,7 +213,7 @@ public void testGetParentArtifactId() {
      * Test of setParentArtifactId method, of class Model.
      */
     @Test
-    public void testSetParentArtifactId() {
+    void testSetParentArtifactId() {
         String parentArtifactId = "something";
         Model instance = new Model();
         instance.setParentArtifactId(parentArtifactId);
@@ -223,7 +224,7 @@ public void testSetParentArtifactId() {
      * Test of getParentVersion method, of class Model.
      */
     @Test
-    public void testGetParentVersion() {
+    void testGetParentVersion() {
         Model instance = new Model();
         instance.setParentVersion("");
         String expResult = "";
@@ -235,7 +236,7 @@ public void testGetParentVersion() {
      * Test of setParentVersion method, of class Model.
      */
     @Test
-    public void testSetParentVersion() {
+    void testSetParentVersion() {
         String parentVersion = "1.0";
         Model instance = new Model();
         instance.setParentVersion(parentVersion);
@@ -246,7 +247,7 @@ public void testSetParentVersion() {
      * Test of getLicenses method, of class Model.
      */
     @Test
-    public void testGetLicenses() {
+    void testGetLicenses() {
         Model instance = new Model();
         instance.addLicense(new License("name", "url"));
         List<License> expResult = new ArrayList<>();
@@ -259,7 +260,7 @@ public void testGetLicenses() {
      * Test of addLicense method, of class Model.
      */
     @Test
-    public void testAddLicense() {
+    void testAddLicense() {
         License license = new License("name", "url");
         Model instance = new Model();
         instance.addLicense(license);
@@ -270,7 +271,7 @@ public void testAddLicense() {
      * Test of processProperties method, of class Model.
      */
     @Test
-    public void testProcessProperties() {
+    void testProcessProperties() {
 
         String text = "This is a test of '${key}' '${nested}'";
         Model instance = new Model();
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
index 584ccaceebe..73447b8f321 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
@@ -17,89 +17,94 @@
  */
 package org.owasp.dependencycheck.xml.pom;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import java.io.File;
 import java.io.InputStream;
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.BaseTest;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 /**
  *
  * @author jeremy long
  */
-public class PomParserTest {
+class PomParserTest {
 
     /**
      * Test of parse method, of class PomParser.
      */
     @Test
-    public void testParse_File() throws Exception {
+    void testParse_File() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "pom/mailapi-1.4.3.pom");
         PomParser instance = new PomParser();
         String expVersion = "1.4.3";
         Model result = instance.parse(file);
-        assertEquals("Invalid version extracted", expVersion, result.getParentVersion());
+        assertEquals(expVersion, result.getParentVersion(), "Invalid version extracted");
     }
 
     /**
      * Test of parse method, of class PomParser.
      */
     @Test
-    public void testParse_InputStream() throws Exception {
+    void testParse_InputStream() throws Exception {
         InputStream inputStream = BaseTest.getResourceAsStream(this, "pom/plexus-utils-3.0.24.pom");
         PomParser instance = new PomParser();
         String expectedArtifactId = "plexus-utils";
         Model result = instance.parse(inputStream);
-        assertEquals("Invalid artifactId extracted", expectedArtifactId, result.getArtifactId());
+        assertEquals(expectedArtifactId, result.getArtifactId(), "Invalid artifactId extracted");
     }
 
     /**
      * Test of parse method, of class PomParser.
      */
     @Test
-    public void testParse_InputStreamWithDocType() throws Exception {
+    void testParse_InputStreamWithDocType() throws Exception {
         InputStream inputStream = BaseTest.getResourceAsStream(this, "pom/mailapi-1.4.3_doctype.pom");
         PomParser instance = new PomParser();
         String expVersion = "1.4.3";
         Model result = instance.parse(inputStream);
-        assertEquals("Invalid version extracted", expVersion, result.getParentVersion());
+        assertEquals(expVersion, result.getParentVersion(), "Invalid version extracted");
     }
 
     @Test
-    public void testParseWithoutDocTypeCleanup_InputStream() throws Exception {
+    void testParseWithoutDocTypeCleanup_InputStream() throws Exception {
         InputStream inputStream = BaseTest.getResourceAsStream(this, "pom/mailapi-1.4.3.pom");
         PomParser instance = new PomParser();
         String expVersion = "1.4.3";
         Model result = instance.parseWithoutDocTypeCleanup(inputStream);
-        assertEquals("Invalid version extracted", expVersion, result.getParentVersion());
+        assertEquals(expVersion, result.getParentVersion(), "Invalid version extracted");
     }
 
     @Test
-    public void testParseWithoutDocTypeCleanup() throws Exception {
+    void testParseWithoutDocTypeCleanup() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "pom/mailapi-1.4.3.pom");
         PomParser instance = new PomParser();
         String expVersion = "1.4.3";
         Model result = instance.parseWithoutDocTypeCleanup(file);
-        assertEquals("Invalid version extracted", expVersion, result.getParentVersion());
+        assertEquals(expVersion, result.getParentVersion(), "Invalid version extracted");
     }
 
-    
-    @Test(expected = PomParseException.class)
-    public void testParseWithoutDocTypeCleanup_InputStreamWithDocType() throws Exception {
+
+    @Test
+    void testParseWithoutDocTypeCleanup_InputStreamWithDocType() throws Exception {
         InputStream inputStream = BaseTest.getResourceAsStream(this, "pom/mailapi-1.4.3_doctype.pom");
         PomParser instance = new PomParser();
         String expVersion = "1.4.3";
         Model result = instance.parseWithoutDocTypeCleanup(inputStream);
-        assertEquals("Invalid version extracted", expVersion, result.getParentVersion());
+        assertThrows(PomParseException.class, () ->
+            assertEquals(expVersion, result.getParentVersion(), "Invalid version extracted"));
     }
 
-    @Test(expected = PomParseException.class)
-    public void testParseWithoutDocTypeCleanup_WithDocType() throws Exception {
+    @Test
+    void testParseWithoutDocTypeCleanup_WithDocType() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "pom/mailapi-1.4.3_doctype.pom");
         PomParser instance = new PomParser();
         String expVersion = "1.4.3";
         Model result = instance.parseWithoutDocTypeCleanup(file);
-        assertEquals("Invalid version extracted", expVersion, result.getParentVersion());
+        assertThrows(PomParseException.class, () ->
+            assertEquals(expVersion, result.getParentVersion(), "Invalid version extracted"));
     }
 
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomProjectInputStreamTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomProjectInputStreamTest.java
index 041dcffb5b1..6f3698fe530 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomProjectInputStreamTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomProjectInputStreamTest.java
@@ -17,19 +17,21 @@
  */
 package org.owasp.dependencycheck.xml.pom;
 
+import org.junit.jupiter.api.Test;
+
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.UnsupportedEncodingException;
 import java.nio.charset.StandardCharsets;
-import org.junit.Test;
-import static org.junit.Assert.*;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author Jeremy Long
  */
-public class PomProjectInputStreamTest {
+class PomProjectInputStreamTest {
 
     private final String POM = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
             + "<!DOCTYPE xml [<!ENTITY quot \"&#34;\">\n"
@@ -62,7 +64,7 @@ public class PomProjectInputStreamTest {
             + "<blue></blue>";
 
     @Test
-    public void testFilter() throws IOException {
+    void testFilter() throws IOException {
         InputStream in = new ByteArrayInputStream(POM.getBytes(StandardCharsets.UTF_8));
         PomProjectInputStream instance = new PomProjectInputStream(in);
         byte[] expected = "<project></project>".getBytes(StandardCharsets.UTF_8);
@@ -85,7 +87,7 @@ public void testFilter() throws IOException {
      * Test of findSequence method, of class PomProjectInputStream.
      */
     @Test
-    public void testFindSequence() throws IOException {
+    void testFindSequence() {
 
         byte[] sequence = "project".getBytes(StandardCharsets.UTF_8);
         byte[] buffer = "my big project".getBytes(StandardCharsets.UTF_8);
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java
index b47685c23a6..e848f9a53dc 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomUtilsTest.java
@@ -17,20 +17,21 @@
  */
 package org.owasp.dependencycheck.xml.pom;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+
 import java.io.File;
 import java.util.jar.JarFile;
 
-import org.junit.Test;
-import static org.junit.Assert.*;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  * Test the PomUtils object.
  *
  * @author Jeremy Long
  */
-public class PomUtilsTest extends BaseTest {
+class PomUtilsTest extends BaseTest {
 
     /**
      * Test of readPom method, of class PomUtils.
@@ -39,7 +40,7 @@ public class PomUtilsTest extends BaseTest {
      * exception
      */
     @Test
-    public void testReadPom_File() throws Exception {
+    void testReadPom_File() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "dwr-pom.xml");
         String expResult = "Direct Web Remoting";
         Model result = PomUtils.readPom(file);
@@ -62,7 +63,7 @@ public void testReadPom_File() throws Exception {
     }
 
     @Test
-    public void testReadPom_String_File() throws Exception {
+    void testReadPom_String_File() throws Exception {
         File fileCommonValidator = BaseTest.getResourceAsFile(this, "commons-validator-1.4.0.jar");
         JarFile jar = new JarFile(fileCommonValidator, false);
         String expResult = "Commons Validator";
@@ -71,7 +72,7 @@ public void testReadPom_String_File() throws Exception {
     }
 
     @Test
-    public void testReadPom_should_trim_version() throws AnalysisException {
+    void testReadPom_should_trim_version() throws AnalysisException {
         File input = BaseTest.getResourceAsFile(this, "pom/pom-with-new-line.xml");
         String expectedOutputVersion = "2.2.0";
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/PropertyTypeTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/PropertyTypeTest.java
index 6824e587863..3a62a73397d 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/PropertyTypeTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/PropertyTypeTest.java
@@ -17,24 +17,24 @@
  */
 package org.owasp.dependencycheck.xml.suppression;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  *
  * @author Jeremy Long
  */
-public class PropertyTypeTest extends BaseTest {
+class PropertyTypeTest extends BaseTest {
 
     /**
      * Test of set and getValue method, of class PropertyType.
      */
     @Test
-    public void testSetGetValue() {
+    void testSetGetValue() {
 
         PropertyType instance = new PropertyType();
         String expResult = "test";
@@ -47,7 +47,7 @@ public void testSetGetValue() {
      * Test of isRegex method, of class PropertyType.
      */
     @Test
-    public void testIsRegex() {
+    void testIsRegex() {
         PropertyType instance = new PropertyType();
         assertFalse(instance.isRegex());
         instance.setRegex(true);
@@ -58,7 +58,7 @@ public void testIsRegex() {
      * Test of isCaseSensitive method, of class PropertyType.
      */
     @Test
-    public void testIsCaseSensitive() {
+    void testIsCaseSensitive() {
         PropertyType instance = new PropertyType();
         assertFalse(instance.isCaseSensitive());
         instance.setCaseSensitive(true);
@@ -69,7 +69,7 @@ public void testIsCaseSensitive() {
      * Test of matches method, of class PropertyType.
      */
     @Test
-    public void testMatches() {
+    void testMatches() {
         String text = "Simple";
 
         PropertyType instance = new PropertyType();
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandlerTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandlerTest.java
index f304112eff3..0177ea12faa 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandlerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandlerTest.java
@@ -17,6 +17,13 @@
  */
 package org.owasp.dependencycheck.xml.suppression;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.utils.XmlUtils;
+import org.xml.sax.InputSource;
+import org.xml.sax.XMLReader;
+
+import javax.xml.parsers.SAXParser;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStream;
@@ -24,19 +31,14 @@
 import java.io.Reader;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
-import javax.xml.parsers.SAXParser;
-import static org.junit.Assert.assertTrue;
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.utils.XmlUtils;
-import org.xml.sax.InputSource;
-import org.xml.sax.XMLReader;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class SuppressionHandlerTest extends BaseTest {
+class SuppressionHandlerTest extends BaseTest {
 
     /**
      * Test of getSuppressionRules method, of class SuppressionHandler.
@@ -44,7 +46,7 @@ public class SuppressionHandlerTest extends BaseTest {
      * @throws Exception thrown if there is an exception....
      */
     @Test
-    public void testHandler() throws Exception {
+    void testHandler() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "suppressions.xml");
         InputStream schemaStream = BaseTest.getResourceAsStream(this, "schema/suppression.xsd");
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionParserTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionParserTest.java
index 106b00e170e..a4f236271ed 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionParserTest.java
@@ -17,31 +17,32 @@
  */
 package org.owasp.dependencycheck.xml.suppression;
 
+import org.junit.jupiter.api.Test;
+import org.owasp.dependencycheck.BaseTest;
+
 import java.io.File;
 import java.util.List;
-import org.junit.Assert;
 
-import org.junit.Test;
-import org.owasp.dependencycheck.BaseTest;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  * Test of the suppression parser.
  *
  * @author Jeremy Long
  */
-public class SuppressionParserTest extends BaseTest {
+class SuppressionParserTest extends BaseTest {
 
     /**
      * Test of parseSuppressionRules method, of class SuppressionParser for the
      * v1.0 suppression XML Schema.
      */
     @Test
-    public void testParseSuppressionRulesV1dot0() throws Exception {
+    void testParseSuppressionRulesV1dot0() throws Exception {
         //File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
         File file = BaseTest.getResourceAsFile(this, "suppressions.xml");
         SuppressionParser instance = new SuppressionParser();
         List<SuppressionRule> result = instance.parseSuppressionRules(file);
-        Assert.assertEquals(5, result.size());
+        assertEquals(5, result.size());
     }
 
     /**
@@ -49,12 +50,12 @@ public void testParseSuppressionRulesV1dot0() throws Exception {
      * v1.1 suppression XML Schema.
      */
     @Test
-    public void testParseSuppressionRulesV1dot1() throws Exception {
+    void testParseSuppressionRulesV1dot1() throws Exception {
         //File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
         File file = BaseTest.getResourceAsFile(this, "suppressions_1_1.xml");
         SuppressionParser instance = new SuppressionParser();
         List<SuppressionRule> result = instance.parseSuppressionRules(file);
-        Assert.assertEquals(5, result.size());
+        assertEquals(5, result.size());
     }
 
     /**
@@ -62,12 +63,12 @@ public void testParseSuppressionRulesV1dot1() throws Exception {
      * v1.2 suppression XML Schema.
      */
     @Test
-    public void testParseSuppressionRulesV1dot2() throws Exception {
+    void testParseSuppressionRulesV1dot2() throws Exception {
         //File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
         File file = BaseTest.getResourceAsFile(this, "suppressions_1_2.xml");
         SuppressionParser instance = new SuppressionParser();
         List<SuppressionRule> result = instance.parseSuppressionRules(file);
-        Assert.assertEquals(4, result.size());
+        assertEquals(4, result.size());
     }
 
     /**
@@ -75,11 +76,11 @@ public void testParseSuppressionRulesV1dot2() throws Exception {
      * v1.2 suppression XML Schema.
      */
     @Test
-    public void testParseSuppressionRulesV1dot3() throws Exception {
+    void testParseSuppressionRulesV1dot3() throws Exception {
         //File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
         File file = BaseTest.getResourceAsFile(this, "suppressions_1_3.xml");
         SuppressionParser instance = new SuppressionParser();
         List<SuppressionRule> result = instance.parseSuppressionRules(file);
-        Assert.assertEquals(4, result.size());
+        assertEquals(4, result.size());
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleTest.java
index d7ef1dcebd0..148962cb79f 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/suppression/SuppressionRuleTest.java
@@ -19,16 +19,9 @@
 
 import com.github.packageurl.MalformedPackageURLException;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2;
-import java.io.File;
-import java.util.ArrayList;
-import java.util.List;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.dependency.Confidence;
-
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.naming.CpeIdentifier;
@@ -36,19 +29,27 @@
 import org.owasp.dependencycheck.utils.CvssUtil;
 import us.springett.parsers.cpe.exceptions.CpeValidationException;
 
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 /**
  * Test of the suppression rule.
  *
  * @author Jeremy Long
  */
-public class SuppressionRuleTest extends BaseTest {
+class SuppressionRuleTest extends BaseTest {
 
     //<editor-fold defaultstate="collapsed" desc="Stupid tests of properties">
     /**
      * Test of FilePath property, of class SuppressionRule.
      */
     @Test
-    public void testFilePath() {
+    void testFilePath() {
         SuppressionRule instance = new SuppressionRule();
         PropertyType expResult = new PropertyType();
         expResult.setValue("test");
@@ -61,7 +62,7 @@ public void testFilePath() {
      * Test of Sha1 property, of class SuppressionRule.
      */
     @Test
-    public void testSha1() {
+    void testSha1() {
         SuppressionRule instance = new SuppressionRule();
         String expResult = "384FAA82E193D4E4B0546059CA09572654BC3970";
         instance.setSha1(expResult);
@@ -73,7 +74,7 @@ public void testSha1() {
      * Test of Cpe property, of class SuppressionRule.
      */
     @Test
-    public void testCpe() {
+    void testCpe() {
         SuppressionRule instance = new SuppressionRule();
         List<PropertyType> cpe = new ArrayList<>();
         instance.setCpe(cpe);
@@ -91,7 +92,7 @@ public void testCpe() {
      * Test of CvssBelow property, of class SuppressionRule.
      */
     @Test
-    public void testGetCvssBelow() {
+    void testGetCvssBelow() {
         SuppressionRule instance = new SuppressionRule();
         List<Double> cvss = new ArrayList<>();
         instance.setCvssBelow(cvss);
@@ -106,7 +107,7 @@ public void testGetCvssBelow() {
      * Test of Cwe property, of class SuppressionRule.
      */
     @Test
-    public void testCwe() {
+    void testCwe() {
         SuppressionRule instance = new SuppressionRule();
         List<String> cwe = new ArrayList<>();
         instance.setCwe(cwe);
@@ -121,7 +122,7 @@ public void testCwe() {
      * Test of Cve property, of class SuppressionRule.
      */
     @Test
-    public void testCve() {
+    void testCve() {
         SuppressionRule instance = new SuppressionRule();
         List<String> cve = new ArrayList<>();
         instance.setCve(cve);
@@ -136,12 +137,13 @@ public void testCve() {
      * Test of base property, of class SuppressionRule.
      */
     @Test
-    public void testBase() {
+    void testBase() {
         SuppressionRule instance = new SuppressionRule();
         assertFalse(instance.isBase());
         instance.setBase(true);
         assertTrue(instance.isBase());
     }
+
     //</editor-fold>
 
     //<editor-fold defaultstate="collapsed" desc="Ignored duplicate tests, left in, as empty tests, so IDE doesn't re-generate them">
@@ -150,7 +152,7 @@ public void testBase() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testGetFilePath() {
+    void testGetFilePath() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -159,7 +161,7 @@ public void testGetFilePath() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testSetFilePath() {
+    void testSetFilePath() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -168,7 +170,7 @@ public void testSetFilePath() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testGetSha1() {
+    void testGetSha1() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -177,7 +179,7 @@ public void testGetSha1() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testSetSha1() {
+    void testSetSha1() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -186,7 +188,7 @@ public void testSetSha1() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testGetCpe() {
+    void testGetCpe() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -195,7 +197,7 @@ public void testGetCpe() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testSetCpe() {
+    void testSetCpe() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -204,7 +206,7 @@ public void testSetCpe() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testAddCpe() {
+    void testAddCpe() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -213,7 +215,7 @@ public void testAddCpe() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testHasCpe() {
+    void testHasCpe() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -222,7 +224,7 @@ public void testHasCpe() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testSetCvssBelow() {
+    void testSetCvssBelow() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -231,7 +233,7 @@ public void testSetCvssBelow() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testAddCvssBelow() {
+    void testAddCvssBelow() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -240,7 +242,7 @@ public void testAddCvssBelow() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testHasCvssBelow() {
+    void testHasCvssBelow() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -249,7 +251,7 @@ public void testHasCvssBelow() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testGetCwe() {
+    void testGetCwe() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -258,7 +260,7 @@ public void testGetCwe() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testSetCwe() {
+    void testSetCwe() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -267,7 +269,7 @@ public void testSetCwe() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testAddCwe() {
+    void testAddCwe() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -276,7 +278,7 @@ public void testAddCwe() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testHasCwe() {
+    void testHasCwe() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -285,7 +287,7 @@ public void testHasCwe() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testGetCve() {
+    void testGetCve() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -294,7 +296,7 @@ public void testGetCve() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testSetCve() {
+    void testSetCve() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -303,7 +305,7 @@ public void testSetCve() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testAddCve() {
+    void testAddCve() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
 
@@ -312,16 +314,17 @@ public void testAddCve() {
      */
     @Test
     @SuppressWarnings("squid:S2699")
-    public void testHasCve() {
+    void testHasCve() {
         //already tested, this is just left so the IDE doesn't recreate it.
     }
+
     //</editor-fold>
 
     /**
      * Test of cpeHasNoVersion method, of class SuppressionRule.
      */
     @Test
-    public void testCpeHasNoVersion() {
+    void testCpeHasNoVersion() {
         PropertyType c = new PropertyType();
         c.setValue("cpe:/a:microsoft:.net_framework:4.5");
         SuppressionRule instance = new SuppressionRule();
@@ -336,7 +339,7 @@ public void testCpeHasNoVersion() {
      * Test of identifierMatches method, of class SuppressionRule.
      */
     @Test
-    public void testCpeMatches() throws CpeValidationException, MalformedPackageURLException {
+    void testCpeMatches() throws CpeValidationException, MalformedPackageURLException {
         CpeIdentifier identifier = new CpeIdentifier("microsoft", ".net_framework", "4.5", Confidence.HIGHEST);
 
         PropertyType cpe = new PropertyType();
@@ -412,7 +415,7 @@ public void testCpeMatches() throws CpeValidationException, MalformedPackageURLE
      * Test of process method, of class SuppressionRule.
      */
     @Test
-    public void testProcess() throws CpeValidationException {
+    void testProcess() throws CpeValidationException {
         //File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
         Dependency dependency = new Dependency(struts);
@@ -462,7 +465,7 @@ public void testProcess() throws CpeValidationException {
         pt.setValue("cpe:/a:microsoft:.net_framework:4.0");
         instance.addCpe(pt);
         instance.process(dependency);
-        assertTrue(dependency.getVulnerableSoftwareIdentifiers().size() == 1);
+        assertEquals(1, dependency.getVulnerableSoftwareIdentifiers().size());
         pt = new PropertyType();
         pt.setValue("cpe:/a:microsoft:.net_framework:4.5");
         instance.addCpe(pt);
@@ -494,7 +497,7 @@ public void testProcess() throws CpeValidationException {
      * Test of process method, of class SuppressionRule.
      */
     @Test
-    public void testProcessGAV() throws CpeValidationException, MalformedPackageURLException {
+    void testProcessGAV() throws CpeValidationException, MalformedPackageURLException {
         //File spring = new File(this.getClass().getClassLoader().getResource("spring-security-web-3.0.0.RELEASE.jar").getPath());
         File spring = BaseTest.getResourceAsFile(this, "spring-security-web-3.0.0.RELEASE.jar");
         Dependency dependency = new Dependency(spring);
@@ -529,7 +532,7 @@ public void testProcessGAV() throws CpeValidationException, MalformedPackageURLE
     }
 
     @Test
-    public void testProcessVulnerabilityNames() throws CpeValidationException, MalformedPackageURLException {
+    void testProcessVulnerabilityNames() throws CpeValidationException, MalformedPackageURLException {
         File spring = BaseTest.getResourceAsFile(this, "spring-security-web-3.0.0.RELEASE.jar");
         Dependency dependency = new Dependency(spring);
         dependency.addVulnerableSoftwareIdentifier(new CpeIdentifier("vmware", "springsource_spring_security", "3.0.0", Confidence.HIGH));
@@ -552,11 +555,11 @@ public void testProcessVulnerabilityNames() throws CpeValidationException, Malfo
         assertEquals(1, dependency.getVulnerabilities().size());
         assertEquals(0, dependency.getSuppressedVulnerabilities().size());
 
-        
+
         pt = new PropertyType();
         pt.setValue("CVE-2013-1337");
         instance.addVulnerabilityName(pt);
-        
+
         instance.process(dependency);
         assertEquals(0, dependency.getVulnerabilities().size());
         assertEquals(1, dependency.getSuppressedVulnerabilities().size());
@@ -566,7 +569,7 @@ private Vulnerability createVulnerability() {
         Vulnerability v = new Vulnerability();
         v.addCwe("CWE-287 Improper Authentication");
         v.setName("CVE-2013-1337");
-        
+
         CvssV2 cvss = CvssUtil.vectorToCvssV2("/AV:N/AC:L/Au:N/C:P/I:P/A:P", 7.5);
         v.setCvssV2(cvss);
         return v;

From 6c5676188a5df55a09b903eb5bd885a27c32a15b Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 29 Apr 2025 14:32:44 +0200
Subject: [PATCH 030/195] Migrate tests to JUnit5 (maven)

* Migrate annotations and imports
* Migrate assertions
* Remove public visibility for test classes and methods
* Minor code cleanup
---
 maven/pom.xml                                 |  2 +-
 .../maven/ArtifactScopeExcludedTest.java      | 37 +++++-------------
 .../maven/ArtifactTypeExcludedTest.java       |  9 +++--
 .../maven/BaseDependencyCheckMojoTest.java    | 39 +++++++++----------
 .../owasp/dependencycheck/maven/BaseTest.java | 11 +++---
 .../resources/maven_project_base_dir/pom.xml  |  6 +--
 6 files changed, 43 insertions(+), 61 deletions(-)

diff --git a/maven/pom.xml b/maven/pom.xml
index aa58a3c401f..be83676df0d 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -116,7 +116,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
+            <artifactId>mockito-junit-jupiter</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>
diff --git a/maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactScopeExcludedTest.java b/maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactScopeExcludedTest.java
index e286c61c78d..63e615c3e08 100644
--- a/maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactScopeExcludedTest.java
+++ b/maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactScopeExcludedTest.java
@@ -17,9 +17,8 @@
  */
 package org.owasp.dependencycheck.maven;
 
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.Parameterized;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
 import org.owasp.dependencycheck.utils.Filter;
 
 import java.util.Arrays;
@@ -38,18 +37,9 @@
 import static org.hamcrest.core.IsEqual.equalTo;
 import static org.owasp.dependencycheck.maven.ArtifactScopeExcludedTest.ArtifactScopeExcludedTestBuilder.pluginDefaults;
 
-@RunWith(Parameterized.class)
-public class ArtifactScopeExcludedTest {
+class ArtifactScopeExcludedTest {
 
-	private final boolean skipTestScope;
-	private final boolean skipProvidedScope;
-	private final boolean skipSystemScope;
-	private final boolean skipRuntimeScope;
-	private final String testString;
-	private final boolean expectedResult;
-
-	@Parameterized.Parameters(name = "{0}")
-	public static Collection<Object[]> getParameters() {
+	static Collection<Object[]> getParameters() {
 		return Arrays.asList(new Object[][]{
 				{pluginDefaults().withTestString(SCOPE_COMPILE).withExpectedResult(false)},
 				{pluginDefaults().withTestString(SCOPE_COMPILE_PLUS_RUNTIME).withExpectedResult(false)},
@@ -66,19 +56,12 @@ public static Collection<Object[]> getParameters() {
 		});
 	}
 
-	public ArtifactScopeExcludedTest(final ArtifactScopeExcludedTestBuilder builder) {
-		this.skipTestScope = builder.skipTestScope;
-		this.skipProvidedScope = builder.skipProvidedScope;
-		this.skipSystemScope = builder.skipSystemScope;
-		this.skipRuntimeScope = builder.skipRuntimeScope;
-		this.testString = builder.testString;
-		this.expectedResult = builder.expectedResult;
-	}
-
-	@Test
-	public void shouldExcludeArtifact() {
-		final Filter<String> artifactScopeExcluded = new ArtifactScopeExcluded(skipTestScope, skipProvidedScope, skipSystemScope, skipRuntimeScope);
-		assertThat(expectedResult, is(equalTo(artifactScopeExcluded.passes(testString))));
+    @ParameterizedTest(name = "{0}")
+	@MethodSource("getParameters")
+    void shouldExcludeArtifact(final ArtifactScopeExcludedTestBuilder builder) {
+		final Filter<String> artifactScopeExcluded = new ArtifactScopeExcluded(
+				builder.skipTestScope, builder.skipProvidedScope, builder.skipSystemScope, builder.skipRuntimeScope);
+		assertThat(builder.expectedResult, is(equalTo(artifactScopeExcluded.passes(builder.testString))));
 	}
 
 	public static final class ArtifactScopeExcludedTestBuilder {
diff --git a/maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactTypeExcludedTest.java b/maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactTypeExcludedTest.java
index e3a78f95eb1..101b5a35786 100644
--- a/maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactTypeExcludedTest.java
+++ b/maven/src/test/java/org/owasp/dependencycheck/maven/ArtifactTypeExcludedTest.java
@@ -17,20 +17,21 @@
  */
 package org.owasp.dependencycheck.maven;
 
-import org.junit.Test;
-import static org.junit.Assert.assertEquals;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
 
 /**
  *
  * @author Jeremy Long
  */
-public class ArtifactTypeExcludedTest {
+class ArtifactTypeExcludedTest {
 
     /**
      * Test of passes method, of class ArtifactTypeExcluded.
      */
     @Test
-    public void testPasses() {
+    void testPasses() {
         String artifactType = null;
         ArtifactTypeExcluded instance = new ArtifactTypeExcluded(null);
         boolean expResult = false;
diff --git a/maven/src/test/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojoTest.java b/maven/src/test/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojoTest.java
index 13f47677ce9..1b7eed3cfe2 100644
--- a/maven/src/test/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojoTest.java
+++ b/maven/src/test/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojoTest.java
@@ -17,36 +17,33 @@
  */
 package org.owasp.dependencycheck.maven;
 
-import java.io.File;
-import java.util.Locale;
-
-import org.apache.maven.plugin.MojoExecutionException;
-import org.apache.maven.plugin.MojoFailureException;
 import org.apache.maven.project.MavenProject;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-import static org.mockito.Mockito.doReturn;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Spy;
-import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.exception.ExceptionCollection;
 
+import java.io.File;
+import java.util.Locale;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.mockito.Mockito.doReturn;
+
 /**
  *
  * @author Jeremy Long
  */
-@RunWith(MockitoJUnitRunner.class)
-public class BaseDependencyCheckMojoTest extends BaseTest {
+@ExtendWith(MockitoExtension.class)
+class BaseDependencyCheckMojoTest extends BaseTest {
 
     @Spy
     MavenProject project;
 
     @Test
-    public void should_newDependency_get_pom_from_base_dir() {
+    void should_newDependency_get_pom_from_base_dir() {
         // Given
         BaseDependencyCheckMojo instance = new BaseDependencyCheckMojoImpl();
 
@@ -62,7 +59,7 @@ public void should_newDependency_get_pom_from_base_dir() {
     }
 
     @Test
-    public void should_newDependency_get_default_virtual_dependency() {
+    void should_newDependency_get_default_virtual_dependency() {
         // Given
         BaseDependencyCheckMojo instance = new BaseDependencyCheckMojoImpl();
 
@@ -77,7 +74,7 @@ public void should_newDependency_get_default_virtual_dependency() {
     }
 
     @Test
-    public void should_newDependency_get_pom_declared_as_module() {
+    void should_newDependency_get_pom_declared_as_module() {
         // Given
         BaseDependencyCheckMojo instance = new BaseDependencyCheckMojoImpl();
 
@@ -99,7 +96,7 @@ public void should_newDependency_get_pom_declared_as_module() {
     public static class BaseDependencyCheckMojoImpl extends BaseDependencyCheckMojo {
 
         @Override
-        protected void runCheck() throws MojoExecutionException, MojoFailureException {
+        protected void runCheck() {
             throw new UnsupportedOperationException("Operation not supported");
         }
 
@@ -119,11 +116,11 @@ public boolean canGenerateReport() {
         }
 
         @Override
-        protected ExceptionCollection scanDependencies(Engine engine) throws MojoExecutionException {
+        protected ExceptionCollection scanDependencies(Engine engine) {
             throw new UnsupportedOperationException("Operation not supported");
         }
         @Override
-        protected ExceptionCollection scanPlugins(Engine engine, ExceptionCollection exCollection) throws MojoExecutionException {
+        protected ExceptionCollection scanPlugins(Engine engine, ExceptionCollection exCollection) {
             throw new UnsupportedOperationException("Operation not supported");
         }
     }
diff --git a/maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java b/maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java
index 00ad9a51e1f..cc3c2b115fc 100644
--- a/maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java
+++ b/maven/src/test/java/org/owasp/dependencycheck/maven/BaseTest.java
@@ -17,11 +17,12 @@
  */
 package org.owasp.dependencycheck.maven;
 
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.owasp.dependencycheck.utils.Settings;
+
 import java.io.IOException;
 import java.io.InputStream;
-import org.junit.After;
-import org.junit.Before;
-import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
@@ -42,7 +43,7 @@ public abstract class BaseTest {
     /**
      * Initialize the {@link Settings}.
      */
-    @Before
+    @BeforeEach
     public void setUp() throws IOException {
         settings = new Settings();
         try (InputStream mojoProperties = BaseTest.class.getClassLoader().getResourceAsStream(BaseTest.PROPERTIES_FILE)) {
@@ -53,7 +54,7 @@ public void setUp() throws IOException {
     /**
      * Clean the {@link Settings}.
      */
-    @After
+    @AfterEach
     public void tearDown() {
         settings.cleanup(true);
     }
diff --git a/maven/src/test/resources/maven_project_base_dir/pom.xml b/maven/src/test/resources/maven_project_base_dir/pom.xml
index b9363e987eb..071b39f913f 100644
--- a/maven/src/test/resources/maven_project_base_dir/pom.xml
+++ b/maven/src/test/resources/maven_project_base_dir/pom.xml
@@ -48,9 +48,9 @@
             <version>2.1.2</version>
         </dependency>
         <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>3.8.1</version>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter</artifactId>
+            <version>5.12.2</version>
             <scope>test</scope>
         </dependency>
     </dependencies>

From 2463f9cfc3605471163fc45b5cf5c4cb81b96e73 Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 29 Apr 2025 14:33:44 +0200
Subject: [PATCH 031/195] Migrate tests to JUnit5 (utils)

* Migrate annotations and imports
* Migrate assertions
* Remove public visibility for test classes and methods
* Minor code cleanup
---
 utils/pom.xml                                 |  2 +-
 .../owasp/dependencycheck/utils/BaseTest.java | 16 +--
 .../dependencycheck/utils/ChecksumTest.java   | 41 ++++----
 .../dependencycheck/utils/DownloaderIT.java   | 22 ++---
 .../utils/ExpectedObjectInputStreamTest.java  | 28 +++---
 .../dependencycheck/utils/FileUtilsTest.java  | 32 +++---
 .../utils/JsonArrayFixingInputStreamTest.java | 83 +++++++---------
 .../dependencycheck/utils/SettingsTest.java   | 99 ++++++++++---------
 .../utils/search/FileContentSearchTest.java   | 20 ++--
 9 files changed, 167 insertions(+), 176 deletions(-)

diff --git a/utils/pom.xml b/utils/pom.xml
index fb9d1366c88..26b68a5c331 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -100,7 +100,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         </dependency>
         <dependency>
             <groupId>org.mock-server</groupId>
-            <artifactId>mockserver-junit-rule</artifactId>
+            <artifactId>mockserver-junit-jupiter</artifactId>
             <scope>test</scope>
         </dependency>
     </dependencies>
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/BaseTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/BaseTest.java
index ae52701e1ea..f766ba4202c 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/BaseTest.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/BaseTest.java
@@ -15,11 +15,13 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+
 import java.io.File;
 import java.net.URISyntaxException;
-import org.junit.After;
-import org.junit.Assume;
-import org.junit.Before;
+
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
 /**
  *
@@ -35,7 +37,7 @@ public abstract class BaseTest {
     /**
      * Initialize the {@link Settings}.
      */
-    @Before
+    @BeforeEach
     public void setUp() {
         settings = new Settings();
     }
@@ -43,7 +45,7 @@ public void setUp() {
     /**
      * Clean the {@link Settings}.
      */
-    @After
+    @AfterEach
     public void tearDown() {
         settings.cleanup(true);
     }
@@ -56,7 +58,7 @@ public void tearDown() {
     protected Settings getSettings() {
         return settings;
     }
-    
+
     /**
      * Returns the given resource as a File using the object's class loader. The
      * org.junit.Assume API is used so that test cases are skipped if the
@@ -69,7 +71,7 @@ protected Settings getSettings() {
     public static File getResourceAsFile(Object o, String resource) {
         try {
             File f = new File(o.getClass().getClassLoader().getResource(resource).toURI().getPath());
-            Assume.assumeTrue(String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource), f.exists());
+            assumeTrue(f.exists(), String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource));
             return f;
         } catch (URISyntaxException e) {
             throw new UnsupportedOperationException(e);
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java
index 94f4d5ae03e..5f954bb1c32 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java
@@ -17,34 +17,32 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.junit.jupiter.api.Test;
+
 import java.io.File;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
-import org.junit.Assert;
-import static org.junit.Assert.assertArrayEquals;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.junit.Test;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class ChecksumTest {
+class ChecksumTest {
 
     /**
      * Test of getChecksum method, of class Checksum. This checks that an
      * exception is thrown when an invalid path is specified.
      *
-     * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testGetChecksum_FileNotFound() throws Exception {
+    void testGetChecksum_FileNotFound() {
         String algorithm = "MD5";
         File file = new File("not a valid file");
-        Exception exception = Assert.assertThrows(IOException.class, () -> Checksum.getChecksum(algorithm, file));
+        Exception exception = assertThrows(IOException.class, () -> Checksum.getChecksum(algorithm, file));
         assertTrue(exception.getMessage().contains("not a valid file"));
     }
 
@@ -52,13 +50,12 @@ public void testGetChecksum_FileNotFound() throws Exception {
      * Test of getChecksum method, of class Checksum. This checks that an
      * exception is thrown when an invalid algorithm is specified.
      *
-     * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testGetChecksum_NoSuchAlgorithm() throws Exception {
+    void testGetChecksum_NoSuchAlgorithm() {
         String algorithm = "some unknown algorithm";
         File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").getPath());
-        Exception exception = Assert.assertThrows(NoSuchAlgorithmException.class, () -> Checksum.getChecksum(algorithm, file));
+        Exception exception = assertThrows(NoSuchAlgorithmException.class, () -> Checksum.getChecksum(algorithm, file));
         assertTrue(exception.getMessage().contains("some unknown algorithm"));
     }
 
@@ -68,7 +65,7 @@ public void testGetChecksum_NoSuchAlgorithm() throws Exception {
      * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testGetMD5Checksum() throws Exception {
+    void testGetMD5Checksum() throws Exception {
         File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
         //String expResult = "F0915C5F46B8CFA283E5AD67A09B3793";
         String expResult = "f0915c5f46b8cfa283e5ad67a09b3793";
@@ -82,7 +79,7 @@ public void testGetMD5Checksum() throws Exception {
      * @throws Exception is thrown when an exception occurs.
      */
     @Test
-    public void testGetSHA1Checksum() throws Exception {
+    void testGetSHA1Checksum() throws Exception {
         File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
         //String expResult = "B8A9FF28B21BCB1D0B50E24A5243D8B51766851A";
         String expResult = "b8a9ff28b21bcb1d0b50e24a5243d8b51766851a";
@@ -94,7 +91,7 @@ public void testGetSHA1Checksum() throws Exception {
      * Test of getHex method, of class Checksum.
      */
     @Test
-    public void testGetHex() {
+    void testGetHex() {
         byte[] raw = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
         //String expResult = "000102030405060708090A0B0C0D0E0F10";
         String expResult = "000102030405060708090a0b0c0d0e0f10";
@@ -106,7 +103,7 @@ public void testGetHex() {
      * Test of getChecksum method, of class Checksum.
      */
     @Test
-    public void testGetChecksum_String_File() throws Exception {
+    void testGetChecksum_String_File() throws Exception {
         String algorithm = "MD5";
         File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
         String expResult = "f0915c5f46b8cfa283e5ad67a09b3793";
@@ -121,7 +118,7 @@ public void testGetChecksum_String_File() throws Exception {
      * Test of getMD5Checksum method, of class Checksum.
      */
     @Test
-    public void testGetMD5Checksum_File() throws Exception {
+    void testGetMD5Checksum_File() throws Exception {
         File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
         String expResult = "f0915c5f46b8cfa283e5ad67a09b3793";
         String result = Checksum.getMD5Checksum(file);
@@ -132,7 +129,7 @@ public void testGetMD5Checksum_File() throws Exception {
      * Test of getSHA1Checksum method, of class Checksum.
      */
     @Test
-    public void testGetSHA1Checksum_File() throws Exception {
+    void testGetSHA1Checksum_File() throws Exception {
         File file = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
         String expResult = "b8a9ff28b21bcb1d0b50e24a5243d8b51766851a";
         String result = Checksum.getSHA1Checksum(file);
@@ -143,7 +140,7 @@ public void testGetSHA1Checksum_File() throws Exception {
      * Test of getChecksum method, of class Checksum.
      */
     @Test
-    public void testGetChecksum_String_byteArr() {
+    void testGetChecksum_String_byteArr() {
         String algorithm = "SHA1";
         byte[] bytes = {-16, -111, 92, 95, 70, -72, -49, -94, -125, -27, -83, 103, -96, -101, 55, -109};
         String expResult = "89268a389a97f0bfba13d3ff2370d8ad436e36f6";
@@ -155,7 +152,7 @@ public void testGetChecksum_String_byteArr() {
      * Test of getMD5Checksum method, of class Checksum.
      */
     @Test
-    public void testGetMD5Checksum_String() {
+    void testGetMD5Checksum_String() {
         String text = "test string";
         String expResult = "6f8db599de986fab7a21625b7916589c";
         String result = Checksum.getMD5Checksum(text);
@@ -166,7 +163,7 @@ public void testGetMD5Checksum_String() {
      * Test of getSHA1Checksum method, of class Checksum.
      */
     @Test
-    public void testGetSHA1Checksum_String() {
+    void testGetSHA1Checksum_String() {
         String text = "test string";
         String expResult = "661295c9cbf9d6b2f6428414504a8deed3020641";
         String result = Checksum.getSHA1Checksum(text);
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIT.java b/utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIT.java
index 39dd348b4d7..016fa273397 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIT.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIT.java
@@ -17,29 +17,29 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.apache.hc.client5.http.impl.classic.AbstractHttpClientResponseHandler;
+import org.apache.hc.core5.http.HttpEntity;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
 
-import org.apache.hc.client5.http.impl.classic.AbstractHttpClientResponseHandler;
-import org.apache.hc.core5.http.HttpEntity;
-import org.junit.Test;
-
 import static java.nio.charset.StandardCharsets.UTF_8;
-import static org.junit.Assert.assertTrue;
-import org.junit.Before;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DownloaderIT extends BaseTest {
+class DownloaderIT extends BaseTest {
 
     /**
      * Initialize the {@link Settings}.
      */
-    @Before
+    @BeforeEach
     @Override
     public void setUp() {
         super.setUp();
@@ -51,7 +51,7 @@ public void setUp() {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testFetchFile() throws Exception {
+    void testFetchFile() throws Exception {
         final String str = getSettings().getString(Settings.KEYS.ENGINE_VERSION_CHECK_URL, "https://dependency-check.github.io/DependencyCheck/current.txt");
         URL url = new URL(str);
         File outputPath = new File("target/current.txt");
@@ -66,9 +66,9 @@ public void testFetchFile() throws Exception {
      * @throws Exception thrown when an exception occurs.
      */
     @Test
-    public void testfetchAndHandleContent() throws Exception {
+    void testfetchAndHandleContent() throws Exception {
         URL url = new URL(getSettings().getString(Settings.KEYS.ENGINE_VERSION_CHECK_URL));
-        AbstractHttpClientResponseHandler<String> versionHandler = new AbstractHttpClientResponseHandler<String>() {
+        AbstractHttpClientResponseHandler<String> versionHandler = new AbstractHttpClientResponseHandler<>() {
             @Override
             public String handleEntity(HttpEntity entity) throws IOException {
                 try (InputStream in = entity.getContent()) {
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java
index b7e0cc8bfa1..50d7ae756bb 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java
@@ -17,6 +17,8 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.junit.jupiter.api.Test;
+
 import java.io.BufferedOutputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -24,21 +26,21 @@
 import java.io.ObjectOutputStream;
 import java.util.ArrayList;
 import java.util.List;
-import static org.junit.Assert.fail;
-import org.junit.Test;
-import static org.junit.Assert.fail;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  *
  * @author jeremy
  */
-public class ExpectedObjectInputStreamTest {
+class ExpectedObjectInputStreamTest {
 
     /**
      * Test of resolveClass method, of class ExpectedObjectInputStream.
      */
     @Test
-    public void testResolveClass() {
+    void testResolveClass() {
         List<SimplePojo> data = new ArrayList<>();
         data.add(new SimplePojo());
         try (ByteArrayOutputStream mem = new ByteArrayOutputStream();
@@ -57,21 +59,19 @@ public void testResolveClass() {
     /**
      * Test of resolveClass method, of class ExpectedObjectInputStream.
      */
-    @Test(expected = java.io.InvalidClassException.class)
-    public void testResolveClassException() throws Exception {
+    @Test
+    void testResolveClassException() throws Exception {
         List<SimplePojo> data = new ArrayList<>();
         data.add(new SimplePojo());
-
         ByteArrayOutputStream mem = new ByteArrayOutputStream();
         byte[] buf;
         try (ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem))) {
-            out.writeObject(data);
-            out.flush();
-            buf = mem.toByteArray();
-        }
+                out.writeObject(data);
+                out.flush();
+                buf = mem.toByteArray();
+            }
         ByteArrayInputStream in = new ByteArrayInputStream(buf);
-
         ExpectedObjectInputStream instance = new ExpectedObjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
-        instance.readObject();
+        assertThrows(java.io.InvalidClassException.class, instance::readObject);
     }
 }
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java
index fec966af8a2..affc5a06edf 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java
@@ -17,30 +17,32 @@
  */
 package org.owasp.dependencycheck.utils;
 
+import org.junit.jupiter.api.Test;
+
 import java.io.File;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-import org.junit.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  *
  * @author Jeremy Long
  */
-public class FileUtilsTest extends BaseTest {
+class FileUtilsTest extends BaseTest {
 
     /**
      * Test of getFileExtension method, of class FileUtils.
      */
     @Test
-    public void testGetFileExtension() {
+    void testGetFileExtension() {
         String[] fileName = {"something-0.9.5.jar", "lib2-1.1.js", "dir.tmp/noext"};
         String[] expResult = {"jar", "js", null};
 
         for (int i = 0; i < fileName.length; i++) {
             String result = FileUtils.getFileExtension(fileName[i]);
-            assertEquals("Failed extraction on \"" + fileName[i] + "\".", expResult[i], result);
+            assertEquals(expResult[i], result, "Failed extraction on \"" + fileName[i] + "\".");
         }
     }
 
@@ -48,31 +50,31 @@ public void testGetFileExtension() {
      * Test of delete method, of class FileUtils.
      */
     @Test
-    public void testDelete() throws Exception {
+    void testDelete() throws Exception {
 
         File file = File.createTempFile("tmp", "deleteme", getSettings().getTempDirectory());
         if (!file.exists()) {
             fail("Unable to create a temporary file.");
         }
         boolean status = FileUtils.delete(file);
-        assertTrue("delete returned a failed status", status);
-        assertFalse("Temporary file exists after attempting deletion", file.exists());
+        assertTrue(status, "delete returned a failed status");
+        assertFalse(file.exists(), "Temporary file exists after attempting deletion");
     }
 
     /**
      * Test of delete method with a non-empty directory, of class FileUtils.
      */
     @Test
-    public void testDeleteWithSubDirectories() throws Exception {
+    void testDeleteWithSubDirectories() throws Exception {
 
         File dir = new File(getSettings().getTempDirectory(), "delete-me");
         dir.mkdirs();
         File file = File.createTempFile("tmp", "deleteme", dir);
-        assertTrue("Unable to create a temporary file " + file.getAbsolutePath(), file.exists());
+        assertTrue(file.exists(), "Unable to create a temporary file " + file.getAbsolutePath());
 
         // delete the file
         boolean status = FileUtils.delete(dir);
-        assertTrue("delete returned a failed status", status);
-        assertFalse("Temporary file exists after attempting deletion", file.exists());
+        assertTrue(status, "delete returned a failed status");
+        assertFalse(file.exists(), "Temporary file exists after attempting deletion");
     }
 }
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/JsonArrayFixingInputStreamTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/JsonArrayFixingInputStreamTest.java
index 274e7014a90..605dbc96892 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/JsonArrayFixingInputStreamTest.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/JsonArrayFixingInputStreamTest.java
@@ -17,29 +17,28 @@
  */
 package org.owasp.dependencycheck.utils;
 
-import java.io.ByteArrayInputStream;
-import java.io.InputStream;
-import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static java.nio.charset.StandardCharsets.UTF_8;
-import java.util.Arrays;
-import jakarta.json.JsonReader;
 import jakarta.json.Json;
 import jakarta.json.JsonArray;
+import jakarta.json.JsonReader;
 import org.apache.commons.io.IOUtils;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import static org.junit.Assert.assertFalse;
-import org.junit.Before;
-import org.junit.BeforeClass;
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.util.Arrays;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class JsonArrayFixingInputStreamTest {
+class JsonArrayFixingInputStreamTest {
 
     final String sample1 = "{}";
     final String sample2 = "{}{}";
@@ -106,29 +105,13 @@ public class JsonArrayFixingInputStreamTest {
             + "\"GoMod\": \"/Users/me/go/pkg/mod/cache/download/github.com/!microsoft/hcsshim/@v/v0.8.8-0.20200421182805-c3e488f0d815.mod\"\n"
             + "}\n";
 
-    @BeforeClass
-    public static void setUpClass() throws Exception {
-    }
-
-    @AfterClass
-    public static void tearDownClass() throws Exception {
-    }
-
-    @Before
-    public void setUp() throws Exception {
-    }
-
-    @After
-    public void tearDown() throws Exception {
-    }
-
     /**
      * Test of read method, of class JsonArrayFixingInputStream.
      *
      * @throws Exception because one might happen
      */
     @Test
-    public void testRead_0args() throws Exception {
+    void testRead_0args() throws Exception {
         try (InputStream sample = new ByteArrayInputStream(sample1.getBytes());
                 JsonArrayFixingInputStream instance = new JsonArrayFixingInputStream(sample)) {
             assertEquals('[', instance.read());
@@ -157,7 +140,7 @@ public void testRead_0args() throws Exception {
      * @throws Exception because one might happen
      */
     @Test
-    public void testRead_byteArr() throws Exception {
+    void testRead_byteArr() throws Exception {
         byte[] b = new byte[9];
         try (InputStream sample = new ByteArrayInputStream(sample2.getBytes());
                 JsonArrayFixingInputStream instance = new JsonArrayFixingInputStream(sample)) {
@@ -185,8 +168,8 @@ public void testRead_byteArr() throws Exception {
         }
     }
 
-    @Test()
-    public void testRead_IOUtils() throws Exception {
+    @Test
+    void testRead_IOUtils() throws Exception {
         try (InputStream sample = new ByteArrayInputStream(sample3.getBytes());
                 JsonArrayFixingInputStream instance = new JsonArrayFixingInputStream(sample)) {
             String results = IOUtils.toString(instance, UTF_8);
@@ -195,8 +178,8 @@ public void testRead_IOUtils() throws Exception {
         }
     }
 
-    @Test()
-    public void testRead_RealSample() throws Exception {
+    @Test
+    void testRead_RealSample() throws Exception {
         try (InputStream sample = new ByteArrayInputStream(sample4.getBytes());
                 JsonArrayFixingInputStream instance = new JsonArrayFixingInputStream(sample)) {
             try (JsonReader reader = Json.createReader(instance)) {
@@ -211,8 +194,8 @@ public void testRead_RealSample() throws Exception {
      *
      * @throws Exception because one might happen
      */
-    @Test()
-    public void testRead_3args() throws Exception {
+    @Test
+    void testRead_3args() throws Exception {
         byte[] input = new byte[2048];
         Arrays.fill(input, (byte) ' ');
         input[0] = '{';
@@ -232,7 +215,7 @@ public void testRead_3args() throws Exception {
                 read = instance.read(results, pos, 2050 - pos);
                 pos += read;
             }
-            Assert.assertArrayEquals(expected, results);
+            assertArrayEquals(expected, results);
         }
     }
 
@@ -241,12 +224,14 @@ public void testRead_3args() throws Exception {
      *
      * @throws Exception because one might happen
      */
-    @Test(expected = UnsupportedOperationException.class)
-    public void testSkip() throws Exception {
-        try (InputStream sample = new ByteArrayInputStream(sample1.getBytes());
+    @Test
+    void testSkip() {
+        assertThrows(UnsupportedOperationException.class, () -> {
+            try (InputStream sample = new ByteArrayInputStream(sample1.getBytes());
                 JsonArrayFixingInputStream instance = new JsonArrayFixingInputStream(sample)) {
-            instance.skip(1);
-        }
+                instance.skip(1);
+            }
+        });
     }
 
     /**
@@ -255,7 +240,7 @@ public void testSkip() throws Exception {
      * @throws Exception because one might happen
      */
     @Test
-    public void testAvailable() throws Exception {
+    void testAvailable() throws Exception {
         try (InputStream sample = new ByteArrayInputStream(sample1.getBytes());
                 JsonArrayFixingInputStream instance = new JsonArrayFixingInputStream(sample)) {
             int results = instance.available();
@@ -275,7 +260,7 @@ public void testAvailable() throws Exception {
      * @throws Exception because one might happen
      */
     @Test
-    public void testClose() throws Exception {
+    void testClose() throws Exception {
         try (InputStream sample = new ByteArrayInputStream(sample1.getBytes());
                 JsonArrayFixingInputStream instance = new JsonArrayFixingInputStream(sample)) {
             int i = instance.read();
@@ -288,7 +273,7 @@ public void testClose() throws Exception {
      * @throws Exception because one might happen
      */
     @Test
-    public void testMarkSupported() throws Exception {
+    void testMarkSupported() throws Exception {
         try (InputStream sample = new ByteArrayInputStream(sample1.getBytes());
                 JsonArrayFixingInputStream instance = new JsonArrayFixingInputStream(sample)) {
             boolean result = instance.markSupported();
@@ -297,7 +282,7 @@ public void testMarkSupported() throws Exception {
     }
 
     @Test
-    public void testIsWhiteSpace() throws Exception {
+    void testIsWhiteSpace() {
         JsonArrayFixingInputStream instance = new JsonArrayFixingInputStream(null);
         assertFalse(instance.isWhiteSpace((byte) 'a'));
         assertTrue(instance.isWhiteSpace((byte) '\n'));
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java
index 24d63cfa157..4fbd4b0118b 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java
@@ -17,11 +17,7 @@
  */
 package org.owasp.dependencycheck.utils;
 
-import static org.hamcrest.core.Is.is;
-import static org.hamcrest.core.IsNull.notNullValue;
-import static org.hamcrest.core.IsNull.nullValue;
-import static org.hamcrest.core.IsEqual.equalTo;
-import static org.hamcrest.MatcherAssert.assertThat;
+import org.junit.jupiter.api.Test;
 
 import java.io.File;
 import java.io.IOException;
@@ -29,35 +25,42 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import org.junit.Assert;
-import org.junit.Test;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.Is.is;
+import static org.hamcrest.core.IsEqual.equalTo;
+import static org.hamcrest.core.IsNull.notNullValue;
+import static org.hamcrest.core.IsNull.nullValue;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 /**
  *
  * @author Jeremy Long
  */
-public class SettingsTest extends BaseTest {
+class SettingsTest extends BaseTest {
 
     /**
      * Test of getString method, of class Settings.
      */
     @Test
-    public void testGetString() {
+    void testGetString() {
         String key = Settings.KEYS.NVD_API_DATAFEED_VALID_FOR_DAYS;
         String expResult = "7";
         String result = getSettings().getString(key);
-        Assert.assertTrue(result.endsWith(expResult));
+        assertTrue(result.endsWith(expResult));
     }
 
     /**
      * Test of getDataFile method, of class Settings.
      */
     @Test
-    public void testGetDataFile() throws IOException {
+    void testGetDataFile() {
         String key = Settings.KEYS.DATA_DIRECTORY;
         String expResult = "data";
         File result = getSettings().getDataFile(key);
-        Assert.assertTrue(result.getAbsolutePath().endsWith(expResult));
+        assertTrue(result.getAbsolutePath().endsWith(expResult));
     }
 
     /**
@@ -67,170 +70,170 @@ public void testGetDataFile() throws IOException {
      * @throws java.net.URISyntaxException thrown when the test fails
      */
     @Test
-    public void testMergeProperties_String() throws IOException, URISyntaxException {
+    void testMergeProperties_String() throws IOException, URISyntaxException {
         String key = Settings.KEYS.PROXY_PORT;
         String expResult = getSettings().getString(key);
         File f = new File(this.getClass().getClassLoader().getResource("test.properties").toURI());
         //InputStream in = this.getClass().getClassLoader().getResourceAsStream("test.properties");
         getSettings().mergeProperties(f.getAbsolutePath());
         String result = getSettings().getString(key);
-        Assert.assertTrue("setting didn't change?", (expResult == null && result != null) || !expResult.equals(result));
+        assertTrue((expResult == null && result != null) || !expResult.equals(result), "setting didn't change?");
     }
 
     /**
      * Test of setString method, of class Settings.
      */
     @Test
-    public void testSetString() {
+    void testSetString() {
         String key = "newProperty";
         String value = "someValue";
         getSettings().setString(key, value);
         String expResults = getSettings().getString(key);
-        Assert.assertEquals(expResults, value);
+        assertEquals(value, expResults);
     }
 
     /**
      * Test of setStringIfNotNull method, of class Settings.
      */
     @Test
-    public void testSetStringIfNotNull() {
+    void testSetStringIfNotNull() {
         String key = "nullableProperty";
         String value = "someValue";
         getSettings().setString(key, value);
         getSettings().setStringIfNotNull(key, null); // NO-OP
         String expResults = getSettings().getString(key);
-        Assert.assertEquals(expResults, value);
+        assertEquals(value, expResults);
     }
 
     /**
      * Test of setStringIfNotNull method, of class Settings.
      */
     @Test
-    public void testSetStringIfNotEmpty() {
+    void testSetStringIfNotEmpty() {
         String key = "optionalProperty";
         String value = "someValue";
         getSettings().setString(key, value);
         getSettings().setStringIfNotEmpty(key, ""); // NO-OP
         String expResults = getSettings().getString(key);
-        Assert.assertEquals(expResults, value);
+        assertEquals(value, expResults);
     }
 
     /**
      * Test of getString method, of class Settings.
      */
     @Test
-    public void testGetString_String_String() {
+    void testGetString_String_String() {
         String key = "key That Doesn't Exist";
         String defaultValue = "blue bunny";
         String expResult = "blue bunny";
         String result = getSettings().getString(key);
-        Assert.assertTrue(result == null);
+        assertNull(result);
         result = getSettings().getString(key, defaultValue);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
     }
 
     /**
      * Test of getString method, of class Settings.
      */
     @Test
-    public void testGetString_String() {
+    void testGetString_String() {
         String key = Settings.KEYS.CONNECTION_TIMEOUT;
         String result = getSettings().getString(key);
-        Assert.assertTrue(result == null);
+        assertNull(result);
     }
 
     /**
      * Test of getInt method, of class Settings.
      */
     @Test
-    public void testGetInt() throws InvalidSettingException {
+    void testGetInt() throws InvalidSettingException {
         String key = "SomeNumber";
         int expResult = 85;
         getSettings().setString(key, "85");
         int result = getSettings().getInt(key);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
     }
 
     /**
      * Test of getInt method, of class Settings.
      */
     @Test
-    public void testGetIntDefault() throws InvalidSettingException {
+    void testGetIntDefault() {
         String key = "SomeKey";
         int expResult = 85;
         getSettings().setString(key, "blue");
         int result = getSettings().getInt(key, expResult);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
     }
 
     /**
      * Test of getLong method, of class Settings.
      */
     @Test
-    public void testGetLong() throws InvalidSettingException {
+    void testGetLong() throws InvalidSettingException {
         String key = "SomeNumber";
         long expResult = 300L;
         getSettings().setString(key, "300");
         long result = getSettings().getLong(key);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
     }
 
     /**
      * Test of getBoolean method, of class Settings.
      */
     @Test
-    public void testGetBoolean() throws InvalidSettingException {
+    void testGetBoolean() throws InvalidSettingException {
         String key = "SomeBoolean";
         getSettings().setString(key, "false");
         boolean expResult = false;
         boolean result = getSettings().getBoolean(key);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
 
         key = "something that does not exist";
         expResult = true;
         result = getSettings().getBoolean(key, true);
-        Assert.assertEquals(expResult, result);
+        assertEquals(expResult, result);
     }
 
     /**
      * Test of removeProperty method, of class Settings.
      */
     @Test
-    public void testRemoveProperty() {
+    void testRemoveProperty() {
         String key = "SomeKey";
         String value = "value";
         String dfault = "default";
         getSettings().setString(key, value);
         String ret = getSettings().getString(key);
-        Assert.assertEquals(value, ret);
+        assertEquals(value, ret);
         getSettings().removeProperty(key);
         ret = getSettings().getString(key, dfault);
-        Assert.assertEquals(dfault, ret);
+        assertEquals(dfault, ret);
     }
 
     /**
      * Test of getConnectionString.
      */
     @Test
-    public void testGetConnectionString() throws Exception {
+    void testGetConnectionString() throws Exception {
         String value = getSettings().getConnectionString(Settings.KEYS.DB_CONNECTION_STRING, Settings.KEYS.DB_FILE_NAME);
-        Assert.assertNotNull(value);
+        assertNotNull(value);
         String msg = null;
         try {
             value = getSettings().getConnectionString("invalidKey", null);
         } catch (InvalidSettingException e) {
             msg = e.getMessage();
         }
-        Assert.assertNotNull(msg);
+        assertNotNull(msg);
     }
 
     /**
      * Test of getTempDirectory.
      */
     @Test
-    public void testGetTempDirectory() throws Exception {
+    void testGetTempDirectory() throws Exception {
         File tmp = getSettings().getTempDirectory();
-        Assert.assertTrue(tmp.exists());
+        assertTrue(tmp.exists());
     }
 
     /**
@@ -238,7 +241,7 @@ public void testGetTempDirectory() throws Exception {
      * multiple values in an array.
      */
     @Test
-    public void testGetArrayFromADelimitedString() {
+    void testGetArrayFromADelimitedString() {
         // GIVEN a delimited string
         final String delimitedString = "value1,value2";
         getSettings().setString("key", delimitedString);
@@ -258,7 +261,7 @@ public void testGetArrayFromADelimitedString() {
      * property is not set.
      */
     @Test
-    public void testGetArrayWhereThePropertyIsNotSet() {
+    void testGetArrayWhereThePropertyIsNotSet() {
         // WHEN getting the array
         final String[] array = getSettings().getArray("key");
 
@@ -271,7 +274,7 @@ public void testGetArrayWhereThePropertyIsNotSet() {
      * empty array is ignored.
      */
     @Test
-    public void testSetArrayNotEmptyIgnoresAnEmptyArray() {
+    void testSetArrayNotEmptyIgnoresAnEmptyArray() {
         // GIVEN an empty array
         final String[] array = {};
 
@@ -287,7 +290,7 @@ public void testSetArrayNotEmptyIgnoresAnEmptyArray() {
      * array is ignored.
      */
     @Test
-    public void testSetArrayNotEmptyIgnoresAnNullArray() {
+    void testSetArrayNotEmptyIgnoresAnNullArray() {
         // GIVEN a null array
         final String[] array = null;
 
@@ -303,7 +306,7 @@ public void testSetArrayNotEmptyIgnoresAnNullArray() {
      * correctly stores the list as an array.
      */
     @Test
-    public void testSetArrayNotEmptyWithList() {
+    void testSetArrayNotEmptyWithList() {
         // GIVEN a null array
         final List<String> list = new ArrayList<>();
         list.add("one");
@@ -318,7 +321,7 @@ public void testSetArrayNotEmptyWithList() {
     }
 
     @Test
-    public void testMaskedKeys() {
+    void testMaskedKeys() {
         getSettings().initMaskedKeys();
         assertThat("password should be masked",
                 getSettings().getPrintableValue("odc.database.password", "s3Cr3t!"),
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/search/FileContentSearchTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/search/FileContentSearchTest.java
index fdb7a7c8734..956c29180ce 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/search/FileContentSearchTest.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/search/FileContentSearchTest.java
@@ -17,22 +17,24 @@
  */
 package org.owasp.dependencycheck.utils.search;
 
-import java.io.File;
-import org.junit.Test;
-import static org.junit.Assert.*;
+import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.utils.BaseTest;
 
+import java.io.File;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
 /**
  *
  * @author Jeremy Long
  */
-public class FileContentSearchTest extends BaseTest {
+class FileContentSearchTest extends BaseTest {
 
     /**
      * Test of contains method, of class FileContentSearch.
      */
     @Test
-    public void testContains_File_String() throws Exception {
+    void testContains_File_String() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "SearchTest.txt");
         String pattern = "blue";
         boolean expResult = false;
@@ -44,7 +46,7 @@ public void testContains_File_String() throws Exception {
         result = FileContentSearch.contains(file, pattern);
         assertEquals(expResult, result);
 
-        
+
         pattern = "(?i)test";
         expResult = true;
         result = FileContentSearch.contains(file, pattern);
@@ -55,14 +57,14 @@ public void testContains_File_String() throws Exception {
      * Test of contains method, of class FileContentSearch.
      */
     @Test
-    public void testContains_File_List() throws Exception {
+    void testContains_File_List() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "SearchTest.txt");
         String[] patterns = {"jeremy long", "blue"};
-        
+
         boolean expResult = false;
         boolean result = FileContentSearch.contains(file, patterns);
         assertEquals(expResult, result);
-        
+
         String[] patterns2 = {"jeremy long", "blue", "(?i)jeremy long"};
         expResult = true;
         result = FileContentSearch.contains(file, patterns2);

From fea5a739e2387a55689c1d6c0335898eb5e872aa Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 29 Apr 2025 16:13:14 +0200
Subject: [PATCH 032/195] Migrate tests to JUnit5 (fixes)

* Fix JUnit5 dependencies
* Fix mockito dependencies
* Fix assertions
* Revert lucene-based tests not compatible with Junit5
---
 .../resources/archetype-resources/pom.xml     | 12 +++++++
 .../data/lucene/AlphaNumericFilterTest.java   | 36 +++++++++++--------
 .../TokenPairConcatenatingFilterTest.java     | 23 +++++++-----
 .../data/lucene/UrlTokenizingFilterTest.java  | 31 +++++++++-------
 .../utils/ExtractionUtilTest.java             |  3 +-
 .../xml/pom/PomParserTest.java                | 14 ++++----
 maven/pom.xml                                 |  6 ++++
 .../resources/maven_project_base_dir/pom.xml  | 14 +++++++-
 pom.xml                                       | 28 +++++++++++++--
 9 files changed, 117 insertions(+), 50 deletions(-)

diff --git a/archetype/src/main/resources/archetype-resources/pom.xml b/archetype/src/main/resources/archetype-resources/pom.xml
index 85154e4cee0..44343deafab 100644
--- a/archetype/src/main/resources/archetype-resources/pom.xml
+++ b/archetype/src/main/resources/archetype-resources/pom.xml
@@ -37,11 +37,23 @@
             <version>${slf4j.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>5.12.2</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-engine</artifactId>
             <version>5.12.2</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
+            <version>5.12.2</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/lucene/AlphaNumericFilterTest.java b/core/src/test/java/org/owasp/dependencycheck/data/lucene/AlphaNumericFilterTest.java
index 671ec4d9acf..5f5c52ee148 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/lucene/AlphaNumericFilterTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/lucene/AlphaNumericFilterTest.java
@@ -17,27 +17,29 @@
  */
 package org.owasp.dependencycheck.data.lucene;
 
+import java.io.IOException;
 import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.KeywordTokenizer;
 import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
+import static org.apache.lucene.tests.analysis.BaseTokenStreamTestCase.checkOneTerm;
+import static org.apache.lucene.tests.analysis.BaseTokenStreamTestCase.checkRandomData;
 import org.apache.lucene.tests.analysis.MockTokenizer;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-
-import java.io.IOException;
-
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import org.apache.lucene.analysis.Tokenizer;
+import org.apache.lucene.analysis.core.KeywordTokenizer;
+import static org.apache.lucene.tests.util.LuceneTestCase.RANDOM_MULTIPLIER;
+import static org.apache.lucene.tests.util.LuceneTestCase.random;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.junit.Before;
 
 /**
  *
  * @author Jeremy Long
  */
-class AlphaNumericFilterTest extends BaseTokenStreamTestCase {
+public class AlphaNumericFilterTest extends BaseTokenStreamTestCase {
 
     private Analyzer analyzer;
 
-    @BeforeEach
+    @Before
     @Override
     public void setUp() throws Exception {
         super.setUp();
@@ -56,7 +58,7 @@ protected Analyzer.TokenStreamComponents createComponents(String fieldName) {
      * @throws Exception thrown if there is a problem
      */
     @Test
-    void testIncrementToken() throws Exception {
+    public void testIncrementToken() throws Exception {
         String[] expected = new String[6];
         expected[0] = "http";
         expected[1] = "www";
@@ -73,7 +75,7 @@ void testIncrementToken() throws Exception {
      * @throws Exception thrown if there is a problem
      */
     @Test
-    void testGarbage() throws Exception {
+    public void testGarbage() throws Exception {
         String[] expected = new String[2];
         expected[0] = "test";
         expected[1] = "two";
@@ -86,8 +88,12 @@ void testGarbage() throws Exception {
      * blast some random strings through the analyzer
      */
     @Test
-    void testRandomStrings() {
-        assertDoesNotThrow(() -> checkRandomData(random(), analyzer, 1000 * RANDOM_MULTIPLIER), "Failed test random strings: ");
+    public void testRandomStrings() {
+        try {
+            checkRandomData(random(), analyzer, 1000 * RANDOM_MULTIPLIER);
+        } catch (IOException ex) {
+            fail("Failed test random strings: " + ex.getMessage());
+        }
     }
 
     /**
@@ -97,7 +103,7 @@ void testRandomStrings() {
      * @throws IOException
      */
     @Test
-    void testEmptyTerm() throws IOException {
+    public void testEmptyTerm() throws IOException {
         Analyzer a = new Analyzer() {
             @Override
             protected Analyzer.TokenStreamComponents createComponents(String fieldName) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java b/core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java
index 293aa94599a..49aedacabf4 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java
@@ -17,21 +17,22 @@
  */
 package org.owasp.dependencycheck.data.lucene;
 
+import java.io.IOException;
 import org.apache.lucene.analysis.Analyzer;
+import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
+import static org.apache.lucene.tests.analysis.BaseTokenStreamTestCase.checkOneTerm;
+import org.apache.lucene.tests.analysis.MockTokenizer;
 import org.apache.lucene.analysis.Tokenizer;
 import org.apache.lucene.analysis.core.KeywordTokenizer;
-import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
-import org.junit.jupiter.api.Test;
-
-import java.io.IOException;
-
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.Assert.fail;
+import org.junit.Before;
+import org.junit.Test;
 
 /**
  *
  * @author Jeremy Long
  */
-class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {
+public class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {
 
 //    private Analyzer analyzer;
 //
@@ -80,7 +81,7 @@ class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {
      * @throws IOException
      */
     @Test
-    void testEmptyTerm() {
+    public void testEmptyTerm() {
         Analyzer a = new Analyzer() {
             @Override
             protected Analyzer.TokenStreamComponents createComponents(String fieldName) {
@@ -88,6 +89,10 @@ protected Analyzer.TokenStreamComponents createComponents(String fieldName) {
                 return new Analyzer.TokenStreamComponents(tokenizer, new TokenPairConcatenatingFilter(tokenizer));
             }
         };
-        assertDoesNotThrow(() -> checkOneTerm(a, "", ""), "Failed test random strings: ");
+        try {
+            checkOneTerm(a, "", "");
+        } catch (IOException ex) {
+            fail("Failed test random strings: " + ex.getMessage());
+        }
     }
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java b/core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
index 4393fd0d8b5..fd25509743a 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
@@ -17,36 +17,37 @@
  */
 package org.owasp.dependencycheck.data.lucene;
 
+import java.io.IOException;
 import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.KeywordTokenizer;
 import org.apache.lucene.tests.analysis.BaseTokenStreamTestCase;
 import org.apache.lucene.tests.analysis.MockTokenizer;
-import org.junit.jupiter.api.Test;
-
-import java.io.IOException;
-
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import org.apache.lucene.analysis.Tokenizer;
+import org.apache.lucene.analysis.core.KeywordTokenizer;
+import org.junit.Test;
 
 /**
  *
  * @author Jeremy Long
  */
-class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
+public class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
 
-    private final Analyzer analyzer = new Analyzer() {
+    private final Analyzer analyzer;
+
+    public UrlTokenizingFilterTest() {
+        analyzer = new Analyzer() {
             @Override
             protected TokenStreamComponents createComponents(String fieldName) {
                 Tokenizer source = new MockTokenizer(MockTokenizer.WHITESPACE, false);
                 return new TokenStreamComponents(source, new UrlTokenizingFilter(source));
             }
         };
+    }
 
     /**
      * test some example domains
      */
     @Test
-    void testExamples() throws IOException {
+    public void testExamples() throws IOException {
         String[] expected = new String[2];
         expected[0] = "domain";
         expected[1] = "test";
@@ -60,8 +61,12 @@ void testExamples() throws IOException {
      * blast some random strings through the analyzer
      */
     @Test
-    void testRandomStrings() {
-        assertDoesNotThrow(() -> checkRandomData(random(), analyzer, 1000 * RANDOM_MULTIPLIER), "Failed test random strings: ");
+    public void testRandomStrings() {
+        try {
+            checkRandomData(random(), analyzer, 1000 * RANDOM_MULTIPLIER);
+        } catch (IOException ex) {
+            fail("Failed test random strings: " + ex.getMessage());
+        }
     }
 
     /**
@@ -71,7 +76,7 @@ void testRandomStrings() {
      * @throws IOException
      */
     @Test
-    void testEmptyTerm() throws IOException {
+    public void testEmptyTerm() throws IOException {
         Analyzer a = new Analyzer() {
             @Override
             protected TokenStreamComponents createComponents(String fieldName) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/ExtractionUtilTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/ExtractionUtilTest.java
index 5d3bbe81c97..3cc54350d08 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/ExtractionUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/ExtractionUtilTest.java
@@ -63,7 +63,8 @@ void testExtractFiles_3args() throws Exception {
     void testExtractFilesUsingFilter() throws Exception {
         File destination = getSettings().getTempDirectory();
         File archive = BaseTest.getResourceAsFile(this, "evil.zip");
-        ExtractionUtil.extractFiles(archive, destination);
+        assertThrows(org.owasp.dependencycheck.utils.ExtractionException.class, () ->
+            ExtractionUtil.extractFiles(archive, destination));
         FilenameFilter filter = new NameFileFilter("evil.txt");
         assertThrows(org.owasp.dependencycheck.utils.ExtractionException.class, () ->
             ExtractionUtil.extractFilesUsingFilter(archive, destination, filter));
diff --git a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
index 73447b8f321..60cc04060aa 100644
--- a/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/xml/pom/PomParserTest.java
@@ -88,23 +88,21 @@ void testParseWithoutDocTypeCleanup() throws Exception {
 
 
     @Test
-    void testParseWithoutDocTypeCleanup_InputStreamWithDocType() throws Exception {
+    void testParseWithoutDocTypeCleanup_InputStreamWithDocType() {
         InputStream inputStream = BaseTest.getResourceAsStream(this, "pom/mailapi-1.4.3_doctype.pom");
         PomParser instance = new PomParser();
-        String expVersion = "1.4.3";
-        Model result = instance.parseWithoutDocTypeCleanup(inputStream);
+
         assertThrows(PomParseException.class, () ->
-            assertEquals(expVersion, result.getParentVersion(), "Invalid version extracted"));
+            instance.parseWithoutDocTypeCleanup(inputStream));
     }
 
     @Test
-    void testParseWithoutDocTypeCleanup_WithDocType() throws Exception {
+    void testParseWithoutDocTypeCleanup_WithDocType() {
         File file = BaseTest.getResourceAsFile(this, "pom/mailapi-1.4.3_doctype.pom");
         PomParser instance = new PomParser();
-        String expVersion = "1.4.3";
-        Model result = instance.parseWithoutDocTypeCleanup(file);
+
         assertThrows(PomParseException.class, () ->
-            assertEquals(expVersion, result.getParentVersion(), "Invalid version extracted"));
+            instance.parseWithoutDocTypeCleanup(file));
     }
 
 }
diff --git a/maven/pom.xml b/maven/pom.xml
index be83676df0d..cdcbc44e08a 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -114,6 +114,12 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <artifactId>dependency-check-utils</artifactId>
             <version>${project.parent.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>${mockito.version}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-junit-jupiter</artifactId>
diff --git a/maven/src/test/resources/maven_project_base_dir/pom.xml b/maven/src/test/resources/maven_project_base_dir/pom.xml
index 071b39f913f..a0e99fe7213 100644
--- a/maven/src/test/resources/maven_project_base_dir/pom.xml
+++ b/maven/src/test/resources/maven_project_base_dir/pom.xml
@@ -49,7 +49,19 @@
         </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
-            <artifactId>junit-jupiter</artifactId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>5.12.2</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <version>5.12.2</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
             <version>5.12.2</version>
             <scope>test</scope>
         </dependency>
diff --git a/pom.xml b/pom.xml
index ce537ce5592..8f3661b7609 100644
--- a/pom.xml
+++ b/pom.xml
@@ -156,7 +156,7 @@ Copyright (c) 2012 - Jeremy Long
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
         <junit.version>5.12.2</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
-        <mockito.version>5.12.0</mockito.version>
+        <mockito.version>5.17.0</mockito.version>
         <jsoup.version>1.19.1</jsoup.version>
         <commons-compress.version>1.27.1</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>
@@ -1082,7 +1082,19 @@ Copyright (c) 2012 - Jeremy Long
             </dependency>
             <dependency>
                 <groupId>org.junit.jupiter</groupId>
-                <artifactId>junit-jupiter</artifactId>
+                <artifactId>junit-jupiter-api</artifactId>
+                <version>${junit.version}</version>
+                <scope>test</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.junit.jupiter</groupId>
+                <artifactId>junit-jupiter-engine</artifactId>
+                <version>${junit.version}</version>
+                <scope>test</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.junit.jupiter</groupId>
+                <artifactId>junit-jupiter-params</artifactId>
                 <version>${junit.version}</version>
                 <scope>test</scope>
             </dependency>
@@ -1318,7 +1330,17 @@ Copyright (c) 2012 - Jeremy Long
         <!-- region generic test dependencies -->
         <dependency>
             <groupId>org.junit.jupiter</groupId>
-            <artifactId>junit-jupiter</artifactId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>

From b2ad7b33e5e6effb0095627707645e589bd86dec Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Apr 2025 01:52:57 +0000
Subject: [PATCH 033/195] build(deps): bump org.jsoup:jsoup from 1.19.1 to
 1.20.1

Bumps [org.jsoup:jsoup](https://github.com/jhy/jsoup) from 1.19.1 to 1.20.1.
- [Release notes](https://github.com/jhy/jsoup/releases)
- [Changelog](https://github.com/jhy/jsoup/blob/master/CHANGES.md)
- [Commits](https://github.com/jhy/jsoup/compare/jsoup-1.19.1...jsoup-1.20.1)

---
updated-dependencies:
- dependency-name: org.jsoup:jsoup
  dependency-version: 1.20.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index d20f4833023..abe8bc01d51 100644
--- a/pom.xml
+++ b/pom.xml
@@ -157,7 +157,7 @@ Copyright (c) 2012 - Jeremy Long
         <junit.version>4.13.2</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
         <mockito-core.version>5.12.0</mockito-core.version>
-        <jsoup.version>1.19.1</jsoup.version>
+        <jsoup.version>1.20.1</jsoup.version>
         <commons-compress.version>1.27.1</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>
         <maven-plugin-testing-harness.version>3.3.0</maven-plugin-testing-harness.version>

From c96e318f7b970941e4548e7daa9e8f25c7f4a7f5 Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Tue, 29 Apr 2025 16:38:53 +0200
Subject: [PATCH 034/195] Migrate tests to JUnit5 (fixes)

* Make CentralSearchTest more stable
---
 .../data/central/CentralSearchTest.java       | 40 +++++++++++--------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
index 448d989fa72..4951f4aaa2b 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
@@ -6,10 +6,12 @@
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertInstanceOf;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assumptions.assumeFalse;
@@ -46,13 +48,16 @@ void testMalformedSha1() {
     @Test
     void testValidSha1() throws Exception {
         try {
-        List<MavenArtifact> ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
-        assertEquals("org.apache.maven.plugins", ma.get(0).getGroupId(), "Incorrect group");
-        assertEquals("maven-compiler-plugin", ma.get(0).getArtifactId(), "Incorrect artifact");
-        assertEquals("3.1", ma.get(0).getVersion(), "Incorrect version");
-                } catch (IOException ex) {
-            //we hit a failure state on the CI
+            List<MavenArtifact> ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
+            assertEquals("org.apache.maven.plugins", ma.get(0).getGroupId(), "Incorrect group");
+            assertEquals("maven-compiler-plugin", ma.get(0).getArtifactId(), "Incorrect artifact");
+            assertEquals("3.1", ma.get(0).getVersion(), "Incorrect version");
+        } catch (IOException ex) {
+            // abort if we hit a failure state on the CI
             assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
+            assumeFalse(ex.getMessage().matches("^https://.+ - Server status: \\d{3} - Server reason: .+$"));
+
+            // otherwise fail the test
             throw ex;
         }
     }
@@ -62,15 +67,15 @@ void testValidSha1() throws Exception {
     // test it anyway
     @Test
     void testMissingSha1() {
-        assertThrows(IOException.class, () -> {
-            try {
-                searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
-            } catch (IOException ex) {
-                //we hit a failure state on the CI
-                assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
-                throw ex;
-            }
-        });
+        IOException ex = assertThrows(IOException.class, () -> searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
+
+        //abort if we hit a failure state on the CI
+        assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
+        assumeFalse(ex.getMessage().matches("^https://.+ - Server status: \\d{3} - Server reason: .+$"));
+
+        // otherwise assert that the exception is a FileNotFoundException
+        assertInstanceOf(FileNotFoundException.class, ex);
+        assertEquals("Artifact not found in Central", ex.getMessage());
     }
 
     // This test should give us multiple results back from Central
@@ -80,8 +85,11 @@ void testMultipleReturns() throws Exception {
             List<MavenArtifact> ma = searcher.searchSha1("94A9CE681A42D0352B3AD22659F67835E560D107");
             assertTrue(ma.size() > 1);
         } catch (IOException ex) {
-            //we hit a failure state on the CI
+            // abort if we hit a failure state on the CI
             assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
+            assumeFalse(ex.getMessage().matches("^https://.+ - Server status: \\d{3} - Server reason: .+$"));
+
+            // otherwise fail the test
             throw ex;
         }
     }

From 945208dff204929b44d552cddd9b307b689ea165 Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Wed, 30 Apr 2025 13:34:52 +0200
Subject: [PATCH 035/195] Migrate tests to JUnit5 (assertThrows)

* Replace try / fail(expected exception) / catch pattern with assertThrows
* Reduce usage of fail()
---
 .../taskdefs/DependencyCheckTaskIT.java       |  12 +-
 .../owasp/dependencycheck/CliParserTest.java  |  92 ++++++--------
 .../org/owasp/dependencycheck/EngineIT.java   |   8 +-
 .../analyzer/ArchiveAnalyzerIT.java           |   6 +-
 .../analyzer/AssemblyAnalyzerTest.java        |  13 +-
 .../analyzer/CPEAnalyzerIT.java               |   4 +-
 .../analyzer/OssIndexAnalyzerTest.java        |  12 +-
 .../data/artifactory/ArtifactorySearchIT.java |  15 +--
 .../ArtifactorySearchResponseHandlerTest.java | 119 ++++++++----------
 .../artifactory/ArtifactorySearchTest.java    |  19 ++-
 .../data/central/CentralSearchTest.java       |   2 +-
 .../data/nvdcve/DriverLoaderTest.java         |   9 +-
 .../utils/PyPACoreMetadataParserTest.java     |  14 +--
 .../dependencycheck/utils/FileUtilsTest.java  |   9 +-
 14 files changed, 141 insertions(+), 193 deletions(-)

diff --git a/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java b/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java
index d5da603f281..6e87f075695 100644
--- a/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java
+++ b/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java
@@ -29,7 +29,6 @@
 
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  *
@@ -127,12 +126,11 @@ void testNestedReportFormat() throws Exception {
 
     @Test
     void testNestedBADReportFormat() {
-        try {
-            buildFileRule.executeTarget("test.formatBADNested");
-            fail("Should have had a buildExceotion for a bad format attribute");
-        } catch (BuildException e) {
-            assertTrue(e.getMessage().contains("BAD is not a legal value for this attribute"), "Message did not have BAD, unexpected exception: " + e.getMessage());
-        }
+        BuildException e = assertThrows(BuildException.class,
+                () -> buildFileRule.executeTarget("test.formatBADNested"),
+                "Should have had a buildException for a bad format attribute");
+        assertTrue(e.getMessage().contains("BAD is not a legal value for this attribute"),
+                "Message did not have BAD, unexpected exception: " + e.getMessage());
     }
 
     /**
diff --git a/cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java b/cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java
index 14c3b0ca098..f92288c6ade 100644
--- a/cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java
+++ b/cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java
@@ -30,6 +30,7 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
@@ -99,20 +100,17 @@ void testParse_version() throws Exception {
     /**
      * Test of parse method with failOnCVSS without an argument
      *
-     * @throws Exception thrown when an exception occurs.
      */
     @Test
-    void testParse_failOnCVSSNoArg() throws Exception {
+    void testParse_failOnCVSSNoArg() {
 
         String[] args = {"--failOnCVSS"};
 
         CliParser instance = new CliParser(getSettings());
-        try {
-            instance.parse(args);
-            fail("an argument for failOnCVSS was missing and an exception was not thrown");
-        } catch (ParseException ex) {
-            assertTrue(ex.getMessage().contains("Missing argument"));
-        }
+        ParseException ex = assertThrows(ParseException.class, () -> instance.parse(args),
+                "an argument for failOnCVSS was missing and an exception was not thrown");
+        assertTrue(ex.getMessage().contains("Missing argument"));
+
         assertFalse(instance.isGetVersion());
         assertFalse(instance.isGetHelp());
         assertFalse(instance.isRunScan());
@@ -159,10 +157,9 @@ void testParse_failOnCVSSValidArgument() throws Exception {
     /**
      * Test of parse method with jar and cpe args, of class CliParser.
      *
-     * @throws Exception thrown when an exception occurs.
      */
     @Test
-    void testParse_unknown() throws Exception {
+    void testParse_unknown() {
 
         String[] args = {"-unknown"};
 
@@ -173,12 +170,10 @@ void testParse_unknown() throws Exception {
 
         CliParser instance = new CliParser(getSettings());
 
-        try {
-            instance.parse(args);
-            fail("Unrecognized option should have caused an exception");
-        } catch (ParseException ex) {
-            assertTrue(ex.getMessage().contains("Unrecognized option"));
-        }
+        ParseException ex = assertThrows(ParseException.class, () -> instance.parse(args) ,
+                "Unrecognized option should have caused an exception");
+        assertTrue(ex.getMessage().contains("Unrecognized option"));
+
         assertFalse(instance.isGetVersion());
         assertFalse(instance.isGetHelp());
         assertFalse(instance.isRunScan());
@@ -187,21 +182,17 @@ void testParse_unknown() throws Exception {
     /**
      * Test of parse method with scan arg, of class CliParser.
      *
-     * @throws Exception thrown when an exception occurs.
      */
     @Test
-    void testParse_scan() throws Exception {
+    void testParse_scan() {
 
         String[] args = {"-scan"};
 
         CliParser instance = new CliParser(getSettings());
 
-        try {
-            instance.parse(args);
-            fail("Missing argument should have caused an exception");
-        } catch (ParseException ex) {
-            assertTrue(ex.getMessage().contains("Missing argument"));
-        }
+        ParseException ex = assertThrows(ParseException.class, () -> instance.parse(args),
+                "Missing argument should have caused an exception");
+        assertTrue(ex.getMessage().contains("Missing argument"));
 
         assertFalse(instance.isGetVersion());
         assertFalse(instance.isGetHelp());
@@ -211,20 +202,17 @@ void testParse_scan() throws Exception {
     /**
      * Test of parse method with jar arg, of class CliParser.
      *
-     * @throws Exception thrown when an exception occurs.
      */
     @Test
-    void testParse_scan_unknownFile() throws Exception {
+    void testParse_scan_unknownFile() {
 
         String[] args = {"-scan", "jar.that.does.not.exist", "--project", "test"};
 
         CliParser instance = new CliParser(getSettings());
-        try {
-            instance.parse(args);
-            fail("An exception should have been thrown");
-        } catch (FileNotFoundException ex) {
-            assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
-        }
+
+        FileNotFoundException ex = assertThrows(FileNotFoundException.class, () -> instance.parse(args),
+                "An exception should have been thrown");
+        assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
 
         assertFalse(instance.isGetVersion());
         assertFalse(instance.isGetHelp());
@@ -274,7 +262,7 @@ void testParse_printVersionInfo() {
             assertFalse(text.contains("unknown"));
         } catch (IOException ex) {
             System.setOut(out);
-            fail("CliParser.printVersionInfo did not write anything to system.out.");
+            fail("CliParser.printVersionInfo did not write anything to system.out.", ex);
         } finally {
             System.setOut(out);
         }
@@ -318,16 +306,15 @@ void testParse_printHelp() throws Exception {
      * Test of getBooleanArgument method, of class CliParser.
      */
     @Test
-    void testGetBooleanArgument() throws ParseException {
+    void testGetBooleanArgument() {
         String[] args = {"--scan", "missing.file", "--artifactoryUseProxy", "false", "--artifactoryParallelAnalysis", "true", "--project", "test"};
 
         CliParser instance = new CliParser(getSettings());
-        try {
-            instance.parse(args);
-            fail("invalid scan should have caused an error");
-        } catch (FileNotFoundException ex) {
-            assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
-        }
+
+        FileNotFoundException ex = assertThrows(FileNotFoundException.class, () -> instance.parse(args),
+                "invalid scan should have caused an error");
+        assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
+
         boolean expResult;
         Boolean result = instance.getBooleanArgument("missingArgument");
         assertNull(result);
@@ -344,17 +331,16 @@ void testGetBooleanArgument() throws ParseException {
      * Test of getStringArgument method, of class CliParser.
      */
     @Test
-    void testGetStringArgument() throws ParseException {
+    void testGetStringArgument() {
 
         String[] args = {"--scan", "missing.file", "--artifactoryUsername", "blue42", "--project", "test"};
 
         CliParser instance = new CliParser(getSettings());
-        try {
-            instance.parse(args);
-            fail("invalid scan argument should have caused an exception");
-        } catch (FileNotFoundException ex) {
-            assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
-        }
+
+        FileNotFoundException ex = assertThrows(FileNotFoundException.class, () -> instance.parse(args),
+                "invalid scan argument should have caused an exception");
+        assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
+
         String expResult;
         String result = instance.getStringArgument("missingArgument");
         assertNull(result);
@@ -365,17 +351,15 @@ void testGetStringArgument() throws ParseException {
     }
 
     @Test
-    void testHasOption() throws ParseException {
+    void testHasOption() {
 
         String[] args = {"--scan", "missing.file", "--artifactoryUsername", "blue42", "--project", "test"};
 
         CliParser instance = new CliParser(getSettings());
-        try {
-            instance.parse(args);
-            fail("invalid scan argument should have caused an exception");
-        } catch (FileNotFoundException ex) {
-            assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
-        }
+
+        FileNotFoundException ex = assertThrows(FileNotFoundException.class, () -> instance.parse(args),
+                "invalid scan argument should have caused an exception");
+        assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
 
         Boolean result = instance.hasOption("missingOption");
         assertNull(result);
diff --git a/core/src/test/java/org/owasp/dependencycheck/EngineIT.java b/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
index 2b38f6335bc..a46d2504ca3 100644
--- a/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/EngineIT.java
@@ -36,8 +36,8 @@
 import java.util.concurrent.Executors;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.spy;
@@ -72,9 +72,9 @@ void exceptionDuringAnalysisTaskExecutionIsFatal() throws DatabaseException {
              when(instance.getExecutorService(analyzer)).thenReturn(executorService);
              doReturn(failingAnalysisTask).when(instance).getAnalysisTasks(analyzer, exceptions);
 
-             instance.executeAnalysisTasks(analyzer, exceptions);
-             fail("ExceptionCollection exception was expected");
-         } catch (ExceptionCollection expected) {
+             ExceptionCollection expected = assertThrows(ExceptionCollection.class,
+                     () -> instance.executeAnalysisTasks(analyzer, exceptions),
+                     "ExceptionCollection exception was expected");
              List<Throwable> collected = expected.getExceptions();
              assertEquals(1, collected.size());
              assertEquals(java.util.concurrent.ExecutionException.class, collected.get(0).getClass());
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java
index 13877daa793..981011e45d3 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIT.java
@@ -22,7 +22,6 @@
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Settings;
 
 import java.io.File;
@@ -34,7 +33,6 @@
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  *
@@ -113,9 +111,7 @@ void testInitialize() {
         try {
             instance.setEnabled(true);
             instance.setFilesMatched(true);
-            instance.prepare(null);
-        } catch (InitializationException ex) {
-            fail(ex.getMessage());
+            assertDoesNotThrow(() -> instance.prepare(null));
         } finally {
             assertDoesNotThrow(instance::close);
         }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
index 60811a6849c..1d5fe726bef 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
@@ -35,8 +35,8 @@
 import java.io.File;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 import static org.junit.jupiter.api.Assumptions.assumeFalse;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
@@ -129,9 +129,8 @@ void testNonexistent() {
         Dependency d = new Dependency(test);
 
         try {
-            analyzer.analyze(d, null);
-            fail("Expected an AnalysisException");
-        } catch (AnalysisException ae) {
+            AnalysisException ae = assertThrows(AnalysisException.class, () -> analyzer.analyze(d, null),
+                "Expected an AnalysisException");
             assertTrue(ae.getMessage().contains("nonexistent.dll does not exist and cannot be analyzed by dependency-check"));
         } finally {
             System.setProperty(LOG_KEY, oldProp);
@@ -159,9 +158,9 @@ void testWithSettingMono() {
             AssemblyAnalyzer aanalyzer = new AssemblyAnalyzer();
             aanalyzer.initialize(getSettings());
             aanalyzer.accept(new File("test.dll")); // trick into "thinking it is active"
-            aanalyzer.prepare(null);
-            fail("Expected an InitializationException");
-        } catch (InitializationException ae) {
+
+            InitializationException ae = assertThrows(InitializationException.class, () -> aanalyzer.prepare(null),
+                    "Expected an InitializationException");
             assertEquals("An error occurred with the .NET AssemblyAnalyzer, is the dotnet 8.0 runtime or sdk installed?", ae.getMessage());
         } finally {
             System.setProperty(LOG_KEY, oldProp);
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
index 5c33a3c9893..30721c8b149 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
@@ -159,7 +159,7 @@ private void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer
             }
             assertTrue(found, "Match not found: { dep:'" + dep.getFileName() + "', exp:'" + expResult + "' }");
         } else {
-            dep.getVulnerableSoftwareIdentifiers().forEach((id) -> fail("Unexpected match found: { dep:'" + dep.getFileName() + "', found:'" + id + "' }"));
+            dep.getVulnerableSoftwareIdentifiers().forEach(id -> fail("Unexpected match found: { dep:'" + dep.getFileName() + "', found:'" + id + "' }"));
         }
     }
 
@@ -222,7 +222,7 @@ void testDetermineCPE() throws Exception {
             instance.close();
 
             suppressionAnalyzer.analyze(commonValidator, engine);
-            commonValidator.getVulnerableSoftwareIdentifiers().forEach((i) -> fail("Apache Common Validator found an unexpected CPE identifier - " + i.getValue()));
+            commonValidator.getVulnerableSoftwareIdentifiers().forEach(i -> fail("Apache Common Validator found an unexpected CPE identifier - " + i.getValue()));
 
             String expResult = "cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*";
             assertFalse(struts.getVulnerableSoftwareIdentifiers().isEmpty(), "Incorrect match size - struts");
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
index d1d615978b9..b56c9556b6b 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
@@ -23,9 +23,9 @@
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 class OssIndexAnalyzerTest extends BaseTest {
 
@@ -141,9 +141,8 @@ void should_analyzeDependency_only_warn_when_transport_error_from_sonatype() thr
         // When
         try (engine) {
             engine.setDependencies(Collections.singletonList(dependency));
-            analyzer.analyzeDependency(dependency, engine);
-        } catch (AnalysisException e) {
-            fail("Analysis exception thrown upon remote error although only a warning should have been logged");
+            assertDoesNotThrow(() -> analyzer.analyzeDependency(dependency, engine),
+                    "Analysis exception thrown upon remote error although only a warning should have been logged");
         } finally {
             analyzer.close();
         }
@@ -169,9 +168,8 @@ void should_analyzeDependency_only_warn_when_socket_error_from_sonatype() throws
         // When
         try (engine) {
             engine.setDependencies(Collections.singletonList(dependency));
-            analyzer.analyzeDependency(dependency, engine);
-        } catch (AnalysisException e) {
-            fail("Analysis exception thrown upon remote error although only a warning should have been logged");
+            assertDoesNotThrow(() -> analyzer.analyzeDependency(dependency, engine),
+                    "Analysis exception thrown upon remote error although only a warning should have been logged");
         } finally {
             analyzer.close();
         }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchIT.java b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchIT.java
index d7af9521183..0e030d42a09 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchIT.java
@@ -28,7 +28,7 @@
 import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 @Disabled
 class ArtifactorySearchIT {
@@ -63,7 +63,7 @@ void testWithRealInstanceUsingBearerToken() throws IOException {
     }
 
     @Test
-    void testWithRealInstanceAnonymous() throws IOException {
+    void testWithRealInstanceAnonymous() {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
@@ -72,13 +72,10 @@ void testWithRealInstanceAnonymous() throws IOException {
         settings.setString(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, "https://artifactory.techno.ingenico.com/artifactory");
         final ArtifactorySearch artifactorySearch = new ArtifactorySearch(settings);
         // When
-        try {
-            artifactorySearch.search(dependency);
-            fail("No Match found, should throw an exception!");
-        } catch (FileNotFoundException e) {
-            // Then
-            assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory", e.getMessage());
-        }
+        FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> artifactorySearch.search(dependency),
+                "No Match found, should throw an exception!");
+        // Then
+        assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory", e.getMessage());
     }
 
     @Test
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java
index 0bdee41a09a..00dada71ec8 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java
@@ -37,7 +37,7 @@
 import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.fail;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -168,36 +168,35 @@ void shouldProcessCorrectlyForMissingXResultDetailHeader() throws IOException {
 
         // When
         final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
-        try {
-            handler.handleResponse(response);
-            fail("Result with no details due to missing X-Result-Detail header, should throw an exception!");
-        } catch (FileNotFoundException e) {
-            // Then
-            assertEquals("Artifact Dependency{ fileName='freemarker-2.3.33.jar', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts",
-                    e.getMessage());
-
-            // There should be a WARN-log for for each of the results regarding the absence of X-Result-Detail header driven attributes
-            final List<ILoggingEvent> logsList = listAppender.list;
-            assertEquals(2, logsList.size(), "Number of log entries for the ArtifactorySearchResponseHandler");
-
-            ILoggingEvent logEvent = logsList.get(0);
-            assertEquals(Level.WARN, logEvent.getLevel());
-            assertEquals("No checksums found in artifactory search result of uri {}. Please make sure that header X-Result-Detail is retained on any (reverse)-proxy, loadbalancer or WebApplicationFirewall in the network path to your Artifactory Server", logEvent.getMessage());
-            Object[] args = logEvent.getArgumentArray();
-            assertEquals(1, args.length);
-            assertEquals("https://artifactory.example.com:443/artifactory/api/storage/maven-central-cache/org/freemarker/freemarker/2.3.33/freemarker-2.3.33.jar", args[0]);
-
-            logEvent = logsList.get(1);
-            assertEquals(Level.WARN, logEvent.getLevel());
-            assertEquals("No checksums found in artifactory search result of uri {}. Please make sure that header X-Result-Detail is retained on any (reverse)-proxy, loadbalancer or WebApplicationFirewall in the network path to your Artifactory Server", logEvent.getMessage());
-            args = logEvent.getArgumentArray();
-            assertEquals(1, args.length);
-            assertEquals("https://artifactory.example.com:443/artifactory/api/storage/gradle-plugins-extended-cache/org/freemarker/freemarker/2.3.33/freemarker-2.3.33.jar", args[0]);
-
-            // Remove our manually injected additional appender
-            sutLogger.detachAppender(listAppender);
-            listAppender.stop();
-        }
+
+        FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
+                "Result with no details due to missing X-Result-Detail header, should throw an exception!");
+
+        // Then
+        assertEquals("Artifact Dependency{ fileName='freemarker-2.3.33.jar', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts",
+                e.getMessage());
+
+        // There should be a WARN-log for for each of the results regarding the absence of X-Result-Detail header driven attributes
+        final List<ILoggingEvent> logsList = listAppender.list;
+        assertEquals(2, logsList.size(), "Number of log entries for the ArtifactorySearchResponseHandler");
+
+        ILoggingEvent logEvent = logsList.get(0);
+        assertEquals(Level.WARN, logEvent.getLevel());
+        assertEquals("No checksums found in artifactory search result of uri {}. Please make sure that header X-Result-Detail is retained on any (reverse)-proxy, loadbalancer or WebApplicationFirewall in the network path to your Artifactory Server", logEvent.getMessage());
+        Object[] args = logEvent.getArgumentArray();
+        assertEquals(1, args.length);
+        assertEquals("https://artifactory.example.com:443/artifactory/api/storage/maven-central-cache/org/freemarker/freemarker/2.3.33/freemarker-2.3.33.jar", args[0]);
+
+        logEvent = logsList.get(1);
+        assertEquals(Level.WARN, logEvent.getLevel());
+        assertEquals("No checksums found in artifactory search result of uri {}. Please make sure that header X-Result-Detail is retained on any (reverse)-proxy, loadbalancer or WebApplicationFirewall in the network path to your Artifactory Server", logEvent.getMessage());
+        args = logEvent.getArgumentArray();
+        assertEquals(1, args.length);
+        assertEquals("https://artifactory.example.com:443/artifactory/api/storage/gradle-plugins-extended-cache/org/freemarker/freemarker/2.3.33/freemarker-2.3.33.jar", args[0]);
+
+        // Remove our manually injected additional appender
+        sutLogger.detachAppender(listAppender);
+        listAppender.stop();
     }
 
     @Test
@@ -214,14 +213,11 @@ void shouldHandleNoMatches() throws IOException {
 
         // When
         final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
-        try {
-            handler.handleResponse(response);
-            fail("No Match found, should throw an exception!");
-        } catch (FileNotFoundException e) {
-            // Then
-            assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory",
-                    e.getMessage());
-        }
+        FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
+                "No Match found, should throw an exception!");
+        // Then
+        assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory",
+                e.getMessage());
     }
 
     private byte[] multipleMatchesPayload() {
@@ -424,15 +420,12 @@ void shouldProcessCorrectlyArtifactoryAnswerMisMatchMd5() throws IOException {
 
         // When
         final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
-        try {
-            handler.handleResponse(response);
-            fail("MD5 mismatching should throw an exception!");
-        } catch (FileNotFoundException e) {
-            // Then
-            assertEquals("Artifact " + dependency
-                    + " not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
+        FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
+                "MD5 mismatching should throw an exception!");
 
-        }
+        // Then
+        assertEquals("Artifact " + dependency
+                + " not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
     }
 
     @Test
@@ -450,13 +443,11 @@ void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha1() throws IOException {
 
         // When
         final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
-        try {
-            handler.handleResponse(response);
-            fail("SHA1 mismatching should throw an exception!");
-        } catch (FileNotFoundException e) {
-            // Then
-            assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
-        }
+        FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
+                "SHA1 mismatching should throw an exception!");
+
+        // Then
+        assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
     }
 
     @Test
@@ -474,13 +465,11 @@ void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha256() throws IOException
 
         // When
         final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
-        try {
-            handler.handleResponse(response);
-            fail("SHA256 mismatching should throw an exception!");
-        } catch (FileNotFoundException e) {
-            // Then
-            assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
-        }
+        FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
+                "SHA256 mismatching should throw an exception!");
+
+        // Then
+        assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
     }
 
     @Test
@@ -499,13 +488,11 @@ void shouldThrowNotFoundWhenPatternCannotBeParsed() throws IOException {
 
         // When
         final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
-        try {
-            handler.handleResponse(response);
-            fail("Maven GAV pattern mismatch for filepath should throw a not found exception!");
-        } catch (FileNotFoundException e) {
+        FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
+                "Maven GAV pattern mismatch for filepath should throw a not found exception!");
+
             // Then
             assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
-        }
     }
 
     @Test
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchTest.java
index 17438c3f2d5..c2342ba00f2 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchTest.java
@@ -25,12 +25,11 @@
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
-import java.io.IOException;
 import java.net.UnknownHostException;
 
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 class ArtifactorySearchTest extends BaseTest {
     private static String httpsProxyHostOrig;
@@ -68,7 +67,7 @@ public void setUp() throws Exception {
 
 
     @Test
-    void shouldFailWhenHostUnknown() throws IOException {
+    void shouldFailWhenHostUnknown() {
         // Given
         Dependency dependency = new Dependency();
         dependency.setSha1sum("c5b4c491aecb72e7c32a78da0b5c6b9cda8dee0f");
@@ -79,14 +78,12 @@ void shouldFailWhenHostUnknown() throws IOException {
         settings.setString(Settings.KEYS.ANALYZER_ARTIFACTORY_URL, "https://artifactory.techno.ingenico.com.invalid/artifactory");
         final ArtifactorySearch artifactorySearch = new ArtifactorySearch(settings);
         // When
-        try {
-            artifactorySearch.search(dependency);
-            fail("Should have thrown an UnknownHostException");
-        } catch (UnknownHostException exception) {
-            // Then
-            assertNotNull(exception.getMessage());
-            assertTrue(exception.getMessage().contains("artifactory.techno.ingenico.com.invalid"));
-        }
+        UnknownHostException exception = assertThrows(UnknownHostException.class, () -> artifactorySearch.search(dependency),
+                "Should have thrown an UnknownHostException");
+
+        // Then
+        assertNotNull(exception.getMessage());
+        assertTrue(exception.getMessage().contains("artifactory.techno.ingenico.com.invalid"));
     }
 
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
index 4951f4aaa2b..f9efb597e28 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
@@ -69,7 +69,7 @@ void testValidSha1() throws Exception {
     void testMissingSha1() {
         IOException ex = assertThrows(IOException.class, () -> searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
 
-        //abort if we hit a failure state on the CI
+        // abort if we hit a failure state on the CI
         assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
         assumeFalse(ex.getMessage().matches("^https://.+ - Server status: \\d{3} - Server reason: .+$"));
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
index ee77e88bc75..1d9aebcef07 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
@@ -25,6 +25,7 @@
 import java.sql.DriverManager;
 import java.sql.SQLException;
 
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -47,9 +48,7 @@ void testLoad_String() throws SQLException {
         String className = "org.h2.Driver";
         Driver d = null;
         try {
-            d = DriverLoader.load(className);
-        } catch (DriverLoadException ex) {
-            fail(ex.getMessage());
+            d = assertDoesNotThrow(() ->  DriverLoader.load(className));
         } finally {
             if (d != null) {
                 DriverManager.deregisterDriver(d);
@@ -107,9 +106,7 @@ void testLoad_String_String_multiple_paths() {
 
         Driver d = null;
         try {
-            d = DriverLoader.load(className, paths);
-        } catch (DriverLoadException ex) {
-            fail(ex.getMessage());
+            d = assertDoesNotThrow(() -> DriverLoader.load(className, paths));
         } finally {
             if (d != null) {
                 try {
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/PyPACoreMetadataParserTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/PyPACoreMetadataParserTest.java
index ce1fa923090..d0e2caa2f86 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/PyPACoreMetadataParserTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/PyPACoreMetadataParserTest.java
@@ -9,19 +9,17 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 class PyPACoreMetadataParserTest {
 
     @Test
-    void getProperties_should_throw_exception_for_too_large_major() throws IOException {
-        try {
-            PyPACoreMetadataParser.getProperties(new BufferedReader(new StringReader("Metadata-Version: 3.0")));
-            fail("Expected IllegalArgumentException for too large major in Metadata-Version");
-        } catch (IllegalArgumentException e) {
-            assertTrue(e.getMessage().contains("Unsupported PyPA Wheel metadata"));
-        }
+    void getProperties_should_throw_exception_for_too_large_major() {
+        IllegalArgumentException e = assertThrows(IllegalArgumentException.class,
+                () -> PyPACoreMetadataParser.getProperties(new BufferedReader(new StringReader("Metadata-Version: 3.0"))),
+                "Expected IllegalArgumentException for too large major in Metadata-Version");
+        assertTrue(e.getMessage().contains("Unsupported PyPA Wheel metadata"));
     }
 
     @Test
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java
index affc5a06edf..5c63b668099 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java
@@ -24,7 +24,6 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 /**
  *
@@ -51,11 +50,10 @@ void testGetFileExtension() {
      */
     @Test
     void testDelete() throws Exception {
-
         File file = File.createTempFile("tmp", "deleteme", getSettings().getTempDirectory());
-        if (!file.exists()) {
-            fail("Unable to create a temporary file.");
-        }
+
+        assertTrue(file.exists(), "Unable to create a temporary file.");
+
         boolean status = FileUtils.delete(file);
         assertTrue(status, "delete returned a failed status");
         assertFalse(file.exists(), "Temporary file exists after attempting deletion");
@@ -66,7 +64,6 @@ void testDelete() throws Exception {
      */
     @Test
     void testDeleteWithSubDirectories() throws Exception {
-
         File dir = new File(getSettings().getTempDirectory(), "delete-me");
         dir.mkdirs();
         File file = File.createTempFile("tmp", "deleteme", dir);

From dc796358b31a34c5707b53e3f039b3aa71767075 Mon Sep 17 00:00:00 2001
From: strangelookingnerd
 <49242855+strangelookingnerd@users.noreply.github.com>
Date: Wed, 30 Apr 2025 20:29:16 +0200
Subject: [PATCH 036/195] Apply suggestions from code review

Co-authored-by: Hans Aikema <aikebah-github@aikebah.net>
---
 .../dependencycheck/taskdefs/DependencyCheckTaskIT.java   | 2 +-
 cli/src/test/java/org/owasp/dependencycheck/AppTest.java  | 2 +-
 maven/pom.xml                                             | 1 -
 pom.xml                                                   | 8 ++++++--
 .../utils/ExpectedObjectInputStreamTest.java              | 8 ++++----
 5 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java b/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java
index 6e87f075695..67b23f4819f 100644
--- a/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java
+++ b/ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskIT.java
@@ -49,12 +49,12 @@ public void setUp() throws Exception {
     @AfterEach
     @Override
     public void tearDown() throws Exception {
-        super.tearDown();
         if (buildFileRule.getProject() != null) {
             if (this.buildFileRule.getProject().getTargets().containsKey("tearDown")) {
                 this.buildFileRule.getProject().executeTarget("tearDown");
             }
         }
+        super.tearDown();
     }
 
     /**
diff --git a/cli/src/test/java/org/owasp/dependencycheck/AppTest.java b/cli/src/test/java/org/owasp/dependencycheck/AppTest.java
index 0a45a9647b8..45f10d8c2cb 100644
--- a/cli/src/test/java/org/owasp/dependencycheck/AppTest.java
+++ b/cli/src/test/java/org/owasp/dependencycheck/AppTest.java
@@ -118,7 +118,7 @@ void testPopulateSettings() throws Exception {
     @Test
     void testPopulateSettingsException() {
         String[] args = {"-invalidPROPERTY"};
-        Exception exception = assertThrows(UnrecognizedOptionException.class, () -> testBooleanProperties(args, null));
+        UnrecognizedOptionException exception = assertThrows(UnrecognizedOptionException.class, () -> testBooleanProperties(args, null));
         assertTrue(exception.getMessage().contains("Unrecognized option: -invalidPROPERTY"));
     }
 
diff --git a/maven/pom.xml b/maven/pom.xml
index cdcbc44e08a..49dd1791637 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -117,7 +117,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
-            <version>${mockito.version}</version>
             <scope>test</scope>
         </dependency>
         <dependency>
diff --git a/pom.xml b/pom.xml
index 8898c2afb9e..b590df95b36 100644
--- a/pom.xml
+++ b/pom.xml
@@ -523,7 +523,6 @@ Copyright (c) 2012 - Jeremy Long
                     <detectJavaApiLink>false</detectJavaApiLink>
                 </configuration>
             </plugin>
-            <!--
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-enforcer-plugin</artifactId>
@@ -578,7 +577,6 @@ Copyright (c) 2012 - Jeremy Long
                     </execution>
                 </executions>
             </plugin>
-            -->
             <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
@@ -958,6 +956,12 @@ Copyright (c) 2012 - Jeremy Long
                 <version>${mock-server.version}</version>
                 <scope>test</scope>
             </dependency>
+            <dependency>
+                <groupId>org.mockito</groupId>
+                <artifactId>mockito-core</artifactId>
+                <version>${mockito.version}</version>
+                <scope>test</scope>
+            </dependency>
             <dependency>
                 <groupId>org.mockito</groupId>
                 <artifactId>mockito-junit-jupiter</artifactId>
diff --git a/utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java b/utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java
index 50d7ae756bb..5607a148d27 100644
--- a/utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java
+++ b/utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedObjectInputStreamTest.java
@@ -66,10 +66,10 @@ void testResolveClassException() throws Exception {
         ByteArrayOutputStream mem = new ByteArrayOutputStream();
         byte[] buf;
         try (ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem))) {
-                out.writeObject(data);
-                out.flush();
-                buf = mem.toByteArray();
-            }
+            out.writeObject(data);
+            out.flush();
+            buf = mem.toByteArray();
+        }
         ByteArrayInputStream in = new ByteArrayInputStream(buf);
         ExpectedObjectInputStream instance = new ExpectedObjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
         assertThrows(java.io.InvalidClassException.class, instance::readObject);

From e462a236841771b58a4831991334340d8defbb6b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 2 May 2025 06:13:06 -0400
Subject: [PATCH 037/195] build(deps): bump org.semver4j:semver4j from 5.6.0 to
 5.7.0 (#7626)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index b590df95b36..3a2f03e3b15 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1016,7 +1016,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.semver4j</groupId>
                 <artifactId>semver4j</artifactId>
-                <version>5.6.0</version>
+                <version>5.7.0</version>
             </dependency>
             <dependency>
                 <groupId>org.jetbrains</groupId>

From a4873910fbc047d04286e8bc11ba7892b24e64a6 Mon Sep 17 00:00:00 2001
From: Hans Aikema <aikebah-github@aikebah.net>
Date: Mon, 5 May 2025 11:53:52 +0200
Subject: [PATCH 038/195] fix: Resolve various WCAG accessibility / css issues
 in the HTML report (#7629)

---
 .../main/resources/templates/htmlReport.vsl   | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/core/src/main/resources/templates/htmlReport.vsl b/core/src/main/resources/templates/htmlReport.vsl
index c1211aec3bc..936f190839d 100644
--- a/core/src/main/resources/templates/htmlReport.vsl
+++ b/core/src/main/resources/templates/htmlReport.vsl
@@ -22,7 +22,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 
 #[[
 <!DOCTYPE html>
-<html>
+<html lang="en">
     <head>
         <title>Dependency-Check Report</title>
         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
@@ -211,7 +211,14 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             } else {
                 dependenciesHeader.text(dependenciesHeaderAllText);
             }
-            return toggleDisplay(event.target, '.notvulnerable', 'Showing Vulnerable Dependencies (click to show all)', 'Showing All Dependencies (click to show less)');
+            const plainCaptionPart = $('#tablecaption-plain');
+            const plainCaptionPartAllText = 'Summary of All Dependencies';
+            if (plainCaptionPart.text() == plainCaptionPartAllText) {
+                plainCaptionPart.text('Summary of Vulnerable Dependencies');
+            } else {
+                plainCaptionPart.text(plainCaptionPartAllText);
+            }
+            return toggleDisplay(event.target, '.notvulnerable', '(click to show all)', '(click to show less)');
           });
           $( ".versionToggle" ).bind( "click", function( event ) {
             var lnk = event.target;
@@ -230,7 +237,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 
 
         </script>
-        <style type="text/css">
+        <style>
             #modal-background {
                 display: none;
                 position: fixed;
@@ -606,9 +613,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             .notvulnerable {
                 display:none;
             }
-            .hidden {
-                display:none;
-            }
             .infolink {
                 text-decoration:none;
                 color: blue;
@@ -620,7 +624,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 float:right;
             }
             .disclaimer {
-                color: #888888;
+                color: #595959;
                 font: 9px "Droid Sans",Arial,"Helvetica Neue","Lucida Grande",sans-serif
             }
             .sortable {
@@ -756,9 +760,9 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
         <br/>
 #end
 <h2>Summary</h2>
-                Display:&nbsp;<a href="#" title="Click to toggle display" id="vulnerabilityDisplayToggle">Showing Vulnerable Dependencies (click to show all)</a><br/><br/>
+                <p><span id="tablecaption-plain">Summary of Vulnerable Dependencies </span><a href="#" title="Click to toggle display" id="vulnerabilityDisplayToggle">(click to show all)</a></p>
                 #set($lnkcnt=0)
-                <table id="summaryTable" class="lined">
+                <table id="summaryTable" class="lined" aria-labelledby="tablecaption-plain">
                     <thead><tr style="text-align:left">
                         <th class="sortable" data-sort="string" title="The name of the dependency">Dependency</th>
                         <th class="sortable" data-sort="string" title="The Common Platform Enumeration">Vulnerability&nbsp;IDs</th>

From 06cce452c9de0983361d141ede029af75bb1ab67 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 7 May 2025 01:32:14 +0000
Subject: [PATCH 039/195] build(deps-dev): bump io.netty:netty-codec-http

Bumps [io.netty:netty-codec-http](https://github.com/netty/netty) from 4.2.0.Final to 4.2.1.Final.
- [Commits](https://github.com/netty/netty/compare/netty-4.2.0.Final...netty-4.2.1.Final)

---
updated-dependencies:
- dependency-name: io.netty:netty-codec-http
  dependency-version: 4.2.1.Final
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 utils/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/pom.xml b/utils/pom.xml
index 26b68a5c331..5be0d49bcd6 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -95,7 +95,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
-            <version>4.2.0.Final</version>
+            <version>4.2.1.Final</version>
             <scope>test</scope>
         </dependency>
         <dependency>

From c20ecfd96592690bbbda10a3fc1736e5e6d6ae59 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 7 May 2025 05:47:57 -0400
Subject: [PATCH 040/195] build(deps): bump golang from 1.24.2-alpine to
 1.24.3-alpine (#7636)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 936f976331c..47db6128226 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.24.2-alpine AS go
+FROM golang:1.24.3-alpine AS go
 
 FROM azul/zulu-openjdk-alpine:21 AS jlink
 

From 82bd06387b85557a53213c4534cfdf6189cde146 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcel=20St=C3=B6r?= <marcelstoer@users.noreply.github.com>
Date: Wed, 14 May 2025 12:00:21 +0200
Subject: [PATCH 041/195] feat: Allow configuring OSS Index user/pw directly
 (#7640)

---
 .../maven/BaseDependencyCheckMojo.java        | 36 ++++++++++++++++---
 maven/src/site/markdown/configuration.md      |  2 ++
 2 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 896c10b8f37..ed643eb8c10 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -765,13 +765,34 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     private String ossindexAnalyzerUrl;
 
     /**
-     * The id of a server defined in the settings.xml that configures the
-     * credentials (username and password) for a OSS Index service.
+     * The id of a server defined in the settings.xml to authenticate Sonatype
+     * OSS Index requests and profit from higher rate limits. Provide the OSS
+     * account email address as username and password or API token as password.
      */
     @SuppressWarnings("CanBeFinal")
     @Parameter(property = "ossIndexServerId")
     private String ossIndexServerId;
 
+    /**
+     * OSS account email address as an alternative to the indirection through
+     * the ossIndexServerId (see above). Both ossIndexUsername and
+     * ossIndexPassword must be set to use this approach instead of the server
+     * ID.
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "ossIndexUsername")
+    private String ossIndexUsername;
+
+    /**
+     * OSS password or API token as an alternative to the indirection through
+     * the ossIndexServerId (see above). Both ossIndexUsername and
+     * ossIndexPassword must be set to use this approach instead of the server
+     * ID.
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "ossIndexPassword")
+    private String ossIndexPassword;
+
     /**
      * Whether we should only warn about Sonatype OSS Index remote errors
      * instead of failing the goal completely.
@@ -2427,7 +2448,12 @@ protected void populateSettings() throws MojoFailureException, MojoExecutionExce
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
-        configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
+        if (StringUtils.isEmpty(ossIndexUsername) || StringUtils.isEmpty(ossIndexPassword)) {
+            configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
+        } else {
+            settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER, ossIndexUsername);
+            settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD, ossIndexPassword);
+        }
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexWarnOnlyOnRemoteErrors);
         if (retirejs != null) {
@@ -2517,8 +2543,8 @@ protected void populateSettings() throws MojoFailureException, MojoExecutionExce
      * <p>
      * When a serverId is given, then its values are used instead of the less secure direct values.<br />
      * A serverId with username/password will fill the `userKey` and `passwordKey` settings for Basic Auth. A serverId with only password
-     * filled will fill the `tokenKey` fro Bearer Auth.<br/>
-     * In absence of the serverId any non-null value will be transferred to the settings.
+     * filled will fill the `tokenKey` from Bearer Auth.<br/>
+     * In absence of the serverId, any non-null value will be transferred to the settings.
      *
      * @param serverId      The serverId specified for the connection or {@code null}
      * @param usernameValue The username specified for the connection or {@code null}
diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md
index ff6f9abb224..e7907a2f0ef 100644
--- a/maven/src/site/markdown/configuration.md
+++ b/maven/src/site/markdown/configuration.md
@@ -64,6 +64,8 @@ knownExploitedUrl                   | Sets URL to the CISA Known Exploited Vulne
 ossindexAnalyzerEnabled             | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection.         | true
 ossindexAnalyzerUseCache            | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours.                                                       | true
 ossIndexServerId                    | The id of [a server](https://maven.apache.org/settings.html#Servers) defined in the `settings.xml` to authenticate Sonatype OSS Index requests and profit from higher rate limits. Provide the OSS account email address as `username` and password or API token as `password`. | &nbsp;
+ossIndexUsername                    | OSS account email address as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. | &nbsp;
+ossIndexPassword                    | OSS password or API token as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. | &nbsp;
 ossindexAnalyzerUrl                 | The OSS Index server URL | https://ossindex.sonatype.org
 ossIndexWarnOnlyOnRemoteErrors      | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.    | false
 nexusAnalyzerEnabled                | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true

From 89c4ca95d857dbabd988246829b09f0f447347b7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 21 May 2025 01:21:07 +0000
Subject: [PATCH 042/195] build(deps): bump mockito.version from 5.17.0 to
 5.18.0

Bumps `mockito.version` from 5.17.0 to 5.18.0.

Updates `org.mockito:mockito-core` from 5.17.0 to 5.18.0
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](https://github.com/mockito/mockito/compare/v5.17.0...v5.18.0)

Updates `org.mockito:mockito-junit-jupiter` from 5.17.0 to 5.18.0
- [Release notes](https://github.com/mockito/mockito/releases)
- [Commits](https://github.com/mockito/mockito/compare/v5.17.0...v5.18.0)

---
updated-dependencies:
- dependency-name: org.mockito:mockito-core
  dependency-version: 5.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.mockito:mockito-junit-jupiter
  dependency-version: 5.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 3a2f03e3b15..a7dda393f3f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -156,7 +156,7 @@ Copyright (c) 2012 - Jeremy Long
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
         <junit.version>5.12.2</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
-        <mockito.version>5.17.0</mockito.version>
+        <mockito.version>5.18.0</mockito.version>
         <jsoup.version>1.20.1</jsoup.version>
         <commons-compress.version>1.27.1</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>

From aa0ae5111de038d3fb3720c71f81ab66ec715a98 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Thu, 22 May 2025 23:45:56 +0800
Subject: [PATCH 043/195] fix(cli): Patch generated Windows shell script for
 JAVACMD installs with spaces (#7653)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 cli/pom.xml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/cli/pom.xml b/cli/pom.xml
index 03e33230f50..67fe720840c 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -96,12 +96,36 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                 <executions>
                     <execution>
                         <id>assemble</id>
+                        <phase>package</phase>
                         <goals>
                             <goal>assemble</goal>
                         </goals>
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-antrun-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>fix-windows-shell-script</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>run</goal>
+                        </goals>
+                        <configuration>
+                            <!-- Hack/workaround for https://github.com/mojohaus/appassembler/issues/114 -->
+                            <target>
+                                <replace file="${project.build.directory}/release/bin/dependency-check.bat"
+                                         token="%JAVACMD% %JAVA_OPTS%"
+                                         value="&quot;%JAVACMD%&quot; %JAVA_OPTS%"
+                                         failOnNoReplacements="true"
+                                />
+                            </target>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-assembly-plugin</artifactId>

From 0357b5226f7ee12da30397863ef9019bcc746141 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Fri, 23 May 2025 18:18:56 +0800
Subject: [PATCH 044/195] docs: Fix vulnz links (#7647)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 ant/src/site/markdown/config-purge.md         |   8 +-
 ant/src/site/markdown/config-update.md        |  92 +++---
 ant/src/site/markdown/configuration.md        | 268 +++++++--------
 cli/src/site/markdown/arguments.md            | 272 +++++++--------
 .../data/update/NvdApiDataSource.java         |   2 +-
 maven/src/site/markdown/configuration.md      | 310 +++++++++---------
 src/site/markdown/data/cachenvd.md            |   2 +-
 .../configuration-aggregate.md                | 272 +++++++--------
 .../configuration-purge.md                    |  24 +-
 .../configuration-update.md                   | 110 +++----
 .../dependency-check-gradle/configuration.md  | 262 +++++++--------
 11 files changed, 811 insertions(+), 811 deletions(-)

diff --git a/ant/src/site/markdown/config-purge.md b/ant/src/site/markdown/config-purge.md
index 728fe248d54..e048190e5bb 100644
--- a/ant/src/site/markdown/config-purge.md
+++ b/ant/src/site/markdown/config-purge.md
@@ -14,8 +14,8 @@ Configuration: dependency-check-purge Task
 --------------------
 The following properties can be set on the dependency-check-purge task.
 
- Property      | Description                                                                | Default Value                                    
----------------|----------------------------------------------------------------------------|--------------------------------------------------
- dataDirectory | Data directory that is used to store the local caches and NVD CVE database | `<folder-of-dependency-check-ant.jar>/data/11.0` 
- failOnError   | Whether the build should fail if there is an error executing the purge     | true                                             
+| Property      | Description                                                                | Default Value                                    |
+|---------------|----------------------------------------------------------------------------|--------------------------------------------------|
+| dataDirectory | Data directory that is used to store the local caches and NVD CVE database | `<folder-of-dependency-check-ant.jar>/data/11.0` |
+| failOnError   | Whether the build should fail if there is an error executing the purge     | true                                             |
 
diff --git a/ant/src/site/markdown/config-update.md b/ant/src/site/markdown/config-update.md
index 08a67f39761..9d86a179987 100644
--- a/ant/src/site/markdown/config-update.md
+++ b/ant/src/site/markdown/config-update.md
@@ -17,54 +17,54 @@ Configuration: dependency-check-update Task
 --------------------
 The following properties can be set on the dependency-check-update task.
 
- Property                | Description                                                                                    | Default Value                                    
--------------------------|------------------------------------------------------------------------------------------------|--------------------------------------------------
- dataDirectory           | Data directory that is used to store the local caches and NVD CVE database                     | `<folder-of-dependency-check-ant.jar>/data/11.0` 
- failOnError             | Whether the build should fail if there is an error executing the update                        | true                                             
- proxyServer             | The Proxy Server; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;                                           
- proxyPort               | The Proxy Port.                                                                                | &nbsp;                                           
- proxyUsername           | Defines the proxy user name.                                                                   | &nbsp;                                           
- proxyPassword           | Defines the proxy password.                                                                    | &nbsp;                                           
- nonProxyHosts           | Defines the hosts that will not be proxied.                                                    | &nbsp;                                           
- connectionTimeout       | The URL Connection Timeout (in milliseconds).                                                  | 10000                                            
- readtimeout             | The URL Read Timeout (in milliseconds).                                                        | 60000                                            
- retireJsAnalyzerEnabled | Sets whether the RetireJS Analyzer update and analyzer are enabled.                            | true                                             
+| Property                | Description                                                                                    | Default Value                                    |
+|-------------------------|------------------------------------------------------------------------------------------------|--------------------------------------------------|
+| dataDirectory           | Data directory that is used to store the local caches and NVD CVE database                     | `<folder-of-dependency-check-ant.jar>/data/11.0` |
+| failOnError             | Whether the build should fail if there is an error executing the update                        | true                                             |
+| proxyServer             | The Proxy Server; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;                                           |
+| proxyPort               | The Proxy Port.                                                                                | &nbsp;                                           |
+| proxyUsername           | Defines the proxy user name.                                                                   | &nbsp;                                           |
+| proxyPassword           | Defines the proxy password.                                                                    | &nbsp;                                           |
+| nonProxyHosts           | Defines the hosts that will not be proxied.                                                    | &nbsp;                                           |
+| connectionTimeout       | The URL Connection Timeout (in milliseconds).                                                  | 10000                                            |
+| readtimeout             | The URL Read Timeout (in milliseconds).                                                        | 60000                                            |
+| retireJsAnalyzerEnabled | Sets whether the RetireJS Analyzer update and analyzer are enabled.                            | true                                             |
 
 Advanced Configuration
 ====================
 The following properties can be configured in the plugin. However, they are less frequently changed.
 
- Property                        | Description                                                                                                                                                                                                                        | Default Value                                                                          
----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------
- nvdApiKey                       | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                                                                                                | &nbsp;                                                                                 
- nvdApiEndpoint                  | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                                                                | https://services.nvd.nist.gov/rest/json/cves/2.0                                       
- nvdMaxRetryCount                | The maximum number of retry requests for a single call to the NVD API.                                                                                                                                                             | 10                                                                                     
- nvdApiDelay                     | The number of milliseconds to wait between calls to the NVD API.                                                                                                                                                                   | 3500 with an NVD API Key or 8000 without an API Key                                    
- nvdApiResultsPerPage            | The number records for a single page from NVD API (must be <=2000).                                                                                                                                                                | 2000                                                                                   
- nvdDatafeedUrl                  | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp;                                                                                 
- nvdUser                         | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                               | &nbsp;                                                                                 
- nvdPassword                     | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                               | &nbsp;                                                                                 
- nvdValidForHours                | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                                                                  | 4                                                                                      
- databaseDriverName              | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                                                       | &nbsp;                                                                                 
- databaseDriverPath              | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                                                                                             | &nbsp;                                                                                 
- connectionString                | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                                                                                       | &nbsp;                                                                                 
- databaseUser                    | The username used when connecting to the database.                                                                                                                                                                                 | &nbsp;                                                                                 
- databasePassword                | The password used when connecting to the database.                                                                                                                                                                                 | &nbsp;                                                                                 
- hostedSuppressionsEnabled       | Whether the hosted suppression file will be used.                                                                                                                                                                                  | true                                                                                   
- hostedSuppressionsUrl           | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                                                   | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml    
- hostedSuppressionsUser          | The user for a Basic-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                            | &nbsp;                                                                                 
- hostedSuppressionsPassword      | The password/token for a Basic-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                  | &nbsp;                                                                                 
- hostedSuppressionsBearerToken   | The bearer token for a Bearer-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                   | &nbsp;                                                                                 
- hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file                                                                                                                                   | 2                                                                                      
- hostedSuppressionsForceUpdate   | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings                                                                                                                  | false                                                                                  
- retireJsForceUpdate             | Sets whether the RetireJS repository should update regardless of the `autoupdate` setting.                                                                                                                                         | false                                                                                  
- retireJsUrl                     | The URL to a mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                                                        | https://raw.githubusercontent.com/Retirejs/retire.js/main/repository/jsrepository.json 
- retireJsUrlUser                 | The user for a Basic-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                                 | &nbsp;                                                                                 
- retireJsUrlPassword             | The password/token for a Basic-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                       | &nbsp;                                                                                 
- retireJsUrlBearerToken          | The bearer token for a Bearer-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                        | &nbsp;                                                                                 
- knownExploitedEnabled           | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                                                    | true                                                                                   
- knownExploitedUrl               | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                               | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json    
- knownExploitedUser              | The user for a Basic-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                                 | &nbsp;                                                                                 
- knownExploitedPassword          | The password/token for a Basic-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                      | &nbsp;                                                                                 
- knownExploitedBearerToken       | The bearer token for a Bearer-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                      | &nbsp;                                                                                 
- knownExploitedValidForHours     | Sets the number of hours to wait before checking for new updates of the CISA Known Exploited Vulnerabilities JSON data feed                                                                                                        | 24                                                                                     
+| Property                        | Description                                                                                                                                                                                                                          | Default Value                                                                             |
+|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| nvdApiKey                       | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                                                                                                  | &nbsp;                                                                                    |
+| nvdApiEndpoint                  | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                                                                  | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
+| nvdMaxRetryCount                | The maximum number of retry requests for a single call to the NVD API.                                                                                                                                                               | 10                                                                                        |
+| nvdApiDelay                     | The number of milliseconds to wait between calls to the NVD API.                                                                                                                                                                     | 3500 with an NVD API Key or 8000 without an API Key                                       |
+| nvdApiResultsPerPage            | The number records for a single page from NVD API (must be <=2000).                                                                                                                                                                  | 2000                                                                                      |
+| nvdDatafeedUrl                  | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp;                                                                                    |
+| nvdUser                         | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                                 | &nbsp;                                                                                    |
+| nvdPassword                     | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                                 | &nbsp;                                                                                    |
+| nvdValidForHours                | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                                                                    | 4                                                                                         |
+| databaseDriverName              | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                                                         | &nbsp;                                                                                    |
+| databaseDriverPath              | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                                                                                               | &nbsp;                                                                                    |
+| connectionString                | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                                                                                         | &nbsp;                                                                                    |
+| databaseUser                    | The username used when connecting to the database.                                                                                                                                                                                   | &nbsp;                                                                                    |
+| databasePassword                | The password used when connecting to the database.                                                                                                                                                                                   | &nbsp;                                                                                    |
+| hostedSuppressionsEnabled       | Whether the hosted suppression file will be used.                                                                                                                                                                                    | true                                                                                      |
+| hostedSuppressionsUrl           | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                                                     | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
+| hostedSuppressionsUser          | The user for a Basic-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                              | &nbsp;                                                                                    |
+| hostedSuppressionsPassword      | The password/token for a Basic-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                    | &nbsp;                                                                                    |
+| hostedSuppressionsBearerToken   | The bearer token for a Bearer-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                     | &nbsp;                                                                                    |
+| hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file                                                                                                                                     | 2                                                                                         |
+| hostedSuppressionsForceUpdate   | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings                                                                                                                    | false                                                                                     |
+| retireJsForceUpdate             | Sets whether the RetireJS repository should update regardless of the `autoupdate` setting.                                                                                                                                           | false                                                                                     |
+| retireJsUrl                     | The URL to a mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                                                          | https://raw.githubusercontent.com/Retirejs/retire.js/main/repository/jsrepository.json    |
+| retireJsUrlUser                 | The user for a Basic-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                                   | &nbsp;                                                                                    |
+| retireJsUrlPassword             | The password/token for a Basic-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                         | &nbsp;                                                                                    |
+| retireJsUrlBearerToken          | The bearer token for a Bearer-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                          | &nbsp;                                                                                    |
+| knownExploitedEnabled           | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                                                      | true                                                                                      |
+| knownExploitedUrl               | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                 | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json       |
+| knownExploitedUser              | The user for a Basic-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                                   | &nbsp;                                                                                    |
+| knownExploitedPassword          | The password/token for a Basic-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                         | &nbsp;                                                                                    |
+| knownExploitedBearerToken       | The bearer token for a Bearer-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                          | &nbsp;                                                                                    |
+| knownExploitedValidForHours     | Sets the number of hours to wait before checking for new updates of the CISA Known Exploited Vulnerabilities JSON data feed                                                                                                          | 24                                                                                        |
diff --git a/ant/src/site/markdown/configuration.md b/ant/src/site/markdown/configuration.md
index 7907177320c..d4ef4c9642d 100644
--- a/ant/src/site/markdown/configuration.md
+++ b/ant/src/site/markdown/configuration.md
@@ -34,37 +34,37 @@ Configuration: dependency-check Task
 --------------------
 The following properties can be set on the dependency-check task.
 
- Property                         | Description                                                                                                                                                                                                                                                                                                                     | Default Value                                    
-----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------
- autoUpdate                       | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                              | true                                             
- failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                | 11                                               
- junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                | 0                                                
- prettyPrint                      | Whether the XML and JSON formatted reports should be pretty printed.                                                                                                                                                                                                                                                            | false                                            
- projectName                      | The name of the project being scanned.                                                                                                                                                                                                                                                                                          | Dependency-Check                                 
- reportFormat                     | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                   | HTML                                             
- reportOutputDirectory            | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build                                                                                                                                                                                                              | 'target'                                         
- hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                 | &nbsp;                                           
- dataDirectory                    | Data directory that is used to store the local caches and NVD CVE database                                                                                                                                                                                                                                                      | `<folder-of-dependency-check-ant.jar>/data/11.0` 
- failOnError                      | Whether the build should fail if there is an error executing the dependency-check analysis                                                                                                                                                                                                                                      | true                                             
- proxyServer                      | The Proxy Server; see the [proxy configuration](../data/proxy.html) page for more information.                                                                                                                                                                                                                                  | &nbsp;                                           
- proxyPort                        | The Proxy Port.                                                                                                                                                                                                                                                                                                                 | &nbsp;                                           
- proxyUsername                    | Defines the proxy user name.                                                                                                                                                                                                                                                                                                    | &nbsp;                                           
- proxyPassword                    | Defines the proxy password.                                                                                                                                                                                                                                                                                                     | &nbsp;                                           
- nonProxyHosts                    | Defines the hosts that will not be proxied.                                                                                                                                                                                                                                                                                     | &nbsp;                                           
- connectionTimeout                | The URL Connection Timeout (in milliseconds).                                                                                                                                                                                                                                                                                   | 10000                                            
- readtimeout                      | The URL Read Timeout (in milliseconds).                                                                                                                                                                                                                                                                                         | 60000                                            
- enableExperimental               | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used.                                                                                                                                                                                 | false                                            
- enableRetired                    | Enable the [retired analyzers](../analyzers/index.html). If not enabled the retired analyzers (see below) will not be loaded or used.                                                                                                                                                                                           | false                                            
- suppressionFile                  | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                           
- failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail.                                                                                                                                                                                                                                                    | false                                            
- junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                | 0                                                
+| Property                         | Description                                                                                                                                                                                                                                                                                                                           | Default Value                                    |
+|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|
+| autoUpdate                       | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                    | true                                             |
+| failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                      | 11                                               |
+| junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                      | 0                                                |
+| prettyPrint                      | Whether the XML and JSON formatted reports should be pretty printed.                                                                                                                                                                                                                                                                  | false                                            |
+| projectName                      | The name of the project being scanned.                                                                                                                                                                                                                                                                                                | Dependency-Check                                 |
+| reportFormat                     | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                         | HTML                                             |
+| reportOutputDirectory            | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build                                                                                                                                                                                                                    | 'target'                                         |
+| hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                       | &nbsp;                                           |
+| dataDirectory                    | Data directory that is used to store the local caches and NVD CVE database                                                                                                                                                                                                                                                            | `<folder-of-dependency-check-ant.jar>/data/11.0` |
+| failOnError                      | Whether the build should fail if there is an error executing the dependency-check analysis                                                                                                                                                                                                                                            | true                                             |
+| proxyServer                      | The Proxy Server; see the [proxy configuration](../data/proxy.html) page for more information.                                                                                                                                                                                                                                        | &nbsp;                                           |
+| proxyPort                        | The Proxy Port.                                                                                                                                                                                                                                                                                                                       | &nbsp;                                           |
+| proxyUsername                    | Defines the proxy user name.                                                                                                                                                                                                                                                                                                          | &nbsp;                                           |
+| proxyPassword                    | Defines the proxy password.                                                                                                                                                                                                                                                                                                           | &nbsp;                                           |
+| nonProxyHosts                    | Defines the hosts that will not be proxied.                                                                                                                                                                                                                                                                                           | &nbsp;                                           |
+| connectionTimeout                | The URL Connection Timeout (in milliseconds).                                                                                                                                                                                                                                                                                         | 10000                                            |
+| readtimeout                      | The URL Read Timeout (in milliseconds).                                                                                                                                                                                                                                                                                               | 60000                                            |
+| enableExperimental               | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used.                                                                                                                                                                                       | false                                            |
+| enableRetired                    | Enable the [retired analyzers](../analyzers/index.html). If not enabled the retired analyzers (see below) will not be loaded or used.                                                                                                                                                                                                 | false                                            |
+| suppressionFile                  | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                           |
+| failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail.                                                                                                                                                                                                                                                          | false                                            |
+| junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                      | 0                                                |
 
 The following nested elements can be set on the dependency-check task.
 
- Element         | Property | Description                                                                                                                                                                                                                                                                                                                                                              | Default Value 
------------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------
- suppressionFile | path     | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). Element can be specified multiple times. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;        | &nbsp;
- reportFormat    | format   | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Element can be specified multiple times.                                                                                                                                                                                                                                   | &nbsp;        
+| Element         | Property | Description                                                                                                                                                                                                                                                                                                                                                                    | Default Value |
+|-----------------|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
+| suppressionFile | path     | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). Element can be specified multiple times. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;        | &nbsp;
+| reportFormat    | format   | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Element can be specified multiple times.                                                                                                                                                                                                                                         | &nbsp;        |
 
 Analyzer Configuration
 ====================
@@ -74,115 +74,115 @@ Note, that specific analyzers will automatically disable themselves if no file
 types that they support are detected - so specifically disabling them may not
 be needed.
 
- Property                               | Description                                                                                                                                                                                                                                                                                                                                    | Default Value                                                                       
-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------
- archiveAnalyzerEnabled                 | Sets whether the Archive Analyzer will be used.                                                                                                                                                                                                                                                                                                | true                                                                                
- zipExtensions                          | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                                                                                                                                                                               | &nbsp;                                                                              
- jarAnalyzer                            | Sets whether the Jar Analyzer will be used.                                                                                                                                                                                                                                                                                                    | true                                                                                
- centralAnalyzerEnabled                 | Sets whether the Central Analyzer will be used. **Disabling this analyzer for Ant builds is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true                                                                                
- centralAnalyzerUseCache                | Sets whether the Central Analyer will cache results. Cached results expire after 30 days.                                                                                                                                                                                                                                                      | true                                                                                
- dartAnalyzerEnabled                    | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                                                                                                                                                                                           | true                                                                                
- knownExploitedEnabled                  | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                                                                                                                                                                | true                                                                                
- knownExploitedUrl                      | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                                                                           | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json 
- ossIndexAnalyzerEnabled                | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection.                                                                                                                                                                                                    | true                                                                                
- ossindexAnalyzerUseCache               | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours.                                                                                                                                                                                                                                                  | true                                                                                
- ossindexAnalyzerUsername               | Sets the username for OSS Index - note an account with OSS Index is not required.                                                                                                                                                                                                                                                              | &nbsp;                                                                              
- ossindexAnalyzerPassword               | Sets the password for OSS Index.                                                                                                                                                                                                                                                                                                               | &nbsp;                                                                              
- ossIndexAnalyzerWarnOnlyOnRemoteErrors | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely.                                                                                                                                                                                                                                              | &nbsp;                                                                              
- nexusAnalyzerEnabled                   | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.                                                                                                                                                   | true                                                                                
- nexusUrl                               | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled.                                                                                                                                                                                                | &nbsp;                                                                              
- nexusUser                              | The username to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                                | &nbsp;                                                                              
- nexusPassword                          | The password to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                                | &nbsp;                                                                              
- nexusUsesProxy                         | Whether the defined proxy should be used when connecting to Nexus.                                                                                                                                                                                                                                                                             | true                                                                                
- artifactoryAnalyzerEnabled             | Sets whether Artifactory analyzer will be used                                                                                                                                                                                                                                                                                                 | false                                                                               
- artifactoryAnalyzerUrl                 | The Artifactory server URL.                                                                                                                                                                                                                                                                                                                    |  &nbsp;                                                                             
- artifactoryAnalyzerUseProxy            | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                                                                                                                                                                 | false                                                                               
- artifactoryAnalyzerParallelAnalysis    | Whether the Artifactory analyzer should be run in parallel or not                                                                                                                                                                                                                                                                              |  true                                                                               
- artifactoryAnalyzerUsername            | The user name (only used with API token) to connect to Artifactory instance                                                                                                                                                                                                                                                                    | &nbsp;                                                                              
- artifactoryAnalyzerApiToken            | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken                                                                                                                                           | &nbsp;                                                                              
- artifactoryAnalyzerBearerToken         | The bearer token to connect to Artifactory instance                                                                                                                                                                                                                                                                                            | &nbsp;                                                                              
- pyDistributionAnalyzerEnabled          | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                                                                                  | true                                                                                
- pyPackageAnalyzerEnabled               | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                                                                                       | true                                                                                
- rubygemsAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                                                                                         | true                                                                                
- opensslAnalyzerEnabled                 | Sets whether the openssl Analyzer should be used.                                                                                                                                                                                                                                                                                              | true                                                                                
- cmakeAnalyzerEnabled                   | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                              | true                                                                                
- autoconfAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                           | true                                                                                
- pipAnalyzerEnabled                     | Sets whether the [experimental](../analyzers/index.html) pip Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                                | true                                                                                
- pipfileAnalyzerEnabled                 | Sets whether the [experimental](../analyzers/index.html) Pipfile Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                            | true                                                                                
- poetryAnalyzerEnabled                  | Sets whether the [experimental](../analyzers/index.html) Poetry Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                             | true                                                                                
- composerAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                             | true                                                                                
- composerAnalyzerSkipDev                | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev"                                                                                                                                                                                                                            | false                                                                               
- cpanfileAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                     | true                                                                                
- nodeAnalyzerEnabled                    | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used.                                                                                                                                                                                                                                                           | true                                                                                
- nodeAuditAnalyzerEnabled               | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection.                                                                                                                                                                                                                                            | true                                                                                
- nodeAuditAnalyzerUseCache              | Sets whether the Node Audit Analyzer will cache results. Cached results expire after 24 hours.                                                                                                                                                                                                                                                 | true                                                                                
- nodeAuditSkipDevDependencies           | Sets whether the Node Audit Analyzer will skip devDependencies.                                                                                                                                                                                                                                                                                | false                                                                               
- nodePackageSkipDevDependencies         | Sets whether the Node Package Analyzer will skip devDependencies.                                                                                                                                                                                                                                                                              | false                                                                               
- yarnAuditAnalyzerEnabled               | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection. Use `nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                                                                                      | true                                                                                
- pnpmAuditAnalyzerEnabled               | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires pnpm and an internet connection. Use `nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                                                                                      | true                                                                                
- pathToYarn                             | The path to `yarn`.                                                                                                                                                                                                                                                                                                                            | &nbsp;                                                                              
- pathToPnpm                             | The path to `pnpm`.                                                                                                                                                                                                                                                                                                                            | &nbsp;                                                                              
- retireJsAnalyzerEnabled                | Sets whether the RetireJS Analyzer update and analyzer are enabled.                                                                                                                                                                                                                                                                            | true                                                                                
- retirejsFilterNonVulnerable            | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report.                                                                                                                                                                                                                                                     | false                                                                               
- retirejsFilter                         | A nested configuration that can be specified multple times; The regex defined is used to filter JS files based on content.                                                                                                                                                                                                                     | &nbsp;                                                                              
- nuspecAnalyzerEnabled                  | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                                                                                                                                                                      | true                                                                                
- nugetconfAnalyzerEnabled               | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                                                                           | true                                                                                
- libmanAnalyzerEnabled                  | Sets whether the Libman Analyzer will be used.                                                                                                                                                                                                                                                                                                 | true                                                                                
- cocoapodsAnalyzerEnabled               | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                          | true                                                                                
- carthageAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                           | true                                                                                
- mixAuditAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) Mix Audit Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                          | true                                                                                
- mixAuditPath                           | Sets the path to the mix_audit executable; only used if mix audit analyzer is enabled and experimental analyzers are enabled.                                                                                                                                                                                                                  | &nbsp;                                                                              
- bundleAuditAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                       | true                                                                                
- bundleAuditPath                        | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled.                                                                                                                                                                                                            | &nbsp;                                                                              
- swiftPackageManagerAnalyzerEnabled     | Sets whether the [experimental](../analyzers/index.html) Swift Package Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                      | true                                                                                
- swiftPackageResolvedAnalyzerEnabled    | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                      | true                                                                                
- assemblyAnalyzerEnabled                | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                                                                                                                                                                        | true                                                                                
- msbuildAnalyzerEnabled                 | Sets whether the MSBuild Analyzer should be used.                                                                                                                                                                                                                                                                                              | true                                                                                
- pathToCore                             | The path to dotnet core .NET assembly analysis on non-windows systems.                                                                                                                                                                                                                                                                         | &nbsp;                                                                              
- golangDepEnabled                       | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                  | true                                                                                
- golangModEnabled                       | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `enableExperimental` must be set to true.                                                                                                                                                                       | true                                                                                
- pathToGo                               | The path to `go`.                                                                                                                                                                                                                                                                                                                              | &nbsp;                                                                              
- versionCheckEnabled                    | Whether dependency-check should check if a new version of dependency-check-maven exists.                                                                                                                                                                                                                                                       | true                                                                                
+| Property                               | Description                                                                                                                                                                                                                                                                                                                                    | Default Value                                                                       |
+|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
+| archiveAnalyzerEnabled                 | Sets whether the Archive Analyzer will be used.                                                                                                                                                                                                                                                                                                | true                                                                                |
+| zipExtensions                          | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                                                                                                                                                                               | &nbsp;                                                                              |
+| jarAnalyzer                            | Sets whether the Jar Analyzer will be used.                                                                                                                                                                                                                                                                                                    | true                                                                                |
+| centralAnalyzerEnabled                 | Sets whether the Central Analyzer will be used. **Disabling this analyzer for Ant builds is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). | true                                                                                |
+| centralAnalyzerUseCache                | Sets whether the Central Analyer will cache results. Cached results expire after 30 days.                                                                                                                                                                                                                                                      | true                                                                                |
+| dartAnalyzerEnabled                    | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                                                                                                                                                                                           | true                                                                                |
+| knownExploitedEnabled                  | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                                                                                                                                                                | true                                                                                |
+| knownExploitedUrl                      | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                                                                           | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |
+| ossIndexAnalyzerEnabled                | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection.                                                                                                                                                                                                    | true                                                                                |
+| ossindexAnalyzerUseCache               | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours.                                                                                                                                                                                                                                                  | true                                                                                |
+| ossindexAnalyzerUsername               | Sets the username for OSS Index - note an account with OSS Index is not required.                                                                                                                                                                                                                                                              | &nbsp;                                                                              |
+| ossindexAnalyzerPassword               | Sets the password for OSS Index.                                                                                                                                                                                                                                                                                                               | &nbsp;                                                                              |
+| ossIndexAnalyzerWarnOnlyOnRemoteErrors | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely.                                                                                                                                                                                                                                              | &nbsp;                                                                              |
+| nexusAnalyzerEnabled                   | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.                                                                                                                                                   | true                                                                                |
+| nexusUrl                               | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled.                                                                                                                                                                                                | &nbsp;                                                                              |
+| nexusUser                              | The username to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                                | &nbsp;                                                                              |
+| nexusPassword                          | The password to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                                | &nbsp;                                                                              |
+| nexusUsesProxy                         | Whether the defined proxy should be used when connecting to Nexus.                                                                                                                                                                                                                                                                             | true                                                                                |
+| artifactoryAnalyzerEnabled             | Sets whether Artifactory analyzer will be used                                                                                                                                                                                                                                                                                                 | false                                                                               |
+| artifactoryAnalyzerUrl                 | The Artifactory server URL.                                                                                                                                                                                                                                                                                                                    | &nbsp;                                                                              |
+| artifactoryAnalyzerUseProxy            | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                                                                                                                                                                 | false                                                                               |
+| artifactoryAnalyzerParallelAnalysis    | Whether the Artifactory analyzer should be run in parallel or not                                                                                                                                                                                                                                                                              | true                                                                                |
+| artifactoryAnalyzerUsername            | The user name (only used with API token) to connect to Artifactory instance                                                                                                                                                                                                                                                                    | &nbsp;                                                                              |
+| artifactoryAnalyzerApiToken            | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken                                                                                                                                           | &nbsp;                                                                              |
+| artifactoryAnalyzerBearerToken         | The bearer token to connect to Artifactory instance                                                                                                                                                                                                                                                                                            | &nbsp;                                                                              |
+| pyDistributionAnalyzerEnabled          | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                                                                                  | true                                                                                |
+| pyPackageAnalyzerEnabled               | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                                                                                       | true                                                                                |
+| rubygemsAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                                                                                         | true                                                                                |
+| opensslAnalyzerEnabled                 | Sets whether the openssl Analyzer should be used.                                                                                                                                                                                                                                                                                              | true                                                                                |
+| cmakeAnalyzerEnabled                   | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                              | true                                                                                |
+| autoconfAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                           | true                                                                                |
+| pipAnalyzerEnabled                     | Sets whether the [experimental](../analyzers/index.html) pip Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                                | true                                                                                |
+| pipfileAnalyzerEnabled                 | Sets whether the [experimental](../analyzers/index.html) Pipfile Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                            | true                                                                                |
+| poetryAnalyzerEnabled                  | Sets whether the [experimental](../analyzers/index.html) Poetry Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                             | true                                                                                |
+| composerAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                             | true                                                                                |
+| composerAnalyzerSkipDev                | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev"                                                                                                                                                                                                                            | false                                                                               |
+| cpanfileAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                     | true                                                                                |
+| nodeAnalyzerEnabled                    | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used.                                                                                                                                                                                                                                                           | true                                                                                |
+| nodeAuditAnalyzerEnabled               | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection.                                                                                                                                                                                                                                            | true                                                                                |
+| nodeAuditAnalyzerUseCache              | Sets whether the Node Audit Analyzer will cache results. Cached results expire after 24 hours.                                                                                                                                                                                                                                                 | true                                                                                |
+| nodeAuditSkipDevDependencies           | Sets whether the Node Audit Analyzer will skip devDependencies.                                                                                                                                                                                                                                                                                | false                                                                               |
+| nodePackageSkipDevDependencies         | Sets whether the Node Package Analyzer will skip devDependencies.                                                                                                                                                                                                                                                                              | false                                                                               |
+| yarnAuditAnalyzerEnabled               | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection. Use `nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                                                                                      | true                                                                                |
+| pnpmAuditAnalyzerEnabled               | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires pnpm and an internet connection. Use `nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                                                                                      | true                                                                                |
+| pathToYarn                             | The path to `yarn`.                                                                                                                                                                                                                                                                                                                            | &nbsp;                                                                              |
+| pathToPnpm                             | The path to `pnpm`.                                                                                                                                                                                                                                                                                                                            | &nbsp;                                                                              |
+| retireJsAnalyzerEnabled                | Sets whether the RetireJS Analyzer update and analyzer are enabled.                                                                                                                                                                                                                                                                            | true                                                                                |
+| retirejsFilterNonVulnerable            | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report.                                                                                                                                                                                                                                                     | false                                                                               |
+| retirejsFilter                         | A nested configuration that can be specified multple times; The regex defined is used to filter JS files based on content.                                                                                                                                                                                                                     | &nbsp;                                                                              |
+| nuspecAnalyzerEnabled                  | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                                                                                                                                                                      | true                                                                                |
+| nugetconfAnalyzerEnabled               | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                                                                           | true                                                                                |
+| libmanAnalyzerEnabled                  | Sets whether the Libman Analyzer will be used.                                                                                                                                                                                                                                                                                                 | true                                                                                |
+| cocoapodsAnalyzerEnabled               | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                          | true                                                                                |
+| carthageAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                           | true                                                                                |
+| mixAuditAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) Mix Audit Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                          | true                                                                                |
+| mixAuditPath                           | Sets the path to the mix_audit executable; only used if mix audit analyzer is enabled and experimental analyzers are enabled.                                                                                                                                                                                                                  | &nbsp;                                                                              |
+| bundleAuditAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                       | true                                                                                |
+| bundleAuditPath                        | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled.                                                                                                                                                                                                            | &nbsp;                                                                              |
+| swiftPackageManagerAnalyzerEnabled     | Sets whether the [experimental](../analyzers/index.html) Swift Package Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                      | true                                                                                |
+| swiftPackageResolvedAnalyzerEnabled    | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                      | true                                                                                |
+| assemblyAnalyzerEnabled                | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                                                                                                                                                                        | true                                                                                |
+| msbuildAnalyzerEnabled                 | Sets whether the MSBuild Analyzer should be used.                                                                                                                                                                                                                                                                                              | true                                                                                |
+| pathToCore                             | The path to dotnet core .NET assembly analysis on non-windows systems.                                                                                                                                                                                                                                                                         | &nbsp;                                                                              |
+| golangDepEnabled                       | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                                                                  | true                                                                                |
+| golangModEnabled                       | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `enableExperimental` must be set to true.                                                                                                                                                                       | true                                                                                |
+| pathToGo                               | The path to `go`.                                                                                                                                                                                                                                                                                                                              | &nbsp;                                                                              |
+| versionCheckEnabled                    | Whether dependency-check should check if a new version of dependency-check-maven exists.                                                                                                                                                                                                                                                       | true                                                                                |
 
 Advanced Configuration
 ====================
 The following properties can be configured in the plugin. However, they are less frequently changed.
 
- Property                        | Description                                                                                                                                                                                                                        | Default Value                                                                          
----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------
- nvdApiKey                       | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                                                                                                | &nbsp;                                                                                 
- nvdApiEndpoint                  | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                                                                | https://services.nvd.nist.gov/rest/json/cves/2.0                                       
- nvdMaxRetryCount                | The maximum number of retry requests for a single call to the NVD API.                                                                                                                                                             | 10                                                                                     
- nvdApiDelay                     | The number of milliseconds to wait between calls to the NVD API.                                                                                                                                                                   | 3500 with an NVD API Key or 8000 without an API Key                                    
- nvdApiResultsPerPage            | The number records for a single page from NVD API (must be <=2000).                                                                                                                                                                | 2000                                                                                   
- nvdDatafeedUrl                  | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp;                                                                                 
- nvdUser                         | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                               | &nbsp;                                                                                 
- nvdPassword                     | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                               | &nbsp;                                                                                 
- nvdValidForHours                | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                                                                  | 4                                                                                      
- databaseDriverName              | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                                                       | &nbsp;                                                                                 
- databaseDriverPath              | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                                                                                             | &nbsp;                                                                                 
- connectionString                | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                                                                                       | &nbsp;                                                                                 
- databaseUser                    | The username used when connecting to the database.                                                                                                                                                                                 | &nbsp;                                                                                 
- databasePassword                | The password used when connecting to the database.                                                                                                                                                                                 | &nbsp;                                                                                 
- hostedSuppressionsEnabled       | Whether the hosted suppression file will be used.                                                                                                                                                                                  | true                                                                                   
- hostedSuppressionsUrl           | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                                                   | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml    
- hostedSuppressionsUser          | The user for a Basic-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                            | &nbsp;                                                                                 
- hostedSuppressionsPassword      | The password/token for a Basic-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                  | &nbsp;                                                                                 
- hostedSuppressionsBearerToken   | The bearer token for a Bearer-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                   | &nbsp;                                                                                 
- hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file                                                                                                                                   | 2                                                                                      
- hostedSuppressionsForceUpdate   | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings                                                                                                                  | false                                                                                  
- retireJsForceUpdate             | Sets whether the RetireJS repository should update regardless of the `autoupdate` setting.                                                                                                                                         | false                                                                                  
- retireJsUrl                     | The URL to a mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                                                        | https://raw.githubusercontent.com/Retirejs/retire.js/main/repository/jsrepository.json 
- retireJsUrlUser                 | The user for a Basic-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                                 | &nbsp;                                                                                 
- retireJsUrlPassword             | The password/token for a Basic-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                       | &nbsp;                                                                                 
- retireJsUrlBearerToken          | The bearer token for a Bearer-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                        | &nbsp;                                                                                 
- suppressionFileUser             | The user for Basic-auth-protected suppression files hosted on a webserver                                                                                                                                                          | &nbsp;                                                                                 
- suppressionFilePassword         | The password/token for Basic-auth-protected suppression files hosted on a webserver                                                                                                                                                | &nbsp;                                                                                 
- suppressionFileBearerToken      | The bearer token for Bearer-auth-protected suppression files hosted on a webserver                                                                                                                                                 | &nbsp;                                                                                 
- knownExploitedEnabled           | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                                                    | true                                                                                   
- knownExploitedUrl               | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                               | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json    
- knownExploitedUser              | The user for a Basic-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                                 | &nbsp;                                                                                 
- knownExploitedPassword          | The password/token for a Basic-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                       | &nbsp;                                                                                 
- knownExploitedBearerToken       | The bearer token for a Bearer-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                        | &nbsp;                                                                                 
- knownExploitedValidForHours     | Sets the number of hours to wait before checking for new updates of the CISA Known Exploited Vulnerabilities JSON data feed                                                                                                        | 24                                                                                     
+| Property                        | Description                                                                                                                                                                                                                          | Default Value                                                                             |
+|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| nvdApiKey                       | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                                                                                                  | &nbsp;                                                                                    |
+| nvdApiEndpoint                  | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                                                                  | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
+| nvdMaxRetryCount                | The maximum number of retry requests for a single call to the NVD API.                                                                                                                                                               | 10                                                                                        |
+| nvdApiDelay                     | The number of milliseconds to wait between calls to the NVD API.                                                                                                                                                                     | 3500 with an NVD API Key or 8000 without an API Key                                       |
+| nvdApiResultsPerPage            | The number records for a single page from NVD API (must be <=2000).                                                                                                                                                                  | 2000                                                                                      |
+| nvdDatafeedUrl                  | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp;                                                                                    |
+| nvdUser                         | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                                 | &nbsp;                                                                                    |
+| nvdPassword                     | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                                 | &nbsp;                                                                                    |
+| nvdValidForHours                | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                                                                    | 4                                                                                         |
+| databaseDriverName              | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                                                         | &nbsp;                                                                                    |
+| databaseDriverPath              | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                                                                                               | &nbsp;                                                                                    |
+| connectionString                | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                                                                                         | &nbsp;                                                                                    |
+| databaseUser                    | The username used when connecting to the database.                                                                                                                                                                                   | &nbsp;                                                                                    |
+| databasePassword                | The password used when connecting to the database.                                                                                                                                                                                   | &nbsp;                                                                                    |
+| hostedSuppressionsEnabled       | Whether the hosted suppression file will be used.                                                                                                                                                                                    | true                                                                                      |
+| hostedSuppressionsUrl           | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                                                     | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
+| hostedSuppressionsUser          | The user for a Basic-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                              | &nbsp;                                                                                    |
+| hostedSuppressionsPassword      | The password/token for a Basic-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                    | &nbsp;                                                                                    |
+| hostedSuppressionsBearerToken   | The bearer token for a Bearer-auth-protected mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                     | &nbsp;                                                                                    |
+| hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates of the hosted suppressions file                                                                                                                                     | 2                                                                                         |
+| hostedSuppressionsForceUpdate   | Sets whether the hosted suppressions file should update regardless of the `autoupdate` and validForHours settings                                                                                                                    | false                                                                                     |
+| retireJsForceUpdate             | Sets whether the RetireJS repository should update regardless of the `autoupdate` setting.                                                                                                                                           | false                                                                                     |
+| retireJsUrl                     | The URL to a mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                                                          | https://raw.githubusercontent.com/Retirejs/retire.js/main/repository/jsrepository.json    |
+| retireJsUrlUser                 | The user for a Basic-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                                   | &nbsp;                                                                                    |
+| retireJsUrlPassword             | The password/token for a Basic-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                         | &nbsp;                                                                                    |
+| retireJsUrlBearerToken          | The bearer token for a Bearer-auth-protected mirrored copy of the RetireJS repository for internet-constrained environments                                                                                                          | &nbsp;                                                                                    |
+| suppressionFileUser             | The user for Basic-auth-protected suppression files hosted on a webserver                                                                                                                                                            | &nbsp;                                                                                    |
+| suppressionFilePassword         | The password/token for Basic-auth-protected suppression files hosted on a webserver                                                                                                                                                  | &nbsp;                                                                                    |
+| suppressionFileBearerToken      | The bearer token for Bearer-auth-protected suppression files hosted on a webserver                                                                                                                                                   | &nbsp;                                                                                    |
+| knownExploitedEnabled           | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                                                      | true                                                                                      |
+| knownExploitedUrl               | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                 | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json       |
+| knownExploitedUser              | The user for a Basic-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                                   | &nbsp;                                                                                    |
+| knownExploitedPassword          | The password/token for a Basic-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                         | &nbsp;                                                                                    |
+| knownExploitedBearerToken       | The bearer token for a Bearer-auth-protected mirrored copy of the CISA Known Exploited Vulnerabilities JSON data feed for internet-constrained environments                                                                          | &nbsp;                                                                                    |
+| knownExploitedValidForHours     | Sets the number of hours to wait before checking for new updates of the CISA Known Exploited Vulnerabilities JSON data feed                                                                                                          | 24                                                                                        |
  
\ No newline at end of file
diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md
index 775cabdc490..782c7897d0a 100644
--- a/cli/src/site/markdown/arguments.md
+++ b/cli/src/site/markdown/arguments.md
@@ -3,142 +3,142 @@ Command Line Arguments
 
 The following table lists the command line arguments:
 
-| Short | Argument Name          | Parameter       | Description                            | Requirement |
-|-------|------------------------|-----------------|----------------------------------------|-------------|
-|       | \-\-project            | \<name\>        | The name of the project being scanned. | Optional    |
-| \-s   | \-\-scan               | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. 'directory/**/*.jar'); if using an Ant style path it is highly recommended that you use single quotes around the path so that the shell itself does not automatically perform replacements (see [issue #1812](https://github.com/dependency-check/DependencyCheck/issues/1812). | Required |
-|       | \-\-exclude            | \<pattern\>     | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**). | Optional |
-|       | \-\-symLink            | \<depth\>       | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed. | Optional |
-| \-o   | \-\-out                | \<path\>        | The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name. | Optional |
-| \-f   | \-\-format             | \<format\>      | The output format to write to (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Multiple formats can be specified by specifying the parameter multiple times. The default is HTML. | Required |
-|       | \-\-junitFailOnCVSS    | \<score\>       | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. The default is 0. | Optional |
-|       | \-\-prettyPrint        |                 | When specified the JSON and XML report formats will be pretty printed. | Optional |
-|       | \-\-failOnCVSS         | \<score\>       | If the score set between 0 and 10 the exit code from dependency-check will indicate if a vulnerability with a CVSS score equal to or higher was identified. | Optional |
-| \-l   | \-\-log                | \<file\>        | The file path to write verbose logging information. | Optional |
-| \-n   | \-\-noupdate           |                 | Disables the automatic updating of the NVD-CVE, hosted-suppressions and RetireJS data. | Optional |
-|       | \-\-suppression        | \<files\>       | The file paths to the suppression XML files; used to suppress [false positives](../general/suppression.html). This can be specified more than once to utilize multiple suppression files. The argument can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | Optional |
-| \-h   | \-\-help               |                 | Print the help message. | Optional |
-|       | \-\-advancedHelp       |                 | Print the advanced help message. | Optional |
-| \-v   | \-\-version            |                 | Print the version information. | Optional |
-|       | \-\-enableExperimental |                 | Enable the [experimental analyzers](../analyzers/index.html). If not set the analyzers marked as experimental below will not be loaded or used. | Optional |
-|       | \-\-enableRetired      |                 | Enable the [retired analyzers](../analyzers/index.html). If not set the analyzers marked as retired below will not be loaded or used. | Optional |
+| Short | Argument Name          | Parameter   | Description                                                                                                                                                                                                                                                                                                                                                                                                | Requirement |
+|-------|------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+|       | \-\-project            | \<name\>    | The name of the project being scanned.                                                                                                                                                                                                                                                                                                                                                                     | Optional    |
+| \-s   | \-\-scan               | \<path\>    | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. 'directory/**/*.jar'); if using an Ant style path it is highly recommended that you use single quotes around the path so that the shell itself does not automatically perform replacements (see [issue #1812](https://github.com/dependency-check/DependencyCheck/issues/1812).      | Required    |
+|       | \-\-exclude            | \<pattern\> | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**).                                                                                                                                                                                                                                                      | Optional    |
+|       | \-\-symLink            | \<depth\>   | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed.                                                                                                                                                                                                                                                                                              | Optional    |
+| \-o   | \-\-out                | \<path\>    | The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name.                                                                                                                                                                                                                                                            | Optional    |
+| \-f   | \-\-format             | \<format\>  | The output format to write to (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Multiple formats can be specified by specifying the parameter multiple times. The default is HTML.                                                                                                                                                                                                               | Required    |
+|       | \-\-junitFailOnCVSS    | \<score\>   | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. The default is 0.                                                                                                                                                                                                                                                                         | Optional    |
+|       | \-\-prettyPrint        |             | When specified the JSON and XML report formats will be pretty printed.                                                                                                                                                                                                                                                                                                                                     | Optional    |
+|       | \-\-failOnCVSS         | \<score\>   | If the score set between 0 and 10 the exit code from dependency-check will indicate if a vulnerability with a CVSS score equal to or higher was identified.                                                                                                                                                                                                                                                | Optional    |
+| \-l   | \-\-log                | \<file\>    | The file path to write verbose logging information.                                                                                                                                                                                                                                                                                                                                                        | Optional    |
+| \-n   | \-\-noupdate           |             | Disables the automatic updating of the NVD-CVE, hosted-suppressions and RetireJS data.                                                                                                                                                                                                                                                                                                                     | Optional    |
+|       | \-\-suppression        | \<files\>   | The file paths to the suppression XML files; used to suppress [false positives](../general/suppression.html). This can be specified more than once to utilize multiple suppression files. The argument can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | Optional    |
+| \-h   | \-\-help               |             | Print the help message.                                                                                                                                                                                                                                                                                                                                                                                    | Optional    |
+|       | \-\-advancedHelp       |             | Print the advanced help message.                                                                                                                                                                                                                                                                                                                                                                           | Optional    |
+| \-v   | \-\-version            |             | Print the version information.                                                                                                                                                                                                                                                                                                                                                                             | Optional    |
+|       | \-\-enableExperimental |             | Enable the [experimental analyzers](../analyzers/index.html). If not set the analyzers marked as experimental below will not be loaded or used.                                                                                                                                                                                                                                                            | Optional    |
+|       | \-\-enableRetired      |             | Enable the [retired analyzers](../analyzers/index.html). If not set the analyzers marked as retired below will not be loaded or used.                                                                                                                                                                                                                                                                      | Optional    |
 
 Advanced Options
 ================
-| Short | Argument Name                         | Parameter       | Description                                                                                                                                                                                                                                                                                                                        | Default Value |
-|-------|---------------------------------------|-----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
-|       | \-\-nvdApiKey                         | \<apiKey\>      | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                                                                                                                                                                                                | &nbsp;        |
-|       | \-\-nvdApiEndpoint                    | \<endpoint\>    | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                                                                                                                                                                | https://services.nvd.nist.gov/rest/json/cves/2.0 |
-|       | \-\-nvdMaxRetryCount                  | \<count\>       | The maximum number of retry requests for a single call to the NVD API.                                                                                                                                                                                                                                                             | 10            |
-|       | \-\-nvdApiDelay                       | \<milliseconds\>| The number of milliseconds to wait between calls to the NVD API.                                                                                                                                                                                                                                                                   | 3500 with an NVD API Key or 8000 without an API Key |
-|       | \-\-nvdApiResultsPerPage              | \<number\>      | The number records for a single page from NVD API (must be <=2000).                                                                                                                                                                                                                                                                | 2000 |
-|       | \-\-nvdDatafeed                       | \<url\>         | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz`                                                                                                 | &nbsp; |
-|       | \-\-nvdUser                           | \<username\>    | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                                                                                                                               | &nbsp;        |
-|       | \-\-nvdPassword                       | \<password\>    | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                                                                                                                               | &nbsp;        |
-|       | \-\-nvdBearerToken                    | \<Token\>       | Credentials used for bearer authentication for the NVD API Data feed.                                                                                                                                                                                                                                                              | &nbsp;        |
-|       | \-\-nvdValidForHours                  | \<hours\>       | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                                                                                                                                                                  | 4             |
-|       | \-\-hints                             | \<file\>        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                    | &nbsp;        |
-| \-P   | \-\-propertyfile                      | \<file\>        | Specifies a file that contains properties to use instead of application defaults. The key values used in the properties file are not the same as the arguments listed on this page; use the keys here: https://github.com/dependency-check/DependencyCheck/blob/main/core/src/main/resources/dependencycheck.properties            | &nbsp; |
-|       | \-\-updateonly                        |                 | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated.                                                                                                                                                                                                       | &nbsp;        |
-|       | \-\-disableKnownExploited             |                 | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                                                                                                                                                    | &nbsp;        |
-|       | \-\-kevURL                            | \<url\>         | URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                                                                    | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |
-|       | \-\-kevUser                           | \<user\>        | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                             | &nbsp;        |
-|       | \-\-kevPassword                       | \<password\>    | Credentials used for basic authentication for URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                      | &nbsp;        |
-|       | \-\-kevBearerToken                    | \<token\>       | Credentials used for bearer authentication for URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                     | &nbsp;        |
-|       | \-\-disableFileName                   |                 | Disables the File Name Analyzer; in generally, this should not be disabled.                                                                                                                                                                                                                                                        | &nbsp;        |
-|       | \-\-disablePyDist                     |                 | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used.                                                                                                                                                                                                                                | &nbsp;        |
-|       | \-\-disablePyPkg                      |                 | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used.                                                                                                                                                                                                                                     | &nbsp;        |
-|       | \-\-disableMSBuild                    |                 | Sets whether the MS Build Project Analyzer will be used.                                                                                                                                                                                                                                                                           | &nbsp;        |
-|       | \-\-disableNodeJS                     |                 | Sets whether the Node.js Package Analyzer will be used.                                                                                                                                                                                                                                                                            | &nbsp;        |
-|       | \-\-disableYarnAudit                  |                 | Sets whether the yarn Audit Analyzer will be used. This analyzer requires an internet connection and that yarn is installed.   Use `--nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                                                      | &nbsp;        |
-|       | \-\-yarn                              | \<path\>        | The path to `yarn`.                                                                                                                                                                                                                                                                                                                | &nbsp;        |
-|       | \-\-disablePnpmAudit                  |                 | Sets whether the pnpm Audit Analyzer will be used. This analyzer requires an internet connection and that pnpm is installed.   Use `--nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                                                      | &nbsp;        |
-|       | \-\-pnpm                              | \<path\>        | The path to `pnpm`.                                                                                                                                                                                                                                                                                                                | &nbsp;        |
-|       | \-\-disableNodeAudit                  |                 | Sets whether the Node Audit Analyzer will be used. This analyzer requires an internet connection.                                                                                                                                                                                                                                  | &nbsp;        |
-|       | \-\-disableNodeAuditCache             |                 | When the argument is present the Node Audit Analyzer will not cache results. By default the results are cached for 24 hours.                                                                                                                                                                                                       | &nbsp;        |
-|       | \-\-nodeAuditSkipDevDependencies      |                 | Configures the Node Audit Analyzer to skip devDependencies.                                                                                                                                                                                                                                                                        | &nbsp;        |
-|       | \-\-nodePackageSkipDevDependencies    |                 | Configures the Node Package Analyzer to skip devDependencies.                                                                                                                                                                                                                                                                      | &nbsp;        |
-|       | \-\-disableRetireJS                   |                 | Sets whether the RetireJS Analyzer will be used.                                                                                                                                                                                                                                                                                   | &nbsp;        |
-|       | \-\-retireJsForceUpdate               |                 | Sets whether the RetireJS Analyzer will update regardless of the `noupdate` argument.                                                                                                                                                                                                                                              | false         |
-|       | \-\-retireJsUrl                       | \<url\>         | The URL to the Retire JS repository.                                                                                                                                                                                                                                                                                               | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
-|       | \-\-retirejsFilter                    | \<pattern\>     | The RetireJS Analyzers content filter used to exclude JS files when the content contains the given regular expression; this option can be specified multiple times.                                                                                                                                                                | &nbsp;        |
-|       | \-\-retirejsFilterNonVulnerable       |                 | Specifies that the Retire JS Analyzer should filter out non-vulnerable JS files from the report.                                                                                                                                                                                                                                   | &nbsp;        |
-|       | \-\-retireJsUrlUser                   | \<username\>    | Credentials used for basic authentication for the RetireJS data.                                                                                                                                                                                                                                                                   | &nbsp;        |
-|       | \-\-retirejsUrlPassword               | \<password\>    | Credentials used for basic authentication for the RetireJS data.                                                                                                                                                                                                                                                                   | &nbsp;        |
-|       | \-\-retirejsUrlBearerToken            | \<token\>       | Credentials used for bearer authentication for the RetireJS data.                                                                                                                                                                                                                                                                  | &nbsp;        |
-|       | \-\-disableRubygems                   |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.                                                                                                                                                                                                                                       | &nbsp;        |
-|       | \-\-disableBundleAudit                |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used.                                                                                                                                                                                                                                 | &nbsp;        |
-|       | \-\-disableCocoapodsAnalyzer          |                 | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used.                                                                                                                                                                                                                                          | &nbsp;        |
-|       | \-\-disableCarthageAnalyzer           |                 | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer will be used.                                                                                                                                                                                                                                           | &nbsp;        |
-|       | \-\-disableSwiftPackageManagerAnalyzer |                 | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer will be used.                                                                                                                                                                                                                              | &nbsp;        |
-|       | \-\-disableSwiftPackageResolvedAnalyzer|                 | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer will be used.                                                                                                                                                                                                                             | &nbsp;        |
-|       | \-\-disableAutoconf                   |                 | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used.                                                                                                                                                                                                                                           | &nbsp;        |
-|       | \-\-disableOpenSSL                    |                 | Sets whether the OpenSSL Analyzer will be used.                                                                                                                                                                                                                                                                                    | &nbsp;        |
-|       | \-\-disableCmake                      |                 | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled.                                                                                                                                                                                                                                          | &nbsp;        |
-|       | \-\-disableArchive                    |                 | Sets whether the Archive Analyzer will be disabled.                                                                                                                                                                                                                                                                                | &nbsp;        |
-|       | \-\-zipExtensions                     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                                                                                                                                                                   | &nbsp;        |
-|       | \-\-disableJar                        |                 | Sets whether the Jar Analyzer will be disabled.                                                                                                                                                                                                                                                                                    | &nbsp;        |
-|       | \-\-disableComposer                   |                 | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer will be disabled.                                                                                                                                                                                                                         | &nbsp;        |
-|       | \-\-composerSkipDev                   |                 | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                                                                                                                                                                               | &nbsp;        |
-|       | \-\-disableCpan                       |                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer will be disabled.                                                                                                                                                                                                                                 | &nbsp;        |
-|       | \-\-disableDart                       |                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be disabled.                                                                                                                                                                                                                                           | &nbsp;        |
-|       | \-\-disableOssIndex                   |                 | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be disabled. This analyzer requires an internet connection.                                                                                                                                                                                       | &nbsp;        |
-|       | \-\-disableOssIndexCache              |                 | When the argument is present the OSS Index Analyzer will not cache results. By default results are cached for 24 hours.                                                                                                                                                                                                            | &nbsp;        |
-|       | \-\-ossIndexUsername                  | \<username\>    | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none.                                                                                                                                   | &nbsp;        |
-|       | \-\-ossIndexPassword                  | \<password\>    | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none.                                                                                                                                                                                                            | &nbsp;        |
-|       | \-\-ossIndexRemoteErrorWarnOnly       | \<true\|false\> | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely.                                                                                                                                                                                                                                  | &nbsp;        |
-|       | \-\-ossIndexUrl                       | \<url\>         | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used.                                                                                                                                                                                                                                          | https://ossindex.sonatype.org |
-|       | \-\-disableCentral                    |                 | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Artifactory or Nexus Analyzer. | &nbsp; |
-|       | \-\-disableCentralCache               |                 | When the argument is present the Central Analyzer will not cache results locally. By default results are cached locally for 30 days.                                                                                                                                                                                               | &nbsp;        |
-|       | \-\-centralUrl                        |                 | Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used.                                                                                                                                                                                                                               | https://search.maven.org/solrsearch/select |
-|       | \-\-centralUsername                   | \<username\>    | The username to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                     | &nbsp;        |
-|       | \-\-centralPassword                   | \<password\>    | The password to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                     | &nbsp;        |
-|       | \-\-centralBearerToken                | \<token\>       | The token to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                        | &nbsp;        |
-|       | \-\-enableNexus                       |                 | Sets whether the Nexus Analyzer will be used (requires Nexus v2 or Pro v3). You can configure the Nexus URL to utilize an internally hosted Nexus server.                                                                                                                                                                          | &nbsp;        |
-|       | \-\-enableArtifactory                 |                 | Sets whether Artifactory analyzer will be used                                                                                                                                                                                                                                                                                     | &nbsp;        |
-|       | \-\-artifactoryUrl                    | \<url\>         | The Artifactory server URL.                                                                                                                                                                                                                                                                                                        | &nbsp;        |
-|       | \-\-artifactoryUseProxy               | \<true\|false\> | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                                                                                                                                                     | false         |
-|       | \-\-artifactoryParallelAnalysis       | \<true\|false\> | Whether the Artifactory analyzer should be run in parallel or not                                                                                                                                                                                                                                                                  | true          |
-|       | \-\-artifactoryUsername               | \<username\>    | The user name (only used with API token) to connect to Artifactory instance                                                                                                                                                                                                                                                        | &nbsp;        |
-|       | \-\-artifactoryApiToken               | \<token\>       | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId, artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken.                                                                                                                             | &nbsp;        |
-|       | \-\-artifactoryBearerToken            | \<token\>       | The bearer token to connect to Artifactory instance                                                                                                                                                                                                                                                                                | &nbsp;        |
-|       | \-\-nexus                             | \<url\>         | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled.                                                                                                                                                                      | &nbsp;        |
-|       | \-\-nexusUser                         | \<username\>    | The username to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                        | &nbsp;        |
-|       | \-\-nexusPass                         | \<password\>    | The password to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                        | &nbsp;        |
-|       | \-\-nexusUsesProxy                    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                                                                                                                                                          | true          |
-|       | \-\-disableNuspec                     |                 | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                                                                                                                                                          | &nbsp;        |
-|       | \-\-disableNugetconf                  |                 | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used.                                                                                                                                                                                                                         | &nbsp;        |
-|       | \-\-disableAssembly                   |                 | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                                                                                                                                                            | &nbsp;        |
-|       | \-\-dotnet                            | \<path\>        | The path to dotnet core for .NET Assembly analysis on non-windows systems.                                                                                                                                                                                                                                                         | &nbsp;        |
-|       | \-\-disableGolangDep                  |                 | Sets whether the [experimental](../analyzers/index.html) Go Dependency Analyzer should be used.                                                                                                                                                                                                                                    | &nbsp;        |
-|       | \-\-disableGolangMod                  |                 | Sets whether the [experimental](../analyzers/index.html) Go Mod Analyzer should be used.                                                                                                                                                                                                                                           | &nbsp;        |
-|       | \-\-disableMixAudit                   |                 | Sets whether the [experimental](../analyzers/index.html) Elixir mix audit Analyze should be used.                                                                                                                                                                                                                                  | &nbsp;        |
-|       | \-\-disablePoetry                     |                 | Sets whether the [experimental](../analyzers/index.html) Poetry Analyzer should be used.                                                                                                                                                                                                                                           | &nbsp;        |
-|       | \-\-disableVersionCheck               |                 | Sets whether dependency-check should check if a new version is available.                                                                                                                                                                                                                                                          | &nbsp;        |
-|       | \-\-go                                | \<path\>        | The path to `go` executable for the Go Mode Analyzer; only necessary if `go` is not on the path.                                                                                                                                                                                                                                   | &nbsp;        |
-|       | \-\-bundleAudit                       |                 | The path to the bundle-audit executable.                                                                                                                                                                                                                                                                                           | &nbsp;        |
-|       | \-\-bundleAuditWorkingDirectory       | \<path\>        | The path to working directory that the bundle-audit command should be executed from when doing Gem bundle analysis.                                                                                                                                                                                                                | &nbsp;        |
-|       | \-\-proxyserver                       | \<server\>      | The proxy server to use when downloading resources; see the [proxy configuration](../data/proxy.html) page for more information.                                                                                                                                                                                                   | &nbsp;        |
-|       | \-\-proxyport                         | \<port\>        | The proxy port to use when downloading resources.                                                                                                                                                                                                                                                                                  | &nbsp;        |
-|       | \-\-nonProxyHosts                     | \<list\>        | The proxy exclusion list: hostnames (or patterns) for which proxy should not be used. Use pipe, comma or colon as list separator. Example: `something.com\|*.something.com\|www.somethingelse.*`                                                                                                                                   | &nbsp;        |
-| \-c   | \-\-connectiontimeout                 | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources.                                                                                                                                                                                                                                                        | 10000         |
-|       | \-\-readtimeout                       | \<timeout\>     | The read timeout (in milliseconds) to use when downloading resources.                                                                                                                                                                                                                                                              | 60000         |
-|       | \-\-proxypass                         | \<pass\>        | The proxy password to use when downloading resources.                                                                                                                                                                                                                                                                              | &nbsp;        |
-|       | \-\-proxyuser                         | \<user\>        | The proxy username to use when downloading resources.                                                                                                                                                                                                                                                                              | &nbsp;        |
-|       | \-\-connectionString                  | \<connStr\>     | The connection string to the database. See using a [database server](../data/database.html).                                                                                                                                                                                                                                       | &nbsp;        |
-|       | \-\-dbDriverName                      | \<driver\>      | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                                                                                                                                                       | &nbsp;        |
-|       | \-\-dbDriverPath                      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path.                                                                                                                                                                                                                   | &nbsp;        |
-|       | \-\-dbPassword                        | \<password\>    | The password for connecting to the database.                                                                                                                                                                                                                                                                                       | &nbsp;        |
-|       | \-\-dbUser                            | \<user\>        | The username used to connect to the database.                                                                                                                                                                                                                                                                                      | &nbsp;        |
-| \-d   | \-\-data                              | \<path\>        | The location of the data directory used to store persistent data.                                                                                                                                                                                                                                                                  | /usr/local/var/dependencycheck if installed through brew (→ [formula](https://github.com/Homebrew/homebrew-core/blob/master/Formula/d/dependency-check.rb#L29)). Otherwise, the data directory is created inside the install directory i.e. as a sibling to the `<install-dir>/bin`, `<install-dir>/lib` directories.       |
-|       | \-\-purge                             |                 | Delete the local copy of the NVD. This is used to force a refresh of the data.                                                                                                                                                                                                                                                     | &nbsp;        |
-|       | \-\-disableHostedSuppressions         |                 | Whether the usage of the hosted suppressions file will be disabled.                                                                                                                                                                                                                                                                | false         |
-|       | \-\-hostedSuppressionsForceUpdate     |                 | Whether the hosted suppressions file will update regardless of the `noupdate` argument.                                                                                                                                                                                                                                            | false         |
-|       | \-\-hostedSuppressionsValidForHours   | \<hours\>       | The number of hours to wait before checking for new updates of the hosted suppressions file                                                                                                                                                                                                                                        | 2             |
-|       | \-\-hostedSuppressionsUrl             | \<url\>         | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                                                                                                                                                   | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
-|       | \-\-hostedSuppressionsUser            | \<user\>        | The user for basic authentication to a mirrored copy of the hosted suppressions file                                                                                                                                                                                                                                               | &nbsp;        |
-|       | \-\-hostedSuppressionsPassword        | \<password\>    | The password for basic authentication to a mirrored copy of the hosted suppressions file                                                                                                                                                                                                                                           | &nbsp;        |
-|       | \-\-hostedSuppressionsBearerToken     | \<token\>       | The token for bearer authentication to a mirrored copy of the hosted suppressions file                                                                                                                                                                                                                                             | &nbsp;        |
-|       | \-\-suppressionUser                   | \<user\>        | The user for basic authentication to web-hosted suppression XML files (as configured with `--suppression`)                                                                                                                                                                                                                         | &nbsp;        |
-|       | \-\-suppressionPassword               | \<password\>    | The password for basic authentication to web-hosted suppression XML files (as configured with `--suppression`)                                                                                                                                                                                                                     | &nbsp;        |
-|       | \-\-suppressionBearerToken            | \<token\>       | The token for bearer authentication to web-hosted suppression XML files (as configured with `--suppression`)                                                                                                                                                                                                                       | &nbsp;        |
+| Short | Argument Name                           | Parameter        | Description                                                                                                                                                                                                                                                                                                                        | Default Value                                                                                                                                                                                                                                                                                                         |
+|-------|-----------------------------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|       | \-\-nvdApiKey                           | \<apiKey\>       | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                                                                                                                                                                                                | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nvdApiEndpoint                      | \<endpoint\>     | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                                                                                                                                                                | https://services.nvd.nist.gov/rest/json/cves/2.0                                                                                                                                                                                                                                                                      |
+|       | \-\-nvdMaxRetryCount                    | \<count\>        | The maximum number of retry requests for a single call to the NVD API.                                                                                                                                                                                                                                                             | 10                                                                                                                                                                                                                                                                                                                    |
+|       | \-\-nvdApiDelay                         | \<milliseconds\> | The number of milliseconds to wait between calls to the NVD API.                                                                                                                                                                                                                                                                   | 3500 with an NVD API Key or 8000 without an API Key                                                                                                                                                                                                                                                                   |
+|       | \-\-nvdApiResultsPerPage                | \<number\>       | The number records for a single page from NVD API (must be <=2000).                                                                                                                                                                                                                                                                | 2000                                                                                                                                                                                                                                                                                                                  |
+|       | \-\-nvdDatafeed                         | \<url\>          | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz`                                                                                               | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nvdUser                             | \<username\>     | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                                                                                                                               | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nvdPassword                         | \<password\>     | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                                                                                                                                                               | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nvdBearerToken                      | \<Token\>        | Credentials used for bearer authentication for the NVD API Data feed.                                                                                                                                                                                                                                                              | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nvdValidForHours                    | \<hours\>        | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                                                                                                                                                                  | 4                                                                                                                                                                                                                                                                                                                     |
+|       | \-\-hints                               | \<file\>         | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                    | &nbsp;                                                                                                                                                                                                                                                                                                                |
+| \-P   | \-\-propertyfile                        | \<file\>         | Specifies a file that contains properties to use instead of application defaults. The key values used in the properties file are not the same as the arguments listed on this page; use the keys here: https://github.com/dependency-check/DependencyCheck/blob/main/core/src/main/resources/dependencycheck.properties            | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-updateonly                          |                  | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated.                                                                                                                                                                                                       | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableKnownExploited               |                  | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                                                                                                                                                    | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-kevURL                              | \<url\>          | URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                                                                    | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json                                                                                                                                                                                                                                   |
+|       | \-\-kevUser                             | \<user\>         | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                             | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-kevPassword                         | \<password\>     | Credentials used for basic authentication for URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                      | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-kevBearerToken                      | \<token\>        | Credentials used for bearer authentication for URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableFileName                     |                  | Disables the File Name Analyzer; in generally, this should not be disabled.                                                                                                                                                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disablePyDist                       |                  | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used.                                                                                                                                                                                                                                | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disablePyPkg                        |                  | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used.                                                                                                                                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableMSBuild                      |                  | Sets whether the MS Build Project Analyzer will be used.                                                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableNodeJS                       |                  | Sets whether the Node.js Package Analyzer will be used.                                                                                                                                                                                                                                                                            | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableYarnAudit                    |                  | Sets whether the yarn Audit Analyzer will be used. This analyzer requires an internet connection and that yarn is installed.   Use `--nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                                                      | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-yarn                                | \<path\>         | The path to `yarn`.                                                                                                                                                                                                                                                                                                                | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disablePnpmAudit                    |                  | Sets whether the pnpm Audit Analyzer will be used. This analyzer requires an internet connection and that pnpm is installed.   Use `--nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                                                      | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-pnpm                                | \<path\>         | The path to `pnpm`.                                                                                                                                                                                                                                                                                                                | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableNodeAudit                    |                  | Sets whether the Node Audit Analyzer will be used. This analyzer requires an internet connection.                                                                                                                                                                                                                                  | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableNodeAuditCache               |                  | When the argument is present the Node Audit Analyzer will not cache results. By default the results are cached for 24 hours.                                                                                                                                                                                                       | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nodeAuditSkipDevDependencies        |                  | Configures the Node Audit Analyzer to skip devDependencies.                                                                                                                                                                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nodePackageSkipDevDependencies      |                  | Configures the Node Package Analyzer to skip devDependencies.                                                                                                                                                                                                                                                                      | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableRetireJS                     |                  | Sets whether the RetireJS Analyzer will be used.                                                                                                                                                                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-retireJsForceUpdate                 |                  | Sets whether the RetireJS Analyzer will update regardless of the `noupdate` argument.                                                                                                                                                                                                                                              | false                                                                                                                                                                                                                                                                                                                 |
+|       | \-\-retireJsUrl                         | \<url\>          | The URL to the Retire JS repository.                                                                                                                                                                                                                                                                                               | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json                                                                                                                                                                                                                              |
+|       | \-\-retirejsFilter                      | \<pattern\>      | The RetireJS Analyzers content filter used to exclude JS files when the content contains the given regular expression; this option can be specified multiple times.                                                                                                                                                                | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-retirejsFilterNonVulnerable         |                  | Specifies that the Retire JS Analyzer should filter out non-vulnerable JS files from the report.                                                                                                                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-retireJsUrlUser                     | \<username\>     | Credentials used for basic authentication for the RetireJS data.                                                                                                                                                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-retirejsUrlPassword                 | \<password\>     | Credentials used for basic authentication for the RetireJS data.                                                                                                                                                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-retirejsUrlBearerToken              | \<token\>        | Credentials used for bearer authentication for the RetireJS data.                                                                                                                                                                                                                                                                  | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableRubygems                     |                  | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.                                                                                                                                                                                                                                       | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableBundleAudit                  |                  | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used.                                                                                                                                                                                                                                 | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableCocoapodsAnalyzer            |                  | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used.                                                                                                                                                                                                                                          | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableCarthageAnalyzer             |                  | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer will be used.                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableSwiftPackageManagerAnalyzer  |                  | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer will be used.                                                                                                                                                                                                                              | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableSwiftPackageResolvedAnalyzer |                  | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer will be used.                                                                                                                                                                                                                             | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableAutoconf                     |                  | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used.                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableOpenSSL                      |                  | Sets whether the OpenSSL Analyzer will be used.                                                                                                                                                                                                                                                                                    | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableCmake                        |                  | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled.                                                                                                                                                                                                                                          | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableArchive                      |                  | Sets whether the Archive Analyzer will be disabled.                                                                                                                                                                                                                                                                                | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-zipExtensions                       | \<strings\>      | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                                                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableJar                          |                  | Sets whether the Jar Analyzer will be disabled.                                                                                                                                                                                                                                                                                    | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableComposer                     |                  | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer will be disabled.                                                                                                                                                                                                                         | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-composerSkipDev                     |                  | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                                                                                                                                                                               | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableCpan                         |                  | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer will be disabled.                                                                                                                                                                                                                                 | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableDart                         |                  | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be disabled.                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableOssIndex                     |                  | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be disabled. This analyzer requires an internet connection.                                                                                                                                                                                       | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableOssIndexCache                |                  | When the argument is present the OSS Index Analyzer will not cache results. By default results are cached for 24 hours.                                                                                                                                                                                                            | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-ossIndexUsername                    | \<username\>     | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none.                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-ossIndexPassword                    | \<password\>     | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none.                                                                                                                                                                                                            | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-ossIndexRemoteErrorWarnOnly         | \<true\|false\>  | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely.                                                                                                                                                                                                                                  | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-ossIndexUrl                         | \<url\>          | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used.                                                                                                                                                                                                                                          | https://ossindex.sonatype.org                                                                                                                                                                                                                                                                                         |
+|       | \-\-disableCentral                      |                  | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Artifactory or Nexus Analyzer. | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableCentralCache                 |                  | When the argument is present the Central Analyzer will not cache results locally. By default results are cached locally for 30 days.                                                                                                                                                                                               | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-centralUrl                          |                  | Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used.                                                                                                                                                                                                                               | https://search.maven.org/solrsearch/select                                                                                                                                                                                                                                                                            |
+|       | \-\-centralUsername                     | \<username\>     | The username to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-centralPassword                     | \<password\>     | The password to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-centralBearerToken                  | \<token\>        | The token to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-enableNexus                         |                  | Sets whether the Nexus Analyzer will be used (requires Nexus v2 or Pro v3). You can configure the Nexus URL to utilize an internally hosted Nexus server.                                                                                                                                                                          | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-enableArtifactory                   |                  | Sets whether Artifactory analyzer will be used                                                                                                                                                                                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-artifactoryUrl                      | \<url\>          | The Artifactory server URL.                                                                                                                                                                                                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-artifactoryUseProxy                 | \<true\|false\>  | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                                                                                                                                                     | false                                                                                                                                                                                                                                                                                                                 |
+|       | \-\-artifactoryParallelAnalysis         | \<true\|false\>  | Whether the Artifactory analyzer should be run in parallel or not                                                                                                                                                                                                                                                                  | true                                                                                                                                                                                                                                                                                                                  |
+|       | \-\-artifactoryUsername                 | \<username\>     | The user name (only used with API token) to connect to Artifactory instance                                                                                                                                                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-artifactoryApiToken                 | \<token\>        | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId, artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken.                                                                                                                             | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-artifactoryBearerToken              | \<token\>        | The bearer token to connect to Artifactory instance                                                                                                                                                                                                                                                                                | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nexus                               | \<url\>          | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled.                                                                                                                                                                      | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nexusUser                           | \<username\>     | The username to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nexusPass                           | \<password\>     | The password to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nexusUsesProxy                      | \<true\|false\>  | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                                                                                                                                                          | true                                                                                                                                                                                                                                                                                                                  |
+|       | \-\-disableNuspec                       |                  | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                                                                                                                                                          | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableNugetconf                    |                  | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used.                                                                                                                                                                                                                         | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableAssembly                     |                  | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                                                                                                                                                            | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-dotnet                              | \<path\>         | The path to dotnet core for .NET Assembly analysis on non-windows systems.                                                                                                                                                                                                                                                         | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableGolangDep                    |                  | Sets whether the [experimental](../analyzers/index.html) Go Dependency Analyzer should be used.                                                                                                                                                                                                                                    | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableGolangMod                    |                  | Sets whether the [experimental](../analyzers/index.html) Go Mod Analyzer should be used.                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableMixAudit                     |                  | Sets whether the [experimental](../analyzers/index.html) Elixir mix audit Analyze should be used.                                                                                                                                                                                                                                  | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disablePoetry                       |                  | Sets whether the [experimental](../analyzers/index.html) Poetry Analyzer should be used.                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableVersionCheck                 |                  | Sets whether dependency-check should check if a new version is available.                                                                                                                                                                                                                                                          | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-go                                  | \<path\>         | The path to `go` executable for the Go Mode Analyzer; only necessary if `go` is not on the path.                                                                                                                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-bundleAudit                         |                  | The path to the bundle-audit executable.                                                                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-bundleAuditWorkingDirectory         | \<path\>         | The path to working directory that the bundle-audit command should be executed from when doing Gem bundle analysis.                                                                                                                                                                                                                | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-proxyserver                         | \<server\>       | The proxy server to use when downloading resources; see the [proxy configuration](../data/proxy.html) page for more information.                                                                                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-proxyport                           | \<port\>         | The proxy port to use when downloading resources.                                                                                                                                                                                                                                                                                  | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-nonProxyHosts                       | \<list\>         | The proxy exclusion list: hostnames (or patterns) for which proxy should not be used. Use pipe, comma or colon as list separator. Example: `something.com\|*.something.com\|www.somethingelse.*`                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+| \-c   | \-\-connectiontimeout                   | \<timeout\>      | The connection timeout (in milliseconds) to use when downloading resources.                                                                                                                                                                                                                                                        | 10000                                                                                                                                                                                                                                                                                                                 |
+|       | \-\-readtimeout                         | \<timeout\>      | The read timeout (in milliseconds) to use when downloading resources.                                                                                                                                                                                                                                                              | 60000                                                                                                                                                                                                                                                                                                                 |
+|       | \-\-proxypass                           | \<pass\>         | The proxy password to use when downloading resources.                                                                                                                                                                                                                                                                              | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-proxyuser                           | \<user\>         | The proxy username to use when downloading resources.                                                                                                                                                                                                                                                                              | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-connectionString                    | \<connStr\>      | The connection string to the database. See using a [database server](../data/database.html).                                                                                                                                                                                                                                       | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-dbDriverName                        | \<driver\>       | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                                                                                                                                                       | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-dbDriverPath                        | \<path\>         | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path.                                                                                                                                                                                                                   | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-dbPassword                          | \<password\>     | The password for connecting to the database.                                                                                                                                                                                                                                                                                       | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-dbUser                              | \<user\>         | The username used to connect to the database.                                                                                                                                                                                                                                                                                      | &nbsp;                                                                                                                                                                                                                                                                                                                |
+| \-d   | \-\-data                                | \<path\>         | The location of the data directory used to store persistent data.                                                                                                                                                                                                                                                                  | /usr/local/var/dependencycheck if installed through brew (→ [formula](https://github.com/Homebrew/homebrew-core/blob/master/Formula/d/dependency-check.rb#L29)). Otherwise, the data directory is created inside the install directory i.e. as a sibling to the `<install-dir>/bin`, `<install-dir>/lib` directories. |
+|       | \-\-purge                               |                  | Delete the local copy of the NVD. This is used to force a refresh of the data.                                                                                                                                                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableHostedSuppressions           |                  | Whether the usage of the hosted suppressions file will be disabled.                                                                                                                                                                                                                                                                | false                                                                                                                                                                                                                                                                                                                 |
+|       | \-\-hostedSuppressionsForceUpdate       |                  | Whether the hosted suppressions file will update regardless of the `noupdate` argument.                                                                                                                                                                                                                                            | false                                                                                                                                                                                                                                                                                                                 |
+|       | \-\-hostedSuppressionsValidForHours     | \<hours\>        | The number of hours to wait before checking for new updates of the hosted suppressions file                                                                                                                                                                                                                                        | 2                                                                                                                                                                                                                                                                                                                     |
+|       | \-\-hostedSuppressionsUrl               | \<url\>          | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments                                                                                                                                                                                                                                   | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml                                                                                                                                                                                                                             |
+|       | \-\-hostedSuppressionsUser              | \<user\>         | The user for basic authentication to a mirrored copy of the hosted suppressions file                                                                                                                                                                                                                                               | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-hostedSuppressionsPassword          | \<password\>     | The password for basic authentication to a mirrored copy of the hosted suppressions file                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-hostedSuppressionsBearerToken       | \<token\>        | The token for bearer authentication to a mirrored copy of the hosted suppressions file                                                                                                                                                                                                                                             | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-suppressionUser                     | \<user\>         | The user for basic authentication to web-hosted suppression XML files (as configured with `--suppression`)                                                                                                                                                                                                                         | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-suppressionPassword                 | \<password\>     | The password for basic authentication to web-hosted suppression XML files (as configured with `--suppression`)                                                                                                                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-suppressionBearerToken              | \<token\>        | The token for bearer authentication to web-hosted suppression XML files (as configured with `--suppression`)                                                                                                                                                                                                                       | &nbsp;                                                                                                                                                                                                                                                                                                                |
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java b/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java
index 45d558d68b8..43f530cc562 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/update/NvdApiDataSource.java
@@ -387,7 +387,7 @@ private boolean processApi() throws UpdateException {
                     final String msg;
                     if (key != null) {
                         msg = "Error updating the NVD Data; the NVD returned a 403 or 404 error\n\nPlease ensure your API Key is valid; "
-                                + "see https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#api-key-is-used-and-a-403-or-404-error-occurs\n\n"
+                                + "see https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#api-key-is-used-and-a-403-or-404-error-occurs\n\n"
                                 + "If your NVD API Key is valid try increasing the NVD API Delay.\n\n"
                                 + "If this is occurring in a CI environment";
                     } else {
diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md
index e7907a2f0ef..5aa39b39ea6 100644
--- a/maven/src/site/markdown/configuration.md
+++ b/maven/src/site/markdown/configuration.md
@@ -1,46 +1,46 @@
 Goals
 ====================
 
-Goal        | Description
-------------|-----------------------
-aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report. **Warning**: if the aggregate goal is used within the site reporting a blank report will likely be present for any goal beyond site:site (i.e. site:stage or site:deploy will likely result in blank reports being staged or deployed); however, site:site will work. See issue [#325](https://github.com/dependency-check/DependencyCheck/issues/325) for more information.
-check       | Runs dependency-check against the project and generates a report.
-update-only | Updates the local cache of the NVD data from NIST.
-purge       | Deletes the local copy of the NVD. This is used to force a refresh of the data.
+| Goal        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
+|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report. **Warning**: if the aggregate goal is used within the site reporting a blank report will likely be present for any goal beyond site:site (i.e. site:stage or site:deploy will likely result in blank reports being staged or deployed); however, site:site will work. See issue [#325](https://github.com/dependency-check/DependencyCheck/issues/325) for more information. |
+| check       | Runs dependency-check against the project and generates a report.                                                                                                                                                                                                                                                                                                                                                                                                              |
+| update-only | Updates the local cache of the NVD data from NIST.                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| purge       | Deletes the local copy of the NVD. This is used to force a refresh of the data.                                                                                                                                                                                                                                                                                                                                                                                                |
 
 Configuration
 ====================
 The following properties can be set on the dependency-check-maven plugin.
 
-Property                         | Description                        | Default Value
----------------------------------|------------------------------------|------------------
-autoUpdate                       | Sets whether auto-updating of the NVD CVE/CPE, retireJS and hosted suppressions data is enabled. It is not recommended that this be turned to false. | true
-format                           | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). This configuration is ignored if `formats` is defined. This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
-formats                          | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). This configuration overrides the value from `format`. This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | &nbsp;
-junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.   | 0
-prettyPrint                      | Whether the XML and JSON formatted reports should be pretty printed.                                               | false
-failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss) | 11
-failBuildOnAnyVulnerability      | Specifies that if any vulnerability is identified, the build will fail. | false
-failOnError                      | Whether the build should fail if there is an error executing the dependency-check analysis. | true
-name                             | The name of the report in the site. | dependency-check or dependency-check:aggregate
-outputDirectory                  | The location to write the report(s). This can be specified on the command line via `-Dodc.outputDirectory`. Note, this is not used if generating the report as part of a `mvn site` build. | 'target'
-scanSet                          | An optional collection of file sets that specify additional files and/or directories to analyze as part of the scan. If not specified, defaults to standard Maven conventions. This cannot be configured via the command line parameters (e.g. `-DscanSet=./path`) - use the below `scanDirectory` instead. Note that the scan sets specified should be relative from the base directory - do not use Maven project variable substitution (e.g. `${project.basedir}/src/webpack`). Using Maven project variable substitution can cause directories to be missed especially when using an aggregate build. | ['src/main/resources', 'src/main/filters', 'src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod']
-scanDirectory                    | An optional collection of directories to include in the scan. This configuration should only be used via the command line - if configuring the scan directories within the `pom.xml` please consider using the above `scanSet`. | &nbsp;
-scanDependencies                 | Sets whether the dependencies should be scanned.                   | true
-scanPlugins                      | Sets whether the plugins and their dependencies should be scanned. | false
-skip                             | Skips the dependency-check analysis.                       | false
-skipProvidedScope                | Skip analysis for artifacts with Provided Scope.           | false
-skipRuntimeScope                 | Skip analysis for artifacts with Runtime Scope.            | false
-skipSystemScope                  | Skip analysis for artifacts with System Scope.             | false
-skipTestScope                    | Skip analysis for artifacts with Test Scope.               | true
-skipDependencyManagement         | Skip analysis for dependencyManagement sections.           | true
-skipArtifactType                 | A regular expression used to filter/skip artifact types.  This filters on the `type` of dependency as defined in the dependency section: jar, pom, test-jar, etc. | &nbsp;
-suppressionFiles                 | The file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configuration value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;
-failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. | false
-hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html).       | &nbsp;
-enableExperimental               | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used. | false
-enableRetired                    | Enable the [retired analyzers](../analyzers/index.html). If not enabled the retired analyzers (see below) will not be loaded or used. | false
-versionCheckEnabled              | Whether dependency-check should check if a new version of dependency-check-maven exists. | true
+| Property                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Default Value                                                                                                                                               |
+|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| autoUpdate                       | Sets whether auto-updating of the NVD CVE/CPE, retireJS and hosted suppressions data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                                                                                                                                                                                                                                                      | true                                                                                                                                                        |
+| format                           | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). This configuration is ignored if `formats` is defined. This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true.                                                                                                                                                                                                                                                                                                                               | HTML                                                                                                                                                        |
+| formats                          | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). This configuration overrides the value from `format`. This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true.                                                                                                                                                                                                                                                                                                                         | &nbsp;                                                                                                                                                      |
+| junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 0                                                                                                                                                           |
+| prettyPrint                      | Whether the XML and JSON formatted reports should be pretty printed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | false                                                                                                                                                       |
+| failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                                                                                                                                                                                                                                                                          | 11                                                                                                                                                          |
+| failBuildOnAnyVulnerability      | Specifies that if any vulnerability is identified, the build will fail.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | false                                                                                                                                                       |
+| failOnError                      | Whether the build should fail if there is an error executing the dependency-check analysis.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | true                                                                                                                                                        |
+| name                             | The name of the report in the site.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | dependency-check or dependency-check:aggregate                                                                                                              |
+| outputDirectory                  | The location to write the report(s). This can be specified on the command line via `-Dodc.outputDirectory`. Note, this is not used if generating the report as part of a `mvn site` build.                                                                                                                                                                                                                                                                                                                                                                                                                | 'target'                                                                                                                                                    |
+| scanSet                          | An optional collection of file sets that specify additional files and/or directories to analyze as part of the scan. If not specified, defaults to standard Maven conventions. This cannot be configured via the command line parameters (e.g. `-DscanSet=./path`) - use the below `scanDirectory` instead. Note that the scan sets specified should be relative from the base directory - do not use Maven project variable substitution (e.g. `${project.basedir}/src/webpack`). Using Maven project variable substitution can cause directories to be missed especially when using an aggregate build. | ['src/main/resources', 'src/main/filters', 'src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] |
+| scanDirectory                    | An optional collection of directories to include in the scan. This configuration should only be used via the command line - if configuring the scan directories within the `pom.xml` please consider using the above `scanSet`.                                                                                                                                                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                                      |
+| scanDependencies                 | Sets whether the dependencies should be scanned.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | true                                                                                                                                                        |
+| scanPlugins                      | Sets whether the plugins and their dependencies should be scanned.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | false                                                                                                                                                       |
+| skip                             | Skips the dependency-check analysis.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | false                                                                                                                                                       |
+| skipProvidedScope                | Skip analysis for artifacts with Provided Scope.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | false                                                                                                                                                       |
+| skipRuntimeScope                 | Skip analysis for artifacts with Runtime Scope.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | false                                                                                                                                                       |
+| skipSystemScope                  | Skip analysis for artifacts with System Scope.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | false                                                                                                                                                       |
+| skipTestScope                    | Skip analysis for artifacts with Test Scope.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | true                                                                                                                                                        |
+| skipDependencyManagement         | Skip analysis for dependencyManagement sections.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | true                                                                                                                                                        |
+| skipArtifactType                 | A regular expression used to filter/skip artifact types.  This filters on the `type` of dependency as defined in the dependency section: jar, pom, test-jar, etc.                                                                                                                                                                                                                                                                                                                                                                                                                                         | &nbsp;                                                                                                                                                      |
+| suppressionFiles                 | The file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configuration value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799)                                                                                                                                                                                                                                                               | &nbsp;                                                                                                                                                      |
+| failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | false                                                                                                                                                       |
+| hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | &nbsp;                                                                                                                                                      |
+| enableExperimental               | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used.                                                                                                                                                                                                                                                                                                                                                                                                                                                           | false                                                                                                                                                       |
+| enableRetired                    | Enable the [retired analyzers](../analyzers/index.html). If not enabled the retired analyzers (see below) will not be loaded or used.                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | false                                                                                                                                                       |
+| versionCheckEnabled              | Whether dependency-check should check if a new version of dependency-check-maven exists.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | true                                                                                                                                                        |
 
 Analyzer Configuration
 ====================
@@ -50,76 +50,76 @@ Note, that specific analyzers will automatically disable themselves if no file
 types that they support are detected - so specifically disabling them may not
 be needed.
 
-Property                            | Description                                                                                                                                         | Default Value
-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|------------------
-archiveAnalyzerEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                     | true
-zipExtensions                       | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                    | &nbsp;
-excludes                            | A list of exclude patterns to filter out maven artifacts from being scanned.                                                                        | &nbsp;
-jarAnalyzerEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                             | true
-centralAnalyzerEnabled              | Sets whether Central Analyzer will be used; by default in the Maven plugin this analyzer is disabled as all information gained from Central is already available in the build. | false
-centralAnalyzerUseCache             | Sets whether the Central Analyer will cache results. Cached results expire after 30 days.                                                           | true
-dartAnalyzerEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                | true
-knownExploitedEnabled               | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                     | true
-knownExploitedUrl                   | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
-ossindexAnalyzerEnabled             | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection.         | true
-ossindexAnalyzerUseCache            | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours.                                                       | true
-ossIndexServerId                    | The id of [a server](https://maven.apache.org/settings.html#Servers) defined in the `settings.xml` to authenticate Sonatype OSS Index requests and profit from higher rate limits. Provide the OSS account email address as `username` and password or API token as `password`. | &nbsp;
-ossIndexUsername                    | OSS account email address as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. | &nbsp;
-ossIndexPassword                    | OSS password or API token as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. | &nbsp;
-ossindexAnalyzerUrl                 | The OSS Index server URL | https://ossindex.sonatype.org
-ossIndexWarnOnlyOnRemoteErrors      | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.    | false
-nexusAnalyzerEnabled                | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
-nexusUrl                            | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
-nexusServerId                       | The id of a server defined in the settings.xml that configures the credentials (username and password) for a Nexus server's REST API end point. When not specified the communication with the Nexus server's REST API will be unauthenticated. | &nbsp;
-nexusUsesProxy                      | Whether or not the defined proxy should be used when connecting to Nexus.                                                                           | true
-artifactoryAnalyzerEnabled          | Sets whether Artifactory analyzer will be used                                                                                                      | false
-artifactoryAnalyzerUrl              | The Artifactory server URL.                                                                                                                         | &nbsp;
-artifactoryAnalyzerUseProxy         | Whether Artifactory should be accessed through a proxy or not.                                                                                      | false
-artifactoryAnalyzerParallelAnalysis | Whether the Artifactory analyzer should be run in parallel or not                                                                                   | true
-artifactoryAnalyzerServerId         | The id of a server defined in the settings.xml to retrieve the credentials (username and API token) to connect to Artifactory instance. It is used in priority to artifactoryAnalyzerUsername and artifactoryAnalyzerApiToken | artifactory
-artifactoryAnalyzerUsername         | The user name (only used with API token) to connect to Artifactory instance                                                                         | &nbsp;
-artifactoryAnalyzerApiToken         | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken | &nbsp;
-artifactoryAnalyzerBearerToken      | The bearer token to connect to Artifactory instance                                                                                                 | &nbsp;
-pyDistributionAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `enableExperimental` must be set to true.       | true
-pyPackageAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `enableExperimental` must be set to true.            | true
-rubygemsAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `enableExperimental` must be set to true.              | true
-opensslAnalyzerEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                   | true
-cmakeAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `enableExperimental` must be set to true.                   | true
-autoconfAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `enableExperimental` must be set to true.                | true
-pipAnalyzerEnabled                  | Sets whether the [experimental](../analyzers/index.html) pip Analyzer should be used. `enableExperimental` must be set to true.                     | true
-pipfileAnalyzerEnabled              | Sets whether the [experimental](../analyzers/index.html) Pipfile Analyzer should be used. `enableExperimental` must be set to true.                 | true
-poetryAnalyzerEnabled               | Sets whether the [experimental](../analyzers/index.html) Poetry Analyzer should be used. `enableExperimental` must be set to true.                  | true
-composerAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `enableExperimental` must be set to true.  | true
-composerAnalyzerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev"                                 | false
-cpanfileAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `enableExperimental` must be set to true.          | true
-yarnAuditAnalyzerEnabled            | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection.  Use `nodeAuditSkipDevDependencies` to skip dev dependencies. | true
-pnpmAuditAnalyzerEnabled            | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires pnpm and an internet connection.  Use `nodeAuditSkipDevDependencies` to skip dev dependencies. | true
-pathToYarn                          | The path to `yarn`.                                                                                                                                 | &nbsp;
-pathToPnpm                          | The path to `pnpm`.                                                                                                                                 | &nbsp;
-nodeAnalyzerEnabled                 | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used.                                                                | true
-nodeAuditAnalyzerEnabled            | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection.                                                 | true
-nodeAuditAnalyzerUseCache           | Sets whether the Node Audit Analyzer will cache results. Cached results expire after 24 hours.                                                      | true
-nodeAuditSkipDevDependencies        | Sets whether the Node Audit Analyzer will skip devDependencies.                                                                                     | false
-nodeAuditAnalyzerUrl                | The Node Audit API URL for the Node Audit Analyzer.                                                                                                 | https://registry.npmjs.org/-/npm/v1/security/audits
-nodePackageSkipDevDependencies      | Sets whether the Node Package Analyzer will skip devDependencies.                                                                                   | false
-retireJsAnalyzerEnabled             | Sets whether the RetireJS Analyzer should be used.                                                                                                  | true
-retireJsForceUpdate                 | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting.                                                            | false
-retireJsUrl                         | The URL to the Retire JS repository. **Note** the file name must be `jsrepository.json`.                                                            | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
-nuspecAnalyzerEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                           | true
-nugetconfAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `enableExperimental` must be set to true. | true
-libmanAnalyzerEnabled               | Sets whether the Libman Analyzer will be used.                                                                                                      | true
-cocoapodsAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `enableExperimental` must be set to true.               | true
-carthageAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `enableExperimental` must be set to true.                | true
-bundleAuditAnalyzerEnabled          | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. `enableExperimental` must be set to true.            | true
-bundleAuditPath                     | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled.                 | &nbsp;
-swiftPackageManagerAnalyzerEnabled  | Sets whether the [experimental](../analyzers/index.html) Swift Package Analyzer should be used. `enableExperimental` must be set to true.           | true
-swiftPackageResolvedAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved should be used. `enableExperimental` must be set to true.           | true
-assemblyAnalyzerEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                             | true
-msbuildAnalyzerEnabled              | Sets whether the MSBuild Analyzer should be used.                                                                                                   | true
-pathToCore                          | The path to dotnet core .NET assembly analysis on non-windows systems.                                                                              | &nbsp;
-golangDepEnabled                    | Sets whether or not the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `enableExperimental` must be set to true.| true
-golangModEnabled                    | Sets whether or not the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `enableExperimental` must be set to true. | true
-pathToGo                            | The path to `go`.                                                                                                                                   | &nbsp;
+| Property                            | Description                                                                                                                                                                                                                                                                     | Default Value                                                                            |
+|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
+| archiveAnalyzerEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                                                                                                                                 | true                                                                                     |
+| zipExtensions                       | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                                                                                                                | &nbsp;                                                                                   |
+| excludes                            | A list of exclude patterns to filter out maven artifacts from being scanned.                                                                                                                                                                                                    | &nbsp;                                                                                   |
+| jarAnalyzerEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                                                                                                                         | true                                                                                     |
+| centralAnalyzerEnabled              | Sets whether Central Analyzer will be used; by default in the Maven plugin this analyzer is disabled as all information gained from Central is already available in the build.                                                                                                  | false                                                                                    |
+| centralAnalyzerUseCache             | Sets whether the Central Analyer will cache results. Cached results expire after 30 days.                                                                                                                                                                                       | true                                                                                     |
+| dartAnalyzerEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                                                                                                                            | true                                                                                     |
+| knownExploitedEnabled               | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                                                                                                 | true                                                                                     |
+| knownExploitedUrl                   | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                                                                                                            | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json      |
+| ossindexAnalyzerEnabled             | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection.                                                                                                                                     | true                                                                                     |
+| ossindexAnalyzerUseCache            | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours.                                                                                                                                                                                   | true                                                                                     |
+| ossIndexServerId                    | The id of [a server](https://maven.apache.org/settings.html#Servers) defined in the `settings.xml` to authenticate Sonatype OSS Index requests and profit from higher rate limits. Provide the OSS account email address as `username` and password or API token as `password`. | &nbsp;                                                                                   |
+| ossIndexUsername                    | OSS account email address as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID.                                                            | &nbsp;                                                                                   |
+| ossIndexPassword                    | OSS password or API token as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID.                                                            | &nbsp;                                                                                   |
+| ossindexAnalyzerUrl                 | The OSS Index server URL                                                                                                                                                                                                                                                        | https://ossindex.sonatype.org                                                            |
+| ossIndexWarnOnlyOnRemoteErrors      | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.                                                                                                                                | false                                                                                    |
+| nexusAnalyzerEnabled                | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.                                                                                    | true                                                                                     |
+| nexusUrl                            | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                                                                                                                             | &nbsp;                                                                                   |
+| nexusServerId                       | The id of a server defined in the settings.xml that configures the credentials (username and password) for a Nexus server's REST API end point. When not specified the communication with the Nexus server's REST API will be unauthenticated.                                  | &nbsp;                                                                                   |
+| nexusUsesProxy                      | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                                                                                                       | true                                                                                     |
+| artifactoryAnalyzerEnabled          | Sets whether Artifactory analyzer will be used                                                                                                                                                                                                                                  | false                                                                                    |
+| artifactoryAnalyzerUrl              | The Artifactory server URL.                                                                                                                                                                                                                                                     | &nbsp;                                                                                   |
+| artifactoryAnalyzerUseProxy         | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                                                                                                  | false                                                                                    |
+| artifactoryAnalyzerParallelAnalysis | Whether the Artifactory analyzer should be run in parallel or not                                                                                                                                                                                                               | true                                                                                     |
+| artifactoryAnalyzerServerId         | The id of a server defined in the settings.xml to retrieve the credentials (username and API token) to connect to Artifactory instance. It is used in priority to artifactoryAnalyzerUsername and artifactoryAnalyzerApiToken                                                   | artifactory                                                                              |
+| artifactoryAnalyzerUsername         | The user name (only used with API token) to connect to Artifactory instance                                                                                                                                                                                                     | &nbsp;                                                                                   |
+| artifactoryAnalyzerApiToken         | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken                                                                            | &nbsp;                                                                                   |
+| artifactoryAnalyzerBearerToken      | The bearer token to connect to Artifactory instance                                                                                                                                                                                                                             | &nbsp;                                                                                   |
+| pyDistributionAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                   | true                                                                                     |
+| pyPackageAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                        | true                                                                                     |
+| rubygemsAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                                          | true                                                                                     |
+| opensslAnalyzerEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                                                                                                                               | true                                                                                     |
+| cmakeAnalyzerEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                               | true                                                                                     |
+| autoconfAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                            | true                                                                                     |
+| pipAnalyzerEnabled                  | Sets whether the [experimental](../analyzers/index.html) pip Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                                 | true                                                                                     |
+| pipfileAnalyzerEnabled              | Sets whether the [experimental](../analyzers/index.html) Pipfile Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                             | true                                                                                     |
+| poetryAnalyzerEnabled               | Sets whether the [experimental](../analyzers/index.html) Poetry Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                              | true                                                                                     |
+| composerAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                              | true                                                                                     |
+| composerAnalyzerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev"                                                                                                                                                             | false                                                                                    |
+| cpanfileAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                      | true                                                                                     |
+| yarnAuditAnalyzerEnabled            | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection.  Use `nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                      | true                                                                                     |
+| pnpmAuditAnalyzerEnabled            | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires pnpm and an internet connection.  Use `nodeAuditSkipDevDependencies` to skip dev dependencies.                                                                                                      | true                                                                                     |
+| pathToYarn                          | The path to `yarn`.                                                                                                                                                                                                                                                             | &nbsp;                                                                                   |
+| pathToPnpm                          | The path to `pnpm`.                                                                                                                                                                                                                                                             | &nbsp;                                                                                   |
+| nodeAnalyzerEnabled                 | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used.                                                                                                                                                                                            | true                                                                                     |
+| nodeAuditAnalyzerEnabled            | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection.                                                                                                                                                                             | true                                                                                     |
+| nodeAuditAnalyzerUseCache           | Sets whether the Node Audit Analyzer will cache results. Cached results expire after 24 hours.                                                                                                                                                                                  | true                                                                                     |
+| nodeAuditSkipDevDependencies        | Sets whether the Node Audit Analyzer will skip devDependencies.                                                                                                                                                                                                                 | false                                                                                    |
+| nodeAuditAnalyzerUrl                | The Node Audit API URL for the Node Audit Analyzer.                                                                                                                                                                                                                             | https://registry.npmjs.org/-/npm/v1/security/audits                                      |
+| nodePackageSkipDevDependencies      | Sets whether the Node Package Analyzer will skip devDependencies.                                                                                                                                                                                                               | false                                                                                    |
+| retireJsAnalyzerEnabled             | Sets whether the RetireJS Analyzer should be used.                                                                                                                                                                                                                              | true                                                                                     |
+| retireJsForceUpdate                 | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting.                                                                                                                                                                                        | false                                                                                    |
+| retireJsUrl                         | The URL to the Retire JS repository. **Note** the file name must be `jsrepository.json`.                                                                                                                                                                                        | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
+| nuspecAnalyzerEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                                                                                                       | true                                                                                     |
+| nugetconfAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `enableExperimental` must be set to true.                                                                                                                            | true                                                                                     |
+| libmanAnalyzerEnabled               | Sets whether the Libman Analyzer will be used.                                                                                                                                                                                                                                  | true                                                                                     |
+| cocoapodsAnalyzerEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                           | true                                                                                     |
+| carthageAnalyzerEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                            | true                                                                                     |
+| bundleAuditAnalyzerEnabled          | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                        | true                                                                                     |
+| bundleAuditPath                     | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled.                                                                                                                                             | &nbsp;                                                                                   |
+| swiftPackageManagerAnalyzerEnabled  | Sets whether the [experimental](../analyzers/index.html) Swift Package Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                                       | true                                                                                     |
+| swiftPackageResolvedAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved should be used. `enableExperimental` must be set to true.                                                                                                                                       | true                                                                                     |
+| assemblyAnalyzerEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                                                                                                         | true                                                                                     |
+| msbuildAnalyzerEnabled              | Sets whether the MSBuild Analyzer should be used.                                                                                                                                                                                                                               | true                                                                                     |
+| pathToCore                          | The path to dotnet core .NET assembly analysis on non-windows systems.                                                                                                                                                                                                          | &nbsp;                                                                                   |
+| golangDepEnabled                    | Sets whether or not the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `enableExperimental` must be set to true.                                                                                                                            | true                                                                                     |
+| golangModEnabled                    | Sets whether or not the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `enableExperimental` must be set to true.                                                                                                 | true                                                                                     |
+| pathToGo                            | The path to `go`.                                                                                                                                                                                                                                                               | &nbsp;                                                                                   |
 
 RetireJS Configuration
 ====================
@@ -136,10 +136,10 @@ to control the included JS files
     &lt;/retirejs&gt;
 </pre>
 
-Property            | Description                                                                                                                                                                                                            | Default Value
---------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------
-filters             | A list of file content filters used to exclude JS files based on content. This is most commonly used to exclude JS files based on your organizations copyright so that your JS files do not get listed as a dependency.| &nbsp;
-filterNonVulnerable | A boolean controlling whether or not the Retire JS Analyzer should exclude non-vulnerable JS files from the report.                                                                                                    | false
+| Property            | Description                                                                                                                                                                                                             | Default Value |
+|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
+| filters             | A list of file content filters used to exclude JS files based on content. This is most commonly used to exclude JS files based on your organizations copyright so that your JS files do not get listed as a dependency. | &nbsp;        |
+| filterNonVulnerable | A boolean controlling whether or not the Retire JS Analyzer should exclude non-vulnerable JS files from the report.                                                                                                     | false         |
 
 Advanced Configuration
 ====================
@@ -147,49 +147,49 @@ The following properties can be configured in the plugin. However, they are less
 
 Note that any passwords in the below configuration could be exposed if you use `-x` option to debug the build. It is always better to configure the credential in your settings.xml and use the configuration to set the server id instead of placeing the password directly in the pom.xml.
 
-Property                 | Description                                                                                                                                                                                                                                                                                                       | Default Value                                                       |
--------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
-nvdApiServerId           | The id of a server defined in the settings.xml that configures the credentials (password is used as ApiKey) for accessing the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key.                                                                                                                                                                            | &nbsp;                                                              |
-nvdApiKey                | If you don't want register token as password in settings.xml, you can specify Bearer token for accessing the NVD API, but be aware that if you use -X the secret will be written to the standard out. | &nbsp; |
-nvdApiEndpoint           | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                                                                                                                                               | https://services.nvd.nist.gov/rest/json/cves/2.0                    |
-nvdMaxRetryCount         | The maximum number of retry requests for a single call to the NVD API.                                                                                                                                                                                                                                            | 10                                                                  |
-nvdApiDelay              | The number of milliseconds to wait between calls to the NVD API.                                                                                                                                                                                                                                                  | 3500 with an NVD API Key or 8000 without an API Key .               |
-nvdApiResultsPerPage     | The number records for a single page from NVD API (must be <=2000).                                                                                                                                                                                                                                               | 2000                                                                |
-nvdDatafeedUrl           | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz`                                                                                | &nbsp;                                         |
-nvdDatafeedServerId      | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the NVD API Data feed.                                                                                                                                                                       | &nbsp;                                                              |
-nvdUser                  | If you don't want register user/password in settings.xml, you can specify Basic username for the NVD API Data feed.                                                                                                                                                                                               | &nbsp;                                                              |
-nvdPassword              | If you don't want register user/password in settings.xml, you can specify Basic password for the NVD API Data feed, but be aware that if you use -X the secret will be written to the standard out.                            | &nbsp; |
-nvdBearerToken           | If you don't want register token as password in settings.xml, you can specify Bearer token for the NVD API Data feed, but be aware that if you use -X the secret will be written to the standard out.                                 | &nbsp; |
-nvdValidForHours         | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                                                                                                                                                 | 4                                                                   |
-suppressionFileServerId  | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the suppressionFiles.                                                                                                                                                                        | &nbsp;                                                              |
-suppressionFileUser      | If you don't want register user/password in settings.xml, you can specify Basic username.                                                                                                                                                                                | &nbsp;                                                              |
-suppressionFilePassword  | If you don't want register user/password in settings.xml, you can specify Basic password, but be aware that if you use -X the secret will be written to the standard out.                                    | &nbsp;                                                              |
-suppressionFileBearerToken | If you don't want register token as password in settings.xml, you can specify Bearer token, but be aware that if you use -X the secret will be written to the standard out.                                     | &nbsp;                                                              |
-connectionTimeout        | Sets the URL Connection Timeout (in milliseconds) used when downloading external data.                                                                                                                                                                                                                            | 10000                                                               |
-readTimeout              | Sets the URL Read Timeout  (in milliseconds) used when downloading external data.                                                                                                                                                                                                                                 | 60000                                                               |
-dataDirectory            | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                                                                                                                                                                          | ~/.m2/repository/org/owasp/dependency-check-data/                   |
-databaseDriverName       | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                                                                                                                                      | &nbsp;                                                              |
-databaseDriverPath       | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                                                                                                                                                                            | &nbsp;                                                              |
-connectionString         | The connection string used to connect to the database.   See using a [database server](../data/database.html).                                                                                                                                                                                                    | &nbsp;                                                              |
-serverId                 | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information.                                                                                                     | &nbsp; |
-databaseUser             | The username used when connecting to the database.                                                                                                                                                                                                                                                                | &nbsp;                                                              |
-databasePassword         | The password used when connecting to the database.                                                                                                                                                                                                                                                                | &nbsp;                                                              |
-hostedSuppressionsEnabled      | Whether the hosted suppressions file will be used.                                                                                                                                                                                                                                                                | true |
-hostedSuppressionsForceUpdate  | Whether the hosted suppressions file will update regardless of the `autoupdate` setting.                                                                                                                                                                                                                          | false |
-hostedSuppressionsUrl          | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                                                                                                                                                                                                                 | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
-hostedSuppressionsValidForHours| Sets the number of hours to wait before checking for new updates from the NVD.                                                                                                                                                                                                                                    | 2 |
-hostedSuppressionsServerId | The id of a server defined in the settings.xml that configures the credentials for accessing a mirrored hostedSuppressions XML file.                                                                                                                                                                              | &nbsp; |
-hostedSuppressionsUser     | If you don't want register user/password in settings.xml, you can specify Basic username.                                                                                                                                                                                                                         | &nbsp; |
-hostedSuppressionsPassword | If you don't want register user/password in settings.xml, you can specify Basic password, but be aware that if you use -X the secret will be written to the standard out.     | &nbsp; |
-hostedSuppressionsBearerToken  | If you don't want register token as password in settings.xml, you can specify Bearer token, but be aware that if you use -X the secret will be written to the standard out.         | &nbsp; |
-retireJsUrlServerId      | The id of a server defined in the settings.xml to retrieve the credentials (Basic (username and password) or Bearer (password only)) to connect to RetireJS instance.                                                                                                                                             | &nbsp; |
-retireJsUser             | If you don't want register user/password in settings.xml, you can specify Basic username.                                                                                                                                                                                                                         | &nbsp; |
-retireJsPassword         | If you don't want register user/password in settings.xml, you can specify Basic password, but be aware that if you use -X the secret will be written to the standard out.                                                                                                                                         | &nbsp; |
-retireJsBearerToken      | If you don't want register token as password in settings.xml, you can specify Bearer token, but be aware that if you use -X the secret will be written to the standard out.                                                                                                                                       | &nbsp; |
-knownExploitedServerId    | The id of a server defined in the settings.xml that configures the credentials  (Basic (username and password) or Bearer (password only)) for accessing the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                 | &nbsp; |
-knownExploitedUser        | If you don't want register user/password in settings.xml, you can specify Basic username.                                                                                                                                                                                                                        | &nbsp; |
-knownExploitedPassword    | If you don't want register user/password in settings.xml, you can specify Basic password, but be aware that if you use -X the secret will be written to the standard out.                                                                                                                                        | &nbsp; |
-knownExploitedBearerToken | If you don't want register token as password in settings.xml, you can specify Bearer token, but be aware that if you use -X the secret will be written to the standard out.                                                                                                                                      | &nbsp; |
+| Property                        | Description                                                                                                                                                                                                                          | Default Value                                                                             |
+|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| nvdApiServerId                  | The id of a server defined in the settings.xml that configures the credentials (password is used as ApiKey) for accessing the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key.                             | &nbsp;                                                                                    |
+| nvdApiKey                       | If you don't want register token as password in settings.xml, you can specify Bearer token for accessing the NVD API, but be aware that if you use -X the secret will be written to the standard out.                                | &nbsp;                                                                                    |
+| nvdApiEndpoint                  | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                                                                  | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
+| nvdMaxRetryCount                | The maximum number of retry requests for a single call to the NVD API.                                                                                                                                                               | 10                                                                                        |
+| nvdApiDelay                     | The number of milliseconds to wait between calls to the NVD API.                                                                                                                                                                     | 3500 with an NVD API Key or 8000 without an API Key .                                     |
+| nvdApiResultsPerPage            | The number records for a single page from NVD API (must be <=2000).                                                                                                                                                                  | 2000                                                                                      |
+| nvdDatafeedUrl                  | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp;                                                                                    |
+| nvdDatafeedServerId             | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the NVD API Data feed.                                                                                          | &nbsp;                                                                                    |
+| nvdUser                         | If you don't want register user/password in settings.xml, you can specify Basic username for the NVD API Data feed.                                                                                                                  | &nbsp;                                                                                    |
+| nvdPassword                     | If you don't want register user/password in settings.xml, you can specify Basic password for the NVD API Data feed, but be aware that if you use -X the secret will be written to the standard out.                                  | &nbsp;                                                                                    |
+| nvdBearerToken                  | If you don't want register token as password in settings.xml, you can specify Bearer token for the NVD API Data feed, but be aware that if you use -X the secret will be written to the standard out.                                | &nbsp;                                                                                    |
+| nvdValidForHours                | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                                                                    | 4                                                                                         |
+| suppressionFileServerId         | The id of a server defined in the settings.xml that configures the credentials (username and password) for accessing the suppressionFiles.                                                                                           | &nbsp;                                                                                    |
+| suppressionFileUser             | If you don't want register user/password in settings.xml, you can specify Basic username.                                                                                                                                            | &nbsp;                                                                                    |
+| suppressionFilePassword         | If you don't want register user/password in settings.xml, you can specify Basic password, but be aware that if you use -X the secret will be written to the standard out.                                                            | &nbsp;                                                                                    |
+| suppressionFileBearerToken      | If you don't want register token as password in settings.xml, you can specify Bearer token, but be aware that if you use -X the secret will be written to the standard out.                                                          | &nbsp;                                                                                    |
+| connectionTimeout               | Sets the URL Connection Timeout (in milliseconds) used when downloading external data.                                                                                                                                               | 10000                                                                                     |
+| readTimeout                     | Sets the URL Read Timeout  (in milliseconds) used when downloading external data.                                                                                                                                                    | 60000                                                                                     |
+| dataDirectory                   | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                                                                                             | ~/.m2/repository/org/owasp/dependency-check-data/                                         |
+| databaseDriverName              | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                                                         | &nbsp;                                                                                    |
+| databaseDriverPath              | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                                                                                               | &nbsp;                                                                                    |
+| connectionString                | The connection string used to connect to the database.   See using a [database server](../data/database.html).                                                                                                                       | &nbsp;                                                                                    |
+| serverId                        | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information.                        | &nbsp;                                                                                    |
+| databaseUser                    | The username used when connecting to the database.                                                                                                                                                                                   | &nbsp;                                                                                    |
+| databasePassword                | The password used when connecting to the database.                                                                                                                                                                                   | &nbsp;                                                                                    |
+| hostedSuppressionsEnabled       | Whether the hosted suppressions file will be used.                                                                                                                                                                                   | true                                                                                      |
+| hostedSuppressionsForceUpdate   | Whether the hosted suppressions file will update regardless of the `autoupdate` setting.                                                                                                                                             | false                                                                                     |
+| hostedSuppressionsUrl           | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                                                                                                                                    | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
+| hostedSuppressionsValidForHours | Sets the number of hours to wait before checking for new updates from the NVD.                                                                                                                                                       | 2                                                                                         |
+| hostedSuppressionsServerId      | The id of a server defined in the settings.xml that configures the credentials for accessing a mirrored hostedSuppressions XML file.                                                                                                 | &nbsp;                                                                                    |
+| hostedSuppressionsUser          | If you don't want register user/password in settings.xml, you can specify Basic username.                                                                                                                                            | &nbsp;                                                                                    |
+| hostedSuppressionsPassword      | If you don't want register user/password in settings.xml, you can specify Basic password, but be aware that if you use -X the secret will be written to the standard out.                                                            | &nbsp;                                                                                    |
+| hostedSuppressionsBearerToken   | If you don't want register token as password in settings.xml, you can specify Bearer token, but be aware that if you use -X the secret will be written to the standard out.                                                          | &nbsp;                                                                                    |
+| retireJsUrlServerId             | The id of a server defined in the settings.xml to retrieve the credentials (Basic (username and password) or Bearer (password only)) to connect to RetireJS instance.                                                                | &nbsp;                                                                                    |
+| retireJsUser                    | If you don't want register user/password in settings.xml, you can specify Basic username.                                                                                                                                            | &nbsp;                                                                                    |
+| retireJsPassword                | If you don't want register user/password in settings.xml, you can specify Basic password, but be aware that if you use -X the secret will be written to the standard out.                                                            | &nbsp;                                                                                    |
+| retireJsBearerToken             | If you don't want register token as password in settings.xml, you can specify Bearer token, but be aware that if you use -X the secret will be written to the standard out.                                                          | &nbsp;                                                                                    |
+| knownExploitedServerId          | The id of a server defined in the settings.xml that configures the credentials  (Basic (username and password) or Bearer (password only)) for accessing the CISA Known Exploited Vulnerabilities JSON data feed.                     | &nbsp;                                                                                    |
+| knownExploitedUser              | If you don't want register user/password in settings.xml, you can specify Basic username.                                                                                                                                            | &nbsp;                                                                                    |
+| knownExploitedPassword          | If you don't want register user/password in settings.xml, you can specify Basic password, but be aware that if you use -X the secret will be written to the standard out.                                                            | &nbsp;                                                                                    |
+| knownExploitedBearerToken       | If you don't want register token as password in settings.xml, you can specify Bearer token, but be aware that if you use -X the secret will be written to the standard out.                                                          | &nbsp;                                                                                    |
 
 Proxy Configuration
 ====================
@@ -197,6 +197,6 @@ Use [Maven's settings](https://maven.apache.org/settings.html#Proxies) to config
 dependency-check [proxy configuration](../data/proxy.html) page for additional problem solving techniques. If multiple proxies
 are configured in the Maven settings file you must tell dependency-check which proxy to use with the following property:
 
-Property             | Description                                                                          | Default Value |
----------------------|--------------------------------------------------------------------------------------|---------------|
-mavenSettingsProxyId | The id for the proxy, configured via settings.xml, that dependency-check should use. | &nbsp;        |
+| Property             | Description                                                                          | Default Value |
+|----------------------|--------------------------------------------------------------------------------------|---------------|
+| mavenSettingsProxyId | The id for the proxy, configured via settings.xml, that dependency-check should use. | &nbsp;        |
diff --git a/src/site/markdown/data/cachenvd.md b/src/site/markdown/data/cachenvd.md
index 1f257045fcf..5bfd7efa2cc 100644
--- a/src/site/markdown/data/cachenvd.md
+++ b/src/site/markdown/data/cachenvd.md
@@ -1,5 +1,5 @@
 Creating an offline cache for the NVD API
 =========================================
 
-The Open Vulnerability Project's [vuln CLI](https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data)
+The Open Vulnerability Project's [vuln CLI](https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data)
 can be used to create an offline copy of the data obtained from the NVD API.
diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
index 6ac293927f5..9a083fbda61 100644
--- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
+++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
@@ -1,12 +1,12 @@
 Tasks
 ====================
 
-Task                                               | Description
----------------------------------------------------|-----------------------
-[dependencyCheckAnalyze](configuration.html)       | Runs dependency-check against the project and generates a report.
-dependencyCheckAggregate                           | Runs dependency-check against a multi-project build and generates a report.
-[dependencyCheckUpdate](configuration-update.html) | Updates the local cache of the NVD data from NIST.
-[dependencyCheckPurge](configuration-purge.html)   | Deletes the local copy of the NVD. This is used to force a refresh of the data.
+| Task                                               | Description                                                                     |
+|----------------------------------------------------|---------------------------------------------------------------------------------|
+| [dependencyCheckAnalyze](configuration.html)       | Runs dependency-check against the project and generates a report.               |
+| dependencyCheckAggregate                           | Runs dependency-check against a multi-project build and generates a report.     |
+| [dependencyCheckUpdate](configuration-update.html) | Updates the local cache of the NVD data from NIST.                              |
+| [dependencyCheckPurge](configuration-purge.html)   | Deletes the local copy of the NVD. This is used to force a refresh of the data. |
 
 Configuration:
 ====================
@@ -25,28 +25,28 @@ apply plugin: 'org.owasp.dependencycheck'
 check.dependsOn dependencyCheckAggregate
 ```
 
-Property             | Description                                                                                                          | Default Value
----------------------|----------------------------------------------------------------------------------------------------------------------|------------------
-autoUpdate           | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.   | true
-analyzedTypes        | The default artifact types that will be analyzed.                                                                    | ['jar', 'aar', 'js', 'war', 'ear', 'zip']
-format               | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                        | HTML
-formats              | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                 | &nbsp;
-junitFailOnCVSS      | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.     | 0
-failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail.  More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)| 11
-failOnError          | Fails the build if an error occurs during the dependency-check analysis.                                             | true
-outputDirectory      | The location to write the report(s). This directory will be located in the build directory.                          | ${buildDir}/reports
-skipTestGroups       | When set to true (the default) all dependency groups that being with 'test' will be skipped.                         | true
-suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;
-suppressionFiles     | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;
-hintsFile            | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                      | &nbsp;
-skip                 | If set to true dependency-check analysis will be skipped.                                                            | false
-skipConfigurations   | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.      | `[]` which means no configuration is skipped.
-scanConfigurations   | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property. | `[]` which implicitly means all configurations are scanned.
-scanProjects         | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property. | `[]` which implicitly means all projects get scanned.
-skipProjects         | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property. | `[]` which means no projects are skipped.
-scanBuildEnv         | A boolean indicating whether to scan the `buildEnv`.                                                                 | false
-scanDependencies     | A boolean indicating whether to scan the `dependencies`.                                                             | true
-scanSet              | A list of directories that will be scanned for additional dependencies.                                              | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod']
+| Property           | Description                                                                                                                                                                                                                                                                                                                               | Default Value                                                                                                                          |
+|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
+| autoUpdate         | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                        | true                                                                                                                                   |
+| analyzedTypes      | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                         | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                                                                                              |
+| format             | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                             | HTML                                                                                                                                   |
+| formats            | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                      | &nbsp;                                                                                                                                 |
+| junitFailOnCVSS    | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                          | 0                                                                                                                                      |
+| failBuildOnCVSS    | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail.  More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                    | 11                                                                                                                                     |
+| failOnError        | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                  | true                                                                                                                                   |
+| outputDirectory    | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                               | ${buildDir}/reports                                                                                                                    |
+| skipTestGroups     | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                              | true                                                                                                                                   |
+| suppressionFile    | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                                                                                                 |
+| suppressionFiles   | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                                                                                                 |
+| hintsFile          | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                 |
+| skip               | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                 | false                                                                                                                                  |
+| skipConfigurations | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                           | `[]` which means no configuration is skipped.                                                                                          |
+| scanConfigurations | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                     | `[]` which implicitly means all configurations are scanned.                                                                            |
+| scanProjects       | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                             | `[]` which implicitly means all projects get scanned.                                                                                  |
+| skipProjects       | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                           | `[]` which means no projects are skipped.                                                                                              |
+| scanBuildEnv       | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                      | false                                                                                                                                  |
+| scanDependencies   | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                  | true                                                                                                                                   |
+| scanSet            | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                   | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] |
 
 #### Example
 ```groovy
@@ -58,13 +58,13 @@ dependencyCheck {
 
 ### Proxy Configuration
 
-Config Group | Property          | Description                                | Default Value
--------------|-------------------|------------------------------------|------------------
-proxy        | server            | The proxy server; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;
-proxy        | port              | The proxy port.                            | &nbsp;
-proxy        | username          | Defines the proxy user name.               | &nbsp;
-proxy        | password          | Defines the proxy password.                | &nbsp;
-proxy        | nonProxyHosts     | The list of hosts that do not use a proxy. | &nbsp;
+| Config Group | Property      | Description                                                                                    | Default Value |
+|--------------|---------------|------------------------------------------------------------------------------------------------|---------------|
+| proxy        | server        | The proxy server; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;        |
+| proxy        | port          | The proxy port.                                                                                | &nbsp;        |
+| proxy        | username      | Defines the proxy user name.                                                                   | &nbsp;        |
+| proxy        | password      | Defines the proxy password.                                                                    | &nbsp;        |
+| proxy        | nonProxyHosts | The list of hosts that do not use a proxy.                                                     | &nbsp;        |
 
 #### Example
 ```groovy
@@ -78,36 +78,36 @@ dependencyCheck {
 
 The following properties can be configured in the dependencyCheck task. However, they are less frequently changed.
 
-Config Group | Property          | Description                                                                                                                                                     | Default Value                                                       |
--------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
-&nbsp;       | suppressionFileUser        | Credentials used for basic authentication for web-hosted suppression files                                                                             | &nbsp; |
-&nbsp;       | suppressionFilePassword    | Credentials used for basic authentication for web-hosted suppression files                                                                             | &nbsp; |
-&nbsp;       | suppressionFileBearerToken | Credentials used for bearer authentication for web-hosted suppression files                                                                            | &nbsp; |
-nvd          | apiKey            | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                             | &nbsp;                                                              |
-nvd          | endpoint          | The NVD API endpoint URL; setting this is uncommon.                                                                                                             | https://services.nvd.nist.gov/rest/json/cves/2.0                    |
-nvd          | maxRetryCount     | The maximum number of retry requests for a single call to the NVD API.                                                                                          | 10                                                                  |
-nvd          | delay             | The number of milliseconds to wait between calls to the NVD API.                                                                                                | 3500 with an NVD API Key or 8000 without an API Key                 |
-nvd          | resultsPerPage    | The number records for a single page from NVD API (must be <=2000).                                                                                             | 2000                                                                |
-nvd          | datafeedUrl       | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp;           |
-nvd          | datafeedUser      | Credentials used for basic authentication for the NVD API Data feed.                                                                                            | &nbsp;                                                              |
-nvd          | datafeedPassword  | Credentials used for basic authentication for the NVD API Data feed.                                                                                            | &nbsp;                                                              |
-nvd          | datafeedBearerToken  | Credentials used for bearer authentication for the NVD API Data feed.                                                                                        | &nbsp;                                                              |
-nvd          | validForHours     | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                               | 4                                                                   |
-data         | directory         | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                        | &nbsp;                                                              |
-data         | driver            | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                    | &nbsp;                                                              |
-data         | driverPath        | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                          | &nbsp;                                                              |
-data         | connectionString  | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                    | &nbsp;                                                              |
-data         | username          | The username used when connecting to the database.                                                                                                              | &nbsp;                                                              |
-data         | password          | The password used when connecting to the database.                                                                                                              | &nbsp;                                                              |
-slack        | enabled               | Whether or not slack notifications are enabled.                                                                   | false
-slack        | webhookUrl            | The custom incoming webhook URL to receive notifications.                                                         | &nbsp;
-hostedSuppressions | enabled         | Whether the hosted suppressions file will be used.                                                                | true
-hostedSuppressions | forceupdate     | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                         | false
-hostedSuppressions | url             | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                 | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
-hostedSuppressions | user            | Credentials used for basic authentication for the hosted suppressions file.                                                                                     | &nbsp;                                                              |
-hostedSuppressions | password        | Credentials used for basic authentication for the hosted suppressions file.                                                                                     | &nbsp;                                                              |
-hostedSuppressions | bearerToken     | Credentials used for bearer authentication for the hosted suppressions file.                                                                                    | &nbsp;                                                              |
-hostedSuppressions | validForHours   | The number of hours to wait before checking for new updates of the hosted suppressions file .                     | 2
+| Config Group       | Property                   | Description                                                                                                                                                       | Default Value                                                                             |
+|--------------------|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| &nbsp;             | suppressionFileUser        | Credentials used for basic authentication for web-hosted suppression files                                                                                        | &nbsp;                                                                                    |
+| &nbsp;             | suppressionFilePassword    | Credentials used for basic authentication for web-hosted suppression files                                                                                        | &nbsp;                                                                                    |
+| &nbsp;             | suppressionFileBearerToken | Credentials used for bearer authentication for web-hosted suppression files                                                                                       | &nbsp;                                                                                    |
+| nvd                | apiKey                     | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                               | &nbsp;                                                                                    |
+| nvd                | endpoint                   | The NVD API endpoint URL; setting this is uncommon.                                                                                                               | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
+| nvd                | maxRetryCount              | The maximum number of retry requests for a single call to the NVD API.                                                                                            | 10                                                                                        |
+| nvd                | delay                      | The number of milliseconds to wait between calls to the NVD API.                                                                                                  | 3500 with an NVD API Key or 8000 without an API Key                                       |
+| nvd                | resultsPerPage             | The number records for a single page from NVD API (must be <=2000).                                                                                               | 2000                                                                                      |
+| nvd                | datafeedUrl                | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data | &nbsp;                                                                                    |
+| nvd                | datafeedUser               | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
+| nvd                | datafeedPassword           | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
+| nvd                | datafeedBearerToken        | Credentials used for bearer authentication for the NVD API Data feed.                                                                                             | &nbsp;                                                                                    |
+| nvd                | validForHours              | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                 | 4                                                                                         |
+| data               | directory                  | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                          | &nbsp;                                                                                    |
+| data               | driver                     | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                      | &nbsp;                                                                                    |
+| data               | driverPath                 | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                            | &nbsp;                                                                                    |
+| data               | connectionString           | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                      | &nbsp;                                                                                    |
+| data               | username                   | The username used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
+| data               | password                   | The password used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
+| slack              | enabled                    | Whether or not slack notifications are enabled.                                                                                                                   | false                                                                                     |
+| slack              | webhookUrl                 | The custom incoming webhook URL to receive notifications.                                                                                                         | &nbsp;                                                                                    |
+| hostedSuppressions | enabled                    | Whether the hosted suppressions file will be used.                                                                                                                | true                                                                                      |
+| hostedSuppressions | forceupdate                | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                                                                         | false                                                                                     |
+| hostedSuppressions | url                        | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                                                                 | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
+| hostedSuppressions | user                       | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
+| hostedSuppressions | password                   | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
+| hostedSuppressions | bearerToken                | Credentials used for bearer authentication for the hosted suppressions file.                                                                                      | &nbsp;                                                                                    |
+| hostedSuppressions | validForHours              | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                     | 2                                                                                         |
 
 #### Example
 ```groovy
@@ -123,80 +123,80 @@ analyzers by configuring the `analyzers` section. Note, specific file type analy
 disable themselves if no file types that they support are detected - so specifically disabling the
 analyzers is likely not needed.
 
-Config Group | Property              | Description                                                                                                       | Default Value
--------------|-----------------------|-------------------------------------------------------------------------------------------------------------------|------------------
-analyzers    | experimentalEnabled   | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used | false
-analyzers    | archiveEnabled        | Sets whether the Archive Analyzer will be used.                                                                   | true
-analyzers    | zipExtensions         | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
-analyzers    | jarEnabled            | Sets whether Jar Analyzer will be used.                                                                           | true
-analyzers    | dartEnabled           | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                              | true
-analyzers    | centralEnabled        | Sets whether Central Analyzer will be used.                                                                                                                                                  | true
-analyzers    | nexusEnabled          | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | false
-analyzers    | nexusUrl              | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
-analyzers    | nexusUsesProxy        | Whether or not the defined proxy should be used when connecting to Nexus.                                         | true
-analyzers    | pyDistributionEnabled | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true. | true
-analyzers    | pyPackageEnabled      | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true. | true
-analyzers    | rubygemsEnabled       | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true. | true
-analyzers    | opensslEnabled        | Sets whether the openssl Analyzer should be used.                                                          | true
-analyzers    | nuspecEnabled         | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                  | true
-analyzers    | nugetconfEnabled      | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true. | true
-analyzers    | assemblyEnabled       | Sets whether the .NET Assembly Analyzer should be used.                                                    | true
-analyzers    | msbuildEnabled        | Sets whether the MS Build Analyzer should be used.                                                         | true
-analyzers    | pathToDotnet          | The path to dotnet core - needed on some systems to analyze .net assemblies.                                      | &nbsp;
-analyzers    | cmakeEnabled          | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | autoconfEnabled       | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | composerEnabled       | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | composerSkipDev       | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev". | false
-analyzers    | cpanEnabled           | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | cocoapodsEnabled      | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | carthageEnabled       | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | swiftEnabled          | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | bundleAuditEnabled    | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | pathToBundleAudit     | The path to bundle audit.                                                                                         | &nbsp;
-analyzers    | golangDepEnabled      | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true. | true
-analyzers    | golangModEnabled      | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true. | true
-analyzers    | pathToGo              | The path to `go`.                                                                                                 | &nbsp;
+| Config Group | Property                    | Description                                                                                                                                                                                  | Default Value |
+|--------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
+| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                        | false         |
+| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                                              | true          |
+| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                             | &nbsp;        |
+| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                                      | true          |
+| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                                         | true          |
+| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used.                                                                                                                                                  | true          |
+| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | false         |
+| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                                          | &nbsp;        |
+| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                    | true          |
+| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                                               | true          |
+| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                                    | true          |
+| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                                      | true          |
+| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                                            | true          |
+| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                    | true          |
+| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                                        | true          |
+| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                      | true          |
+| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                                           | true          |
+| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                                                 | &nbsp;        |
+| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                                           | true          |
+| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true          |
+| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true          |
+| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                                         | false         |
+| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                                                  | true          |
+| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                                       | true          |
+| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true          |
+| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                                           | true          |
+| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true          |
+| analyzers    | bundleAuditEnabled          | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true          |
+| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                                    | &nbsp;        |
+| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true          |
+| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true.                    | true          |
+| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                                            | &nbsp;        |
 
 #### Additional Configuration
 
-Config Group | Property              | Description                                                                                                       | Default Value
--------------|-----------------------|-------------------------------------------------------------------------------------------------------------------|------------------
-artifactory  | enabled               | Sets whether Artifactory analyzer will be used.                                                                   | false
-artifactory  | url                   | The Artifactory server URL.                                                                                       | &nbsp;
-artifactory  | usesProxy             | Whether Artifactory should be accessed through a proxy or not.                                                    | false
-artifactory  | parallelAnalysis      | Whether the Artifactory analyzer should be run in parallel or not.                                                | true
-artifactory  | username              | The user name (only used with API token) to connect to Artifactory instance.                                      | &nbsp;
-artifactory  | apiToken              | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken | &nbsp;
-artifactory  | bearerToken           | The bearer token to connect to Artifactory instance.                                                              | &nbsp;
-kev          | enabled               | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                   | true                                                                                     |
-kev          | url                   | The URL to (a mirror of) the CISA Known Exploited Vulnerabilities JSON data feed.                                 | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json      |
-kev          | user                  | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.            | &nbsp;                                                                                   |
-kev          | password              | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.            | &nbsp;                                                                                   |
-kev          | bearerToken           | Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed.           | &nbsp;                                                                                   |
-kev          | validForHours         | The number of hours to wait before checking for new updates of the hosted suppressions file .                     | 2                                                                                        |
-nodeAudit    | enabled               | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection.               | true
-nodeAudit    | useCache              | Sets whether the Node Audit Analyzer should cache results locally.                                                | true
-nodeAudit    | skipDevDependencies   | Sets whether the Node Audit Analyzer should skip devDependencies.                                                 | false
-nodeAudit    | pnpmEnabled           | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires yarn and an internet connection.      | true
-nodeAudit    | pnpmPath              | Sets the path to the `pnpm` executable.                                                                           | &nbsp;
-nodeAudit    | yarnEnabled           | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection.      | true
-nodeAudit    | yarnPath              | Sets the path to the `yarn` executable.                                                                           | &nbsp;
-nodeAudit    | pnpmEnabled           | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires pnpm and an internet connection.      | true
-nodeAudit    | pnpmPath              | The path to `pnpm`.                                                                                               | &nbsp;
-nodeAudit    | url                   | The node audit API url to use.                                                                                    | &nbsp;
-retirejs     | enabled               | Sets whether the RetireJS Analyzer should be used.                                                                | true
-retirejs     | forceupdate           | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting.                          | false
-retirejs     | retireJsUrl           | The URL to the Retire JS repository.                                                                              | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
-retirejs     | user                  | Credentials used for basic authentication for the Retire JS repository URL.                                       | &nbsp;                                                                                   |
-retirejs     | password              | Credentials used for basic authentication for the Retire JS repository URL.                                       | &nbsp;                                                                                   |
-retirejs     | bearerToken           | Credentials used for bearer authentication for the Retire JS repository URL.                                      | &nbsp;                                                                                   |
-retirejs     | filterNonVulnerable   | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report.                        | false
-retirejs     | filters               | Configures the list of regular expessions used to filter JS files based on content.                               | &nbsp;
-ossIndex     | enabled               | Sets whether [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection. | true
-ossIndex     | username              | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none. | &nbsp;
-ossIndex     | password              | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none. | &nbsp;
-ossIndex     | warnOnlyOnRemoteErrors| Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false
+| Config Group | Property               | Description                                                                                                                                                                                          | Default Value                                                                            |
+|--------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
+| artifactory  | enabled                | Sets whether Artifactory analyzer will be used.                                                                                                                                                      | false                                                                                    |
+| artifactory  | url                    | The Artifactory server URL.                                                                                                                                                                          | &nbsp;                                                                                   |
+| artifactory  | usesProxy              | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                       | false                                                                                    |
+| artifactory  | parallelAnalysis       | Whether the Artifactory analyzer should be run in parallel or not.                                                                                                                                   | true                                                                                     |
+| artifactory  | username               | The user name (only used with API token) to connect to Artifactory instance.                                                                                                                         | &nbsp;                                                                                   |
+| artifactory  | apiToken               | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken | &nbsp;                                                                                   |
+| artifactory  | bearerToken            | The bearer token to connect to Artifactory instance.                                                                                                                                                 | &nbsp;                                                                                   |
+| kev          | enabled                | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                      | true                                                                                     |
+| kev          | url                    | The URL to (a mirror of) the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                    | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json      |
+| kev          | user                   | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                               | &nbsp;                                                                                   |
+| kev          | password               | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                               | &nbsp;                                                                                   |
+| kev          | bearerToken            | Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                              | &nbsp;                                                                                   |
+| kev          | validForHours          | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                                                        | 2                                                                                        |
+| nodeAudit    | enabled                | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection.                                                                                                  | true                                                                                     |
+| nodeAudit    | useCache               | Sets whether the Node Audit Analyzer should cache results locally.                                                                                                                                   | true                                                                                     |
+| nodeAudit    | skipDevDependencies    | Sets whether the Node Audit Analyzer should skip devDependencies.                                                                                                                                    | false                                                                                    |
+| nodeAudit    | pnpmEnabled            | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires yarn and an internet connection.                                                                                         | true                                                                                     |
+| nodeAudit    | pnpmPath               | Sets the path to the `pnpm` executable.                                                                                                                                                              | &nbsp;                                                                                   |
+| nodeAudit    | yarnEnabled            | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection.                                                                                         | true                                                                                     |
+| nodeAudit    | yarnPath               | Sets the path to the `yarn` executable.                                                                                                                                                              | &nbsp;                                                                                   |
+| nodeAudit    | pnpmEnabled            | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires pnpm and an internet connection.                                                                                         | true                                                                                     |
+| nodeAudit    | pnpmPath               | The path to `pnpm`.                                                                                                                                                                                  | &nbsp;                                                                                   |
+| nodeAudit    | url                    | The node audit API url to use.                                                                                                                                                                       | &nbsp;                                                                                   |
+| retirejs     | enabled                | Sets whether the RetireJS Analyzer should be used.                                                                                                                                                   | true                                                                                     |
+| retirejs     | forceupdate            | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting.                                                                                                             | false                                                                                    |
+| retirejs     | retireJsUrl            | The URL to the Retire JS repository.                                                                                                                                                                 | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
+| retirejs     | user                   | Credentials used for basic authentication for the Retire JS repository URL.                                                                                                                          | &nbsp;                                                                                   |
+| retirejs     | password               | Credentials used for basic authentication for the Retire JS repository URL.                                                                                                                          | &nbsp;                                                                                   |
+| retirejs     | bearerToken            | Credentials used for bearer authentication for the Retire JS repository URL.                                                                                                                         | &nbsp;                                                                                   |
+| retirejs     | filterNonVulnerable    | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report.                                                                                                           | false                                                                                    |
+| retirejs     | filters                | Configures the list of regular expessions used to filter JS files based on content.                                                                                                                  | &nbsp;                                                                                   |
+| ossIndex     | enabled                | Sets whether [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection.                                                                 | true                                                                                     |
+| ossIndex     | username               | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none.     | &nbsp;                                                                                   |
+| ossIndex     | password               | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none.                                                                              | &nbsp;                                                                                   |
+| ossIndex     | warnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.                                                     | false                                                                                    |
 
 #### Example
 ```groovy
diff --git a/src/site/markdown/dependency-check-gradle/configuration-purge.md b/src/site/markdown/dependency-check-gradle/configuration-purge.md
index 7b7c4cbf14e..36ca804342b 100644
--- a/src/site/markdown/dependency-check-gradle/configuration-purge.md
+++ b/src/site/markdown/dependency-check-gradle/configuration-purge.md
@@ -1,12 +1,12 @@
 Tasks
 ====================
 
-Task                                                     | Description
----------------------------------------------------------|-----------------------
-[dependencyCheckAnalyze](configuration.html)             | Runs dependency-check against the project and generates a report.
-[dependencyCheckAggregate](configuration-aggregate.html) | Runs dependency-check against a multi-project build and generates a report.
-[dependencyCheckUpdate](configuration-update.html)       | Updates the local cache of the NVD data from NIST.
-dependencyCheckPurge                                     | Deletes the local copy of the NVD. This is used to force a refresh of the data.
+| Task                                                     | Description                                                                     |
+|----------------------------------------------------------|---------------------------------------------------------------------------------|
+| [dependencyCheckAnalyze](configuration.html)             | Runs dependency-check against the project and generates a report.               |
+| [dependencyCheckAggregate](configuration-aggregate.html) | Runs dependency-check against a multi-project build and generates a report.     |
+| [dependencyCheckUpdate](configuration-update.html)       | Updates the local cache of the NVD data from NIST.                              |
+| dependencyCheckPurge                                     | Deletes the local copy of the NVD. This is used to force a refresh of the data. |
 
 Configuration
 ====================
@@ -27,9 +27,9 @@ apply plugin: 'org.owasp.dependencycheck'
 $ gradle dependencyCheckPurge
 ```
 
-Property             | Description                        | Default Value
----------------------|------------------------------------|------------------
-failOnError          | Fails the build if an error occurs during the dependency-check analysis.                                           | true
+| Property    | Description                                                              | Default Value |
+|-------------|--------------------------------------------------------------------------|---------------|
+| failOnError | Fails the build if an error occurs during the dependency-check analysis. | true          |
 
 #### Example
 ```groovy
@@ -42,9 +42,9 @@ dependencyCheck {
 
 The following properties can be configured in the dependencyCheckPurge task. However, they are less frequently changed.
 
-Config Group | Property          | Description                                                                                 | Default Value
--------------|-------------------|---------------------------------------------------------------------------------------------|------------------
-data         | directory         | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.    | &nbsp;
+| Config Group | Property  | Description                                                                              | Default Value |
+|--------------|-----------|------------------------------------------------------------------------------------------|---------------|
+| data         | directory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | &nbsp;        |
 
 #### Example
 ```groovy
diff --git a/src/site/markdown/dependency-check-gradle/configuration-update.md b/src/site/markdown/dependency-check-gradle/configuration-update.md
index d95ec04bb32..9747efd57ed 100644
--- a/src/site/markdown/dependency-check-gradle/configuration-update.md
+++ b/src/site/markdown/dependency-check-gradle/configuration-update.md
@@ -1,12 +1,12 @@
 Tasks
 ====================
 
-Task                                                     | Description
----------------------------------------------------------|-----------------------
-[dependencyCheckAnalyze](configuration.html)             | Runs dependency-check against the project and generates a report.
-[dependencyCheckAggregate](configuration-aggregate.html) | Runs dependency-check against a multi-project build and generates a report.
-dependencyCheckUpdate                                    | Updates the local cache of the NVD data from NIST.
-[dependencyCheckPurge](configuration-purge.html)         | Deletes the local copy of the NVD. This is used to force a refresh of the data.
+| Task                                                     | Description                                                                     |
+|----------------------------------------------------------|---------------------------------------------------------------------------------|
+| [dependencyCheckAnalyze](configuration.html)             | Runs dependency-check against the project and generates a report.               |
+| [dependencyCheckAggregate](configuration-aggregate.html) | Runs dependency-check against a multi-project build and generates a report.     |
+| dependencyCheckUpdate                                    | Updates the local cache of the NVD data from NIST.                              |
+| [dependencyCheckPurge](configuration-purge.html)         | Deletes the local copy of the NVD. This is used to force a refresh of the data. |
 
 Configuration
 ====================
@@ -25,9 +25,9 @@ apply plugin: 'org.owasp.dependencycheck'
 check.dependsOn dependencyCheckUpdate
 ```
 
-Property             | Description                        | Default Value
----------------------|------------------------------------|------------------
-failOnError          | Fails the build if an error occurs during the dependency-check analysis.                                           | true
+| Property    | Description                                                              | Default Value |
+|-------------|--------------------------------------------------------------------------|---------------|
+| failOnError | Fails the build if an error occurs during the dependency-check analysis. | true          |
 
 #### Example
 ```groovy
@@ -38,13 +38,13 @@ dependencyCheck {
 
 ### Proxy Configuration
 
-Config Group | Property          | Description                                | Default Value
--------------|-------------------|--------------------------------------------|------------------
-proxy        | server            | The proxy server; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;
-proxy        | port              | The proxy port.                            | &nbsp;
-proxy        | username          | Defines the proxy user name.               | &nbsp;
-proxy        | password          | Defines the proxy password.                | &nbsp;
-proxy        | nonProxyHosts     | The list of hosts that do not use a proxy. | &nbsp;
+| Config Group | Property      | Description                                                                                    | Default Value |
+|--------------|---------------|------------------------------------------------------------------------------------------------|---------------|
+| proxy        | server        | The proxy server; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;        |
+| proxy        | port          | The proxy port.                                                                                | &nbsp;        |
+| proxy        | username      | Defines the proxy user name.                                                                   | &nbsp;        |
+| proxy        | password      | Defines the proxy password.                                                                    | &nbsp;        |
+| proxy        | nonProxyHosts | The list of hosts that do not use a proxy.                                                     | &nbsp;        |
 
 #### Example
 ```groovy
@@ -58,31 +58,31 @@ dependencyCheck {
 
 The following properties can be configured in the dependencyCheck task. However, they are less frequently changed.
 
-Config Group | Property          | Description                                                                                                                                                     | Default Value                                                       |
--------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
-nvd          | apiKey            | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                             | &nbsp;                                                              |
-nvd          | endpoint          | The NVD API endpoint URL; setting this is uncommon.                                                                                                             | https://services.nvd.nist.gov/rest/json/cves/2.0                    |
-nvd          | maxRetryCount     | The maximum number of retry requests for a single call to the NVD API.                                                                                          | 10                                                                  |
-nvd          | delay             | The number of milliseconds to wait between calls to the NVD API.                                                                                                | 3500 with an NVD API Key or 8000 without an API Key .               |
-nvd          | resultsPerPage    | The number records for a single page from NVD API (must be <=2000).                                                                                             | 2000                                                                |
-nvd          | datafeedUrl       | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp;           |
-nvd          | datafeedUser      | Credentials used for basic authentication for the NVD API Data feed.                                                                                            | &nbsp;                                                              |
-nvd          | datafeedPassword  | Credentials used for basic authentication for the NVD API Data feed.                                                                                            | &nbsp;                                                              |
-nvd          | datafeedBearerToken  | Credentials used for bearer authentication for the NVD API Data feed.                                                                                        | &nbsp;                                                              |
-nvd          | validForHours     | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                               | 4                                                                   |
-data         | directory         | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                        | ~/.gradle/dependency-check-data/                                    |
-data         | driver            | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                    | &nbsp;                                                              |
-data         | driverPath        | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                          | &nbsp;                                                              |
-data         | connectionString  | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                    | &nbsp;                                                              |
-data         | username          | The username used when connecting to the database.                                                                                                              | &nbsp;                                                              |
-data         | password          | The password used when connecting to the database.                                                                                                              | &nbsp;                                                              |
-hostedSuppressions | enabled         | Whether the hosted suppressions file will be used.                                                                                                              | true                                                                |
-hostedSuppressions | forceupdate     | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                                                                       | false                                                               |
-hostedSuppressions | url             | The URL to (a mirror of) the hosted suppressions file.                                                                                                          | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
-hostedSuppressions | user            | Credentials used for basic authentication for the hosted suppressions file.                                                                                     | &nbsp;                                                              |
-hostedSuppressions | password        | Credentials used for basic authentication for the hosted suppressions file.                                                                                     | &nbsp;                                                              |
-hostedSuppressions | bearerToken     | Credentials used for bearer authentication for the hosted suppressions file.                                                                                    | &nbsp;                                                              |
-hostedSuppressions | validForHours   | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                   | 2                                                                   |
+| Config Group       | Property            | Description                                                                                                                                                       | Default Value                                                                             |
+|--------------------|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| nvd                | apiKey              | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                               | &nbsp;                                                                                    |
+| nvd                | endpoint            | The NVD API endpoint URL; setting this is uncommon.                                                                                                               | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
+| nvd                | maxRetryCount       | The maximum number of retry requests for a single call to the NVD API.                                                                                            | 10                                                                                        |
+| nvd                | delay               | The number of milliseconds to wait between calls to the NVD API.                                                                                                  | 3500 with an NVD API Key or 8000 without an API Key .                                     |
+| nvd                | resultsPerPage      | The number records for a single page from NVD API (must be <=2000).                                                                                               | 2000                                                                                      |
+| nvd                | datafeedUrl         | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data | &nbsp;                                                                                    |
+| nvd                | datafeedUser        | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
+| nvd                | datafeedPassword    | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
+| nvd                | datafeedBearerToken | Credentials used for bearer authentication for the NVD API Data feed.                                                                                             | &nbsp;                                                                                    |
+| nvd                | validForHours       | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                 | 4                                                                                         |
+| data               | directory           | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                          | ~/.gradle/dependency-check-data/                                                          |
+| data               | driver              | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                      | &nbsp;                                                                                    |
+| data               | driverPath          | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                            | &nbsp;                                                                                    |
+| data               | connectionString    | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                      | &nbsp;                                                                                    |
+| data               | username            | The username used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
+| data               | password            | The password used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
+| hostedSuppressions | enabled             | Whether the hosted suppressions file will be used.                                                                                                                | true                                                                                      |
+| hostedSuppressions | forceupdate         | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                                                                         | false                                                                                     |
+| hostedSuppressions | url                 | The URL to (a mirror of) the hosted suppressions file.                                                                                                            | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
+| hostedSuppressions | user                | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
+| hostedSuppressions | password            | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
+| hostedSuppressions | bearerToken         | Credentials used for bearer authentication for the hosted suppressions file.                                                                                      | &nbsp;                                                                                    |
+| hostedSuppressions | validForHours       | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                     | 2                                                                                         |
 
 #### Example
 ```groovy
@@ -97,17 +97,17 @@ Cached web datasources for several analyzers are configured inside the `analyzer
 taking relevance also in the update task. In addition to the above, the updateTask can be customized for retrieval
 of these resources by the following analyzer-specific properties underneath the `analyzers` section.
 
- Config Group | Property      | Description                                                                                             | Default Value                                                                            |
---------------|---------------|---------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
- kev          | enabled       | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                         | true                                                                                     |
- kev          | url           | The URL to (a mirror of) the CISA Known Exploited Vulnerabilities JSON data feed.                       | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json      |
- kev          | user          | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.  | &nbsp;                                                                                   |
- kev          | password      | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.  | &nbsp;                                                                                   |
- kev          | bearerToken   | Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed. | &nbsp;                                                                                   |
- kev          | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file .           | 2                                                                                        |
- retirejs     | enabled       | Sets whether the RetireJS Analyzer should be used / the repository be updated.                          | true                                                                                     |
- retirejs     | retireJsUrl   | The URL to the Retire JS repository.                                                                    | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
-retirejs     | user          | Credentials used for basic authentication for the Retire JS repository URL.                             | &nbsp;                                                                                   |
-retirejs     | password      | Credentials used for basic authentication for the Retire JS repository URL.                             | &nbsp;                                                                                   |
-retirejs     | bearerToken   | Credentials used for bearer authentication for the Retire JS repository URL.                            | &nbsp;                                                                                   |
- retirejs     | forceupdate   | Sets whether the Retire JS repository should update regardless of the `autoupdate` setting.             | false                                                                                    |
+| Config Group | Property      | Description                                                                                             | Default Value                                                                            |
+|--------------|---------------|---------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
+| kev          | enabled       | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                         | true                                                                                     |
+| kev          | url           | The URL to (a mirror of) the CISA Known Exploited Vulnerabilities JSON data feed.                       | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json      |
+| kev          | user          | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.  | &nbsp;                                                                                   |
+| kev          | password      | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.  | &nbsp;                                                                                   |
+| kev          | bearerToken   | Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed. | &nbsp;                                                                                   |
+| kev          | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file .           | 2                                                                                        |
+| retirejs     | enabled       | Sets whether the RetireJS Analyzer should be used / the repository be updated.                          | true                                                                                     |
+| retirejs     | retireJsUrl   | The URL to the Retire JS repository.                                                                    | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
+| retirejs     | user          | Credentials used for basic authentication for the Retire JS repository URL.                             | &nbsp;                                                                                   |
+| retirejs     | password      | Credentials used for basic authentication for the Retire JS repository URL.                             | &nbsp;                                                                                   |
+| retirejs     | bearerToken   | Credentials used for bearer authentication for the Retire JS repository URL.                            | &nbsp;                                                                                   |
+| retirejs     | forceupdate   | Sets whether the Retire JS repository should update regardless of the `autoupdate` setting.             | false                                                                                    |
diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md
index 83cc788fb3c..ac1c5fae285 100644
--- a/src/site/markdown/dependency-check-gradle/configuration.md
+++ b/src/site/markdown/dependency-check-gradle/configuration.md
@@ -1,12 +1,12 @@
 Tasks
 ====================
 
-Task                                                     | Description
----------------------------------------------------------|-----------------------
-dependencyCheckAnalyze                                   | Runs dependency-check against the project and generates a report.
-[dependencyCheckAggregate](configuration-aggregate.html) | Runs dependency-check against a multi-project build and generates a report.
-[dependencyCheckUpdate](configuration-update.html)       | Updates the local cache of the NVD data from NIST.
-[dependencyCheckPurge](configuration-purge.html)         | Deletes the local copy of the NVD. This is used to force a refresh of the data.
+| Task                                                     | Description                                                                     |
+|----------------------------------------------------------|---------------------------------------------------------------------------------|
+| dependencyCheckAnalyze                                   | Runs dependency-check against the project and generates a report.               |
+| [dependencyCheckAggregate](configuration-aggregate.html) | Runs dependency-check against a multi-project build and generates a report.     |
+| [dependencyCheckUpdate](configuration-update.html)       | Updates the local cache of the NVD data from NIST.                              |
+| [dependencyCheckPurge](configuration-purge.html)         | Deletes the local copy of the NVD. This is used to force a refresh of the data. |
 
 Configuration:
 ====================
@@ -25,29 +25,29 @@ apply plugin: 'org.owasp.dependencycheck'
 check.dependsOn dependencyCheckAnalyze
 ```
 
-Property                         | Description                                                                                                                                                                                                                                                                                                                               | Default Value
----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------
-autoUpdate                       | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                        | true
-analyzedTypes                    | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                         | ['jar', 'aar', 'js', 'war', 'ear', 'zip']
-format                           | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                             | HTML
-formats                          | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                      | &nbsp;
-junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                          | 0
-failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                     | 11
-failOnError                      | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                  | true
-outputDirectory                  | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                               | ${buildDir}/reports
-skipTestGroups                   | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                              | true
-suppressionFile                  | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;
-suppressionFiles                 | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;
-failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. This is best combined with a Gradle CLI `--warn` arg or `org.gradle.logging.level=warn` property so the unused rules are logged before task failure.                                                                                                         | false
-hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                           | &nbsp;
-skip                             | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                 | false
-skipConfigurations               | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                           | `[]` which means no configuration is skipped.
-scanConfigurations               | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                     | `[]` which implicitly means all configurations get scanned.
-scanProjects                     | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                             | `[]` which implicitly means all projects get scanned.
-skipProjects                     | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                           | `[]` which means no projects are skipped.
-scanBuildEnv                     | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                      | false
-scanDependencies                 | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                  | true
-scanSet                          | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                   | ['src/main/resources','src/main/webapp']
+| Property                         | Description                                                                                                                                                                                                                                                                                                                               | Default Value                                               |
+|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|
+| autoUpdate                       | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                        | true                                                        |
+| analyzedTypes                    | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                         | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                   |
+| format                           | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                             | HTML                                                        |
+| formats                          | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                      | &nbsp;                                                      |
+| junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                          | 0                                                           |
+| failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                     | 11                                                          |
+| failOnError                      | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                  | true                                                        |
+| outputDirectory                  | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                               | ${buildDir}/reports                                         |
+| skipTestGroups                   | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                              | true                                                        |
+| suppressionFile                  | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                      |
+| suppressionFiles                 | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                      |
+| failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. This is best combined with a Gradle CLI `--warn` arg or `org.gradle.logging.level=warn` property so the unused rules are logged before task failure.                                                                                                         | false                                                       |
+| hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                           | &nbsp;                                                      |
+| skip                             | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                 | false                                                       |
+| skipConfigurations               | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                           | `[]` which means no configuration is skipped.               |
+| scanConfigurations               | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                     | `[]` which implicitly means all configurations get scanned. |
+| scanProjects                     | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                             | `[]` which implicitly means all projects get scanned.       |
+| skipProjects                     | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                           | `[]` which means no projects are skipped.                   |
+| scanBuildEnv                     | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                      | false                                                       |
+| scanDependencies                 | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                  | true                                                        |
+| scanSet                          | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                   | ['src/main/resources','src/main/webapp']                    |
 
 #### Example
 ```groovy
@@ -65,36 +65,36 @@ Please see https://docs.gradle.org/current/userguide/build_environment.html#sec:
 
 The following properties can be configured in the dependencyCheck task. However, they are less frequently changed.
 
-Config Group | Property          | Description                                                                                                                                                     | Default Value
--------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------
-&nbsp;       | suppressionFileUser        | Credentials used for basic authentication for web-hosted suppression files                                                                             | &nbsp; |
-&nbsp;       | suppressionFilePassword    | Credentials used for basic authentication for web-hosted suppression files                                                                             | &nbsp; |
-&nbsp;       | suppressionFileBearerToken | Credentials used for bearer authentication for web-hosted suppression files                                                                            | &nbsp; |
-nvd          | apiKey            | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                             | &nbsp;                                                              |
-nvd          | endpoint          | The NVD API endpoint URL; setting this is uncommon.                                                                                                             | https://services.nvd.nist.gov/rest/json/cves/2.0                            |
-nvd          | maxRetryCount     | The maximum number of retry requests for a single call to the NVD API.                                                                                          | 10                                                                  |
-nvd          | delay             | The number of milliseconds to wait between calls to the NVD API.                                                                                                | 3500 with an NVD API Key or 8000 without an API Key                 |
-nvd          | resultsPerPage    | The number records for a single page from NVD API (must be <=2000).                                                                                             | 2000                                                                |
-nvd          | datafeedUrl       | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data | &nbsp;                   |
-nvd          | datafeedUser      | Credentials used for basic authentication for the NVD API Data feed.                                                                                            | &nbsp;                                                              |
-nvd          | datafeedPassword  | Credentials used for basic authentication for the NVD API Data feed.                                                                                            | &nbsp;                                                              |
-nvd          | datafeedBearerToken  | Credentials used for bearer authentication for the NVD API Data feed.                                                                                        | &nbsp;                                                              |
-nvd          | validForHours     | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                               | 4                                                                   |
-data         | directory         | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                        | &nbsp;                                                              |
-data         | driver            | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                    | &nbsp;                                                              |
-data         | driverPath        | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                          | &nbsp;                                                              |
-data         | connectionString  | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                    | &nbsp;                                                              |
-data         | username          | The username used when connecting to the database.                                                                                                              | &nbsp;                                                              |
-data         | password          | The password used when connecting to the database.                                                                                                              | &nbsp;                                                              |
-slack        | enabled               | Whether or not slack notifications are enabled.                                                                   | false
-slack        | webhookUrl            | The custom incoming webhook URL to receive notifications.                                                         | &nbsp;
-hostedSuppressions | enabled         | Whether the hosted suppressions file will be used.                                                                | true
-hostedSuppressions | forceupdate     | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                         | false
-hostedSuppressions | url             | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                 | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
-hostedSuppressions | user            | Credentials used for basic authentication for the hosted suppressions file.                                                                                     | &nbsp;                                                              |
-hostedSuppressions | password        | Credentials used for basic authentication for the hosted suppressions file.                                                                                     | &nbsp;                                                              |
-hostedSuppressions | bearerToken     | Credentials used for bearer authentication for the hosted suppressions file.                                                                                    | &nbsp;                                                              |
-hostedSuppressions | validForHours   | The number of hours to wait before checking for new updates of the hosted suppressions file .                     | 2
+| Config Group       | Property                   | Description                                                                                                                                                       | Default Value                                                                             |
+|--------------------|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| &nbsp;             | suppressionFileUser        | Credentials used for basic authentication for web-hosted suppression files                                                                                        | &nbsp;                                                                                    |
+| &nbsp;             | suppressionFilePassword    | Credentials used for basic authentication for web-hosted suppression files                                                                                        | &nbsp;                                                                                    |
+| &nbsp;             | suppressionFileBearerToken | Credentials used for bearer authentication for web-hosted suppression files                                                                                       | &nbsp;                                                                                    |
+| nvd                | apiKey                     | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                               | &nbsp;                                                                                    |
+| nvd                | endpoint                   | The NVD API endpoint URL; setting this is uncommon.                                                                                                               | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
+| nvd                | maxRetryCount              | The maximum number of retry requests for a single call to the NVD API.                                                                                            | 10                                                                                        |
+| nvd                | delay                      | The number of milliseconds to wait between calls to the NVD API.                                                                                                  | 3500 with an NVD API Key or 8000 without an API Key                                       |
+| nvd                | resultsPerPage             | The number records for a single page from NVD API (must be <=2000).                                                                                               | 2000                                                                                      |
+| nvd                | datafeedUrl                | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data | &nbsp;                                                                                    |
+| nvd                | datafeedUser               | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
+| nvd                | datafeedPassword           | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
+| nvd                | datafeedBearerToken        | Credentials used for bearer authentication for the NVD API Data feed.                                                                                             | &nbsp;                                                                                    |
+| nvd                | validForHours              | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                 | 4                                                                                         |
+| data               | directory                  | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                          | &nbsp;                                                                                    |
+| data               | driver                     | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                      | &nbsp;                                                                                    |
+| data               | driverPath                 | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                            | &nbsp;                                                                                    |
+| data               | connectionString           | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                      | &nbsp;                                                                                    |
+| data               | username                   | The username used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
+| data               | password                   | The password used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
+| slack              | enabled                    | Whether or not slack notifications are enabled.                                                                                                                   | false                                                                                     |
+| slack              | webhookUrl                 | The custom incoming webhook URL to receive notifications.                                                                                                         | &nbsp;                                                                                    |
+| hostedSuppressions | enabled                    | Whether the hosted suppressions file will be used.                                                                                                                | true                                                                                      |
+| hostedSuppressions | forceupdate                | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                                                                         | false                                                                                     |
+| hostedSuppressions | url                        | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                                                                 | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
+| hostedSuppressions | user                       | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
+| hostedSuppressions | password                   | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
+| hostedSuppressions | bearerToken                | Credentials used for bearer authentication for the hosted suppressions file.                                                                                      | &nbsp;                                                                                    |
+| hostedSuppressions | validForHours              | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                     | 2                                                                                         |
 
 #### Example
 ```groovy
@@ -110,81 +110,81 @@ analyzers by configuring the `analyzers` section. Note, specific file type analy
 disable themselves if no file types that they support are detected - so specifically disabling the
 analyzers is likely not needed.
 
-Config Group | Property              | Description                                                                                                                                                                                  | Default Value
--------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------
-analyzers    | experimentalEnabled   | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                        | false
-analyzers    | archiveEnabled        | Sets whether the Archive Analyzer will be used.                                                                                                                                              | true
-analyzers    | zipExtensions         | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                             | &nbsp;
-analyzers    | jarEnabled            | Sets whether Jar Analyzer will be used.                                                                                                                                                      | true
-analyzers    | dartEnabled           | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                                         | true
-analyzers    | centralEnabled        | Sets whether Central Analyzer will be used.                                                                                                                                                  | true
-analyzers    | nexusEnabled          | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | false
-analyzers    | nexusUrl              | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                                          | &nbsp;
-analyzers    | nexusUsesProxy        | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                    | true
-analyzers    | pyDistributionEnabled | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                                               | true
-analyzers    | pyPackageEnabled      | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                                    | true
-analyzers    | rubygemsEnabled       | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                                      | true
-analyzers    | opensslEnabled        | Sets whether the openssl Analyzer should be used.                                                                                                                                            | true
-analyzers    | nuspecEnabled         | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                    | true
-analyzers    | nugetconfEnabled      | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                                        | true
-analyzers    | assemblyEnabled       | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                      | true
-analyzers    | msbuildEnabled        | Sets whether the MS Build Analyzer should be used.                                                                                                                                           | true
-analyzers    | pathToDotnet          | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                                                 | &nbsp;
-analyzers    | cmakeEnabled          | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                                           | true
-analyzers    | autoconfEnabled       | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true
-analyzers    | composerEnabled       | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true
-analyzers    | composerSkipDev       | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                                         | false
-analyzers    | cpanEnabled           | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                                                  | true
-analyzers    | cocoapodsEnabled      | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                                       | true
-analyzers    | carthageEnabled       | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true
-analyzers    | swiftEnabled          | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                                           | true
-analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true
-analyzers    | bundleAuditEnabled    | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true
-analyzers    | pathToBundleAudit     | The path to bundle audit.                                                                                                                                                                    | &nbsp;
-analyzers    | retiredEnabled        | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                             | false
-analyzers    | golangDepEnabled      | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true
-analyzers    | golangModEnabled      | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true.                    | true
-analyzers    | pathToGo              | The path to `go`.                                                                                                                                                                            | &nbsp;
+| Config Group | Property                    | Description                                                                                                                                                                                  | Default Value |
+|--------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
+| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                        | false         |
+| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                                              | true          |
+| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                             | &nbsp;        |
+| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                                      | true          |
+| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                                         | true          |
+| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used.                                                                                                                                                  | true          |
+| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | false         |
+| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                                          | &nbsp;        |
+| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                    | true          |
+| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                                               | true          |
+| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                                    | true          |
+| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                                      | true          |
+| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                                            | true          |
+| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                    | true          |
+| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                                        | true          |
+| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                      | true          |
+| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                                           | true          |
+| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                                                 | &nbsp;        |
+| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                                           | true          |
+| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true          |
+| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true          |
+| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                                         | false         |
+| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                                                  | true          |
+| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                                       | true          |
+| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true          |
+| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                                           | true          |
+| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true          |
+| analyzers    | bundleAuditEnabled          | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true          |
+| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                                    | &nbsp;        |
+| analyzers    | retiredEnabled              | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                             | false         |
+| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true          |
+| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true.                    | true          |
+| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                                            | &nbsp;        |
 
 #### Additional Configuration
 
-Config Group | Property              | Description                                                                                                       | Default Value
--------------|-----------------------|-------------------------------------------------------------------------------------------------------------------|------------------
-artifactory  | enabled               | Sets whether Artifactory analyzer will be used                                                                    | false
-artifactory  | url                   | The Artifactory server URL.                                                                                       | &nbsp;
-artifactory  | usesProxy             | Whether Artifactory should be accessed through a proxy or not.                                                    | false
-artifactory  | parallelAnalysis      | Whether the Artifactory analyzer should be run in parallel or not.                                                | true
-artifactory  | username              | The user name (only used with API token) to connect to Artifactory instance.                                      | &nbsp;
-artifactory  | apiToken              | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken | &nbsp;
-artifactory  | bearerToken           | The bearer token to connect to Artifactory instance                                                               | &nbsp;
-kev          | enabled               | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                   | true                                                                                     |
-kev          | url                   | The URL to (a mirror of) the CISA Known Exploited Vulnerabilities JSON data feed.                                 | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json      |
-kev          | user                  | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.            | &nbsp;                                                                                   |
-kev          | password              | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.            | &nbsp;                                                                                   |
-kev          | bearerToken           | Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed.           | &nbsp;                                                                                   |
-kev          | validForHours         | The number of hours to wait before checking for new updates of the hosted suppressions file .                     | 2                                                                                        |
-nodeAudit    | enabled               | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection.               | true
-nodeAudit    | useCache              | Sets whether the Node Audit Analyzer should cache results locally.                                                | true
-nodeAudit    | skipDevDependencies   | Sets whether the Node Audit Analyzer should skip devDependencies.                                                 | false
-nodeAudit    | pnpmEnabled           | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires yarn and an internet connection.      | true
-nodeAudit    | pnpmPath              | Sets the path to the `pnpm` executable.                                                                           | &nbsp;
-nodeAudit    | yarnEnabled           | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection.      | true
-nodeAudit    | yarnPath              | Sets the path to the `yarn` executable.                                                                           | &nbsp;
-nodeAudit    | pnpmEnabled           | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires pnpm and an internet connection.      | true
-nodeAudit    | pnpmPath              | The path to `pnpm`.                                                                                               | &nbsp;
-nodeAudit    | url                   | The node audit API url to use.                                                                                    | &nbsp;
-retirejs     | enabled               | Sets whether the RetireJS Analyzer should be used.                                                                | true
-retirejs     | forceupdate           | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting.                          | false
-retirejs     | retireJsUrl           | The URL to the Retire JS repository.                                                                              | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
-retirejs     | user                  | Credentials used for basic authentication for the Retire JS repository URL.                                       | &nbsp;                                                                                   |
-retirejs     | password              | Credentials used for basic authentication for the Retire JS repository URL.                                       | &nbsp;                                                                                   |
-retirejs     | bearerToken           | Credentials used for bearer authentication for the Retire JS repository URL.                                      | &nbsp;                                                                                   |
-retirejs     | filterNonVulnerable   | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report.                        | false
-retirejs     | filters               | Configures the list of regular expessions used to filter JS files based on content.                               | &nbsp;
-ossIndex     | enabled               | Sets whether Sonatype's [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection.                                                                  | true
-ossIndex     | username              | The optional user name to connect to Sonatype's OSS Index.                                                        | &nbsp;
-ossIndex     | password              | The optional passwod or API token to connect to Sonatype's OSS Index,                                             | &nbsp;
-ossIndex     | warnOnlyOnRemoteErrors| Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false
+| Config Group | Property               | Description                                                                                                                                                                                          | Default Value                                                                            |
+|--------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
+| artifactory  | enabled                | Sets whether Artifactory analyzer will be used                                                                                                                                                       | false                                                                                    |
+| artifactory  | url                    | The Artifactory server URL.                                                                                                                                                                          | &nbsp;                                                                                   |
+| artifactory  | usesProxy              | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                       | false                                                                                    |
+| artifactory  | parallelAnalysis       | Whether the Artifactory analyzer should be run in parallel or not.                                                                                                                                   | true                                                                                     |
+| artifactory  | username               | The user name (only used with API token) to connect to Artifactory instance.                                                                                                                         | &nbsp;                                                                                   |
+| artifactory  | apiToken               | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken | &nbsp;                                                                                   |
+| artifactory  | bearerToken            | The bearer token to connect to Artifactory instance                                                                                                                                                  | &nbsp;                                                                                   |
+| kev          | enabled                | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                      | true                                                                                     |
+| kev          | url                    | The URL to (a mirror of) the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                    | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json      |
+| kev          | user                   | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                               | &nbsp;                                                                                   |
+| kev          | password               | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                               | &nbsp;                                                                                   |
+| kev          | bearerToken            | Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                              | &nbsp;                                                                                   |
+| kev          | validForHours          | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                                                        | 2                                                                                        |
+| nodeAudit    | enabled                | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection.                                                                                                  | true                                                                                     |
+| nodeAudit    | useCache               | Sets whether the Node Audit Analyzer should cache results locally.                                                                                                                                   | true                                                                                     |
+| nodeAudit    | skipDevDependencies    | Sets whether the Node Audit Analyzer should skip devDependencies.                                                                                                                                    | false                                                                                    |
+| nodeAudit    | pnpmEnabled            | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires yarn and an internet connection.                                                                                         | true                                                                                     |
+| nodeAudit    | pnpmPath               | Sets the path to the `pnpm` executable.                                                                                                                                                              | &nbsp;                                                                                   |
+| nodeAudit    | yarnEnabled            | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection.                                                                                         | true                                                                                     |
+| nodeAudit    | yarnPath               | Sets the path to the `yarn` executable.                                                                                                                                                              | &nbsp;                                                                                   |
+| nodeAudit    | pnpmEnabled            | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires pnpm and an internet connection.                                                                                         | true                                                                                     |
+| nodeAudit    | pnpmPath               | The path to `pnpm`.                                                                                                                                                                                  | &nbsp;                                                                                   |
+| nodeAudit    | url                    | The node audit API url to use.                                                                                                                                                                       | &nbsp;                                                                                   |
+| retirejs     | enabled                | Sets whether the RetireJS Analyzer should be used.                                                                                                                                                   | true                                                                                     |
+| retirejs     | forceupdate            | Sets whether the RetireJS Analyzer should update regardless of the `autoupdate` setting.                                                                                                             | false                                                                                    |
+| retirejs     | retireJsUrl            | The URL to the Retire JS repository.                                                                                                                                                                 | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
+| retirejs     | user                   | Credentials used for basic authentication for the Retire JS repository URL.                                                                                                                          | &nbsp;                                                                                   |
+| retirejs     | password               | Credentials used for basic authentication for the Retire JS repository URL.                                                                                                                          | &nbsp;                                                                                   |
+| retirejs     | bearerToken            | Credentials used for bearer authentication for the Retire JS repository URL.                                                                                                                         | &nbsp;                                                                                   |
+| retirejs     | filterNonVulnerable    | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report.                                                                                                           | false                                                                                    |
+| retirejs     | filters                | Configures the list of regular expessions used to filter JS files based on content.                                                                                                                  | &nbsp;                                                                                   |
+| ossIndex     | enabled                | Sets whether Sonatype's [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection.                                                      | true                                                                                     |
+| ossIndex     | username               | The optional user name to connect to Sonatype's OSS Index.                                                                                                                                           | &nbsp;                                                                                   |
+| ossIndex     | password               | The optional passwod or API token to connect to Sonatype's OSS Index,                                                                                                                                | &nbsp;                                                                                   |
+| ossIndex     | warnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.                                                     | false                                                                                    |
 
 #### Example
 ```groovy

From 5346f806793acfaf6d20ebfd1e2fb0cb29bd4b99 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 24 May 2025 06:51:12 -0400
Subject: [PATCH 045/195] build(deps): bump
 org.apache.httpcomponents.client5:httpclient5 from 5.4.4 to 5.5 (#7659)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index a7dda393f3f..c78c1a91acf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,7 +147,7 @@ Copyright (c) 2012 - Jeremy Long
         <commons-io.version>2.19.0</commons-io.version>
         <commons-lang3.version>3.17.0</commons-lang3.version>
         <commons-text.version>1.13.1</commons-text.version>
-        <httpcomponents.client.version>5.4.4</httpcomponents.client.version>
+        <httpcomponents.client.version>5.5</httpcomponents.client.version>
         <httpcomponents.core.version>5.3.4</httpcomponents.core.version>
         <!-- note that logging will be noisy and broken until we upgrade to 3.2
             See https://issues.apache.org/jira/browse/JCS-232 and

From 3ab1cbb2181029ec7aad528d5e6438e5baba39bd Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 27 May 2025 19:47:06 -0400
Subject: [PATCH 046/195] fix: update CPE pattern to remove FP (#7684)

---
 .../dependencycheck-base-suppression.xml      | 434 +++++++++---------
 1 file changed, 217 insertions(+), 217 deletions(-)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index 518a9329450..bd44cc24669 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -19,7 +19,7 @@
         obvious fp - currently not returning any CVEs
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
-        <cpe>cpe:/a:time_project:time</cpe>
+        <cpe regex="true">cpe:/a:time(_project)?:time</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -33,7 +33,7 @@
         obvious fp - currently not returning any CVEs
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.sonatype\.ossindex/ossindex\-service\-api@.*$</packageUrl>
-        <cpe>cpe:/a:service_project:service</cpe>
+        <cpe regex="true">cpe:/a:service(_project)?:service</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -54,7 +54,7 @@
             fp per #3940
             ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.james/apache\-mime4j\-storage@.*$</packageUrl>
-        <cpe>cpe:/a:storage_project:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
         <cpe>cpe:/a:apache:james</cpe>
     </suppress>
     <suppress base="true">
@@ -136,14 +136,14 @@
 	    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.seleniumhq\.selenium/selenium\-chromium\-driver@.*$</packageUrl>
         <cpe>cpe:/a:chromium:chromium</cpe>
-        <cpe>cpe:/a:chromium_project:chromium</cpe>
+        <cpe regex="true">cpe:/a:chromium(_project)?:chromium</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
 	    FP per #3756
 	    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.geronimo\.specs/geronimo\-ws\-metadata_2\.0_spec@.*$</packageUrl>
-        <cpe>cpe:/a:tad_web_project:tad_web</cpe>
+        <cpe regex="true">cpe:/a:tad_web(_project)?:tad_web</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -157,7 +157,7 @@
 	    FP per #3572
 	    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-i18n@.*$</packageUrl>
-        <cpe>cpe:/a:i18n_project:i18n</cpe>
+        <cpe regex="true">cpe:/a:i18n(_project)?:i18n</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -186,7 +186,7 @@
       	nio-stream-storage is not 'github.com/containers/storage'. see #3273
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.synchronoss\.cloud/nio\-stream\-storage@.*$</packageUrl>
-        <cpe>cpe:/a:storage_project:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -195,14 +195,14 @@
         <gav regex="true">^io\.awspring\.cloud:spring-cloud-.*$</gav>
         <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
         <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
-        <cpe>cpe:/a:context_project:context</cpe>
+        <cpe regex="true">cpe:/a:context(_project)?:context</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #3230
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.github\.x\-stream/mxparser@.*$</packageUrl>
-        <cpe>cpe:/a:xstream_project:xstream</cpe>
+        <cpe regex="true">cpe:/a:xstream(_project)?:xstream</cpe>
         <cpe>cpe:/a:oracle:jdk</cpe>
     </suppress>
     <suppress base="true">
@@ -271,14 +271,14 @@
         FP per #3005
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.google\.apis/google\-api\-services\-sqladmin@.*$</packageUrl>
-        <cpe>cpe:/a:www-sql_project:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #3005
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.google\.cloud\.sql/jdbc\-socket\-factory\-core@.*$</packageUrl>
-        <cpe>cpe:/a:www-sql_project:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -416,7 +416,7 @@
         FP per #2940
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/cross\-env@.*$</packageUrl>
-        <cpe>cpe:/a:crossenv_project:crossenv</cpe>
+        <cpe regex="true">cpe:/a:crossenv(_project)?:crossenv</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -661,65 +661,65 @@
         <cpe>cpe:/a:file_project:file</cpe>
         <cpe>cpe:/a:file:file</cpe>
         <cpe>cpe:/a:shim:shim</cpe>
-        <cpe>cpe:/a:shim_project:shim</cpe>        
-        <cpe>cpe:/a:date_project:date</cpe>
+        <cpe regex="true">cpe:/a:shim(_project)?:shim</cpe>
+        <cpe regex="true">cpe:/a:date(_project)?:date</cpe>
         <cpe>cpe:/a:net_dns:net_dns</cpe>
         <cpe>cpe:/a:nodejs:node.js</cpe>
         <cpe>cpe:/a:nodejs:nodejs</cpe>
-        <cpe>cpe:/a:context_project:context</cpe>
-        <cpe>cpe:/a:mail_project:mail</cpe>
-        <cpe>cpe:/a:ldap_project:ldap</cpe>
-        <cpe>cpe:/a:user_import_project:user_import</cpe>
+        <cpe regex="true">cpe:/a:context(_project)?:context</cpe>
+        <cpe regex="true">cpe:/a:mail(_project)?:mail</cpe>
+        <cpe regex="true">cpe:/a:ldap(_project)?:ldap</cpe>
+        <cpe regex="true">cpe:/a:user_import(_project)?:user_import</cpe>
         <cpe>cpe:/a:root:root</cpe>
-        <cpe>cpe:/a:xmlsec_project:xmlsec</cpe>
-        <cpe>cpe:/a:rest-client_project:rest-client</cpe>
-        <cpe>cpe:/a:hub_project:hub</cpe>
-        <cpe>cpe:/a:views_project:views</cpe>
-        <cpe>cpe:/a:restful_web_services_project:restful_web_services</cpe>
+        <cpe regex="true">cpe:/a:xmlsec(_project)?:xmlsec</cpe>
+        <cpe regex="true">cpe:/a:rest-client(_project)?:rest-client</cpe>
+        <cpe regex="true">cpe:/a:hub(_project)?:hub</cpe>
+        <cpe regex="true">cpe:/a:views(_project)?:views</cpe>
+        <cpe regex="true">cpe:/a:restful_web_services(_project)?:restful_web_services</cpe>
         <cpe>cpe:/a:php:php</cpe>
-        <cpe>cpe:/a:font_project:font</cpe>
-        <cpe>cpe:/a:amazon_aws_project:amazon_aws</cpe>
+        <cpe regex="true">cpe:/a:font(_project)?:font</cpe>
+        <cpe regex="true">cpe:/a:amazon_aws(_project)?:amazon_aws</cpe>
         <cpe>cpe:/a:google:android</cpe>
-        <cpe>cpe:/a:first_project:first</cpe>
+        <cpe regex="true">cpe:/a:first(_project)?:first</cpe>
         <cpe>cpe:/a:interact:interact</cpe>
-        <cpe>cpe:/a:finder_project:finder</cpe>
-        <cpe>cpe:/a:archiver_project:archiver</cpe>
-        <cpe>cpe:/a:r_project:r</cpe>
-        <cpe>cpe:/a:jwt_project:jwt</cpe>
-        <cpe>cpe:/a:git_project:git</cpe>
+        <cpe regex="true">cpe:/a:finder(_project)?:finder</cpe>
+        <cpe regex="true">cpe:/a:archiver(_project)?:archiver</cpe>
+        <cpe regex="true">cpe:/a:r(_project)?:r</cpe>
+        <cpe regex="true">cpe:/a:jwt(_project)?:jwt</cpe>
+        <cpe regex="true">cpe:/a:git(_project)?:git</cpe>
         <cpe>cpe:/a:git:git</cpe>
-        <cpe>cpe:/a:git_for_windows_project:git_for_windows</cpe>
+        <cpe regex="true">cpe:/a:git_for_windows(_project)?:git_for_windows</cpe>
         <cpe>cpe:/a:mono-project:mono</cpe>
         <cpe>cpe:/a:mono:mono</cpe>
-        <cpe>cpe:/a:mono_project:mono</cpe>
-        <cpe>cpe:/a:app_project:app</cpe>
-        <cpe>cpe:/a:json-jwt_project:json-jwt</cpe>
-        <cpe>cpe:/a:zip_project:zip</cpe>
-        <cpe>cpe:/a:echo_project:echo</cpe>
-        <cpe>cpe:/a:util-linux_project:util-linux</cpe>
-        <cpe>cpe:/a:bitmap_project:bitmap</cpe>
-        <cpe>cpe:/a:security-framework_project:security-framework</cpe>
+        <cpe regex="true">cpe:/a:mono(_project)?:mono</cpe>
+        <cpe regex="true">cpe:/a:app(_project)?:app</cpe>
+        <cpe regex="true">cpe:/a:json-jwt(_project)?:json-jwt</cpe>
+        <cpe regex="true">cpe:/a:zip(_project)?:zip</cpe>
+        <cpe regex="true">cpe:/a:echo(_project)?:echo</cpe>
+        <cpe regex="true">cpe:/a:util-linux(_project)?:util-linux</cpe>
+        <cpe regex="true">cpe:/a:bitmap(_project)?:bitmap</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
         <cpe>cpe:/a:next:next</cpe>
         <cpe>cpe:/a:property_pro:property_pro</cpe>
         <cve>CVE-2020-10663</cve>
         <cpe>cpe:/a:facebook:facebook</cpe>
         <cpe>cpe:/a:gitlab:gitlab</cpe>
         <cpe>cpe:/a:delegate:delegate</cpe>
-        <cpe>cpe:/a:thread_project:thread</cpe>
-        <cpe>cpe:/a:data_tools_project:data_tools</cpe>
-        <cpe>cpe:/a:tag_project:tag</cpe>
+        <cpe regex="true">cpe:/a:thread(_project)?:thread</cpe>
+        <cpe regex="true">cpe:/a:data_tools(_project)?:data_tools</cpe>
+        <cpe regex="true">cpe:/a:tag(_project)?:tag</cpe>
         <cpe>cpe:/a:kubernetes:kubernetes</cpe>
-        <cpe>cpe:/a:websockets_project:websockets</cpe>
-        <cpe>cpe:/a:cron_project:cron</cpe>
-        <cpe>cpe:/a:html2pdf_project:html2pdf</cpe>
-        <cpe>cpe:/a:shadow_project:shadow</cpe>
+        <cpe regex="true">cpe:/a:websockets(_project)?:websockets</cpe>
+        <cpe regex="true">cpe:/a:cron(_project)?:cron</cpe>
+        <cpe regex="true">cpe:/a:html2pdf(_project)?:html2pdf</cpe>
+        <cpe regex="true">cpe:/a:shadow(_project)?:shadow</cpe>
         <cpe>cpe:/a:cde:cde</cpe>
         <cpe>cpe:/a:docker:docker</cpe>
         <cpe>cpe:/a:travis-ci:travis_ci</cpe>
-        <cpe>cpe:/a:storage_project:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
         <cpe>cpe:/a:pivotal_software:rabbitmq</cpe>
-        <cpe>cpe:/a:saml_project:saml</cpe>
-        <cpe>cpe:/a:yaml_project:yaml</cpe>
+        <cpe regex="true">cpe:/a:saml(_project)?:saml</cpe>
+        <cpe regex="true">cpe:/a:yaml(_project)?:yaml</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -747,7 +747,7 @@
         ]]></notes>
         <filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)$</filePath>
         <cpe>cpe:/a:dash:dash</cpe>
-        <cpe>cpe:/a:mustache.js_project:mustache.js</cpe>
+        <cpe  regex="true">cpe:/a:mustache.js(_project)?:mustache.js</cpe>
         <cpe>cpe:/a:microsoft:active_directory</cpe>
         <cpe>cpe:/a:microsoft:active_directory_federation_services</cpe>
         <cpe>cpe:/a:microsoft:active_directory_services</cpe>
@@ -756,14 +756,14 @@
         <cpe>cpe:/a:python:python</cpe>
         <cpe>cpe:/a:python_software_foundation:python</cpe>
         <cve>CVE-2017-16046</cve>
-        <cpe>cpe:/a:sqlserver_project:sqlserver</cpe>
+        <cpe  regex="true">cpe:/a:sqlserver(_project)?:sqlserver</cpe>
         <cpe>cpe:/a:auth0:auth0</cpe>
         <cpe>cpe:/a:github:github</cpe>
-        <cpe>cpe:/a:data-tools_project:data_tools</cpe>
-        <cpe>cpe:/a:flow_project:flow</cpe>
+        <cpe regex="true">cpe:/a:data-tools(_project)?:data_tools</cpe>
+        <cpe regex="true">cpe:/a:flow(_project)?:flow</cpe>
         <cpe>cpe:/a:ghost:ghost</cpe>
-        <cpe>cpe:/a:ws_project:ws</cpe>
-        <cpe>cpe:/a:i18n_project:i18n</cpe>
+        <cpe regex="true">cpe:/a:ws(_project)?:ws</cpe>
+        <cpe regex="true">cpe:/a:i18n(_project)?:i18n</cpe>
         <cpe>cpe:/a:redis:redis</cpe>
         <cpe>cpe:/a:perl:perl</cpe>
     </suppress>
@@ -772,7 +772,7 @@
         Suppresses false positives per #2511
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.vaadin/vaadin\-sass\-compiler@.*$</packageUrl>
-        <cpe>cpe:/a:compile-sass_project:compile-sass</cpe>
+        <cpe regex="true">cpe:/a:compile-sass(_project)?:compile-sass</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -793,7 +793,7 @@
         Suppresses false positives
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/rc@.*$</packageUrl>
-        <cpe>cpe:/a:rc_project:rc</cpe>
+        <cpe regex="true">cpe:/a:rc(_project)?:rc</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -843,7 +843,7 @@
         Suppresses false positive per #3827 - this library is not the github.com/containers/storage project
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.smallrye/smallrye\-context\-propagation\-storage@.*$</packageUrl>
-        <cpe>cpe:/a:storage_project:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -902,7 +902,7 @@
         Suppresses false positives per issue #1614.
         ]]></notes>
         <gav regex="true">^eu\.bitwalker:UserAgentUtils:.*$</gav>
-        <cpe>cpe:/a:useragent_project:useragent</cpe>
+        <cpe regex="true">cpe:/a:useragent(_project)?:useragent</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -930,7 +930,7 @@
         Suppresses false positives per issue #1590
         ]]></notes>
         <gav regex="true">^com\.cybersource:flex-server-sdk:.*$</gav>
-        <cpe>cpe:/a:flex_project:flex</cpe>
+        <cpe regex="true">cpe:/a:flex(_project)?:flex</cpe>
         <cpe>cpe:/a:id:id-software</cpe>
     </suppress>
     <suppress base="true">
@@ -952,7 +952,7 @@
         Suppresses false positives per issue #1587
         ]]></notes>
         <gav regex="true">^org\.apache\.felix:org\.apache\.felix\.configadmin:.*$</gav>
-        <cpe>cpe:/a:cm_project:cm</cpe>
+        <cpe regex="true">cpe:/a:cm(_project)?:cm</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1002,7 +1002,7 @@
         FP per #2768
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.evolvis\.tartools/rfc822@.*$</packageUrl>
-        <cpe>cpe:/a:man-cgi_project:man-cgi</cpe>
+        <cpe regex="true">cpe:/a:man-cgi(_project)?:man-cgi</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1111,7 +1111,7 @@
         Suppresses false positives per issue #1587
         ]]></notes>
         <gav regex="true">^com\.liferay:org\.apache\.felix\.configadmin:.*$</gav>
-        <cpe>cpe:/a:cm_project:cm</cpe>
+        <cpe regex="true">cpe:/a:cm(_project)?:cm</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1269,14 +1269,14 @@
         Suppresses false positives per issue #2865
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
-        <cpe>cpe:/a:http_authentication_library_project:http_authentication_library</cpe>
+        <cpe regex="true">cpe:/a:http_authentication_library(_project)?:http_authentication_library</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         Suppresses false positives per issue #2896
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
-        <cpe>cpe:/a:http_authentication_library_project:http_authentication_library</cpe>
+        <cpe regex="true">cpe:/a:http_authentication_library(_project)?:http_authentication_library</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1398,7 +1398,7 @@
         FP per #872
         ]]></notes>
         <packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.AspNetCore\.JsonPatch@.*$</packageUrl>
-        <cpe>cpe:/a:json-patch_project:json-patch</cpe>
+        <cpe regex="true">cpe:/a:json-patch(_project)?:json-patch</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1419,21 +1419,21 @@
         FP per #1485
         ]]></notes>
         <gav regex="true">^org\.sonatype\.plexus:plexus-sec-dispatcher:.*$</gav>
-        <cpe>cpe:/a:sec_project:sec</cpe>
+        <cpe regex="true">cpe:/a:sec(_project)?:sec</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1479
         ]]></notes>
         <gav regex="true">^com.amazonaws:aws-java-sdk-simpleworkflow:.*$</gav>
-        <cpe>cpe:/a:flow_project:flow</cpe>
+        <cpe regex="true">cpe:/a:flow(_project)?:flow</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1479
         ]]></notes>
         <gav regex="true">^com.amazonaws:aws-java-sdk-swf-libraries:.*$</gav>
-        <cpe>cpe:/a:flow_project:flow</cpe>
+        <cpe regex="true">cpe:/a:flow(_project)?:flow</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1631,7 +1631,7 @@
         FP found when researching #1091
         ]]></notes>
         <gav regex="true">^com\.nimbusds:nimbus-jose-jwt:.*$</gav>
-        <cpe>cpe:/a:jwt_project:jwt</cpe>
+        <cpe regex="true">cpe:/a:jwt(_project)?:jwt</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1700,7 +1700,7 @@
         Suppresses false positives for components within guava.
         ]]></notes>        
         <packageUrl regex="true">^pkg:maven/com\.h3xstream\.retirejs/retirejs\-core@.*$</packageUrl>
-        <cpe>cpe:/a:xstream_project:xstream</cpe>
+        <cpe regex="true">cpe:/a:xstream(_project)?:xstream</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1895,7 +1895,7 @@
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.gagravarr/vorbis\-java\-tika@.*$</packageUrl>
         <cpe>cpe:/a:apache:tika</cpe>
-        <cpe>cpe:/a:flac_project:flac</cpe>
+        <cpe regex="true">cpe:/a:flac(_project)?:flac</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1975,7 +1975,7 @@
         FP per #1659
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.ops4j\.pax\..*$</packageUrl>
-        <cpe>cpe:/a:pax_project:pax</cpe>
+        <cpe regex="true">cpe:/a:pax(_project)?:pax</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2030,7 +2030,7 @@
         <cpe>cpe:/a:apache:apache_http_server</cpe>
         <cpe>cpe:/a:apache:directory_studio</cpe>
         <cpe>cpe:/a:apache:ldap_studio</cpe>
-        <cpe>cpe:/a:net-ldap_project:net-ldap</cpe>
+        <cpe regex="true">cpe:/a:net-ldap(_project)?:net-ldap</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2228,8 +2228,8 @@
         Grizzly is not Async Http Client
         ]]></notes>
         <gav regex="true">^org\.glassfish\.grizzly:grizzly-http-client:.*$</gav>
-        <cpe>cpe:/a:async-http-client_project:async-http-client</cpe>
-        <cpe>cpe:/a:asynchttpclient_project:async-http-client</cpe>
+        <cpe regex="true">cpe:/a:async-http-client(_project)?:async-http-client</cpe>
+        <cpe regex="true">cpe:/a:asynchttpclient(_project)?:async-http-client</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2371,7 +2371,7 @@
         FP per #3829 the eclipse Microprofile config file provider project is not the Jenkins config file provider plugin
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/.*@.*$</packageUrl>
-        <cpe>cpe:/a:config_file_provider_project:config_file_provider</cpe>
+        <cpe regex="true">cpe:/a:config_file_provider(_project)?:config_file_provider</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2393,8 +2393,8 @@
         Pyro is a python project.
         ]]></notes>
         <filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
-        <cpe>cpe:/a:services_project:services</cpe>
-        <cpe>cpe:/a:pyro_project:pyro</cpe>
+        <cpe regex="true">cpe:/a:services(_project)?:services</cpe>
+        <cpe regex="true">cpe:/a:pyro(_project)?:pyro</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2422,7 +2422,7 @@
         false positive per issue #777
         ]]></notes>
         <gav regex="true">^org\.glassfish\.jersey\.ext:jersey-metainf-services:.*$</gav>
-        <cpe>cpe:/a:services_project:services:</cpe>
+        <cpe regex="true">cpe:/a:services(_project)?:services:</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2480,17 +2480,17 @@
         False positives per issue #2873
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/faye\-websocket@.*$</packageUrl>
-        <cpe>cpe:/a:faye_project:faye</cpe>
+        <cpe regex="true">cpe:/a:faye(_project)?:faye</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         Node.js false positives per issues #512 and #510
         ]]></notes>
         <filePath regex="true">.*package\.json$</filePath>
-        <cpe>cpe:/a:file_project:file</cpe>
+        <cpe regex="true">cpe:/a:file(_project)?:file</cpe>
         <cpe>cpe:/a:file:file</cpe>
         <cpe>cpe:/a:shim:shim</cpe>
-        <cpe>cpe:/a:shim_project:shim</cpe>
+        <cpe regex="true">cpe:/a:shim(_project)?:shim</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2667,14 +2667,14 @@
         <filePath regex="true">.*activerecord.*oracle.*\.gemspec</filePath>
         <cpe>cpe:/a:ruby-i18n:i18n</cpe>
         <cpe>cpe:/a:mikel_lindsaar:mail</cpe>
-        <cpe>cpe:/a:rest-client_project:rest-client</cpe>
+        <cpe regex="true">cpe:/a:rest-client(_project)?:rest-client</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         false positives per issue #915
         ]]></notes>
         <gav regex="true">^net\.thisptr:jackson-jq:.*$</gav>
-        <cpe>cpe:/a:jq_project:jq</cpe>
+        <cpe regex="true">cpe:/a:jq(_project)?:jq</cpe>
         <cpe>cpe:/a:id:id-software</cpe>
     </suppress>
     <suppress base="true">
@@ -2713,7 +2713,7 @@
         false positives per issue #915
         ]]></notes>
         <gav regex="true">^javax\.validation:validation-api:.*$</gav>
-        <cpe>cpe:/a:bean_project:bean</cpe>
+        <cpe regex="true">cpe:/a:bean(_project)?:bean</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2727,49 +2727,49 @@
         FP per #1398
         ]]></notes>
         <gav regex="true">^net\.lingala\.zip4j:zip4j:.*$</gav>
-        <cpe>cpe:/a:zip_project:zip</cpe>
+        <cpe regex="true">cpe:/a:zip(_project)?:zip</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1398
         ]]></notes>
         <gav regex="true">^net\.java\.truevfs:truevfs-comp-zip:.*$</gav>
-        <cpe>cpe:/a:zip_project:zip</cpe>
+        <cpe regex="true">cpe:/a:zip(_project)?:zip</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1398
         ]]></notes>
         <gav regex="true">^net\.java\.truevfs:truevfs-driver-zip:.*$</gav>
-        <cpe>cpe:/a:zip_project:zip</cpe>
+        <cpe regex="true">cpe:/a:zip(_project)?:zip</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1424
         ]]></notes>
         <gav regex="true">^stax:stax-api:.*$</gav>
-        <cpe>cpe:/a:st_project:st</cpe>
+        <cpe regex="true">cpe:/a:st(_project)?:st</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         false positive per issue #894
         ]]></notes>
         <gav regex="true">^org\.apache\.pdfbox:fontbox:.*$</gav>
-        <cpe>cpe:/a:font_project:font</cpe>
+        <cpe regex="true">cpe:/a:font(_project)?:font</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         false positive per issue #1093
         ]]></notes>
         <gav regex="true">^com\.itextpdf:font-asian:.*$</gav>
-        <cpe>cpe:/a:font_project:font</cpe>
+        <cpe regex="true">cpe:/a:font(_project)?:font</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         false positive per issue #859
         ]]></notes>
         <gav regex="true">^org\.kohsuke:github-api:.*$</gav>
-        <cpe>cpe:/a:hub_project:hub</cpe>
+        <cpe regex="true">cpe:/a:hub(_project)?:hub</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2783,22 +2783,22 @@
         False positive per issue #1068
         ]]></notes>
         <gav regex="true">^org\.asynchttpclient:netty-codec-dns:.*$</gav>
-        <cpe>cpe:/a:dns-sync_project:dns-sync</cpe>
+        <cpe regex="true">cpe:/a:dns-sync(_project)?:dns-sync</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         False positive per issue #1068
         ]]></notes>
         <gav regex="true">^org\.asynchttpclient:async-http-client-netty-utils:.*$</gav>
-        <cpe>cpe:/a:async-http-client_project:async-http-client</cpe>
-        <cpe>cpe:/a:asynchttpclient_project:async-http-client</cpe>
+        <cpe regex="true">cpe:/a:async-http-client(_project)?:async-http-client</cpe>
+        <cpe regex="true">cpe:/a:asynchttpclient(_project)?:async-http-client</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         False positive per issue #1068
         ]]></notes>   
         <gav regex="true">^org\.asynchttpclient:netty-resolver-dns:.*$</gav>
-        <cpe>cpe:/a:dns-sync_project:dns-sync</cpe>
+        <cpe regex="true">cpe:/a:dns-sync(_project)?:dns-sync</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2827,7 +2827,7 @@
         file name: xbean-finder-3.11.1.jar
         ]]></notes>
         <gav regex="true">^org\.apache\.xbean:xbean-finder:.*$</gav>
-        <cpe>cpe:/a:finder_project:finder</cpe>
+        <cpe regex="true">cpe:/a:finder(_project)?:finder</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2841,7 +2841,7 @@
         false positive per issue #871
         ]]></notes>
         <gav regex="true">^org\.sonatype\..*$</gav>
-        <cpe>cpe:/a:spice_project:spice</cpe>
+        <cpe regex="true">cpe:/a:spice(_project)?:spice</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2862,7 +2862,7 @@
         file name: jersey-core-1.11.jar
         ]]></notes>
         <gav regex="true">^com\.sun\.jersey:jersey-core:.*$</gav>
-        <cpe>cpe:/a:restful_web_services_project:restful_web_services</cpe>
+        <cpe regex="true">cpe:/a:restful_web_services(_project)?:restful_web_services</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2948,8 +2948,8 @@
         FP on sttp for http-client
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.softwaremill\.sttp.*$</packageUrl>
-        <cpe>cpe:/a:async-http-client_project:async-http-client</cpe>
-        <cpe>cpe:/a:asynchttpclient_project:async-http-client</cpe>
+        <cpe regex="true">cpe:/a:async-http-client(_project)?:async-http-client</cpe>
+        <cpe regex="true">cpe:/a:asynchttpclient(_project)?:async-http-client</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3035,7 +3035,7 @@
         FP per issue #1003
         ]]></notes>   
         <gav regex="true">^org\.mapstruct:mapstruct:.*$</gav>
-        <cpe>cpe:/a:bean_project:bean</cpe>
+        <cpe regex="true">cpe:/a:bean(_project)?:bean</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3110,7 +3110,7 @@
         general FP cleanup: com.amazonaws is a drupal project
         ]]></notes>
         <gav regex="true">^com\.amazonaws:jmespath-java:.*$</gav>
-        <cpe>cpe:/a:amazon_aws_project:amazon_aws</cpe>
+        <cpe regex="true">cpe:/a:amazon_aws(_project)?:amazon_aws</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3204,14 +3204,14 @@
         general FP cleanup
         ]]></notes>
         <gav regex="true">^org\.codehaus\.plexus:plexus-utils:.*$</gav>
-        <cpe>cpe:/a:spice_project:spice</cpe>
+        <cpe regex="true">cpe:/a:spice(_project)?:spice</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP #1064
         ]]></notes>
         <gav regex="true">^org\.projectlombok:lombok:.*$</gav>
-        <cpe>cpe:/a:spice_project:spice</cpe>
+        <cpe regex="true">cpe:/a:spice(_project)?:spice</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3596,7 +3596,7 @@
         caused by cpe:/a:gpg-pgp_project::gpg-pgp and cpe:/a:openpgp:openpgp
         ]]></notes>
         <gav regex="true">^name\.neuhalfen\.projects\.crypto\.bouncycastle\.openpgp:bouncy-gpg:.*$</gav>
-        <cpe>cpe:/a:gpg-pgp_project::gpg-pgp</cpe>
+        <cpe regex="true">cpe:/a:gpg-pgp(_project)?::gpg-pgp</cpe>
         <cpe>cpe:/a:openpgp:openpgp</cpe>
     </suppress>
     <suppress base="true">
@@ -3665,7 +3665,7 @@
         false positive per #3271 on org.apache.sis.storage
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.sis\.storage/sis\-.*$</packageUrl>
-        <cpe>cpe:/a:storage_project:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3695,7 +3695,7 @@
         false positive per #3284 on com.amazonaws:aws-java-sdk-storagegateway
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-storagegateway@.*$</packageUrl>
-        <cpe>cpe:/a:storage_project:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3837,14 +3837,14 @@
         suppress false CPE for mssql-on-azure backend for django #3500
         ]]></notes>
         <packageUrl regex="true">^pkg:pypi/mssql\-django@.*$</packageUrl>
-        <cpe>cpe:/a:django_project:django</cpe>
+        <cpe regex="true">cpe:/a:django(_project)?:django</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: fast-uuid-0.1.jar #3336
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.eatthepath/fast\-uuid@.*$</packageUrl>
-        <cpe>cpe:/a:fast_ber_project:fast_ber</cpe>
+        <cpe regex="true">cpe:/a:fast_ber(_project)?:fast_ber</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3920,42 +3920,42 @@
         file name: 'DateTime::Format::MySQL', '0.04'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/DateTime%3A%3AFormat/MySQL@.*$</packageUrl>
-        <cpe>cpe:/a:www-sql_project:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'MARC::File::XML', '1.0.1'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/MARC%3A%3AFile.*$</packageUrl>
-        <cpe>cpe:/a:file_project:file</cpe>
+        <cpe regex="true">cpe:/a:file(_project)?:file</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'File::Spec', '0'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/(IO%3A%3A)?File.*$</packageUrl>
-        <cpe>cpe:/a:file_project:file</cpe>
+        <cpe regex="true">cpe:/a:file(_project)?:file</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'SQL::Abstract', '0'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/SQL/.*$</packageUrl>
-        <cpe>cpe:/a:www-sql_project:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'DBIx::Class::InflateColumn::DateTime', '0'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/.*DateTime.*$</packageUrl>
-        <cpe>cpe:/a:time_project:time</cpe>
+        <cpe regex="true">cpe:/a:time(_project)?:time</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'Dist::Zilla::Plugin::Git::NextVersion', '1.120370'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/Dist%3A%3AZilla%3A%3APlugin%3A%3AGit.*$</packageUrl>
-        <cpe>cpe:/a:git_project:git</cpe>
+        <cpe regex="true">cpe:/a:git(_project)?:git</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4111,7 +4111,7 @@
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-boringssl-static@.*$</packageUrl>
         <cpe>cpe:/a:chromium:chromium</cpe>
-        <cpe>cpe:/a:chromium_project:chromium</cpe>
+        <cpe regex="true">cpe:/a:chromium(_project)?:chromium</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4190,7 +4190,7 @@
         FP per issue #4227 simple-xml-safe is a security-patched fork of the unmaintained simple-xml
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.carrotsearch\.thirdparty/simple-xml-safe@.*$</packageUrl>
-        <cpe>cpe:/a:simplexml_project:simplexml</cpe>
+        <cpe regex="true">cpe:/a:simplexml(_project)?:simplexml</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4241,7 +4241,7 @@
    	    FP per issue #4368, #4384, #4369 async_project:async is an npm package
    	    ]]></notes>
         <packageUrl regex="true">^pkg:maven/.*async.*@.*$</packageUrl>
-        <cpe>cpe:/a:async_project:async</cpe>
+        <cpe regex="true">cpe:/a:async(_project)?:async</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4295,7 +4295,7 @@
         <packageUrl regex="true">^pkg:maven/org\.pac4j/ratpack\-pac4j@.*$</packageUrl>
         <cpe>cpe:/a:pac4j:pac4j</cpe>
         <cpe>cpe:/a:ratpack:ratpack</cpe>
-        <cpe>cpe:/a:ratpack_project:ratpack</cpe>
+        <cpe regex="true">cpe:/a:ratpack(_project)?:ratpack</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4432,7 +4432,7 @@
         FP per issue #4518; http-swagger is a SwagGo Go-librarie, not one of the swagger.io libraries
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.swagger/.*$</packageUrl>
-        <cpe>cpe:/a:http-swagger_project:http-swagger</cpe>
+        <cpe regex="true">cpe:/a:http-swagger(_project)?:http-swagger</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4446,7 +4446,7 @@
         FP per issue #4554; archiver_project:archiver is a go-module, not the NPM package
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/archiver@.*$</packageUrl>
-        <cpe>cpe:/a:archiver_project:archiver</cpe>
+        <cpe regex="true">cpe:/a:archiver(_project)?:archiver</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4532,7 +4532,7 @@
         <cpe>cpe:/a:pivotal_software:spring_security</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
         <cpe>cpe:/a:vmware:springsource_spring_security</cpe>
-        <cpe>cpe:/a:security-framework_project:security-framework</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4542,7 +4542,7 @@
         <cpe>cpe:/a:vmware:springsource_spring_security</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
         <cpe>cpe:/a:pivotal_software:spring_security</cpe>
-        <cpe>cpe:/a:security-framework_project:security-framework</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4551,7 +4551,7 @@
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-jwt@.*$</packageUrl>
         <cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
         <cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
-        <cpe>cpe:/a:jwt_project:jwt</cpe>
+        <cpe regex="true">cpe:/a:jwt(_project)?:jwt</cpe>
     </suppress>
 
     <suppress base="true">
@@ -4559,7 +4559,7 @@
         FP per issue #4576; spring-security-saml2-core is an (end-of-life) extension project separate from spring-security https://github.com/spring-projects/spring-security-saml
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.extensions/spring-security-saml2-core@.*$</packageUrl>
-        <cpe>cpe:/a:saml_project:saml</cpe>
+        <cpe regex="true">cpe:/a:saml(_project)?:saml</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
     </suppress>
     <suppress base="true">
@@ -4570,7 +4570,7 @@
         <cpe>cpe:/a:pivotal_software:spring_security</cpe>
         <cpe>cpe:/a:vmware:springsource_spring_security</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
-        <cpe>cpe:/a:security-framework_project:security-framework</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4580,7 +4580,7 @@
         <cpe>cpe:/a:pivotal_software:spring_security</cpe>
         <cpe>cpe:/a:vmware:springsource_spring_security</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
-        <cpe>cpe:/a:security-framework_project:security-framework</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
     </suppress>
 
     <suppress base="true">
@@ -4755,7 +4755,7 @@
         False positives per issue #642
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework/spring-context@.*$</packageUrl>
-        <cpe>cpe:/a:context_project:context</cpe>
+        <cpe regex="true">cpe:/a:context(_project)?:context</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4769,7 +4769,7 @@
         False positive per issue #700 and #3579
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring-cloud-.*$</packageUrl>
-        <cpe>cpe:/a:context_project:context</cpe>
+        <cpe regex="true">cpe:/a:context(_project)?:context</cpe>
         <cpe>cpe:/a:pivotal_software:spring_batch</cpe>
     </suppress>
     <suppress base="true">
@@ -4801,7 +4801,7 @@
         spring ldap cleanup per issue #1060
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.ldap/spring-ldap-core@.*$</packageUrl>
-        <cpe>cpe:/a:net-ldap_project:net-ldap</cpe>
+        <cpe regex="true">cpe:/a:net-ldap(_project)?:net-ldap</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4909,7 +4909,7 @@
         FP because cpe make reference to IonicaBizau/parse-url dependency
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/parseurl@.*$</packageUrl>
-        <cpe>cpe:/a:parse-url_project:parse-url</cpe>
+        <cpe regex="true">cpe:/a:parse-url(_project)?:parse-url</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4930,14 +4930,14 @@
         FP per issue #4852
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-kickstart@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4803
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/net\.sourceforge\.htmlunit/htmlunit-cssparser@.*$</packageUrl>
-        <cpe>cpe:/a:htmlunit_project:htmlunit</cpe>
+        <cpe regex="true">cpe:/a:htmlunit(_project)?:htmlunit</cpe>
     </suppress>
 
     <suppress base="true">
@@ -4945,49 +4945,49 @@
         FP per issue #4853
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-servlet@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4859
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4851
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java/graphql-java-extended-scalars@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4860
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support-api@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4862
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.github\.graphql-java/graphql-java-annotations@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4863
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java/java-dataloader@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4854
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-tools@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5099,7 +5099,7 @@
         FP per issue #4907
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/net\.minidev/accessors-smart@.*$</packageUrl>
-        <cpe>cpe:/a:json-smart_project:json-smart-v1</cpe>
+        <cpe regex="true">cpe:/a:json-smart(_project)?:json-smart-v1</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5134,7 +5134,7 @@
         FP per issue #4962
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.github\.pagehelper/pagehelper-spring-boot-starter@.*$</packageUrl>
-        <cpe>cpe:/a:pagehelper_project:pagehelper</cpe>
+        <cpe regex="true">cpe:/a:pagehelper(_project)?:pagehelper</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5190,7 +5190,7 @@
         FP per issue #2575, #4820
         ]]></notes>
         <packageUrl regex="true">^pkg:cocoapods/GoogleUtilities%2FAppDelegateSwizzler@.*$</packageUrl>
-        <cpe>cpe:/a:app_project:app</cpe>
+        <cpe regex="true">cpe:/a:app(_project)?:app</cpe>
         <cpe>cpe:/a:delegate:delegate</cpe>
     </suppress>
     <suppress base="true">
@@ -5224,7 +5224,7 @@
            FP per issue https://github.com/dependency-check/DependencyCheck/issues/5060
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.msgpack/.*@.*$</packageUrl>
-        <cpe>cpe:/a:messagepack_project:messagepack</cpe>
+        <cpe regex="true">cpe:/a:messagepack(_project)?:messagepack</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5357,21 +5357,21 @@
         FP per issue #4693
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.zipkin\.reporter2/zipkin-reporter@.*$</packageUrl>
-        <cpe>cpe:/a:pki-core_project:pki-core</cpe>
+        <cpe regex="true">cpe:/a:pki-core(_project)?:pki-core</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4692
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.zipkin\.zipkin2/zipkin@.*$</packageUrl>
-        <cpe>cpe:/a:pki-core_project:pki-core</cpe>
+        <cpe regex="true">cpe:/a:pki-core(_project)?:pki-core</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4669
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.junit\.jupiter/junit-jupiter-engine@.*$</packageUrl>
-        <cpe>cpe:/a:fan_platform_project:fan_platform</cpe>
+        <cpe regex="true">cpe:/a:fan_platform(_project)?:fan_platform</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5407,7 +5407,7 @@
         FP per issue #5083
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.github\.pagehelper/pagehelper-spring-boot-autoconfigure@.*$</packageUrl>
-        <cpe>cpe:/a:pagehelper_project:pagehelper</cpe>
+        <cpe regex="true">cpe:/a:pagehelper(_project)?:pagehelper</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5464,7 +5464,7 @@
         FP per issue #5131
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.zipkin\.zipkin2/zipkin-collector@.*$</packageUrl>
-        <cpe>cpe:/a:pki-core_project:pki-core</cpe>
+        <cpe regex="true">cpe:/a:pki-core(_project)?:pki-core</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5520,21 +5520,21 @@
        FP per issue #5212
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.github\.java-json-tools/json-patch@.*$</packageUrl>
-        <cpe>cpe:/a:json-patch_project:json-patch</cpe>
+        <cpe regex="true">cpe:/a:json-patch(_project)?:json-patch</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
        FP per issue #5217
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/net\.pwall\.json/json-pointer@.*$</packageUrl>
-        <cpe>cpe:/a:json-pointer_project:json-pointer</cpe>
+        <cpe regex="true">cpe:/a:json-pointer(_project)?:json-pointer</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
        FP per issue #5275
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-spring-boot-starter@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5555,21 +5555,21 @@
        FP per issue #5280
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-ftp@.*$</packageUrl>
-        <cpe>cpe:/a:ftp_project:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
        FP per issue #5253
        ]]></notes>
         <packageUrl regex="true">^pkg:npm/jsonpointer@.*$</packageUrl>
-        <cpe>cpe:/a:json-pointer_project:json-pointer</cpe>
+        <cpe regex="true">cpe:/a:json-pointer(_project)?:json-pointer</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
        FP per issue #5252
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.google\.flatbuffers/flatbuffers-java@.*$</packageUrl>
-        <cpe>cpe:/a:flat_project:flat</cpe>
+        <cpe regex="true">cpe:/a:flat(_project)?:flat</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5593,7 +5593,7 @@
         FP per issue #5367
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql\-java\-kickstart/.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5616,7 +5616,7 @@
         FP per #5502
         ]]></notes>
         <packageUrl regex="true">^(?!pkg:maven/org\.json/json@).+$</packageUrl>
-        <cpe>cpe:/a:json-java_project:json-java</cpe>
+        <cpe regex="true">cpe:/a:json-java(_project)?:json-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5624,7 +5624,7 @@
         FP per #5454
         ]]></notes>
         <packageUrl regex="true">^(?!pkg:npm/flat@).+$</packageUrl>
-        <cpe>cpe:/a:flat_project:flat</cpe>
+        <cpe regex="true">cpe:/a:flat(_project)?:flat</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5638,7 +5638,7 @@
         FP per issue #5381, apollo_project:apollo is a PHP project unrelated to apollographql
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.apollo/.*$</packageUrl>
-        <cpe>cpe:/a:apollo_project:apollo</cpe>
+        <cpe regex="true">cpe:/a:apollo(_project)?:apollo</cpe>
     </suppress>
     <!-- generated suppressions added to main in 8.1.1 -->
     <suppress base="true">
@@ -5646,7 +5646,7 @@
         FP per issue #5333
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-kickstart-spring-support@.*$</packageUrl>
-        <cpe>cpe:/a:graphql-java_project:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5667,21 +5667,21 @@
         FP per issue #5373
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
-        <cpe>cpe:/a:voyager_project:voyager</cpe>
+        <cpe regex="true">cpe:/a:voyager(_project)?:voyager</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5372
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
-        <cpe>cpe:/a:smiley_project:smiley</cpe>
+        <cpe regex="true">cpe:/a:smiley(_project)?:smiley</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5380
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/dev\.ludovic\.netlib/lapack@.*$</packageUrl>
-        <cpe>cpe:/a:lapack_project:lapack</cpe>
+        <cpe regex="true">cpe:/a:lapack(_project)?:lapack</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5702,7 +5702,7 @@
         FP per issue #5325
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.enterprisedt/edtFTPj@.*$</packageUrl>
-        <cpe>cpe:/a:ftp_project:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5730,7 +5730,7 @@
         FP per issue #5501
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.jsonschema2pojo/jsonschema2pojo-jdk-annotation@.*$</packageUrl>
-        <cpe>cpe:/a:json-schema_project:json-schema</cpe>
+        <cpe regex="true">cpe:/a:json-schema(_project)?:json-schema</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5779,14 +5779,14 @@
         FP per issue #5491
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$</packageUrl>
-        <cpe>cpe:/a:www-sql_project:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5490
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$</packageUrl>
-        <cpe>cpe:/a:async_project:async</cpe>
+        <cpe regex="true">cpe:/a:async(_project)?:async</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5800,7 +5800,7 @@
         FP per issue #5462
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.ws\.commons\.axiom/axiom-impl@.*$</packageUrl>
-        <cpe>cpe:/a:web_project:web</cpe>
+        <cpe regex="true">cpe:/a:web(_project)?:web</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5837,7 +5837,7 @@
         FP per issue #5593
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.camel\.springboot/camel-ftp-starter@.*$</packageUrl>
-        <cpe>cpe:/a:ftp_project:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5865,7 +5865,7 @@
         FP per issue #5622
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/net\.minidev/accessors-smart@.*$</packageUrl>
-        <cpe>cpe:/a:json-smart_project:json-smart</cpe>
+        <cpe regex="true">cpe:/a:json-smart(_project)?:json-smart</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5914,7 +5914,7 @@
         FP per issue #5685
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg-jdk15on@.*$</packageUrl>
-        <cpe>cpe:/a:open_cas_project:open_cas</cpe>
+        <cpe regex="true">cpe:/a:open_cas(_project)?:open_cas</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5956,7 +5956,7 @@
         FP per issue #5737
         ]]></notes>
         <packageUrl regex="true">^pkg:nuget/MagicFileEncoding@.*$</packageUrl>
-        <cpe>cpe:/a:file_project:file</cpe>
+        <cpe regex="true">cpe:/a:file(_project)?:file</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5991,7 +5991,7 @@
         FP per issue #5754 #6441
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.swagger\.parser\.v3/swagger-parser-safe-url-resolver@.*$</packageUrl>
-        <cpe>cpe:/a:parse-url_project:</cpe>
+        <cpe regex="true">cpe:/a:parse-url(_project)?:</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6005,28 +6005,28 @@
         FP per issue #5753
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.bazaarvoice\.jolt/json-utils@.*$</packageUrl>
-        <cpe>cpe:/a:utils_project:utils</cpe>
+        <cpe regex="true">cpe:/a:utils(_project)?:utils</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5765
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.integration/spring-integration-ftp@.*$</packageUrl>
-        <cpe>cpe:/a:ftp_project:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5766
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.mockftpserver/MockFtpServer@.*$</packageUrl>
-        <cpe>cpe:/a:ftp_project:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5770
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.sun\.xml\.bind\.jaxb/isorelax@.*$</packageUrl>
-        <cpe>cpe:/a:xml_library_project:xml_library</cpe>
+        <cpe regex="true">cpe:/a:xml_library_project:xml_library</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6057,7 +6057,7 @@
         FP per issue #5785
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/cloud\.localstack/localstack-utils@.*$</packageUrl>
-        <cpe>cpe:/a:utils_project:utils</cpe>
+        <cpe>cpe:/a:utils(_project)?:utils</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6078,7 +6078,7 @@
         FP per issue #5777
         ]]></notes>
         <packageUrl regex="true">^pkg:nuget/RazorEngine\.NetCore@.*$</packageUrl>
-        <cpe>cpe:/a:razorengine_project:razorengine</cpe>
+        <cpe regex="true">cpe:/a:razorengine(_project)?:razorengine</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6127,14 +6127,14 @@
         FP per issue #5796
         ]]></notes>
         <packageUrl regex="true">^pkg:nuget/Microsoft\.Win32\.SystemEvents@.*$</packageUrl>
-        <cpe>cpe:/a:events_project:events</cpe>
+        <cpe regex="true">cpe:/a:events(_project)?:events</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         hand-curated better suppression for FP per issue #5797
         ]]></notes>
         <packageUrl regex="true">^(?!pkg:maven/net\.pwall\.json/jsonutil).*$</packageUrl>
-        <cpe>cpe:/a:jsonutil_project:jsonutil</cpe>
+        <cpe regex="true">cpe:/a:jsonutil(_project)?:jsonutil</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6143,7 +6143,7 @@
         bundled suppression-file
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.apollo3/.*$</packageUrl>
-        <cpe>cpe:/a:apollo_project:apollo</cpe>
+        <cpe regex="true">cpe:/a:apollo(_project)?:apollo</cpe>
     </suppress>
 
     <suppress base="true">
@@ -6151,7 +6151,7 @@
         FP per issue #5794
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.apollo3/apollo-annotations-jvm@.*$</packageUrl>
-        <cpe>cpe:/a:apollo_project:apollo</cpe>
+        <cpe regex="true">cpe:/a:apollo(_project)?:apollo</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6172,14 +6172,14 @@
         FP per issue #5821
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/wordwrap@.*$</packageUrl>
-        <cpe>cpe:/a:word-wrap_project:word-wrap</cpe>
+        <cpe regex="true">cpe:/a:word-wrap(_project)?:word-wrap</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5829
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.exactpro\.th2/netty-bytebuf-utils@.*$</packageUrl>
-        <cpe>cpe:/a:utils_project:utils</cpe>
+        <cpe regex="true">cpe:/a:utils(_project)?:utils</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6193,14 +6193,14 @@
         FP per issue #5843
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
-        <cpe>cpe:/a:avro_project:avro</cpe>
+        <cpe regex="true">cpe:/a:avro(_project)?:avro</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5846
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/commons-logging/commons-logging@.*$</packageUrl>
-        <cpe>cpe:/a:morgan_project:morgan</cpe>
+        <cpe regex="true">cpe:/a:morgan(_project)?:morgan</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6270,7 +6270,7 @@
         FP per issue #5879
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-classes-quic@.*$</packageUrl>
-        <cpe>cpe:/a:quic_project:quic</cpe>
+        <cpe regex="true">cpe:/a:quic(_project)?:quic</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6356,14 +6356,14 @@
    FP per issue #5910
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
-        <cpe>cpe:/a:oembed_project:oembed</cpe>
+        <cpe regex="true">cpe:/a:oembed(_project)?:oembed</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
    FP per issue #5911
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
-        <cpe>cpe:/a:xml_library_project:xml_library</cpe>
+        <cpe regex="true">cpe:/a:xml_library(_project)?:xml_library</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6398,7 +6398,7 @@
    FP per issue #5913
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty\.incubator/reactor-netty-incubator-quic@.*$</packageUrl>
-        <cpe>cpe:/a:quic_project:quic</cpe>
+        <cpe regex="true">cpe:/a:quic(_project)?:quic</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6419,7 +6419,7 @@
    FP per issue #5956
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-native-quic@.*$</packageUrl>
-        <cpe>cpe:/a:quic_project:quic</cpe>
+        <cpe regex="true">cpe:/a:quic(_project)?:quic</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6440,7 +6440,7 @@
    FP per issue #5968
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-native-quic@.*$</packageUrl>
-        <cpe>cpe:/a:chromium_project:chromium</cpe>
+        <cpe regex="true">cpe:/a:chromium(_project)?:chromium</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6468,7 +6468,7 @@
    FP per issue #6056
    ]]></notes>
         <packageUrl regex="true">^pkg:nuget/Serilog\.Sinks\.Async@.*$</packageUrl>
-        <cpe>cpe:/a:async_project:async</cpe>
+        <cpe regex="true">cpe:/a:async(_project)?:async</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6503,7 +6503,7 @@
    FP per issue #6169
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/commons-net/commons-net@.*$</packageUrl>
-        <cpe>cpe:/a:ftp_project:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6524,7 +6524,7 @@
    FP per issue #6242
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.jruby\.rack/jruby-rack@.*$</packageUrl>
-        <cpe>cpe:/a:rack_project:rack</cpe>
+        <cpe regex="true">cpe:/a:rack(_project)?:rack</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6545,7 +6545,7 @@
    FP per issue #6340
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.idealista/format-preserving-encryption@.*$</packageUrl>
-        <cpe>cpe:/a:vega_project:vega</cpe>
+        <cpe regex="true">cpe:/a:vega(_project)?:vega</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6559,7 +6559,7 @@
    FP per issue #6369
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.wildfly\.security\.elytron-web/undertow-server@.*$</packageUrl>
-        <cpe>cpe:/a:web_project:web</cpe>
+        <cpe regex="true">cpe:/a:web(_project)?:web</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6587,7 +6587,7 @@
    FP per issue #6421
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.swagger/swagger-parser-safe-url-resolver@.*$</packageUrl>
-        <cpe>cpe:/a:parse-url_project:parse-url</cpe>
+        <cpe regex="true">cpe:/a:parse-url(_project)?:parse-url</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6608,7 +6608,7 @@
    FP per issue #6463
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-server-metrics-micrometer-jvm@.*$</packageUrl>
-        <cpe>cpe:/a:csm_server_project:csm_server</cpe>
+        <cpe regex="true">cpe:/a:csm_server(_project)?:csm_server</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6735,35 +6735,35 @@
         FP per issue #6696
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.lz4/lz4-java@.*$</packageUrl>
-        <cpe>cpe:/a:lz4_project:lz4</cpe>
+        <cpe regex="true">cpe:/a:lz4(_project)?:lz4</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6695
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j-slf4j2-impl@.*$</packageUrl>
-        <cpe>cpe:/a:log4js_project:log4js</cpe>
+        <cpe regex="true">cpe:/a:log4js(_project)?:log4js</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6694
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-server-call-logging-jvm@.*$</packageUrl>
-        <cpe>cpe:/a:call_project:call</cpe>
+        <cpe regex="true">cpe:/a:call(_project)?:call</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6693
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-client-content-negotiation-jvm@.*$</packageUrl>
-        <cpe>cpe:/a:content_project:content</cpe>
+        <cpe regex="true">cpe:/a:content(_project)?:content</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6692
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.hibernate\.validator/hibernate-validator@.*$</packageUrl>
-        <cpe>cpe:/a:validator_project:validator</cpe>
+        <cpe regex="true">cpe:/a:validator(_project)?:validator</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6784,7 +6784,7 @@
         FP per issue #6707
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-metrics-model@.*$</packageUrl>
-        <cpe>cpe:/a:model_project:model</cpe>
+        <cpe regex="true">cpe:/a:model(_project)?:model</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6841,14 +6841,14 @@
         FP per issue #6856
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-oauth2-authorization-server@.*$</packageUrl>
-        <cpe>cpe:/a:oauth2-server_project:oauth2-server</cpe>
+        <cpe regex="true">cpe:/a:oauth2-server(_project)?:oauth2-server</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6855
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/commons-validator/commons-validator@.*$</packageUrl>
-        <cpe>cpe:/a:validator_project:validator</cpe>
+        <cpe regex="true">cpe:/a:validator(_project)?:validator</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6862,7 +6862,7 @@
         FP per issue #6906
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.jeecgframework/autopoi-web@.*$</packageUrl>
-        <cpe>cpe:/a:web_project:web</cpe>
+        <cpe regex="true">cpe:/a:web(_project)?:web</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6876,14 +6876,14 @@
         FP per issue #6874
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-cache@.*$</packageUrl>
-        <cpe>cpe:/a:cache_project:cache</cpe>
+        <cpe regex="true">cpe:/a:cache(_project)?:cache</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6873
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/javax\.cache/cache-api@.*$</packageUrl>
-        <cpe>cpe:/a:cache_project:cache</cpe>
+        <cpe regex="true">cpe:/a:cache(_project)?:cache</cpe>
     </suppress>
 
     <suppress base="true">
@@ -6933,14 +6933,14 @@
         cpe:/a:services_project:services is Drupal services module in PHP #6448
         ]]></notes>
         <filePath regex="true">.*(\.(dll|jar|ear|war|pom|nupkg|nuspec|aar)|pom\.xml|package.json|packages.config)$</filePath>
-        <cpe>cpe:/a:services_project:services</cpe>
+        <cpe regex="true">cpe:/a:services(_project)?:services</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6851
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.github\.reactivecircus\.cache4k/cache4k-jvm@.*$</packageUrl>
-        <cpe>cpe:/a:cache_project:cache</cpe>
+        <cpe regex="true">cpe:/a:cache(_project)?:cache</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6961,7 +6961,7 @@
         FP per issue #6991
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support@.*$</packageUrl>
-        <cpe>cpe:/a:apollo_project:apollo</cpe>
+        <cpe regex="true">cpe:/a:apollo(_project)?:apollo</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[

From 8e74247f62abccc7694a179ddc605e37f26ca5e7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 29 May 2025 06:50:11 -0400
Subject: [PATCH 047/195] build(deps): bump org.postgresql:postgresql from
 42.7.5 to 42.7.6 (#7690)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 core/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/pom.xml b/core/pom.xml
index d24457724c9..8ba52cb2782 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -466,7 +466,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 <dependency>
                     <groupId>org.postgresql</groupId>
                     <artifactId>postgresql</artifactId>
-                    <version>42.7.5</version>
+                    <version>42.7.6</version>
                 </dependency>
             </dependencies>
             <build>

From dce88bb7c720ef080fdc1898c46f0c1bdda37be9 Mon Sep 17 00:00:00 2001
From: Jack Green <JackPGreen@Gmail.com>
Date: Sat, 31 May 2025 16:50:13 +0100
Subject: [PATCH 048/195] docs: Make `Vulnerability Sources` in `Related Work`
 clearer (#7691)

---
 src/site/markdown/related.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/site/markdown/related.md b/src/site/markdown/related.md
index 0a35d57ea2b..a77a18a681c 100644
--- a/src/site/markdown/related.md
+++ b/src/site/markdown/related.md
@@ -13,12 +13,11 @@ Related FOSS Projects
 
 Vulnerability Sources
 ------------------------
-The following are sources of vulnerability information. Dependency-check only uses information in the National Vulnerability
-Database (NVD). The other sources listed below contain vulnerability information that may not be included in the NVD.
+The following are sources of vulnerability information. Dependency-check only uses information in the [National Vulnerability
+Database (NVD)](https://nvd.nist.gov/). The other sources listed below contain vulnerability information that may not be included in the NVD.
 
 * [vFeed](http://www.toolswatch.org/vfeed)
 * [OSVDB](http://osvdb.org/)
-* [National Vulnerability Database](https://nvd.nist.gov/)
 * [Sonatype OSS Index](https://ossindex.sonatype.org/)
 
 Related Commercial Products

From 991397caa078daf7204d4db30bba57a9b42d8a01 Mon Sep 17 00:00:00 2001
From: Nicolas Humblot <contact@nicolashumblot.fr>
Date: Sat, 31 May 2025 17:50:57 +0200
Subject: [PATCH 049/195] refactor: improve logs and add exception stack trace
 for YarnAuditAnalyzer (#7694)

---
 .../owasp/dependencycheck/analyzer/NodePackageAnalyzer.java | 3 ++-
 .../owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java   | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
index d59d58f1ede..650bcf9ce8c 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -196,7 +196,8 @@ private boolean isNodeAuditEnabled(Engine engine) {
                     try {
                         ((AbstractNpmAnalyzer) a).prepareFileTypeAnalyzer(engine);
                     } catch (InitializationException ex) {
-                        LOGGER.debug("Error initializing the {}", a.getName());
+                        String message = "Error initializing the " + a.getName();
+                        LOGGER.debug(message, ex);
                     }
                 }
                 return a.isEnabled();
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java
index 52ad40c958d..25c7f0b58e6 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzer.java
@@ -188,12 +188,14 @@ protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationExcep
                     case yarnExecutableNotFoundExitValue:
                     default:
                         this.setEnabled(false);
-                        LOGGER.warn("The {} has been disabled. Yarn executable was not found.", getName());
+                        LOGGER.warn("The {} has been disabled after receiving exit value {}. Yarn executable was not " +
+                                        "found or received a non-zero exit value.", getName(), exitValue);
                 }
             }
         } catch (Exception ex) {
             this.setEnabled(false);
-            LOGGER.warn("The {} has been disabled. Yarn executable was not found.", getName());
+            LOGGER.warn("The {} has been disabled after receiving an exception. This can occur when Yarn executable " +
+                    "is not found.", getName());
             throw new InitializationException("Unable to read yarn audit output.", ex);
         }
     }

From 4ff0e58e3207a750e911006ecb15ee1fadf46c41 Mon Sep 17 00:00:00 2001
From: Valters Jansons <sigv@users.noreply.github.com>
Date: Sat, 31 May 2025 18:52:22 +0300
Subject: [PATCH 050/195] fix: Simplify PHP framework suppression for Composer
 (#7693)

---
 .../dependencycheck-base-suppression.xml      | 22 +++----------------
 1 file changed, 3 insertions(+), 19 deletions(-)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index bd44cc24669..b0c61d70f73 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -358,29 +358,13 @@
         <cpe>cpe:/a:openid:openid</cpe>
         <cpe>cpe:/a:openid:openid_connect</cpe>
     </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per #2972
-        hyphenated PHP library vendor names
-        ]]></notes>
-        <packageUrl regex="true">^pkg:composer/php\-.*$</packageUrl>
-        <cpe>cpe:/a:php:php</cpe>
-    </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per #2972 + #7444
-        hyphenated PHP library product names (prefix)
-        ]]></notes>
-        <packageUrl regex="true">^pkg:composer/[^/]+/php[\-_].*$</packageUrl>
-        <cpe>cpe:/a:php:php</cpe>
-    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #2972 + #7444
-        hyphenated PHP library product names (suffix)
-        including number suffix, e.g., `symfony/polyfill-php80`
+        hyphenated PHP library product names
+        (PHP framework will not be loaded via Composer)
         ]]></notes>
-        <packageUrl regex="true">^pkg:composer/[^/]+/.*[\-_]php[0-9]*@.*$</packageUrl>
+        <packageUrl regex="true">^pkg:composer/[^/]+/[^/]+@.*$</packageUrl>
         <cpe>cpe:/a:php:php</cpe>
     </suppress>
     <suppress base="true">

From c479c3ca84854f91f158dfda7a5d08d332d9600a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 2 Jun 2025 01:47:58 +0000
Subject: [PATCH 051/195] build(deps): bump junit.version from 5.12.2 to 5.13.0

Bumps `junit.version` from 5.12.2 to 5.13.0.

Updates `org.junit.jupiter:junit-jupiter-api` from 5.12.2 to 5.13.0
- [Release notes](https://github.com/junit-team/junit5/releases)
- [Commits](https://github.com/junit-team/junit5/compare/r5.12.2...r5.13.0)

Updates `org.junit.jupiter:junit-jupiter-engine` from 5.12.2 to 5.13.0
- [Release notes](https://github.com/junit-team/junit5/releases)
- [Commits](https://github.com/junit-team/junit5/compare/r5.12.2...r5.13.0)

Updates `org.junit.jupiter:junit-jupiter-params` from 5.12.2 to 5.13.0
- [Release notes](https://github.com/junit-team/junit5/releases)
- [Commits](https://github.com/junit-team/junit5/compare/r5.12.2...r5.13.0)

---
updated-dependencies:
- dependency-name: org.junit.jupiter:junit-jupiter-api
  dependency-version: 5.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.junit.jupiter:junit-jupiter-engine
  dependency-version: 5.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.junit.jupiter:junit-jupiter-params
  dependency-version: 5.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index c78c1a91acf..bf522af9c21 100644
--- a/pom.xml
+++ b/pom.xml
@@ -154,7 +154,7 @@ Copyright (c) 2012 - Jeremy Long
             https://github.com/apache/commons-jcs/pull/120 -->
         <commons-jcs-core.version>3.2.1</commons-jcs-core.version>
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
-        <junit.version>5.12.2</junit.version>
+        <junit.version>5.13.0</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.18.0</mockito.version>
         <jsoup.version>1.20.1</jsoup.version>

From 2b72dd1c43776b9e070dd34f71275e8aa16de7c6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 2 Jun 2025 01:49:03 +0000
Subject: [PATCH 052/195] build(deps): bump
 org.apache.maven.plugins:maven-clean-plugin

Bumps [org.apache.maven.plugins:maven-clean-plugin](https://github.com/apache/maven-clean-plugin) from 3.4.1 to 3.5.0.
- [Release notes](https://github.com/apache/maven-clean-plugin/releases)
- [Commits](https://github.com/apache/maven-clean-plugin/compare/maven-clean-plugin-3.4.1...maven-clean-plugin-3.5.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-clean-plugin
  dependency-version: 3.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index c78c1a91acf..99c5f766b57 100644
--- a/pom.xml
+++ b/pom.xml
@@ -218,7 +218,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-clean-plugin</artifactId>
-                    <version>3.4.1</version>
+                    <version>3.5.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>

From 011d4ad9d60407941261a56bc70c88953d9ea0d6 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 2 Jun 2025 06:54:32 -0400
Subject: [PATCH 053/195] fix(fp): fixes nuget FP on Redis (#7702)

---
 .../main/resources/dependencycheck-base-suppression.xml    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index b0c61d70f73..617fcef0abc 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -7015,4 +7015,11 @@
         <packageUrl regex="true">^pkg:nuget/IronPython@.*$</packageUrl>
         <cpe>cpe:/a:python:python</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        FP per issue #7444
+        ]]></notes>
+        <packageUrl regex="true">^pkg:nuget/.+\.Redis\..*$</packageUrl>
+        <cpe>cpe:2.3:a:redis:redis</cpe>
+    </suppress>
 </suppressions>

From 0e0cd58ee2d3ce75979b6160e6b1ad5fbeb34d8b Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 4 Jun 2025 06:42:10 -0400
Subject: [PATCH 054/195] fix: remove vulnerable transitive dependency -
 beanutils (#7705)

---
 pom.xml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pom.xml b/pom.xml
index b8261e8d7f2..a268dad6c7d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -992,6 +992,12 @@ Copyright (c) 2012 - Jeremy Long
                 <groupId>commons-validator</groupId>
                 <artifactId>commons-validator</artifactId>
                 <version>1.9.0</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>commons-beanutils</groupId>
+                        <artifactId>commons-beanutils</artifactId>
+                    </exclusion>
+                </exclusions>
             </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>

From 6296163ecb5292f6b335f29abfb007a4324b1ede Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 4 Jun 2025 06:57:11 -0400
Subject: [PATCH 055/195] fix(fp): remove iicu4j FP resolves #7706

---
 .../dependencycheck-base-suppression.xml      | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index 617fcef0abc..4ea5b8df2c3 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -2630,6 +2630,40 @@
         <cpe>cpe:/a:apple:java</cpe>
         <cpe>cpe:/a:unicode:unicode:</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        False positive per issue #7706; DUPlICATE of above rule
+        the CVEs listed are in the C++ part of the ICU project (and are currently all CVEs listed
+        against ICU project; nevertheless we should not suppress the CPE itself to avoid false negatives
+        when the CVE is in the icu4j (cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:java:*:*
+        / cpe:2.3:a:unicode:international_components_for_unicode:*:*:*:*:*:java:*:*) CPE
+        cpe cpe:/a:unicode:unicode is the unicode specification
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.graalvm\.shadowed/icu4j@.*$</packageUrl>
+        <cve>CVE-2020-21913</cve>
+        <cve>CVE-2014-9654</cve>
+        <cve>CVE-2014-9911</cve>
+        <cve>CVE-2016-6293</cve>
+        <cve>CVE-2016-7415</cve>
+        <cve>CVE-2017-14952</cve>
+        <cve>CVE-2017-17484</cve>
+        <cve>CVE-2015-5922</cve>
+        <cve>CVE-2007-4771</cve>
+        <cve>CVE-2020-10531</cve>
+        <cve>CVE-2011-4599</cve>
+        <cve>CVE-2014-7923</cve>
+        <cve>CVE-2014-7926</cve>
+        <cve>CVE-2014-7940</cve>
+        <cve>CVE-2014-8146</cve>
+        <cve>CVE-2014-8147</cve>
+        <cve>CVE-2017-7867</cve>
+        <cve>CVE-2017-7868</cve>
+        <cve>CVE-2007-4770</cve>
+        <cve>CVE-2017-15396</cve>
+        <cve>CVE-2017-15422</cve>
+        <cpe>cpe:/a:apple:java</cpe>
+        <cpe>cpe:/a:unicode:unicode:</cpe>
+    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         False positive per issue #854

From 116fdab1f0cb15a72ad4b7ac1cfd70ccb0b0237c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 6 Jun 2025 01:10:01 +0000
Subject: [PATCH 056/195] build(deps): bump golang from 1.24.3-alpine to
 1.24.4-alpine

Bumps golang from 1.24.3-alpine to 1.24.4-alpine.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.24.4-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 47db6128226..9763c4b6ef4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.24.3-alpine AS go
+FROM golang:1.24.4-alpine AS go
 
 FROM azul/zulu-openjdk-alpine:21 AS jlink
 

From 4cde0d7ffe680e814afd2f1ee21f209d01954c67 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 6 Jun 2025 01:28:30 +0000
Subject: [PATCH 057/195] build(deps-dev): bump io.netty:netty-codec-http

Bumps [io.netty:netty-codec-http](https://github.com/netty/netty) from 4.2.1.Final to 4.2.2.Final.
- [Commits](https://github.com/netty/netty/compare/netty-4.2.1.Final...netty-4.2.2.Final)

---
updated-dependencies:
- dependency-name: io.netty:netty-codec-http
  dependency-version: 4.2.2.Final
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 utils/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/pom.xml b/utils/pom.xml
index 5be0d49bcd6..c738b43e158 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -95,7 +95,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
-            <version>4.2.1.Final</version>
+            <version>4.2.2.Final</version>
             <scope>test</scope>
         </dependency>
         <dependency>

From 624c3ca9325f524aa5d80a6af6127daa803190e1 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 7 Jun 2025 06:41:00 -0400
Subject: [PATCH 058/195] docs: release 12.1.2

---
 CHANGELOG.md | 14 ++++++++++++++
 README.md    |  2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6fbdc8f6fea..d7bbd9e34d9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Change Log
 
+## [Version 12.1.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.2) (2025-06-07)
+
+- fix: Allow configuring OSS Index user/pw directly (#7640)
+- fix: remove vulnerable transitive dependency - beanutils (#7705)
+- fix: Simplify PHP framework suppression for Composer (#7693)
+- fix: update CPE pattern to remove FP (#7684)
+- fix(cli): Patch generated Windows shell script for JAVACMD installs with spaces (#7653)
+- fix: Resolve various WCAG accessibility / css issues in the HTML report (#7629)
+- fix: #7510 Display a dedicated message when receiving an HTTP 403 (#7575)
+- docs: Make `Vulnerability Sources` in `Related Work` clearer (#7691)
+- docs: #7610 add a reference to NVD mirroring in getting started documentation (#7611)
+
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/96?closed=1)
+
 ## [Version 12.1.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.1) (2025-04-05)
 
 - fix: resolve NVD data Parse error `com.fasterxml.jackson.core.JsonParseException: Unexpected character (']' (code 93))`
diff --git a/README.md b/README.md
index 142df4a70e7..bb8e0cb2545 100644
--- a/README.md
+++ b/README.md
@@ -363,7 +363,7 @@ Dependency-Check makes use of several other open source libraries. Please see th
 
 This product uses the NVD API but is not endorsed or certified by the NVD.
 
-Copyright (c) 2012-2024 Jeremy Long. All Rights Reserved.
+Copyright (c) 2012-2025 Jeremy Long. All Rights Reserved.
 
   [wiki]: https://github.com/dependency-check/DependencyCheck/wiki
   [notices]: https://github.com/dependency-check/DependencyCheck/blob/main/NOTICE.txt

From 4744206d58204a9e5e6020dc5f42ebce36bc30eb Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 7 Jun 2025 06:43:50 -0400
Subject: [PATCH 059/195] build: prepare release v12.1.2

---
 ant/pom.xml       |  4 ++--
 archetype/pom.xml |  6 +++---
 cli/pom.xml       | 10 +++-------
 core/pom.xml      |  4 ++--
 maven/pom.xml     |  4 ++--
 pom.xml           |  6 +++---
 utils/pom.xml     |  4 ++--
 7 files changed, 17 insertions(+), 21 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index a13058037cc..9a4a111fa9f 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2-SNAPSHOT</version>
+        <version>12.1.2</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.2</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 3fa3ab642c3..6707d84107b 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2-SNAPSHOT</version>
+        <version>12.1.2</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-04-05T11:25:33Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-06-07T10:41:28Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>HEAD</tag>
+      <tag>v12.1.2</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index 67fe720840c..552442ca7dd 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2-SNAPSHOT</version>
+        <version>12.1.2</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.2</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
@@ -116,11 +116,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                         <configuration>
                             <!-- Hack/workaround for https://github.com/mojohaus/appassembler/issues/114 -->
                             <target>
-                                <replace file="${project.build.directory}/release/bin/dependency-check.bat"
-                                         token="%JAVACMD% %JAVA_OPTS%"
-                                         value="&quot;%JAVACMD%&quot; %JAVA_OPTS%"
-                                         failOnNoReplacements="true"
-                                />
+                                <replace file="${project.build.directory}/release/bin/dependency-check.bat" token="%JAVACMD% %JAVA_OPTS%" value="&quot;%JAVACMD%&quot; %JAVA_OPTS%" failOnNoReplacements="true" />
                             </target>
                         </configuration>
                     </execution>
diff --git a/core/pom.xml b/core/pom.xml
index 8ba52cb2782..609516eed3b 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2-SNAPSHOT</version>
+        <version>12.1.2</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.2</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index 49dd1791637..715a04cc1c3 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2-SNAPSHOT</version>
+        <version>12.1.2</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.2</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index a268dad6c7d..6c17ce25fda 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.2-SNAPSHOT</version>
+    <version>12.1.2</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.2</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-04-05T11:25:33Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-06-07T10:41:28Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index c738b43e158..069d9f3e7a5 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2-SNAPSHOT</version>
+        <version>12.1.2</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.2</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 7f9b258072e7cd901f22da079cae9c70b2517272 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 7 Jun 2025 06:43:51 -0400
Subject: [PATCH 060/195] build: prepare for next development iteration

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index 9a4a111fa9f..73ab5decf22 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2</version>
+        <version>12.1.3-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.2</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 6707d84107b..dffcca77497 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2</version>
+        <version>12.1.3-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-06-07T10:41:28Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-06-07T10:43:51Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>v12.1.2</tag>
+      <tag>HEAD</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index 552442ca7dd..914547e8e83 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2</version>
+        <version>12.1.3-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.2</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 609516eed3b..15e58c29aff 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2</version>
+        <version>12.1.3-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.2</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index 715a04cc1c3..d20b293cfac 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2</version>
+        <version>12.1.3-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.2</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index 6c17ce25fda..2a142a7e0c8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.2</version>
+    <version>12.1.3-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.2</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-06-07T10:41:28Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-06-07T10:43:51Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 069d9f3e7a5..cfb74659eb9 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.2</version>
+        <version>12.1.3-SNAPSHOT</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.2</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 7fdad34da4f5f4c8eedcdd2ecc2a5f4c8e68fc7c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Jun 2025 01:13:18 +0000
Subject: [PATCH 061/195] build(deps): bump org.semver4j:semver4j from 5.7.0 to
 5.7.1

Bumps [org.semver4j:semver4j](https://github.com/semver4j/semver4j) from 5.7.0 to 5.7.1.
- [Release notes](https://github.com/semver4j/semver4j/releases)
- [Commits](https://github.com/semver4j/semver4j/compare/v5.7.0...v5.7.1)

---
updated-dependencies:
- dependency-name: org.semver4j:semver4j
  dependency-version: 5.7.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 2a142a7e0c8..404fc9b6706 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1022,7 +1022,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.semver4j</groupId>
                 <artifactId>semver4j</artifactId>
-                <version>5.7.0</version>
+                <version>5.7.1</version>
             </dependency>
             <dependency>
                 <groupId>org.jetbrains</groupId>

From a58584fc2de442f9e25000d82f1b30d90b088906 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 9 Jun 2025 06:20:34 -0400
Subject: [PATCH 062/195] build(deps): bump junit.version from 5.13.0 to 5.13.1
 (#7719)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 2a142a7e0c8..f54935739e7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -154,7 +154,7 @@ Copyright (c) 2012 - Jeremy Long
             https://github.com/apache/commons-jcs/pull/120 -->
         <commons-jcs-core.version>3.2.1</commons-jcs-core.version>
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
-        <junit.version>5.13.0</junit.version>
+        <junit.version>5.13.1</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.18.0</mockito.version>
         <jsoup.version>1.20.1</jsoup.version>

From f9e6b79d1d9782a0805990536ac138e128c105c9 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 10 Jun 2025 07:22:35 -0400
Subject: [PATCH 063/195] fix: correct regex matches introduced in 12.1.2
 (#7726)

---
 .../dependencycheck-base-suppression.xml      | 428 +++++++++---------
 1 file changed, 214 insertions(+), 214 deletions(-)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index 4ea5b8df2c3..462d50edda0 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -19,7 +19,7 @@
         obvious fp - currently not returning any CVEs
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/joda\-time/joda\-time@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:time(_project)?:time</cpe>
+        <cpe regex="true">cpe:/a:time(_project)?:time.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -33,7 +33,7 @@
         obvious fp - currently not returning any CVEs
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.sonatype\.ossindex/ossindex\-service\-api@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:service(_project)?:service</cpe>
+        <cpe regex="true">cpe:/a:service(_project)?:service.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -54,7 +54,7 @@
             fp per #3940
             ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.james/apache\-mime4j\-storage@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage.*</cpe>
         <cpe>cpe:/a:apache:james</cpe>
     </suppress>
     <suppress base="true">
@@ -136,14 +136,14 @@
 	    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.seleniumhq\.selenium/selenium\-chromium\-driver@.*$</packageUrl>
         <cpe>cpe:/a:chromium:chromium</cpe>
-        <cpe regex="true">cpe:/a:chromium(_project)?:chromium</cpe>
+        <cpe regex="true">cpe:/a:chromium(_project)?:chromium.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
 	    FP per #3756
 	    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.geronimo\.specs/geronimo\-ws\-metadata_2\.0_spec@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:tad_web(_project)?:tad_web</cpe>
+        <cpe regex="true">cpe:/a:tad_web(_project)?:tad_web.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -157,7 +157,7 @@
 	    FP per #3572
 	    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.directory\.server/apacheds\-i18n@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:i18n(_project)?:i18n</cpe>
+        <cpe regex="true">cpe:/a:i18n(_project)?:i18n.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -186,7 +186,7 @@
       	nio-stream-storage is not 'github.com/containers/storage'. see #3273
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.synchronoss\.cloud/nio\-stream\-storage@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -195,14 +195,14 @@
         <gav regex="true">^io\.awspring\.cloud:spring-cloud-.*$</gav>
         <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
         <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
-        <cpe regex="true">cpe:/a:context(_project)?:context</cpe>
+        <cpe regex="true">cpe:/a:context(_project)?:context.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #3230
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.github\.x\-stream/mxparser@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:xstream(_project)?:xstream</cpe>
+        <cpe regex="true">cpe:/a:xstream(_project)?:xstream.*</cpe>
         <cpe>cpe:/a:oracle:jdk</cpe>
     </suppress>
     <suppress base="true">
@@ -271,14 +271,14 @@
         FP per #3005
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.google\.apis/google\-api\-services\-sqladmin@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #3005
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.google\.cloud\.sql/jdbc\-socket\-factory\-core@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -400,7 +400,7 @@
         FP per #2940
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/cross\-env@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:crossenv(_project)?:crossenv</cpe>
+        <cpe regex="true">cpe:/a:crossenv(_project)?:crossenv.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -645,65 +645,65 @@
         <cpe>cpe:/a:file_project:file</cpe>
         <cpe>cpe:/a:file:file</cpe>
         <cpe>cpe:/a:shim:shim</cpe>
-        <cpe regex="true">cpe:/a:shim(_project)?:shim</cpe>
-        <cpe regex="true">cpe:/a:date(_project)?:date</cpe>
+        <cpe regex="true">cpe:/a:shim(_project)?:shim.*</cpe>
+        <cpe regex="true">cpe:/a:date(_project)?:date.*</cpe>
         <cpe>cpe:/a:net_dns:net_dns</cpe>
         <cpe>cpe:/a:nodejs:node.js</cpe>
         <cpe>cpe:/a:nodejs:nodejs</cpe>
-        <cpe regex="true">cpe:/a:context(_project)?:context</cpe>
-        <cpe regex="true">cpe:/a:mail(_project)?:mail</cpe>
-        <cpe regex="true">cpe:/a:ldap(_project)?:ldap</cpe>
-        <cpe regex="true">cpe:/a:user_import(_project)?:user_import</cpe>
+        <cpe regex="true">cpe:/a:context(_project)?:context.*</cpe>
+        <cpe regex="true">cpe:/a:mail(_project)?:mail.*</cpe>
+        <cpe regex="true">cpe:/a:ldap(_project)?:ldap.*</cpe>
+        <cpe regex="true">cpe:/a:user_import(_project)?:user_import.*</cpe>
         <cpe>cpe:/a:root:root</cpe>
-        <cpe regex="true">cpe:/a:xmlsec(_project)?:xmlsec</cpe>
-        <cpe regex="true">cpe:/a:rest-client(_project)?:rest-client</cpe>
-        <cpe regex="true">cpe:/a:hub(_project)?:hub</cpe>
-        <cpe regex="true">cpe:/a:views(_project)?:views</cpe>
-        <cpe regex="true">cpe:/a:restful_web_services(_project)?:restful_web_services</cpe>
+        <cpe regex="true">cpe:/a:xmlsec(_project)?:xmlsec.*</cpe>
+        <cpe regex="true">cpe:/a:rest-client(_project)?:rest-client.*</cpe>
+        <cpe regex="true">cpe:/a:hub(_project)?:hub.*</cpe>
+        <cpe regex="true">cpe:/a:views(_project)?:views.*</cpe>
+        <cpe regex="true">cpe:/a:restful_web_services(_project)?:restful_web_services.*</cpe>
         <cpe>cpe:/a:php:php</cpe>
-        <cpe regex="true">cpe:/a:font(_project)?:font</cpe>
-        <cpe regex="true">cpe:/a:amazon_aws(_project)?:amazon_aws</cpe>
+        <cpe regex="true">cpe:/a:font(_project)?:font.*</cpe>
+        <cpe regex="true">cpe:/a:amazon_aws(_project)?:amazon_aws.*</cpe>
         <cpe>cpe:/a:google:android</cpe>
-        <cpe regex="true">cpe:/a:first(_project)?:first</cpe>
+        <cpe regex="true">cpe:/a:first(_project)?:first.*</cpe>
         <cpe>cpe:/a:interact:interact</cpe>
-        <cpe regex="true">cpe:/a:finder(_project)?:finder</cpe>
-        <cpe regex="true">cpe:/a:archiver(_project)?:archiver</cpe>
-        <cpe regex="true">cpe:/a:r(_project)?:r</cpe>
-        <cpe regex="true">cpe:/a:jwt(_project)?:jwt</cpe>
-        <cpe regex="true">cpe:/a:git(_project)?:git</cpe>
+        <cpe regex="true">cpe:/a:finder(_project)?:finder.*</cpe>
+        <cpe regex="true">cpe:/a:archiver(_project)?:archiver.*</cpe>
+        <cpe regex="true">cpe:/a:r(_project)?:r.*</cpe>
+        <cpe regex="true">cpe:/a:jwt(_project)?:jwt.*</cpe>
+        <cpe regex="true">cpe:/a:git(_project)?:git.*</cpe>
         <cpe>cpe:/a:git:git</cpe>
-        <cpe regex="true">cpe:/a:git_for_windows(_project)?:git_for_windows</cpe>
+        <cpe regex="true">cpe:/a:git_for_windows(_project)?:git_for_windows.*</cpe>
         <cpe>cpe:/a:mono-project:mono</cpe>
         <cpe>cpe:/a:mono:mono</cpe>
-        <cpe regex="true">cpe:/a:mono(_project)?:mono</cpe>
-        <cpe regex="true">cpe:/a:app(_project)?:app</cpe>
-        <cpe regex="true">cpe:/a:json-jwt(_project)?:json-jwt</cpe>
-        <cpe regex="true">cpe:/a:zip(_project)?:zip</cpe>
-        <cpe regex="true">cpe:/a:echo(_project)?:echo</cpe>
-        <cpe regex="true">cpe:/a:util-linux(_project)?:util-linux</cpe>
-        <cpe regex="true">cpe:/a:bitmap(_project)?:bitmap</cpe>
-        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
+        <cpe regex="true">cpe:/a:mono(_project)?:mono.*</cpe>
+        <cpe regex="true">cpe:/a:app(_project)?:app.*</cpe>
+        <cpe regex="true">cpe:/a:json-jwt(_project)?:json-jwt.*</cpe>
+        <cpe regex="true">cpe:/a:zip(_project)?:zip.*</cpe>
+        <cpe regex="true">cpe:/a:echo(_project)?:echo.*</cpe>
+        <cpe regex="true">cpe:/a:util-linux(_project)?:util-linux.*</cpe>
+        <cpe regex="true">cpe:/a:bitmap(_project)?:bitmap.*</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework.*</cpe>
         <cpe>cpe:/a:next:next</cpe>
         <cpe>cpe:/a:property_pro:property_pro</cpe>
         <cve>CVE-2020-10663</cve>
         <cpe>cpe:/a:facebook:facebook</cpe>
         <cpe>cpe:/a:gitlab:gitlab</cpe>
         <cpe>cpe:/a:delegate:delegate</cpe>
-        <cpe regex="true">cpe:/a:thread(_project)?:thread</cpe>
-        <cpe regex="true">cpe:/a:data_tools(_project)?:data_tools</cpe>
-        <cpe regex="true">cpe:/a:tag(_project)?:tag</cpe>
+        <cpe regex="true">cpe:/a:thread(_project)?:thread.*</cpe>
+        <cpe regex="true">cpe:/a:data_tools(_project)?:data_tools.*</cpe>
+        <cpe regex="true">cpe:/a:tag(_project)?:tag.*</cpe>
         <cpe>cpe:/a:kubernetes:kubernetes</cpe>
-        <cpe regex="true">cpe:/a:websockets(_project)?:websockets</cpe>
-        <cpe regex="true">cpe:/a:cron(_project)?:cron</cpe>
-        <cpe regex="true">cpe:/a:html2pdf(_project)?:html2pdf</cpe>
-        <cpe regex="true">cpe:/a:shadow(_project)?:shadow</cpe>
+        <cpe regex="true">cpe:/a:websockets(_project)?:websockets.*</cpe>
+        <cpe regex="true">cpe:/a:cron(_project)?:cron.*</cpe>
+        <cpe regex="true">cpe:/a:html2pdf(_project)?:html2pdf.*</cpe>
+        <cpe regex="true">cpe:/a:shadow(_project)?:shadow.*</cpe>
         <cpe>cpe:/a:cde:cde</cpe>
         <cpe>cpe:/a:docker:docker</cpe>
         <cpe>cpe:/a:travis-ci:travis_ci</cpe>
-        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage.*</cpe>
         <cpe>cpe:/a:pivotal_software:rabbitmq</cpe>
-        <cpe regex="true">cpe:/a:saml(_project)?:saml</cpe>
-        <cpe regex="true">cpe:/a:yaml(_project)?:yaml</cpe>
+        <cpe regex="true">cpe:/a:saml(_project)?:saml.*</cpe>
+        <cpe regex="true">cpe:/a:yaml(_project)?:yaml.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -743,11 +743,11 @@
         <cpe  regex="true">cpe:/a:sqlserver(_project)?:sqlserver</cpe>
         <cpe>cpe:/a:auth0:auth0</cpe>
         <cpe>cpe:/a:github:github</cpe>
-        <cpe regex="true">cpe:/a:data-tools(_project)?:data_tools</cpe>
-        <cpe regex="true">cpe:/a:flow(_project)?:flow</cpe>
+        <cpe regex="true">cpe:/a:data-tools(_project)?:data_tools.*</cpe>
+        <cpe regex="true">cpe:/a:flow(_project)?:flow.*</cpe>
         <cpe>cpe:/a:ghost:ghost</cpe>
-        <cpe regex="true">cpe:/a:ws(_project)?:ws</cpe>
-        <cpe regex="true">cpe:/a:i18n(_project)?:i18n</cpe>
+        <cpe regex="true">cpe:/a:ws(_project)?:ws.*</cpe>
+        <cpe regex="true">cpe:/a:i18n(_project)?:i18n.*</cpe>
         <cpe>cpe:/a:redis:redis</cpe>
         <cpe>cpe:/a:perl:perl</cpe>
     </suppress>
@@ -756,7 +756,7 @@
         Suppresses false positives per #2511
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.vaadin/vaadin\-sass\-compiler@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:compile-sass(_project)?:compile-sass</cpe>
+        <cpe regex="true">cpe:/a:compile-sass(_project)?:compile-sass.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -777,7 +777,7 @@
         Suppresses false positives
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/rc@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:rc(_project)?:rc</cpe>
+        <cpe regex="true">cpe:/a:rc(_project)?:rc.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -827,7 +827,7 @@
         Suppresses false positive per #3827 - this library is not the github.com/containers/storage project
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.smallrye/smallrye\-context\-propagation\-storage@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -886,7 +886,7 @@
         Suppresses false positives per issue #1614.
         ]]></notes>
         <gav regex="true">^eu\.bitwalker:UserAgentUtils:.*$</gav>
-        <cpe regex="true">cpe:/a:useragent(_project)?:useragent</cpe>
+        <cpe regex="true">cpe:/a:useragent(_project)?:useragent.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -914,7 +914,7 @@
         Suppresses false positives per issue #1590
         ]]></notes>
         <gav regex="true">^com\.cybersource:flex-server-sdk:.*$</gav>
-        <cpe regex="true">cpe:/a:flex(_project)?:flex</cpe>
+        <cpe regex="true">cpe:/a:flex(_project)?:flex.*</cpe>
         <cpe>cpe:/a:id:id-software</cpe>
     </suppress>
     <suppress base="true">
@@ -936,7 +936,7 @@
         Suppresses false positives per issue #1587
         ]]></notes>
         <gav regex="true">^org\.apache\.felix:org\.apache\.felix\.configadmin:.*$</gav>
-        <cpe regex="true">cpe:/a:cm(_project)?:cm</cpe>
+        <cpe regex="true">cpe:/a:cm(_project)?:cm.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -986,7 +986,7 @@
         FP per #2768
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.evolvis\.tartools/rfc822@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:man-cgi(_project)?:man-cgi</cpe>
+        <cpe regex="true">cpe:/a:man-cgi(_project)?:man-cgi.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1095,7 +1095,7 @@
         Suppresses false positives per issue #1587
         ]]></notes>
         <gav regex="true">^com\.liferay:org\.apache\.felix\.configadmin:.*$</gav>
-        <cpe regex="true">cpe:/a:cm(_project)?:cm</cpe>
+        <cpe regex="true">cpe:/a:cm(_project)?:cm.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1253,14 +1253,14 @@
         Suppresses false positives per issue #2865
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:http_authentication_library(_project)?:http_authentication_library</cpe>
+        <cpe regex="true">cpe:/a:http_authentication_library(_project)?:http_authentication_library.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         Suppresses false positives per issue #2896
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:http_authentication_library(_project)?:http_authentication_library</cpe>
+        <cpe regex="true">cpe:/a:http_authentication_library(_project)?:http_authentication_library.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1382,7 +1382,7 @@
         FP per #872
         ]]></notes>
         <packageUrl regex="true">^pkg:(generic|nuget)/Microsoft\.AspNetCore\.JsonPatch@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:json-patch(_project)?:json-patch</cpe>
+        <cpe regex="true">cpe:/a:json-patch(_project)?:json-patch.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1403,21 +1403,21 @@
         FP per #1485
         ]]></notes>
         <gav regex="true">^org\.sonatype\.plexus:plexus-sec-dispatcher:.*$</gav>
-        <cpe regex="true">cpe:/a:sec(_project)?:sec</cpe>
+        <cpe regex="true">cpe:/a:sec(_project)?:sec.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1479
         ]]></notes>
         <gav regex="true">^com.amazonaws:aws-java-sdk-simpleworkflow:.*$</gav>
-        <cpe regex="true">cpe:/a:flow(_project)?:flow</cpe>
+        <cpe regex="true">cpe:/a:flow(_project)?:flow.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1479
         ]]></notes>
         <gav regex="true">^com.amazonaws:aws-java-sdk-swf-libraries:.*$</gav>
-        <cpe regex="true">cpe:/a:flow(_project)?:flow</cpe>
+        <cpe regex="true">cpe:/a:flow(_project)?:flow.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1615,7 +1615,7 @@
         FP found when researching #1091
         ]]></notes>
         <gav regex="true">^com\.nimbusds:nimbus-jose-jwt:.*$</gav>
-        <cpe regex="true">cpe:/a:jwt(_project)?:jwt</cpe>
+        <cpe regex="true">cpe:/a:jwt(_project)?:jwt.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1684,7 +1684,7 @@
         Suppresses false positives for components within guava.
         ]]></notes>        
         <packageUrl regex="true">^pkg:maven/com\.h3xstream\.retirejs/retirejs\-core@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:xstream(_project)?:xstream</cpe>
+        <cpe regex="true">cpe:/a:xstream(_project)?:xstream.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1879,7 +1879,7 @@
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.gagravarr/vorbis\-java\-tika@.*$</packageUrl>
         <cpe>cpe:/a:apache:tika</cpe>
-        <cpe regex="true">cpe:/a:flac(_project)?:flac</cpe>
+        <cpe regex="true">cpe:/a:flac(_project)?:flac.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -1959,7 +1959,7 @@
         FP per #1659
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.ops4j\.pax\..*$</packageUrl>
-        <cpe regex="true">cpe:/a:pax(_project)?:pax</cpe>
+        <cpe regex="true">cpe:/a:pax(_project)?:pax.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2014,7 +2014,7 @@
         <cpe>cpe:/a:apache:apache_http_server</cpe>
         <cpe>cpe:/a:apache:directory_studio</cpe>
         <cpe>cpe:/a:apache:ldap_studio</cpe>
-        <cpe regex="true">cpe:/a:net-ldap(_project)?:net-ldap</cpe>
+        <cpe regex="true">cpe:/a:net-ldap(_project)?:net-ldap.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2212,8 +2212,8 @@
         Grizzly is not Async Http Client
         ]]></notes>
         <gav regex="true">^org\.glassfish\.grizzly:grizzly-http-client:.*$</gav>
-        <cpe regex="true">cpe:/a:async-http-client(_project)?:async-http-client</cpe>
-        <cpe regex="true">cpe:/a:asynchttpclient(_project)?:async-http-client</cpe>
+        <cpe regex="true">cpe:/a:async-http-client(_project)?:async-http-client.*</cpe>
+        <cpe regex="true">cpe:/a:asynchttpclient(_project)?:async-http-client.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2355,7 +2355,7 @@
         FP per #3829 the eclipse Microprofile config file provider project is not the Jenkins config file provider plugin
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.eclipse\.microprofile\.config/.*@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:config_file_provider(_project)?:config_file_provider</cpe>
+        <cpe regex="true">cpe:/a:config_file_provider(_project)?:config_file_provider.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2377,8 +2377,8 @@
         Pyro is a python project.
         ]]></notes>
         <filePath regex="true">.*(\.(jar|ear|war|pom)|pom\.xml)</filePath>
-        <cpe regex="true">cpe:/a:services(_project)?:services</cpe>
-        <cpe regex="true">cpe:/a:pyro(_project)?:pyro</cpe>
+        <cpe regex="true">cpe:/a:services(_project)?:services.*</cpe>
+        <cpe regex="true">cpe:/a:pyro(_project)?:pyro.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2406,7 +2406,7 @@
         false positive per issue #777
         ]]></notes>
         <gav regex="true">^org\.glassfish\.jersey\.ext:jersey-metainf-services:.*$</gav>
-        <cpe regex="true">cpe:/a:services(_project)?:services:</cpe>
+        <cpe regex="true">cpe:/a:services(_project)?:services:.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2464,17 +2464,17 @@
         False positives per issue #2873
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/faye\-websocket@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:faye(_project)?:faye</cpe>
+        <cpe regex="true">cpe:/a:faye(_project)?:faye.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         Node.js false positives per issues #512 and #510
         ]]></notes>
         <filePath regex="true">.*package\.json$</filePath>
-        <cpe regex="true">cpe:/a:file(_project)?:file</cpe>
+        <cpe regex="true">cpe:/a:file(_project)?:file.*</cpe>
         <cpe>cpe:/a:file:file</cpe>
         <cpe>cpe:/a:shim:shim</cpe>
-        <cpe regex="true">cpe:/a:shim(_project)?:shim</cpe>
+        <cpe regex="true">cpe:/a:shim(_project)?:shim.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2685,14 +2685,14 @@
         <filePath regex="true">.*activerecord.*oracle.*\.gemspec</filePath>
         <cpe>cpe:/a:ruby-i18n:i18n</cpe>
         <cpe>cpe:/a:mikel_lindsaar:mail</cpe>
-        <cpe regex="true">cpe:/a:rest-client(_project)?:rest-client</cpe>
+        <cpe regex="true">cpe:/a:rest-client(_project)?:rest-client.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         false positives per issue #915
         ]]></notes>
         <gav regex="true">^net\.thisptr:jackson-jq:.*$</gav>
-        <cpe regex="true">cpe:/a:jq(_project)?:jq</cpe>
+        <cpe regex="true">cpe:/a:jq(_project)?:jq.*</cpe>
         <cpe>cpe:/a:id:id-software</cpe>
     </suppress>
     <suppress base="true">
@@ -2731,7 +2731,7 @@
         false positives per issue #915
         ]]></notes>
         <gav regex="true">^javax\.validation:validation-api:.*$</gav>
-        <cpe regex="true">cpe:/a:bean(_project)?:bean</cpe>
+        <cpe regex="true">cpe:/a:bean(_project)?:bean.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2745,49 +2745,49 @@
         FP per #1398
         ]]></notes>
         <gav regex="true">^net\.lingala\.zip4j:zip4j:.*$</gav>
-        <cpe regex="true">cpe:/a:zip(_project)?:zip</cpe>
+        <cpe regex="true">cpe:/a:zip(_project)?:zip.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1398
         ]]></notes>
         <gav regex="true">^net\.java\.truevfs:truevfs-comp-zip:.*$</gav>
-        <cpe regex="true">cpe:/a:zip(_project)?:zip</cpe>
+        <cpe regex="true">cpe:/a:zip(_project)?:zip.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1398
         ]]></notes>
         <gav regex="true">^net\.java\.truevfs:truevfs-driver-zip:.*$</gav>
-        <cpe regex="true">cpe:/a:zip(_project)?:zip</cpe>
+        <cpe regex="true">cpe:/a:zip(_project)?:zip.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #1424
         ]]></notes>
         <gav regex="true">^stax:stax-api:.*$</gav>
-        <cpe regex="true">cpe:/a:st(_project)?:st</cpe>
+        <cpe regex="true">cpe:/a:st(_project)?:st.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         false positive per issue #894
         ]]></notes>
         <gav regex="true">^org\.apache\.pdfbox:fontbox:.*$</gav>
-        <cpe regex="true">cpe:/a:font(_project)?:font</cpe>
+        <cpe regex="true">cpe:/a:font(_project)?:font.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         false positive per issue #1093
         ]]></notes>
         <gav regex="true">^com\.itextpdf:font-asian:.*$</gav>
-        <cpe regex="true">cpe:/a:font(_project)?:font</cpe>
+        <cpe regex="true">cpe:/a:font(_project)?:font.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         false positive per issue #859
         ]]></notes>
         <gav regex="true">^org\.kohsuke:github-api:.*$</gav>
-        <cpe regex="true">cpe:/a:hub(_project)?:hub</cpe>
+        <cpe regex="true">cpe:/a:hub(_project)?:hub.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2801,22 +2801,22 @@
         False positive per issue #1068
         ]]></notes>
         <gav regex="true">^org\.asynchttpclient:netty-codec-dns:.*$</gav>
-        <cpe regex="true">cpe:/a:dns-sync(_project)?:dns-sync</cpe>
+        <cpe regex="true">cpe:/a:dns-sync(_project)?:dns-sync.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         False positive per issue #1068
         ]]></notes>
         <gav regex="true">^org\.asynchttpclient:async-http-client-netty-utils:.*$</gav>
-        <cpe regex="true">cpe:/a:async-http-client(_project)?:async-http-client</cpe>
-        <cpe regex="true">cpe:/a:asynchttpclient(_project)?:async-http-client</cpe>
+        <cpe regex="true">cpe:/a:async-http-client(_project)?:async-http-client.*</cpe>
+        <cpe regex="true">cpe:/a:asynchttpclient(_project)?:async-http-client.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         False positive per issue #1068
         ]]></notes>   
         <gav regex="true">^org\.asynchttpclient:netty-resolver-dns:.*$</gav>
-        <cpe regex="true">cpe:/a:dns-sync(_project)?:dns-sync</cpe>
+        <cpe regex="true">cpe:/a:dns-sync(_project)?:dns-sync.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2845,7 +2845,7 @@
         file name: xbean-finder-3.11.1.jar
         ]]></notes>
         <gav regex="true">^org\.apache\.xbean:xbean-finder:.*$</gav>
-        <cpe regex="true">cpe:/a:finder(_project)?:finder</cpe>
+        <cpe regex="true">cpe:/a:finder(_project)?:finder.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2859,7 +2859,7 @@
         false positive per issue #871
         ]]></notes>
         <gav regex="true">^org\.sonatype\..*$</gav>
-        <cpe regex="true">cpe:/a:spice(_project)?:spice</cpe>
+        <cpe regex="true">cpe:/a:spice(_project)?:spice.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2880,7 +2880,7 @@
         file name: jersey-core-1.11.jar
         ]]></notes>
         <gav regex="true">^com\.sun\.jersey:jersey-core:.*$</gav>
-        <cpe regex="true">cpe:/a:restful_web_services(_project)?:restful_web_services</cpe>
+        <cpe regex="true">cpe:/a:restful_web_services(_project)?:restful_web_services.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -2966,8 +2966,8 @@
         FP on sttp for http-client
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.softwaremill\.sttp.*$</packageUrl>
-        <cpe regex="true">cpe:/a:async-http-client(_project)?:async-http-client</cpe>
-        <cpe regex="true">cpe:/a:asynchttpclient(_project)?:async-http-client</cpe>
+        <cpe regex="true">cpe:/a:async-http-client(_project)?:async-http-client.*</cpe>
+        <cpe regex="true">cpe:/a:asynchttpclient(_project)?:async-http-client.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3053,7 +3053,7 @@
         FP per issue #1003
         ]]></notes>   
         <gav regex="true">^org\.mapstruct:mapstruct:.*$</gav>
-        <cpe regex="true">cpe:/a:bean(_project)?:bean</cpe>
+        <cpe regex="true">cpe:/a:bean(_project)?:bean.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3128,7 +3128,7 @@
         general FP cleanup: com.amazonaws is a drupal project
         ]]></notes>
         <gav regex="true">^com\.amazonaws:jmespath-java:.*$</gav>
-        <cpe regex="true">cpe:/a:amazon_aws(_project)?:amazon_aws</cpe>
+        <cpe regex="true">cpe:/a:amazon_aws(_project)?:amazon_aws.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3222,14 +3222,14 @@
         general FP cleanup
         ]]></notes>
         <gav regex="true">^org\.codehaus\.plexus:plexus-utils:.*$</gav>
-        <cpe regex="true">cpe:/a:spice(_project)?:spice</cpe>
+        <cpe regex="true">cpe:/a:spice(_project)?:spice.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP #1064
         ]]></notes>
         <gav regex="true">^org\.projectlombok:lombok:.*$</gav>
-        <cpe regex="true">cpe:/a:spice(_project)?:spice</cpe>
+        <cpe regex="true">cpe:/a:spice(_project)?:spice.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3614,7 +3614,7 @@
         caused by cpe:/a:gpg-pgp_project::gpg-pgp and cpe:/a:openpgp:openpgp
         ]]></notes>
         <gav regex="true">^name\.neuhalfen\.projects\.crypto\.bouncycastle\.openpgp:bouncy-gpg:.*$</gav>
-        <cpe regex="true">cpe:/a:gpg-pgp(_project)?::gpg-pgp</cpe>
+        <cpe regex="true">cpe:/a:gpg-pgp(_project)?::gpg-pgp.*</cpe>
         <cpe>cpe:/a:openpgp:openpgp</cpe>
     </suppress>
     <suppress base="true">
@@ -3683,7 +3683,7 @@
         false positive per #3271 on org.apache.sis.storage
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.sis\.storage/sis\-.*$</packageUrl>
-        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3713,7 +3713,7 @@
         false positive per #3284 on com.amazonaws:aws-java-sdk-storagegateway
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-storagegateway@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:storage(_project)?:storage</cpe>
+        <cpe regex="true">cpe:/a:storage(_project)?:storage.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3855,14 +3855,14 @@
         suppress false CPE for mssql-on-azure backend for django #3500
         ]]></notes>
         <packageUrl regex="true">^pkg:pypi/mssql\-django@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:django(_project)?:django</cpe>
+        <cpe regex="true">cpe:/a:django(_project)?:django.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: fast-uuid-0.1.jar #3336
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.eatthepath/fast\-uuid@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:fast_ber(_project)?:fast_ber</cpe>
+        <cpe regex="true">cpe:/a:fast_ber(_project)?:fast_ber.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -3938,42 +3938,42 @@
         file name: 'DateTime::Format::MySQL', '0.04'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/DateTime%3A%3AFormat/MySQL@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'MARC::File::XML', '1.0.1'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/MARC%3A%3AFile.*$</packageUrl>
-        <cpe regex="true">cpe:/a:file(_project)?:file</cpe>
+        <cpe regex="true">cpe:/a:file(_project)?:file.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'File::Spec', '0'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/(IO%3A%3A)?File.*$</packageUrl>
-        <cpe regex="true">cpe:/a:file(_project)?:file</cpe>
+        <cpe regex="true">cpe:/a:file(_project)?:file.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'SQL::Abstract', '0'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/SQL/.*$</packageUrl>
-        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'DBIx::Class::InflateColumn::DateTime', '0'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/.*DateTime.*$</packageUrl>
-        <cpe regex="true">cpe:/a:time(_project)?:time</cpe>
+        <cpe regex="true">cpe:/a:time(_project)?:time.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: 'Dist::Zilla::Plugin::Git::NextVersion', '1.120370'
         ]]></notes>
         <packageUrl regex="true">^pkg:cpan/Dist%3A%3AZilla%3A%3APlugin%3A%3AGit.*$</packageUrl>
-        <cpe regex="true">cpe:/a:git(_project)?:git</cpe>
+        <cpe regex="true">cpe:/a:git(_project)?:git.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4129,7 +4129,7 @@
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.netty/netty-tcnative-boringssl-static@.*$</packageUrl>
         <cpe>cpe:/a:chromium:chromium</cpe>
-        <cpe regex="true">cpe:/a:chromium(_project)?:chromium</cpe>
+        <cpe regex="true">cpe:/a:chromium(_project)?:chromium.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4208,7 +4208,7 @@
         FP per issue #4227 simple-xml-safe is a security-patched fork of the unmaintained simple-xml
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.carrotsearch\.thirdparty/simple-xml-safe@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:simplexml(_project)?:simplexml</cpe>
+        <cpe regex="true">cpe:/a:simplexml(_project)?:simplexml.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4259,7 +4259,7 @@
    	    FP per issue #4368, #4384, #4369 async_project:async is an npm package
    	    ]]></notes>
         <packageUrl regex="true">^pkg:maven/.*async.*@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:async(_project)?:async</cpe>
+        <cpe regex="true">cpe:/a:async(_project)?:async.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4313,7 +4313,7 @@
         <packageUrl regex="true">^pkg:maven/org\.pac4j/ratpack\-pac4j@.*$</packageUrl>
         <cpe>cpe:/a:pac4j:pac4j</cpe>
         <cpe>cpe:/a:ratpack:ratpack</cpe>
-        <cpe regex="true">cpe:/a:ratpack(_project)?:ratpack</cpe>
+        <cpe regex="true">cpe:/a:ratpack(_project)?:ratpack.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4450,7 +4450,7 @@
         FP per issue #4518; http-swagger is a SwagGo Go-librarie, not one of the swagger.io libraries
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.swagger/.*$</packageUrl>
-        <cpe regex="true">cpe:/a:http-swagger(_project)?:http-swagger</cpe>
+        <cpe regex="true">cpe:/a:http-swagger(_project)?:http-swagger.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4464,7 +4464,7 @@
         FP per issue #4554; archiver_project:archiver is a go-module, not the NPM package
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/archiver@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:archiver(_project)?:archiver</cpe>
+        <cpe regex="true">cpe:/a:archiver(_project)?:archiver.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4550,7 +4550,7 @@
         <cpe>cpe:/a:pivotal_software:spring_security</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
         <cpe>cpe:/a:vmware:springsource_spring_security</cpe>
-        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4560,7 +4560,7 @@
         <cpe>cpe:/a:vmware:springsource_spring_security</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
         <cpe>cpe:/a:pivotal_software:spring_security</cpe>
-        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4569,7 +4569,7 @@
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-jwt@.*$</packageUrl>
         <cpe>cpe:/a:pivotal:spring_security_oauth</cpe>
         <cpe>cpe:/a:pivotal_software:spring_security_oauth</cpe>
-        <cpe regex="true">cpe:/a:jwt(_project)?:jwt</cpe>
+        <cpe regex="true">cpe:/a:jwt(_project)?:jwt.*</cpe>
     </suppress>
 
     <suppress base="true">
@@ -4577,7 +4577,7 @@
         FP per issue #4576; spring-security-saml2-core is an (end-of-life) extension project separate from spring-security https://github.com/spring-projects/spring-security-saml
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security\.extensions/spring-security-saml2-core@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:saml(_project)?:saml</cpe>
+        <cpe regex="true">cpe:/a:saml(_project)?:saml.*</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
     </suppress>
     <suppress base="true">
@@ -4588,7 +4588,7 @@
         <cpe>cpe:/a:pivotal_software:spring_security</cpe>
         <cpe>cpe:/a:vmware:springsource_spring_security</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
-        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4598,7 +4598,7 @@
         <cpe>cpe:/a:pivotal_software:spring_security</cpe>
         <cpe>cpe:/a:vmware:springsource_spring_security</cpe>
         <cpe>cpe:/a:vmware:spring_security</cpe>
-        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework</cpe>
+        <cpe regex="true">cpe:/a:security-framework(_project)?:security-framework.*</cpe>
     </suppress>
 
     <suppress base="true">
@@ -4773,7 +4773,7 @@
         False positives per issue #642
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework/spring-context@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:context(_project)?:context</cpe>
+        <cpe regex="true">cpe:/a:context(_project)?:context.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4787,7 +4787,7 @@
         False positive per issue #700 and #3579
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.cloud/spring-cloud-.*$</packageUrl>
-        <cpe regex="true">cpe:/a:context(_project)?:context</cpe>
+        <cpe regex="true">cpe:/a:context(_project)?:context.*</cpe>
         <cpe>cpe:/a:pivotal_software:spring_batch</cpe>
     </suppress>
     <suppress base="true">
@@ -4819,7 +4819,7 @@
         spring ldap cleanup per issue #1060
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.ldap/spring-ldap-core@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:net-ldap(_project)?:net-ldap</cpe>
+        <cpe regex="true">cpe:/a:net-ldap(_project)?:net-ldap.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4927,7 +4927,7 @@
         FP because cpe make reference to IonicaBizau/parse-url dependency
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/parseurl@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:parse-url(_project)?:parse-url</cpe>
+        <cpe regex="true">cpe:/a:parse-url(_project)?:parse-url.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -4948,14 +4948,14 @@
         FP per issue #4852
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-kickstart@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4803
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/net\.sourceforge\.htmlunit/htmlunit-cssparser@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:htmlunit(_project)?:htmlunit</cpe>
+        <cpe regex="true">cpe:/a:htmlunit(_project)?:htmlunit.*</cpe>
     </suppress>
 
     <suppress base="true">
@@ -4963,49 +4963,49 @@
         FP per issue #4853
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-servlet@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4859
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4851
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java/graphql-java-extended-scalars@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4860
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support-api@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4862
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.github\.graphql-java/graphql-java-annotations@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4863
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java/java-dataloader@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4854
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-java-tools@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5117,7 +5117,7 @@
         FP per issue #4907
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/net\.minidev/accessors-smart@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:json-smart(_project)?:json-smart-v1</cpe>
+        <cpe regex="true">cpe:/a:json-smart(_project)?:json-smart-v1.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5152,7 +5152,7 @@
         FP per issue #4962
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.github\.pagehelper/pagehelper-spring-boot-starter@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:pagehelper(_project)?:pagehelper</cpe>
+        <cpe regex="true">cpe:/a:pagehelper(_project)?:pagehelper.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5208,7 +5208,7 @@
         FP per issue #2575, #4820
         ]]></notes>
         <packageUrl regex="true">^pkg:cocoapods/GoogleUtilities%2FAppDelegateSwizzler@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:app(_project)?:app</cpe>
+        <cpe regex="true">cpe:/a:app(_project)?:app.*</cpe>
         <cpe>cpe:/a:delegate:delegate</cpe>
     </suppress>
     <suppress base="true">
@@ -5242,7 +5242,7 @@
            FP per issue https://github.com/dependency-check/DependencyCheck/issues/5060
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.msgpack/.*@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:messagepack(_project)?:messagepack</cpe>
+        <cpe regex="true">cpe:/a:messagepack(_project)?:messagepack.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5375,21 +5375,21 @@
         FP per issue #4693
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.zipkin\.reporter2/zipkin-reporter@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:pki-core(_project)?:pki-core</cpe>
+        <cpe regex="true">cpe:/a:pki-core(_project)?:pki-core.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4692
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.zipkin\.zipkin2/zipkin@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:pki-core(_project)?:pki-core</cpe>
+        <cpe regex="true">cpe:/a:pki-core(_project)?:pki-core.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #4669
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.junit\.jupiter/junit-jupiter-engine@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:fan_platform(_project)?:fan_platform</cpe>
+        <cpe regex="true">cpe:/a:fan_platform(_project)?:fan_platform.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5425,7 +5425,7 @@
         FP per issue #5083
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.github\.pagehelper/pagehelper-spring-boot-autoconfigure@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:pagehelper(_project)?:pagehelper</cpe>
+        <cpe regex="true">cpe:/a:pagehelper(_project)?:pagehelper.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5482,7 +5482,7 @@
         FP per issue #5131
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.zipkin\.zipkin2/zipkin-collector@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:pki-core(_project)?:pki-core</cpe>
+        <cpe regex="true">cpe:/a:pki-core(_project)?:pki-core.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5538,21 +5538,21 @@
        FP per issue #5212
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.github\.java-json-tools/json-patch@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:json-patch(_project)?:json-patch</cpe>
+        <cpe regex="true">cpe:/a:json-patch(_project)?:json-patch.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
        FP per issue #5217
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/net\.pwall\.json/json-pointer@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:json-pointer(_project)?:json-pointer</cpe>
+        <cpe regex="true">cpe:/a:json-pointer(_project)?:json-pointer.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
        FP per issue #5275
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-spring-boot-starter@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5573,21 +5573,21 @@
        FP per issue #5280
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.camel/camel-ftp@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
        FP per issue #5253
        ]]></notes>
         <packageUrl regex="true">^pkg:npm/jsonpointer@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:json-pointer(_project)?:json-pointer</cpe>
+        <cpe regex="true">cpe:/a:json-pointer(_project)?:json-pointer.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
        FP per issue #5252
        ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.google\.flatbuffers/flatbuffers-java@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:flat(_project)?:flat</cpe>
+        <cpe regex="true">cpe:/a:flat(_project)?:flat.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5611,7 +5611,7 @@
         FP per issue #5367
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql\-java\-kickstart/.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5634,7 +5634,7 @@
         FP per #5502
         ]]></notes>
         <packageUrl regex="true">^(?!pkg:maven/org\.json/json@).+$</packageUrl>
-        <cpe regex="true">cpe:/a:json-java(_project)?:json-java</cpe>
+        <cpe regex="true">cpe:/a:json-java(_project)?:json-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5642,7 +5642,7 @@
         FP per #5454
         ]]></notes>
         <packageUrl regex="true">^(?!pkg:npm/flat@).+$</packageUrl>
-        <cpe regex="true">cpe:/a:flat(_project)?:flat</cpe>
+        <cpe regex="true">cpe:/a:flat(_project)?:flat.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5656,7 +5656,7 @@
         FP per issue #5381, apollo_project:apollo is a PHP project unrelated to apollographql
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.apollo/.*$</packageUrl>
-        <cpe regex="true">cpe:/a:apollo(_project)?:apollo</cpe>
+        <cpe regex="true">cpe:/a:apollo(_project)?:apollo.*</cpe>
     </suppress>
     <!-- generated suppressions added to main in 8.1.1 -->
     <suppress base="true">
@@ -5664,7 +5664,7 @@
         FP per issue #5333
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.graphql-java-kickstart/graphql-kickstart-spring-support@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java</cpe>
+        <cpe regex="true">cpe:/a:graphql-java(_project)?:graphql-java.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5685,21 +5685,21 @@
         FP per issue #5373
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:voyager(_project)?:voyager</cpe>
+        <cpe regex="true">cpe:/a:voyager(_project)?:voyager.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5372
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.locationtech\.spatial4j/spatial4j@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:smiley(_project)?:smiley</cpe>
+        <cpe regex="true">cpe:/a:smiley(_project)?:smiley.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5380
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/dev\.ludovic\.netlib/lapack@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:lapack(_project)?:lapack</cpe>
+        <cpe regex="true">cpe:/a:lapack(_project)?:lapack.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5720,7 +5720,7 @@
         FP per issue #5325
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.enterprisedt/edtFTPj@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5748,7 +5748,7 @@
         FP per issue #5501
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.jsonschema2pojo/jsonschema2pojo-jdk-annotation@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:json-schema(_project)?:json-schema</cpe>
+        <cpe regex="true">cpe:/a:json-schema(_project)?:json-schema.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5797,14 +5797,14 @@
         FP per issue #5491
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql</cpe>
+        <cpe regex="true">cpe:/a:www-sql(_project)?:www-sql.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5490
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/azure-cosmosdb@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:async(_project)?:async</cpe>
+        <cpe regex="true">cpe:/a:async(_project)?:async.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5818,7 +5818,7 @@
         FP per issue #5462
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.ws\.commons\.axiom/axiom-impl@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:web(_project)?:web</cpe>
+        <cpe regex="true">cpe:/a:web(_project)?:web.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5855,7 +5855,7 @@
         FP per issue #5593
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.camel\.springboot/camel-ftp-starter@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5883,7 +5883,7 @@
         FP per issue #5622
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/net\.minidev/accessors-smart@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:json-smart(_project)?:json-smart</cpe>
+        <cpe regex="true">cpe:/a:json-smart(_project)?:json-smart.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5932,7 +5932,7 @@
         FP per issue #5685
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcpg-jdk15on@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:open_cas(_project)?:open_cas</cpe>
+        <cpe regex="true">cpe:/a:open_cas(_project)?:open_cas.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -5974,7 +5974,7 @@
         FP per issue #5737
         ]]></notes>
         <packageUrl regex="true">^pkg:nuget/MagicFileEncoding@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:file(_project)?:file</cpe>
+        <cpe regex="true">cpe:/a:file(_project)?:file.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6009,7 +6009,7 @@
         FP per issue #5754 #6441
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.swagger\.parser\.v3/swagger-parser-safe-url-resolver@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:parse-url(_project)?:</cpe>
+        <cpe regex="true">cpe:/a:parse-url(_project)?:.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6023,28 +6023,28 @@
         FP per issue #5753
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.bazaarvoice\.jolt/json-utils@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:utils(_project)?:utils</cpe>
+        <cpe regex="true">cpe:/a:utils(_project)?:utils.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5765
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.integration/spring-integration-ftp@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5766
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.mockftpserver/MockFtpServer@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5770
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.sun\.xml\.bind\.jaxb/isorelax@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:xml_library_project:xml_library</cpe>
+        <cpe regex="true">cpe:/a:xml_library_project:xml_library.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6096,7 +6096,7 @@
         FP per issue #5777
         ]]></notes>
         <packageUrl regex="true">^pkg:nuget/RazorEngine\.NetCore@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:razorengine(_project)?:razorengine</cpe>
+        <cpe regex="true">cpe:/a:razorengine(_project)?:razorengine.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6145,14 +6145,14 @@
         FP per issue #5796
         ]]></notes>
         <packageUrl regex="true">^pkg:nuget/Microsoft\.Win32\.SystemEvents@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:events(_project)?:events</cpe>
+        <cpe regex="true">cpe:/a:events(_project)?:events.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         hand-curated better suppression for FP per issue #5797
         ]]></notes>
         <packageUrl regex="true">^(?!pkg:maven/net\.pwall\.json/jsonutil).*$</packageUrl>
-        <cpe regex="true">cpe:/a:jsonutil(_project)?:jsonutil</cpe>
+        <cpe regex="true">cpe:/a:jsonutil(_project)?:jsonutil.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6161,7 +6161,7 @@
         bundled suppression-file
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.apollo3/.*$</packageUrl>
-        <cpe regex="true">cpe:/a:apollo(_project)?:apollo</cpe>
+        <cpe regex="true">cpe:/a:apollo(_project)?:apollo.*</cpe>
     </suppress>
 
     <suppress base="true">
@@ -6169,7 +6169,7 @@
         FP per issue #5794
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.apollo3/apollo-annotations-jvm@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:apollo(_project)?:apollo</cpe>
+        <cpe regex="true">cpe:/a:apollo(_project)?:apollo.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6190,14 +6190,14 @@
         FP per issue #5821
         ]]></notes>
         <packageUrl regex="true">^pkg:npm/wordwrap@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:word-wrap(_project)?:word-wrap</cpe>
+        <cpe regex="true">cpe:/a:word-wrap(_project)?:word-wrap.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5829
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.exactpro\.th2/netty-bytebuf-utils@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:utils(_project)?:utils</cpe>
+        <cpe regex="true">cpe:/a:utils(_project)?:utils.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6211,14 +6211,14 @@
         FP per issue #5843
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:avro(_project)?:avro</cpe>
+        <cpe regex="true">cpe:/a:avro(_project)?:avro.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #5846
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/commons-logging/commons-logging@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:morgan(_project)?:morgan</cpe>
+        <cpe regex="true">cpe:/a:morgan(_project)?:morgan.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6288,7 +6288,7 @@
         FP per issue #5879
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-classes-quic@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:quic(_project)?:quic</cpe>
+        <cpe regex="true">cpe:/a:quic(_project)?:quic.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6374,14 +6374,14 @@
    FP per issue #5910
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:oembed(_project)?:oembed</cpe>
+        <cpe regex="true">cpe:/a:oembed(_project)?:oembed.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
    FP per issue #5911
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.adobe\.cq/core\.wcm\.components\.core@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:xml_library(_project)?:xml_library</cpe>
+        <cpe regex="true">cpe:/a:xml_library(_project)?:xml_library.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6416,7 +6416,7 @@
    FP per issue #5913
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty\.incubator/reactor-netty-incubator-quic@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:quic(_project)?:quic</cpe>
+        <cpe regex="true">cpe:/a:quic(_project)?:quic.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6437,7 +6437,7 @@
    FP per issue #5956
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-native-quic@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:quic(_project)?:quic</cpe>
+        <cpe regex="true">cpe:/a:quic(_project)?:quic.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6458,7 +6458,7 @@
    FP per issue #5968
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.netty\.incubator/netty-incubator-codec-native-quic@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:chromium(_project)?:chromium</cpe>
+        <cpe regex="true">cpe:/a:chromium(_project)?:chromium.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6486,7 +6486,7 @@
    FP per issue #6056
    ]]></notes>
         <packageUrl regex="true">^pkg:nuget/Serilog\.Sinks\.Async@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:async(_project)?:async</cpe>
+        <cpe regex="true">cpe:/a:async(_project)?:async.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6521,7 +6521,7 @@
    FP per issue #6169
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/commons-net/commons-net@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:ftp(_project)?:ftp</cpe>
+        <cpe regex="true">cpe:/a:ftp(_project)?:ftp.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6542,7 +6542,7 @@
    FP per issue #6242
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.jruby\.rack/jruby-rack@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:rack(_project)?:rack</cpe>
+        <cpe regex="true">cpe:/a:rack(_project)?:rack.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6563,7 +6563,7 @@
    FP per issue #6340
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.idealista/format-preserving-encryption@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:vega(_project)?:vega</cpe>
+        <cpe regex="true">cpe:/a:vega(_project)?:vega.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6577,7 +6577,7 @@
    FP per issue #6369
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.wildfly\.security\.elytron-web/undertow-server@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:web(_project)?:web</cpe>
+        <cpe regex="true">cpe:/a:web(_project)?:web.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6605,7 +6605,7 @@
    FP per issue #6421
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.swagger/swagger-parser-safe-url-resolver@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:parse-url(_project)?:parse-url</cpe>
+        <cpe regex="true">cpe:/a:parse-url(_project)?:parse-url.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6626,7 +6626,7 @@
    FP per issue #6463
    ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-server-metrics-micrometer-jvm@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:csm_server(_project)?:csm_server</cpe>
+        <cpe regex="true">cpe:/a:csm_server(_project)?:csm_server.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6753,35 +6753,35 @@
         FP per issue #6696
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.lz4/lz4-java@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:lz4(_project)?:lz4</cpe>
+        <cpe regex="true">cpe:/a:lz4(_project)?:lz4.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6695
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j-slf4j2-impl@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:log4js(_project)?:log4js</cpe>
+        <cpe regex="true">cpe:/a:log4js(_project)?:log4js.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6694
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-server-call-logging-jvm@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:call(_project)?:call</cpe>
+        <cpe regex="true">cpe:/a:call(_project)?:call.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6693
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.ktor/ktor-client-content-negotiation-jvm@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:content(_project)?:content</cpe>
+        <cpe regex="true">cpe:/a:content(_project)?:content.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6692
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.hibernate\.validator/hibernate-validator@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:validator(_project)?:validator</cpe>
+        <cpe regex="true">cpe:/a:validator(_project)?:validator.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6802,7 +6802,7 @@
         FP per issue #6707
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.prometheus/prometheus-metrics-model@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:model(_project)?:model</cpe>
+        <cpe regex="true">cpe:/a:model(_project)?:model.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6859,14 +6859,14 @@
         FP per issue #6856
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring-security-oauth2-authorization-server@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:oauth2-server(_project)?:oauth2-server</cpe>
+        <cpe regex="true">cpe:/a:oauth2-server(_project)?:oauth2-server.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6855
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/commons-validator/commons-validator@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:validator(_project)?:validator</cpe>
+        <cpe regex="true">cpe:/a:validator(_project)?:validator.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6880,7 +6880,7 @@
         FP per issue #6906
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.jeecgframework/autopoi-web@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:web(_project)?:web</cpe>
+        <cpe regex="true">cpe:/a:web(_project)?:web.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6894,14 +6894,14 @@
         FP per issue #6874
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-cache@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:cache(_project)?:cache</cpe>
+        <cpe regex="true">cpe:/a:cache(_project)?:cache.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6873
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/javax\.cache/cache-api@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:cache(_project)?:cache</cpe>
+        <cpe regex="true">cpe:/a:cache(_project)?:cache.*</cpe>
     </suppress>
 
     <suppress base="true">
@@ -6951,14 +6951,14 @@
         cpe:/a:services_project:services is Drupal services module in PHP #6448
         ]]></notes>
         <filePath regex="true">.*(\.(dll|jar|ear|war|pom|nupkg|nuspec|aar)|pom\.xml|package.json|packages.config)$</filePath>
-        <cpe regex="true">cpe:/a:services(_project)?:services</cpe>
+        <cpe regex="true">cpe:/a:services(_project)?:services.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #6851
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.github\.reactivecircus\.cache4k/cache4k-jvm@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:cache(_project)?:cache</cpe>
+        <cpe regex="true">cpe:/a:cache(_project)?:cache.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
@@ -6979,7 +6979,7 @@
         FP per issue #6991
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.apollographql\.federation/federation-graphql-java-support@.*$</packageUrl>
-        <cpe regex="true">cpe:/a:apollo(_project)?:apollo</cpe>
+        <cpe regex="true">cpe:/a:apollo(_project)?:apollo.*</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[

From 84d3436c7c0aaaf7151d69a09fd732c0afd550ab Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 10 Jun 2025 07:24:53 -0400
Subject: [PATCH 064/195] docs: release 12.1.3

---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d7bbd9e34d9..0ce7d1f529e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Change Log
 
+## [Version 12.1.3](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.3) (2025-06-10)
+
+- fix: correct regex matches introduced in 12.1.2 (#7726)
+- build(deps): bump org.semver4j:semver4j from 5.7.0 to 5.7.1 (#7718)
+- build(deps): bump junit.version from 5.13.0 to 5.13.1 (#7719)
+
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/97?closed=1)
+
 ## [Version 12.1.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.2) (2025-06-07)
 
 - fix: Allow configuring OSS Index user/pw directly (#7640)

From dfd437e49289247a41e89e8341e2de755a40ec66 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 10 Jun 2025 07:27:53 -0400
Subject: [PATCH 065/195] build: prepare release v12.1.3

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index 73ab5decf22..c2e777074f0 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3-SNAPSHOT</version>
+        <version>12.1.3</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.3</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index dffcca77497..247cabeee68 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3-SNAPSHOT</version>
+        <version>12.1.3</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-06-07T10:43:51Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-06-10T11:25:28Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>HEAD</tag>
+      <tag>v12.1.3</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index 914547e8e83..89671a6b4f1 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3-SNAPSHOT</version>
+        <version>12.1.3</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.3</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 15e58c29aff..821174b15bc 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3-SNAPSHOT</version>
+        <version>12.1.3</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.3</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index d20b293cfac..d840ff5f17b 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3-SNAPSHOT</version>
+        <version>12.1.3</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.3</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index b6f7648de0b..8083fda35cc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.3-SNAPSHOT</version>
+    <version>12.1.3</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.3</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-06-07T10:43:51Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-06-10T11:25:28Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index cfb74659eb9..464397ad38a 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3-SNAPSHOT</version>
+        <version>12.1.3</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.3</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 720bc1cd180c668a4f6de02a6fda6d10526f43a1 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 10 Jun 2025 07:27:54 -0400
Subject: [PATCH 066/195] build: prepare for next development iteration

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index c2e777074f0..2672fd42130 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.3</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 247cabeee68..97fcfb61fd0 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-06-10T11:25:28Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-06-10T11:27:54Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>v12.1.3</tag>
+      <tag>HEAD</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index 89671a6b4f1..f1679dc91c2 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.3</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 821174b15bc..8f55be37e16 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.3</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index d840ff5f17b..57853b1d107 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.3</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index 8083fda35cc..cb7e9ec1a7c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.3</version>
+    <version>12.1.4-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.3</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-06-10T11:25:28Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-06-10T11:27:54Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 464397ad38a..090d0832711 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.3</version>
+        <version>12.1.4-SNAPSHOT</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.3</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 3544e9123ed4657d939a549baf83a276d48ab2f5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 12 Jun 2025 06:17:06 -0400
Subject: [PATCH 067/195] build(deps): bump org.postgresql:postgresql from
 42.7.6 to 42.7.7 (#7737)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 core/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/pom.xml b/core/pom.xml
index 8f55be37e16..77ee0af07c2 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -466,7 +466,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 <dependency>
                     <groupId>org.postgresql</groupId>
                     <artifactId>postgresql</artifactId>
-                    <version>42.7.6</version>
+                    <version>42.7.7</version>
                 </dependency>
             </dependencies>
             <build>

From 36aa3ff3b4f3c4f09f5c1a9b4f66bcc6c12f7102 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 12 Jun 2025 06:17:31 -0400
Subject: [PATCH 068/195] fix(fp): resolves several false positives related to
 CVE-2021-41033 (#7736)

---
 .../main/resources/dependencycheck-base-suppression.xml    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index 462d50edda0..9c805ab2b6e 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -7056,4 +7056,11 @@
         <packageUrl regex="true">^pkg:nuget/.+\.Redis\..*$</packageUrl>
         <cpe>cpe:2.3:a:redis:redis</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        FP per issue #7664
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/(?!.*org\.eclipse\.equinox\.p2).*$</packageUrl>
+        <cve>CVE-2021-41033</cve>
+    </suppress>
 </suppressions>

From 37cdb97bfe37ce9552f37c7d35811d77097c31ce Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 16 Jun 2025 05:44:33 -0400
Subject: [PATCH 069/195] build(deps): bump jackson.version from 2.19.0 to
 2.19.1 (#7743)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index cb7e9ec1a7c..1586dfabc15 100644
--- a/pom.xml
+++ b/pom.xml
@@ -171,7 +171,7 @@ Copyright (c) 2012 - Jeremy Long
         <groovy-all.version>2.4.21</groovy-all.version>
         <gmavenplus-plugin.version>4.2.0</gmavenplus-plugin.version>
         <com.h3xstream.retirejs.core.version>3.0.4</com.h3xstream.retirejs.core.version>
-        <jackson.version>2.19.0</jackson.version>
+        <jackson.version>2.19.1</jackson.version>
         <!--necessary for some IDEs to be able to execute test cases (Netbeans)-->
         <surefireArgLine />
         <mock-server.version>5.15.0</mock-server.version>

From 0a4931be4771d7b68037f9ea0f594c1b7521aedd Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 24 Jun 2025 02:39:34 +0000
Subject: [PATCH 070/195] build(deps): bump org.jsoup:jsoup from 1.20.1 to
 1.21.1

Bumps [org.jsoup:jsoup](https://github.com/jhy/jsoup) from 1.20.1 to 1.21.1.
- [Release notes](https://github.com/jhy/jsoup/releases)
- [Changelog](https://github.com/jhy/jsoup/blob/master/CHANGES.md)
- [Commits](https://github.com/jhy/jsoup/compare/jsoup-1.20.1...jsoup-1.21.1)

---
updated-dependencies:
- dependency-name: org.jsoup:jsoup
  dependency-version: 1.21.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 1586dfabc15..dacee15a01c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -157,7 +157,7 @@ Copyright (c) 2012 - Jeremy Long
         <junit.version>5.13.1</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.18.0</mockito.version>
-        <jsoup.version>1.20.1</jsoup.version>
+        <jsoup.version>1.21.1</jsoup.version>
         <commons-compress.version>1.27.1</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>
         <maven-plugin-testing-harness.version>3.3.0</maven-plugin-testing-harness.version>

From b1cd3a2909fb79b76072f5a8c4fbb077690c2a05 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 24 Jun 2025 03:10:53 +0000
Subject: [PATCH 071/195] build(deps): bump org.semver4j:semver4j from 5.7.1 to
 5.8.0

Bumps [org.semver4j:semver4j](https://github.com/semver4j/semver4j) from 5.7.1 to 5.8.0.
- [Release notes](https://github.com/semver4j/semver4j/releases)
- [Commits](https://github.com/semver4j/semver4j/compare/v5.7.1...v5.8.0)

---
updated-dependencies:
- dependency-name: org.semver4j:semver4j
  dependency-version: 5.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 1586dfabc15..64c597c8a60 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1022,7 +1022,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.semver4j</groupId>
                 <artifactId>semver4j</artifactId>
-                <version>5.7.1</version>
+                <version>5.8.0</version>
             </dependency>
             <dependency>
                 <groupId>org.jetbrains</groupId>

From 3bad34535e798435dd90176f79360d44cc4eca49 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 25 Jun 2025 01:59:37 +0000
Subject: [PATCH 072/195] build(deps): bump junit.version from 5.13.1 to 5.13.2

Bumps `junit.version` from 5.13.1 to 5.13.2.

Updates `org.junit.jupiter:junit-jupiter-api` from 5.13.1 to 5.13.2
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.1...r5.13.2)

Updates `org.junit.jupiter:junit-jupiter-engine` from 5.13.1 to 5.13.2
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.1...r5.13.2)

Updates `org.junit.jupiter:junit-jupiter-params` from 5.13.1 to 5.13.2
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.1...r5.13.2)

---
updated-dependencies:
- dependency-name: org.junit.jupiter:junit-jupiter-api
  dependency-version: 5.13.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.junit.jupiter:junit-jupiter-engine
  dependency-version: 5.13.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.junit.jupiter:junit-jupiter-params
  dependency-version: 5.13.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 1586dfabc15..f1576465626 100644
--- a/pom.xml
+++ b/pom.xml
@@ -154,7 +154,7 @@ Copyright (c) 2012 - Jeremy Long
             https://github.com/apache/commons-jcs/pull/120 -->
         <commons-jcs-core.version>3.2.1</commons-jcs-core.version>
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
-        <junit.version>5.13.1</junit.version>
+        <junit.version>5.13.2</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.18.0</mockito.version>
         <jsoup.version>1.20.1</jsoup.version>

From 1a5202ed5b8d06a0024c5d0cf166ed700ce785d4 Mon Sep 17 00:00:00 2001
From: Sam Umbach <samumbach@gmail.com>
Date: Thu, 26 Jun 2025 13:49:16 -0400
Subject: [PATCH 073/195] docs: fix minor typos in false positive issue
 template (#7763)

---
 .github/ISSUE_TEMPLATE/false-positive-report.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/false-positive-report.yml b/.github/ISSUE_TEMPLATE/false-positive-report.yml
index b14906835fc..107c6842ff6 100644
--- a/.github/ISSUE_TEMPLATE/false-positive-report.yml
+++ b/.github/ISSUE_TEMPLATE/false-positive-report.yml
@@ -27,7 +27,7 @@ body:
     id: cpe
     attributes:
       label: CPE
-      description: Please enter the single Common Platform enumeration (CPE) as identified in the HTML Report. Only a **single CPE** can be specified. **Please put backtic characters around the CPE to ensure it displays correctly**.
+      description: Please enter the single Common Platform enumeration (CPE) as identified in the HTML Report. Only a **single CPE** can be specified. **Please put backtick characters around the CPE to ensure it displays correctly**.
       placeholder: ex. `cpe:2.3:a:apache:log4j:2.12.1:*:*:*:*:*:*:*`
     validations:
       required: true
@@ -35,7 +35,7 @@ body:
     id: cve
     attributes:
       label: CVE
-      description: The vulnerability name as identified in the HTML Report. If specifying a CPE this is not necassary; if entered please enter only a **signle CVE**; if multiple CVE should be suppressed please enter multiple FP reports. This is optional and may not be needed as most FP reports are due to an incorrect CPE.
+      description: The vulnerability name as identified in the HTML Report. If specifying a CPE this is not necessary; if entered please enter only a **single CVE**; if multiple CVE should be suppressed please enter multiple FP reports. This is optional and may not be needed as most FP reports are due to an incorrect CPE.
       placeholder: ex. CVE-2021-44228
     validations:
       required: false
@@ -66,4 +66,4 @@ body:
       label: Description
       description: Additional information regarding the false positive report.
     validations:
-      required: false
\ No newline at end of file
+      required: false

From a7cc0923b140a8b7dc2a4b45e882417529e73e97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcel=20St=C3=B6r?= <marcelstoer@users.noreply.github.com>
Date: Thu, 26 Jun 2025 22:13:22 +0200
Subject: [PATCH 074/195] chore: add marcelstoer to the FP approvers list
 (#7771)

---
 .github/workflows/false-positive-approvals.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml
index 66ab4f96fb2..0ed3f464834 100644
--- a/.github/workflows/false-positive-approvals.yml
+++ b/.github/workflows/false-positive-approvals.yml
@@ -18,6 +18,7 @@ jobs:
       (github.event.comment.user.login == 'jeremylong' ||
       github.event.comment.user.login == 'aikebah' || 
       github.event.comment.user.login == 'nhumblot' ||
+      github.event.comment.user.login == 'marcelstoer' ||
       github.event.comment.user.login == 'chadlwilson') }}
     runs-on: ubuntu-latest
     steps:

From 7cdf6c1a866c9c8776b833a821da683ca55dd70a Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 26 Jun 2025 16:14:07 -0400
Subject: [PATCH 075/195] build: remove weekly coverity scan (#7770)

---
 .github/workflows/coverity.yml | 37 ----------------------------------
 1 file changed, 37 deletions(-)
 delete mode 100644 .github/workflows/coverity.yml

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
deleted file mode 100644
index a4ef6b2aea6..00000000000
--- a/.github/workflows/coverity.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-name: coverity-scan
-on:
-  schedule:
-    - cron: '0 0 * * SAT'
-
-permissions:
-  contents: read
-
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up JDK 11
-        id: jdk-11
-        uses: actions/setup-java@v4
-        with:
-          java-version: 11
-          distribution: 'zulu'
-      - name: Get coverity cli
-        run: |
-          wget https://scan.coverity.com/download/linux64 --no-verbose --post-data "token=${{ secrets.COVERITY_TOKEN }}&project=dependency-check%2FDependencyCheck" -O coverity_tool.tgz
-          mkdir coverity_tool
-          tar xzf coverity_tool.tgz --strip 1 -C coverity_tool
-      - name: Perform coverity scan
-        run: |
-          export PATH=`pwd`/coverity_tool/bin:$PATH
-          cov-build --dir cov-int mvn -DskipTests=true package --no-transfer-progress --batch-mode
-      - name: Submit coverity scan
-        run: |
-          tar czvf scan.tgz cov-int
-          curl --form token=${{ secrets.COVERITY_TOKEN }} \
-               --form email=jeremy.long@gmail.com \
-               --form file=@scan.tgz \
-               --form version="main" \
-               --form description="Weekly Scan" \
-               https://scan.coverity.com/builds?project=dependency-check%2FDependencyCheck

From b43f73b01491a795cbbc953d51a90fa92bf6a917 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 27 Jun 2025 10:25:22 -0400
Subject: [PATCH 076/195] build(deps): bump
 com.github.spotbugs:spotbugs-maven-plugin from 4.9.3.0 to 4.9.3.1 (#7772)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index c9e4276b05d..71910f8c4e8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -137,7 +137,7 @@ Copyright (c) 2012 - Jeremy Long
         <maven-project-info-reports-plugin.version>3.9.0</maven-project-info-reports-plugin.version>
         <maven-surefire-report-plugin.version>3.5.3</maven-surefire-report-plugin.version>
         <jacoco-maven-plugin.version>0.8.13</jacoco-maven-plugin.version>
-        <spotbugs.maven.plugin.version>4.9.3.0</spotbugs.maven.plugin.version>
+        <spotbugs.maven.plugin.version>4.9.3.1</spotbugs.maven.plugin.version>
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>
         <jetbrains.annotations.version>26.0.2</jetbrains.annotations.version>

From 5fa111d1f912a3f5b4e79f711197dd4d73e2baf6 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Fri, 27 Jun 2025 10:38:58 -0400
Subject: [PATCH 077/195] docs: copyright year (#7773)

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 71910f8c4e8..44d9c1ada49 100644
--- a/pom.xml
+++ b/pom.xml
@@ -803,7 +803,7 @@ Copyright (c) 2012 - Jeremy Long
                         </reports>
                         <configuration>
                             <failOnError>false</failOnError>
-                            <bottom>Copyright© 2012-24 Jeremy Long. All Rights Reserved.</bottom>
+                            <bottom>Copyright© 2012-25 Jeremy Long. All Rights Reserved.</bottom>
                             <sourceFileExcludes>
                                 <exclude>**/generated-sources/**/*.java</exclude>
                             </sourceFileExcludes>

From 0734bb4bd04af60a5aca93f8000482a6838e7365 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 30 Jun 2025 02:18:08 +0000
Subject: [PATCH 078/195] build(deps): bump
 com.github.spotbugs:spotbugs-maven-plugin

Bumps [com.github.spotbugs:spotbugs-maven-plugin](https://github.com/spotbugs/spotbugs-maven-plugin) from 4.9.3.1 to 4.9.3.2.
- [Release notes](https://github.com/spotbugs/spotbugs-maven-plugin/releases)
- [Commits](https://github.com/spotbugs/spotbugs-maven-plugin/compare/spotbugs-maven-plugin-4.9.3.1...spotbugs-maven-plugin-4.9.3.2)

---
updated-dependencies:
- dependency-name: com.github.spotbugs:spotbugs-maven-plugin
  dependency-version: 4.9.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 44d9c1ada49..2daddf53f2a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -137,7 +137,7 @@ Copyright (c) 2012 - Jeremy Long
         <maven-project-info-reports-plugin.version>3.9.0</maven-project-info-reports-plugin.version>
         <maven-surefire-report-plugin.version>3.5.3</maven-surefire-report-plugin.version>
         <jacoco-maven-plugin.version>0.8.13</jacoco-maven-plugin.version>
-        <spotbugs.maven.plugin.version>4.9.3.1</spotbugs.maven.plugin.version>
+        <spotbugs.maven.plugin.version>4.9.3.2</spotbugs.maven.plugin.version>
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>
         <jetbrains.annotations.version>26.0.2</jetbrains.annotations.version>

From 2675754b328f88cf5448ef81cbb0c42d77740e77 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 2 Jul 2025 11:57:31 -0400
Subject: [PATCH 079/195] build(deps): bump
 org.apache.maven.plugins:maven-invoker-plugin from 3.9.0 to 3.9.1 (#7775)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 2daddf53f2a..9d5f1d9aa95 100644
--- a/pom.xml
+++ b/pom.xml
@@ -340,7 +340,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-invoker-plugin</artifactId>
-                    <version>3.9.0</version>
+                    <version>3.9.1</version>
                     <dependencies>
                         <dependency>
                             <groupId>org.codehaus.groovy</groupId>

From 4caa786a879f75bc9d7798cb5ef32825c152d926 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 3 Jul 2025 08:38:28 -0400
Subject: [PATCH 080/195] build(deps): bump
 org.apache.maven.plugins:maven-gpg-plugin from 3.2.7 to 3.2.8 (#7780)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 9d5f1d9aa95..7de0128b0a1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -253,7 +253,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-gpg-plugin</artifactId>
-                    <version>3.2.7</version>
+                    <version>3.2.8</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -1385,7 +1385,7 @@ Copyright (c) 2012 - Jeremy Long
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-gpg-plugin</artifactId>
-                        <version>3.2.7</version>
+                        <version>3.2.8</version>
                         <executions>
                             <execution>
                                 <id>sign-artifacts</id>

From 2bf4e0de824cd46b6f1da0c0cd0c5916084b0805 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 5 Jul 2025 16:52:00 -0400
Subject: [PATCH 081/195] build(deps): bump
 org.apache.maven.plugins:maven-enforcer-plugin from 3.5.0 to 3.6.0 (#7781)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 7de0128b0a1..21a04e212c3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -238,7 +238,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-enforcer-plugin</artifactId>
-                    <version>3.5.0</version>
+                    <version>3.6.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>

From ebe6f0da6ff7c80e45e35935f63e1c5d1e8e45e5 Mon Sep 17 00:00:00 2001
From: floverfelt <foverfelt@gmail.com>
Date: Sun, 6 Jul 2025 08:41:51 -0400
Subject: [PATCH 082/195] fix: Add null checking when parsing the license json
 in AbstractNpmAnalyzer. (#7784)

---
 .../dependencycheck/analyzer/AbstractNpmAnalyzer.java      | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java
index 0943648b428..a02e3d40d74 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java
@@ -393,8 +393,11 @@ public void gatherEvidence(final JsonObject json, Dependency dependency) {
                     }
                 }
                 dependency.setLicense(sb.toString());
-            } else {
-                dependency.setLicense(json.getJsonObject("license").getString("type"));
+            } else if (value instanceof JsonObject) {
+                final JsonObject object = (JsonObject) value;
+                if (object.containsKey("type") && !object.isNull("type")) {
+                    dependency.setLicense(object.getString("type"));
+                }
             }
         }
     }

From 9195c3fc745aee76e32c534fde6966b5aa6ae309 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 7 Jul 2025 01:22:38 +0000
Subject: [PATCH 083/195] build(deps): bump junit.version from 5.13.2 to 5.13.3

Bumps `junit.version` from 5.13.2 to 5.13.3.

Updates `org.junit.jupiter:junit-jupiter-api` from 5.13.2 to 5.13.3
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.2...r5.13.3)

Updates `org.junit.jupiter:junit-jupiter-engine` from 5.13.2 to 5.13.3
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.2...r5.13.3)

Updates `org.junit.jupiter:junit-jupiter-params` from 5.13.2 to 5.13.3
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.2...r5.13.3)

---
updated-dependencies:
- dependency-name: org.junit.jupiter:junit-jupiter-api
  dependency-version: 5.13.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.junit.jupiter:junit-jupiter-engine
  dependency-version: 5.13.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.junit.jupiter:junit-jupiter-params
  dependency-version: 5.13.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 21a04e212c3..8e02b9ca01e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -154,7 +154,7 @@ Copyright (c) 2012 - Jeremy Long
             https://github.com/apache/commons-jcs/pull/120 -->
         <commons-jcs-core.version>3.2.1</commons-jcs-core.version>
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
-        <junit.version>5.13.2</junit.version>
+        <junit.version>5.13.3</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.18.0</mockito.version>
         <jsoup.version>1.21.1</jsoup.version>

From 9187ca9daa6434866f57ec48be08773fde420746 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 7 Jul 2025 01:23:13 +0000
Subject: [PATCH 084/195] build(deps): bump
 org.codehaus.gmavenplus:gmavenplus-plugin

Bumps [org.codehaus.gmavenplus:gmavenplus-plugin](https://github.com/groovy/GMavenPlus) from 4.2.0 to 4.2.1.
- [Release notes](https://github.com/groovy/GMavenPlus/releases)
- [Commits](https://github.com/groovy/GMavenPlus/compare/4.2.0...4.2.1)

---
updated-dependencies:
- dependency-name: org.codehaus.gmavenplus:gmavenplus-plugin
  dependency-version: 4.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 21a04e212c3..ecdb4852615 100644
--- a/pom.xml
+++ b/pom.xml
@@ -169,7 +169,7 @@ Copyright (c) 2012 - Jeremy Long
         <maven-artifact-transfer.version>0.13.1</maven-artifact-transfer.version>
         <maven-common-artifact-filters.version>3.4.0</maven-common-artifact-filters.version>
         <groovy-all.version>2.4.21</groovy-all.version>
-        <gmavenplus-plugin.version>4.2.0</gmavenplus-plugin.version>
+        <gmavenplus-plugin.version>4.2.1</gmavenplus-plugin.version>
         <com.h3xstream.retirejs.core.version>3.0.4</com.h3xstream.retirejs.core.version>
         <jackson.version>2.19.1</jackson.version>
         <!--necessary for some IDEs to be able to execute test cases (Netbeans)-->

From a43fa474c62befd014857803c6580317a4320352 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 7 Jul 2025 07:37:05 -0400
Subject: [PATCH 085/195] docs: update development pre-reqs

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index bb8e0cb2545..e7c2c81015b 100644
--- a/README.md
+++ b/README.md
@@ -175,7 +175,7 @@ For instructions on the use of the Ant Task, please see the [dependency-check-an
 
 For installation to pass, you must have the following components installed:
 * Java: `java -version` 11.0
-* Maven: `mvn -version` 3.5.0 and higher
+* Maven: `mvn -version` 3.6.3 and higher
 
 Tests cases require:
 * dotnet core version 8.0

From 4c7c1157456b14af6bb7d5c72def167a048f4cc2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 9 Jul 2025 07:55:11 -0400
Subject: [PATCH 086/195] build(deps): bump golang from 1.24.4-alpine to
 1.24.5-alpine (#7797)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 9763c4b6ef4..a73a0cd3b5f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.24.4-alpine AS go
+FROM golang:1.24.5-alpine AS go
 
 FROM azul/zulu-openjdk-alpine:21 AS jlink
 

From 907f3f7c00c0c950fe29978bc3d146788a2143f8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 10 Jul 2025 07:00:58 -0400
Subject: [PATCH 087/195] build(deps): bump org.apache.commons:commons-lang3
 from 3.17.0 to 3.18.0 (#7803)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index b3b4b7c2161..dd80adc8102 100644
--- a/pom.xml
+++ b/pom.xml
@@ -145,7 +145,7 @@ Copyright (c) 2012 - Jeremy Long
         <com.h2database.version>2.3.232</com.h2database.version>
         <commons-cli.version>1.9.0</commons-cli.version>
         <commons-io.version>2.19.0</commons-io.version>
-        <commons-lang3.version>3.17.0</commons-lang3.version>
+        <commons-lang3.version>3.18.0</commons-lang3.version>
         <commons-text.version>1.13.1</commons-text.version>
         <httpcomponents.client.version>5.5</httpcomponents.client.version>
         <httpcomponents.core.version>5.3.4</httpcomponents.core.version>

From 5d81c4ce8b414d59440a76d749f6d764f3e56a4a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 11 Jul 2025 07:23:07 -0400
Subject: [PATCH 088/195] build(deps): bump commons-validator:commons-validator
 from 1.9.0 to 1.10.0 (#7802)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index dd80adc8102..b0c13dfa2ba 100644
--- a/pom.xml
+++ b/pom.xml
@@ -991,7 +991,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>commons-validator</groupId>
                 <artifactId>commons-validator</artifactId>
-                <version>1.9.0</version>
+                <version>1.10.0</version>
                 <exclusions>
                     <exclusion>
                         <groupId>commons-beanutils</groupId>

From 29967c39025a9816d7ddb0e95201a6df90ce6f62 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 13 Jul 2025 06:36:55 -0400
Subject: [PATCH 089/195] build: utilize central publishing (#7810)

---
 .github/workflows/build.yml   | 14 +++++++-------
 .github/workflows/release.yml | 14 +++++++-------
 pom.xml                       | 26 +++++++++-----------------
 settings.xml                  | 10 ++++------
 4 files changed, 27 insertions(+), 37 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e9847615dd6..65129e10e60 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Install gpg secret key
         id: install-gpg-key
         run: |
-          cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import
+          cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --batch --import
           gpg --list-secret-keys --keyid-format LONG
       - uses: actions/checkout@v4
       - name: Check Maven Cache
@@ -52,19 +52,19 @@ jobs:
         with:
           java-version: 11
           distribution: 'zulu'
-          server-id: ossrh
-          server-username: ${{ secrets.OSSRH_USERNAME }}
-          server-password: ${{ secrets.OSSRH_TOKEN }}
+          server-id: central
+          server-username: ${{ secrets.CENTRAL_USER }}
+          server-password: ${{ secrets.CENTRAL_PASSWORD }}
       - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
         with:
           version: 6.0.2
       - name: Build Snapshot with Maven
         id: build-snapshot
         env:
-          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USER }}
+          CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-        run: mvn -V -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+        run: mvn -V -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
       - name: SARIF Multitool
         uses: microsoft/sarif-actions@v0.1
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 081eb1e67ad..5e4ad160d1d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Install gpg secret key
         id: install-gpg-key
         run: |
-          cat <(echo -e "${{ secrets.OSSRH_GPG_SECRET_KEY }}") | gpg --batch --import
+          cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --batch --import
           gpg --list-secret-keys --keyid-format LONG
       - uses: actions/checkout@v4
       - name: Check Maven Cache
@@ -54,9 +54,9 @@ jobs:
         with:
           java-version: 11
           distribution: 'zulu'
-          server-id: ossrh
-          server-username: ${{ secrets.OSSRH_USERNAME }}
-          server-password: ${{ secrets.OSSRH_TOKEN }}
+          server-id: central
+          server-username: ${{ secrets.CENTRAL_USER }}
+          server-password: ${{ secrets.CENTRAL_PASSWORD }}
       - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
         with:
           version: 6.0.2
@@ -72,11 +72,11 @@ jobs:
         id: build-release
         timeout-minutes: 120
         env:
-          MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USER }}
+          CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
         run: |
-          mvn -V -s settings.xml -Prelease "-DnexusUrl=https://oss.sonatype.org/" clean package source:jar javadoc:jar gpg:sign deploy site site:stage -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+          mvn -V -s settings.xml -Prelease clean package source:jar javadoc:jar gpg:sign deploy site site:stage -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
       - name: Archive code coverage results
         id: archive-coverage
         uses: actions/upload-artifact@v4
diff --git a/pom.xml b/pom.xml
index b0c13dfa2ba..75417181450 100644
--- a/pom.xml
+++ b/pom.xml
@@ -177,14 +177,6 @@ Copyright (c) 2012 - Jeremy Long
         <mock-server.version>5.15.0</mock-server.version>
     </properties>
     <distributionManagement>
-        <snapshotRepository>
-            <id>ossrh</id>
-            <url>https://oss.sonatype.org/content/repositories/snapshots</url>
-        </snapshotRepository>
-        <repository>
-            <id>ossrh</id>
-            <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
-        </repository>
         <site>
             <id>gh-pages</id>
             <name>gh-pages</name>
@@ -271,9 +263,9 @@ Copyright (c) 2012 - Jeremy Long
                     <version>3.1.1</version>
                 </plugin>
                 <plugin>
-                    <groupId>org.sonatype.plugins</groupId>
-                    <artifactId>nexus-staging-maven-plugin</artifactId>
-                    <version>1.7.0</version>
+                    <groupId>org.sonatype.central</groupId>
+                    <artifactId>central-publishing-maven-plugin</artifactId>
+                    <version>0.8.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -730,14 +722,14 @@ Copyright (c) 2012 - Jeremy Long
                 </configuration>
             </plugin>
             <plugin>
-                <groupId>org.sonatype.plugins</groupId>
-                <artifactId>nexus-staging-maven-plugin</artifactId>
+                <groupId>org.sonatype.central</groupId>
+                <artifactId>central-publishing-maven-plugin</artifactId>
+                <version>0.8.0</version>
                 <extensions>true</extensions>
                 <configuration>
-                    <serverId>ossrh</serverId>
-                    <nexusUrl>https://oss.sonatype.org/</nexusUrl>
-                    <autoReleaseAfterClose>true</autoReleaseAfterClose>
-                    <stagingProgressTimeoutMinutes>120</stagingProgressTimeoutMinutes>
+                    <publishingServerId>central</publishingServerId>
+                    <autoPublish>true</autoPublish>
+                    <waitUntil>published</waitUntil>
                 </configuration>
             </plugin>
             <plugin>
diff --git a/settings.xml b/settings.xml
index 2b4e4a8a752..1c149a8bf7f 100644
--- a/settings.xml
+++ b/settings.xml
@@ -4,17 +4,15 @@
                           https://maven.apache.org/xsd/settings-1.0.0.xsd">
     <servers>
         <server>
-            <id>ossrh</id>
-            <username>${env.MAVEN_USERNAME}</username>
-            <password>${env.MAVEN_PASSWORD}</password>
+            <id>central</id>
+            <username>${env.CENTRAL_USER}</username>
+            <password>${env.CENTRAL_PASSWORD}</password>
         </server>
     </servers>
     <profiles>
         <profile>
             <id>default</id>
-            <properties>
-
-            </properties>
+            <properties></properties>
         </profile>
     </profiles>
     <activeProfiles>

From 9724fd4eb3aebd82d875340f6ca0f23715b7454a Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 13 Jul 2025 14:42:01 -0400
Subject: [PATCH 090/195] build: use correct environment variables for
 publishing (#7812)

---
 .github/workflows/build.yml   | 7 ++++---
 .github/workflows/release.yml | 7 ++++---
 settings.xml                  | 4 ++--
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 65129e10e60..357e6b76054 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -61,10 +61,11 @@ jobs:
       - name: Build Snapshot with Maven
         id: build-snapshot
         env:
-          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USER }}
-          CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
+          MAVEN_USERNAME: ${{ secrets.CENTRAL_USER }}
+          MAVEN_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-        run: mvn -V -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
+        run: mvn -V -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode
       - name: SARIF Multitool
         uses: microsoft/sarif-actions@v0.1
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5e4ad160d1d..3ae315d3902 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -72,11 +72,12 @@ jobs:
         id: build-release
         timeout-minutes: 120
         env:
-          CENTRAL_USERNAME: ${{ secrets.CENTRAL_USER }}
-          CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
+          MAVEN_USERNAME: ${{ secrets.CENTRAL_USER }}
+          MAVEN_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
         run: |
-          mvn -V -s settings.xml -Prelease clean package source:jar javadoc:jar gpg:sign deploy site site:stage -DreleaseTesting --no-transfer-progress --batch-mode -Dgpg.passphrase=${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
+          mvn -V -s settings.xml -Prelease clean package source:jar javadoc:jar gpg:sign deploy site site:stage -DreleaseTesting --no-transfer-progress --batch-mode
       - name: Archive code coverage results
         id: archive-coverage
         uses: actions/upload-artifact@v4
diff --git a/settings.xml b/settings.xml
index 1c149a8bf7f..a04922c86e5 100644
--- a/settings.xml
+++ b/settings.xml
@@ -5,8 +5,8 @@
     <servers>
         <server>
             <id>central</id>
-            <username>${env.CENTRAL_USER}</username>
-            <password>${env.CENTRAL_PASSWORD}</password>
+            <username>${env.MAVEN_USERNAME}</username>
+            <password>${env.MAVEN_PASSWORD}</password>
         </server>
     </servers>
     <profiles>

From 8ac68cc1239a8a52f86ae4b8c9112775d3488937 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 13 Jul 2025 16:37:15 -0400
Subject: [PATCH 091/195] build: remove unused code coverage (#7813)

---
 .github/workflows/build.yml   | 28 ++++++++++++++--------------
 .github/workflows/release.yml | 28 ++++++++++++++--------------
 2 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 357e6b76054..75b3a11186f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -101,20 +101,20 @@ jobs:
             ant/target/*.zip
             cli/target/*.zip
 
-  publish_coverage:
-    name: publish code coverage reports  
-    runs-on: ubuntu-latest 
-    needs: build
-    steps:
-      - name: Download coverage reports
-        uses: actions/download-artifact@v4
-        with:
-          name: code-coverage-report
-      - name: Run codacy-coverage-reporter
-        uses: codacy/codacy-coverage-reporter-action@master
-        with:
-          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
-          coverage-reports: utils/target/jacoco-results/jacoco.xml,core/target/jacoco-results/jacoco.xml,maven/target/jacoco-results/jacoco.xml,ant/target/jacoco-results/jacoco.xml,cli/target/jacoco-results/jacoco.xml
+#  publish_coverage:
+#    name: publish code coverage reports
+#    runs-on: ubuntu-latest
+#    needs: build
+#    steps:
+#      - name: Download coverage reports
+#        uses: actions/download-artifact@v4
+#        with:
+#          name: code-coverage-report
+#      - name: Run codacy-coverage-reporter
+#        uses: codacy/codacy-coverage-reporter-action@master
+#        with:
+#          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+#          coverage-reports: utils/target/jacoco-results/jacoco.xml,core/target/jacoco-results/jacoco.xml,maven/target/jacoco-results/jacoco.xml,ant/target/jacoco-results/jacoco.xml,cli/target/jacoco-results/jacoco.xml
 
   docker:
     permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3ae315d3902..6e05798cdd3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -108,20 +108,20 @@ jobs:
           retention-days: 7
           path: target/staging/
 
-  publish_coverage:
-    name: publish code coverage reports  
-    runs-on: ubuntu-latest 
-    needs: build
-    steps:
-      - name: Download coverage reports
-        uses: actions/download-artifact@v4
-        with:
-          name: code-coverage-report
-      - name: Run codacy-coverage-reporter
-        uses: codacy/codacy-coverage-reporter-action@master
-        with:
-          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
-          coverage-reports: utils/target/jacoco-results/jacoco.xml,core/target/jacoco-results/jacoco.xml,maven/target/jacoco-results/jacoco.xml,ant/target/jacoco-results/jacoco.xml,cli/target/jacoco-results/jacoco.xml
+#  publish_coverage:
+#    name: publish code coverage reports
+#    runs-on: ubuntu-latest
+#    needs: build
+#    steps:
+#      - name: Download coverage reports
+#        uses: actions/download-artifact@v4
+#        with:
+#          name: code-coverage-report
+#      - name: Run codacy-coverage-reporter
+#        uses: codacy/codacy-coverage-reporter-action@master
+#        with:
+#          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+#          coverage-reports: utils/target/jacoco-results/jacoco.xml,core/target/jacoco-results/jacoco.xml,maven/target/jacoco-results/jacoco.xml,ant/target/jacoco-results/jacoco.xml,cli/target/jacoco-results/jacoco.xml
 
   docker:
     name: Publish Docker

From 1b97f1ddd9f9817496f0824f8e1763394c95f5fc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 15 Jul 2025 04:06:08 +0000
Subject: [PATCH 092/195] build(deps-dev): bump io.netty:netty-codec-http

Bumps [io.netty:netty-codec-http](https://github.com/netty/netty) from 4.2.2.Final to 4.2.3.Final.
- [Commits](https://github.com/netty/netty/compare/netty-4.2.2.Final...netty-4.2.3.Final)

---
updated-dependencies:
- dependency-name: io.netty:netty-codec-http
  dependency-version: 4.2.3.Final
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 utils/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/pom.xml b/utils/pom.xml
index 090d0832711..3d3f2610be2 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -95,7 +95,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
-            <version>4.2.2.Final</version>
+            <version>4.2.3.Final</version>
             <scope>test</scope>
         </dependency>
         <dependency>

From e134044a6215e128c4708d235bbfb77a1c14099f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 16 Jul 2025 08:46:47 -0400
Subject: [PATCH 093/195] build(deps): bump
 org.apache.maven.plugins:maven-enforcer-plugin from 3.6.0 to 3.6.1 (#7817)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 75417181450..e591ab203e2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -230,7 +230,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-enforcer-plugin</artifactId>
-                    <version>3.6.0</version>
+                    <version>3.6.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>

From e257e82a87db2eb9bf38ee0c4df82720b215a004 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 17 Jul 2025 06:43:38 -0400
Subject: [PATCH 094/195] docs: request FP reporters use the latest version of
 ODC. (#7820)

---
 .github/ISSUE_TEMPLATE/false-positive-report.yml | 2 ++
 SECURITY.md                                      | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/false-positive-report.yml b/.github/ISSUE_TEMPLATE/false-positive-report.yml
index 107c6842ff6..080828b4c7f 100644
--- a/.github/ISSUE_TEMPLATE/false-positive-report.yml
+++ b/.github/ISSUE_TEMPLATE/false-positive-report.yml
@@ -6,6 +6,8 @@ body:
   - type: markdown
     attributes:
       value: |
+        **Ensure you are using the latest version of dependency-check.**
+        
         **Automation is used to process most false positives reports**; failure to follow these guidelines will delay the process:
         
           - Only enter a **single (1) Package URL**.
diff --git a/SECURITY.md b/SECURITY.md
index ec0093618a1..a8fac4b22db 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -3,9 +3,9 @@
 ## Supported Versions
 
 | Version   | Supported          |
-| ----------|--------------------|
-| 10.0.2+   | :white_check_mark: |
-| <= 10.0.1 | :x:                |
+|-----------|--------------------|
+| 12.2.3+   | :white_check_mark: |
+| <= 12.1.2 | :x:                |
 
 ## Reporting a Vulnerability
 

From 8d692e48d4d74a1957714be10b9e3c3e280b9495 Mon Sep 17 00:00:00 2001
From: Julien Huon <39379095+julienhuon@users.noreply.github.com>
Date: Fri, 18 Jul 2025 23:59:31 +0200
Subject: [PATCH 095/195] feat: Migration to Alpine 3.22 (#7822)

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index a73a0cd3b5f..0df99e4b2ba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ FROM azul/zulu-openjdk-alpine:21 AS jlink
 
 RUN "$JAVA_HOME/bin/jlink" --compress=2 --module-path /opt/java/openjdk/jmods --add-modules java.base,java.compiler,java.datatransfer,jdk.crypto.ec,java.desktop,java.instrument,java.logging,java.management,java.naming,java.rmi,java.scripting,java.security.sasl,java.sql,java.transaction.xa,java.xml,jdk.unsupported --output /jlinked
 
-FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine3.18
+FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine3.22
 
 ARG VERSION
 ARG POSTGRES_DRIVER_VERSION=42.7.5

From dd52a681a864716efe07e69ee62036c95ff3337a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 21 Jul 2025 01:32:47 +0000
Subject: [PATCH 096/195] build(deps): bump jackson.version from 2.19.1 to
 2.19.2

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson:jackson-bom
  dependency-version: 2.19.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.datatype:jackson-datatype-jsr310
  dependency-version: 2.19.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-version: 2.19.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.core:jackson-core
  dependency-version: 2.19.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index e591ab203e2..9977784a3d4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -171,7 +171,7 @@ Copyright (c) 2012 - Jeremy Long
         <groovy-all.version>2.4.21</groovy-all.version>
         <gmavenplus-plugin.version>4.2.1</gmavenplus-plugin.version>
         <com.h3xstream.retirejs.core.version>3.0.4</com.h3xstream.retirejs.core.version>
-        <jackson.version>2.19.1</jackson.version>
+        <jackson.version>2.19.2</jackson.version>
         <!--necessary for some IDEs to be able to execute test cases (Netbeans)-->
         <surefireArgLine />
         <mock-server.version>5.15.0</mock-server.version>

From 0c0bc0ae886142bfbe598cd7cd7b18a1b853694f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 21 Jul 2025 07:42:44 -0400
Subject: [PATCH 097/195] build(deps): bump commons-io:commons-io from 2.19.0
 to 2.20.0 (#7826)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index e591ab203e2..95c048f0176 100644
--- a/pom.xml
+++ b/pom.xml
@@ -144,7 +144,7 @@ Copyright (c) 2012 - Jeremy Long
         <findbugs.spotbugs.version>4.9.3</findbugs.spotbugs.version>
         <com.h2database.version>2.3.232</com.h2database.version>
         <commons-cli.version>1.9.0</commons-cli.version>
-        <commons-io.version>2.19.0</commons-io.version>
+        <commons-io.version>2.20.0</commons-io.version>
         <commons-lang3.version>3.18.0</commons-lang3.version>
         <commons-text.version>1.13.1</commons-text.version>
         <httpcomponents.client.version>5.5</httpcomponents.client.version>

From 41a0ae42fe703a9ec9cc4eb858119c6c89d85e9c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 22 Jul 2025 03:19:36 +0000
Subject: [PATCH 098/195] build(deps): bump junit.version from 5.13.3 to 5.13.4

Bumps `junit.version` from 5.13.3 to 5.13.4.

Updates `org.junit.jupiter:junit-jupiter-api` from 5.13.3 to 5.13.4
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.3...r5.13.4)

Updates `org.junit.jupiter:junit-jupiter-engine` from 5.13.3 to 5.13.4
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.3...r5.13.4)

Updates `org.junit.jupiter:junit-jupiter-params` from 5.13.3 to 5.13.4
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.3...r5.13.4)

---
updated-dependencies:
- dependency-name: org.junit.jupiter:junit-jupiter-api
  dependency-version: 5.13.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.junit.jupiter:junit-jupiter-engine
  dependency-version: 5.13.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.junit.jupiter:junit-jupiter-params
  dependency-version: 5.13.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 95c048f0176..50af308e2a0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -154,7 +154,7 @@ Copyright (c) 2012 - Jeremy Long
             https://github.com/apache/commons-jcs/pull/120 -->
         <commons-jcs-core.version>3.2.1</commons-jcs-core.version>
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
-        <junit.version>5.13.3</junit.version>
+        <junit.version>5.13.4</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.18.0</mockito.version>
         <jsoup.version>1.21.1</jsoup.version>

From 5793eba2f65ca4f91cef0b761ba5ec3bca085fa8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 25 Jul 2025 01:08:03 +0000
Subject: [PATCH 099/195] build(deps): bump org.apache.commons:commons-text
 from 1.13.1 to 1.14.0

Bumps [org.apache.commons:commons-text](https://github.com/apache/commons-text) from 1.13.1 to 1.14.0.
- [Changelog](https://github.com/apache/commons-text/blob/master/RELEASE-NOTES.txt)
- [Commits](https://github.com/apache/commons-text/compare/rel/commons-text-1.13.1...rel/commons-text-1.14.0)

---
updated-dependencies:
- dependency-name: org.apache.commons:commons-text
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index e4dc7d25857..6749a9f2cd1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -146,7 +146,7 @@ Copyright (c) 2012 - Jeremy Long
         <commons-cli.version>1.9.0</commons-cli.version>
         <commons-io.version>2.20.0</commons-io.version>
         <commons-lang3.version>3.18.0</commons-lang3.version>
-        <commons-text.version>1.13.1</commons-text.version>
+        <commons-text.version>1.14.0</commons-text.version>
         <httpcomponents.client.version>5.5</httpcomponents.client.version>
         <httpcomponents.core.version>5.3.4</httpcomponents.core.version>
         <!-- note that logging will be noisy and broken until we upgrade to 3.2

From 9fd451b229bee6bb8bd01aa89dd2ffa2872f02bc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 25 Jul 2025 01:08:08 +0000
Subject: [PATCH 100/195] build(deps): bump commons-codec:commons-codec from
 1.18.0 to 1.19.0

Bumps [commons-codec:commons-codec](https://github.com/apache/commons-codec) from 1.18.0 to 1.19.0.
- [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt)
- [Commits](https://github.com/apache/commons-codec/compare/rel/commons-codec-1.18.0...rel/commons-codec-1.19.0)

---
updated-dependencies:
- dependency-name: commons-codec:commons-codec
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index e4dc7d25857..7af1da8e359 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1150,7 +1150,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>commons-codec</groupId>
                 <artifactId>commons-codec</artifactId>
-                <version>1.18.0</version>
+                <version>1.19.0</version>
             </dependency>
             <dependency>
                 <groupId>com.h3xstream.retirejs</groupId>

From a9f313af4a27b0e9c08b2e534afa7328440e36d4 Mon Sep 17 00:00:00 2001
From: Thomas Bergmann <T.Bergmann@intershop.de>
Date: Fri, 4 Jul 2025 07:42:10 +0200
Subject: [PATCH 101/195] fix: classloading problem with fat jars (#7786)

---
 .../dependencycheck/analyzer/AbstractSuppressionAnalyzer.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
index e5b9284179f..f03d2f6157f 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -200,6 +200,10 @@ private void loadPackagedSuppressionBaseData(final SuppressionParser parser, fin
         String suppressionFileLocation = jarLocation.getFile();
         if (suppressionFileLocation.endsWith(".jar")) {
             suppressionFileLocation = "jar:file:" + suppressionFileLocation + "!/" + BASE_SUPPRESSION_FILE;
+        } else if (suppressionFileLocation.startsWith("nested:") && suppressionFileLocation.endsWith(".jar!/")) {
+            // suppressionFileLocation -> nested:/app/app.jar/!BOOT-INF/lib/dependency-check-core-<version>.jar!/
+            // goal->                 jar:nested:/app/app.jar/!BOOT-INF/lib/dependency-check-core-<version>.jar!/dependencycheck-base-suppression.xml
+            suppressionFileLocation = "jar:" + suppressionFileLocation + BASE_SUPPRESSION_FILE;
         } else {
             suppressionFileLocation = "file:" + suppressionFileLocation + BASE_SUPPRESSION_FILE;
         }

From 7f92ad943072ec6111432b6c5e327fa74e05023a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcel=20St=C3=B6r?= <marcelstoer@users.noreply.github.com>
Date: Tue, 29 Jul 2025 22:43:02 +0200
Subject: [PATCH 102/195] Improve Artifactory handler log message

Fixes #7837
---
 .../data/artifactory/ArtifactorySearch.java   | 17 +++++-
 .../ArtifactorySearchResponseHandler.java     | 31 +++++++---
 .../ArtifactorySearchResponseHandlerTest.java | 59 ++++++++++++-------
 3 files changed, 73 insertions(+), 34 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java b/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java
index 8674103c388..630e8af0d0b 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearch.java
@@ -52,6 +52,13 @@
 @ThreadSafe
 public class ArtifactorySearch {
 
+    /**
+     * Required to add all extra information of the found artifact.
+     * Source: https://jfrog.com/help/r/jfrog-rest-apis/property-search
+     */
+    @SuppressWarnings("JavadocLinkAsPlainText")
+    public static final String X_RESULT_DETAIL_HEADER = "X-Result-Detail";
+
     /**
      * Used for logging.
      */
@@ -108,9 +115,13 @@ public List<MavenArtifact> search(Dependency dependency) throws IOException {
         final StringBuilder msg = new StringBuilder("Could not connect to Artifactory at")
                 .append(url);
         try {
-            final BasicHeader artifactoryResultDetail = new BasicHeader("X-Result-Detail", "info");
-            return Downloader.getInstance().fetchAndHandle(url, new ArtifactorySearchResponseHandler(dependency), List.of(artifactoryResultDetail),
-                    allowUsingProxy);
+            final BasicHeader artifactoryResultDetail = new BasicHeader(X_RESULT_DETAIL_HEADER, "info");
+            return Downloader.getInstance().fetchAndHandle(
+                    url,
+                    new ArtifactorySearchResponseHandler(url, dependency),
+                    List.of(artifactoryResultDetail),
+                    allowUsingProxy
+            );
         } catch (TooManyRequestsException e) {
             throw new IOException(msg.append(" (429): Too manu requests").toString(), e);
         } catch (URISyntaxException e) {
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandler.java b/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandler.java
index adaf1bc1ecc..711bfc657e0 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandler.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandler.java
@@ -32,6 +32,7 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
@@ -39,6 +40,8 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import static org.owasp.dependencycheck.data.artifactory.ArtifactorySearch.X_RESULT_DETAIL_HEADER;
+
 class ArtifactorySearchResponseHandler implements HttpClientResponseHandler<List<MavenArtifact>> {
     /**
      * Pattern to match the path returned by the Artifactory AQL API.
@@ -61,13 +64,20 @@ class ArtifactorySearchResponseHandler implements HttpClientResponseHandler<List
     private final Dependency expectedDependency;
 
     /**
-     * Creates a responsehandler for the response on a single dependency-search attempt.
+     * The search request URL i.e., the location at which to search artifacts with checksum information
+     */
+    private final URL sourceUrl;
+
+    /**
+     * Creates a response handler for the response on a single dependency-search attempt.
      *
+     * @param sourceUrl The search request URL
      * @param dependency The dependency that is expected to be in the response when found (for validating the FileItem(s) in the response)
      */
-    ArtifactorySearchResponseHandler(Dependency dependency) {
+    ArtifactorySearchResponseHandler(URL sourceUrl, Dependency dependency) {
         this.fileImplReader = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false).readerFor(FileImpl.class);
         this.expectedDependency = dependency;
+        this.sourceUrl = sourceUrl;
     }
 
     protected boolean init(JsonParser parser) throws IOException {
@@ -114,7 +124,7 @@ private boolean checkHashes(ChecksumsImpl checksums) {
             match = false;
         }
         final String sha256sum = expectedDependency.getSha256sum();
-        /* For sha256 we need to validate that the checksum is non-null in the artifactory response.
+        /* For SHA-256, we need to validate that the checksum is non-null in the artifactory response.
          * Extract from Artifactory documentation:
          * New artifacts that are uploaded to Artifactory 5.5 and later will automatically have their SHA-256 checksum calculated.
          * However, artifacts that were already hosted in Artifactory before the upgrade will not have their SHA-256 checksum in the database yet.
@@ -132,7 +142,7 @@ private boolean checkHashes(ChecksumsImpl checksums) {
      * Process the Artifactory response.
      *
      * @param response the HTTP response
-     * @return a list of the Maven Artifact informations that match the searched dependency hash
+     * @return a list of the Maven Artifact information that matches the searched dependency hash
      * @throws FileNotFoundException When a matching artifact is not found
      * @throws IOException           thrown if there is an I/O error
      */
@@ -149,8 +159,11 @@ public List<MavenArtifact> handleResponse(ClassicHttpResponse response) throws I
                     final FileImpl file = fileImplReader.readValue(parser);
 
                     if (file.getChecksums() == null) {
-                        LOGGER.warn("No checksums found in artifactory search result of uri {}. Please make sure that header X-Result-Detail is retained on any (reverse)-proxy, loadbalancer or WebApplicationFirewall in the network path to your Artifactory Server",
-                                file.getUri());
+                        LOGGER.warn(
+                                "No checksums found in Artifactory search result for '{}'. " +
+                                "Specifically, the result set contains URI '{}' but it is missing the 'checksums' property. " +
+                                "Please make sure that the '{}' header is retained on any (reverse-)proxy, load-balancer or Web Application Firewall in the network path to your Artifactory server.",
+                                sourceUrl, file.getUri(), X_RESULT_DETAIL_HEADER);
                         continue;
                     }
 
@@ -174,7 +187,7 @@ public List<MavenArtifact> handleResponse(ClassicHttpResponse response) throws I
         }
         if (result.isEmpty()) {
             throw new FileNotFoundException("Artifact " + expectedDependency
-                    + " not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts");
+                    + " not found in Artifactory; discovered SHA1 hits not recognized as matching Maven artifacts");
         }
         return result;
     }
@@ -182,10 +195,10 @@ public List<MavenArtifact> handleResponse(ClassicHttpResponse response) throws I
     /**
      * Validate the FileImpl result for usability as a dependency.
      * <br/>
-     * Checks that the actually matches all known hashes and the path appears to match a maven repository G/A/V pattern.
+     * Checks that the file actually matches all known hashes and the path appears to match a maven repository G/A/V pattern.
      *
      * @param file The FileImpl from an Artifactory search response
-     * @return An Optional with the Matcher for the file path to retrieve the Maven G/A/V coordinates in case result is usable for further
+     * @return An Optional with the Matcher for the file path to retrieve the Maven G/A/V coordinates in case the result is usable for further
      * processing, otherwise an empty Optional.
      */
     private Optional<Matcher> validateUsability(FileImpl file) {
diff --git a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java
index 00dada71ec8..861aaf1f9cb 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/artifactory/ArtifactorySearchResponseHandlerTest.java
@@ -33,6 +33,8 @@
 import java.io.ByteArrayInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
 
@@ -41,8 +43,20 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
+@SuppressWarnings("resource")
 class ArtifactorySearchResponseHandlerTest extends BaseTest {
 
+    private static final URL TEST_URL;
+    private static final String EXCEPTION_MESSAGE = "Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered SHA1 hits not recognized as matching Maven artifacts";
+
+    static {
+        try {
+            TEST_URL = new URL("https://example.com/artifactory/api/search/checksum?sha1=43515aa4b2f4bce7c431145e8c0a7bcc441e0532");
+        } catch (MalformedURLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
     @BeforeEach
     @Override
     public void setUp() throws Exception {
@@ -88,7 +102,7 @@ void shouldProcessCorrectlyArtifactoryAnswerWithoutSha256() throws IOException {
 
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
         final List<MavenArtifact> mavenArtifacts = handler.handleResponse(response);
 
         // Then
@@ -118,7 +132,7 @@ void shouldProcessCorrectlyArtifactoryAnswerWithMultipleMatches() throws IOExcep
 
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
         final List<MavenArtifact> mavenArtifacts = handler.handleResponse(response);
 
         // Then
@@ -152,6 +166,7 @@ void shouldProcessCorrectlyForMissingXResultDetailHeader() throws IOException {
         final ListAppender<ILoggingEvent> listAppender = new ListAppender<>();
         listAppender.start();
         sutLogger.addAppender(listAppender);
+        final String logMessage = "No checksums found in Artifactory search result for '{}'. Specifically, the result set contains URI '{}' but it is missing the 'checksums' property. Please make sure that the '{}' header is retained on any (reverse-)proxy, load-balancer or Web Application Firewall in the network path to your Artifactory server.";
 
         // Given
         final Dependency dependency = new Dependency();
@@ -167,32 +182,32 @@ void shouldProcessCorrectlyForMissingXResultDetailHeader() throws IOException {
 
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
 
         FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
                 "Result with no details due to missing X-Result-Detail header, should throw an exception!");
 
         // Then
-        assertEquals("Artifact Dependency{ fileName='freemarker-2.3.33.jar', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts",
+        assertEquals("Artifact Dependency{ fileName='freemarker-2.3.33.jar', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered SHA1 hits not recognized as matching Maven artifacts",
                 e.getMessage());
 
-        // There should be a WARN-log for for each of the results regarding the absence of X-Result-Detail header driven attributes
+        // There should be a WARN-log for each of the results regarding the absence of X-Result-Detail header driven attributes
         final List<ILoggingEvent> logsList = listAppender.list;
         assertEquals(2, logsList.size(), "Number of log entries for the ArtifactorySearchResponseHandler");
 
         ILoggingEvent logEvent = logsList.get(0);
         assertEquals(Level.WARN, logEvent.getLevel());
-        assertEquals("No checksums found in artifactory search result of uri {}. Please make sure that header X-Result-Detail is retained on any (reverse)-proxy, loadbalancer or WebApplicationFirewall in the network path to your Artifactory Server", logEvent.getMessage());
+        assertEquals(logMessage, logEvent.getMessage());
         Object[] args = logEvent.getArgumentArray();
-        assertEquals(1, args.length);
-        assertEquals("https://artifactory.example.com:443/artifactory/api/storage/maven-central-cache/org/freemarker/freemarker/2.3.33/freemarker-2.3.33.jar", args[0]);
+        assertEquals(3, args.length);
+        assertEquals("https://artifactory.example.com:443/artifactory/api/storage/maven-central-cache/org/freemarker/freemarker/2.3.33/freemarker-2.3.33.jar", args[1]);
 
         logEvent = logsList.get(1);
         assertEquals(Level.WARN, logEvent.getLevel());
-        assertEquals("No checksums found in artifactory search result of uri {}. Please make sure that header X-Result-Detail is retained on any (reverse)-proxy, loadbalancer or WebApplicationFirewall in the network path to your Artifactory Server", logEvent.getMessage());
+        assertEquals(logMessage, logEvent.getMessage());
         args = logEvent.getArgumentArray();
-        assertEquals(1, args.length);
-        assertEquals("https://artifactory.example.com:443/artifactory/api/storage/gradle-plugins-extended-cache/org/freemarker/freemarker/2.3.33/freemarker-2.3.33.jar", args[0]);
+        assertEquals(3, args.length);
+        assertEquals("https://artifactory.example.com:443/artifactory/api/storage/gradle-plugins-extended-cache/org/freemarker/freemarker/2.3.33/freemarker-2.3.33.jar", args[1]);
 
         // Remove our manually injected additional appender
         sutLogger.detachAppender(listAppender);
@@ -212,7 +227,7 @@ void shouldHandleNoMatches() throws IOException {
         when(responseEntity.getContent()).thenReturn(new ByteArrayInputStream(payload));
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
         FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
                 "No Match found, should throw an exception!");
         // Then
@@ -298,7 +313,7 @@ void shouldProcessCorrectlyArtifactoryAnswer() throws IOException {
         when(responseEntity.getContent()).thenReturn(new ByteArrayInputStream(payload));
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
         final List<MavenArtifact> mavenArtifacts = handler.handleResponse(response);
 
         // Then
@@ -419,13 +434,13 @@ void shouldProcessCorrectlyArtifactoryAnswerMisMatchMd5() throws IOException {
         when(responseEntity.getContent()).thenReturn(new ByteArrayInputStream(payload));
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
         FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
                 "MD5 mismatching should throw an exception!");
 
         // Then
         assertEquals("Artifact " + dependency
-                + " not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
+                + " not found in Artifactory; discovered SHA1 hits not recognized as matching Maven artifacts", e.getMessage());
     }
 
     @Test
@@ -442,12 +457,12 @@ void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha1() throws IOException {
         when(responseEntity.getContent()).thenReturn(new ByteArrayInputStream(payload));
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
         FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
                 "SHA1 mismatching should throw an exception!");
 
         // Then
-        assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
+        assertEquals(EXCEPTION_MESSAGE, e.getMessage());
     }
 
     @Test
@@ -464,12 +479,12 @@ void shouldProcessCorrectlyArtifactoryAnswerMisMatchSha256() throws IOException
         when(responseEntity.getContent()).thenReturn(new ByteArrayInputStream(payload));
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
         FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
                 "SHA256 mismatching should throw an exception!");
 
         // Then
-        assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
+        assertEquals(EXCEPTION_MESSAGE, e.getMessage());
     }
 
     @Test
@@ -487,12 +502,12 @@ void shouldThrowNotFoundWhenPatternCannotBeParsed() throws IOException {
         when(responseEntity.getContent()).thenReturn(new ByteArrayInputStream(payload));
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
         FileNotFoundException e = assertThrows(FileNotFoundException.class, () -> handler.handleResponse(response),
                 "Maven GAV pattern mismatch for filepath should throw a not found exception!");
 
             // Then
-            assertEquals("Artifact Dependency{ fileName='null', actualFilePath='null', filePath='null', packagePath='null'} not found in Artifactory; discovered sha1 hits not recognized as matching maven artifacts", e.getMessage());
+            assertEquals(EXCEPTION_MESSAGE, e.getMessage());
     }
 
     @Test
@@ -509,7 +524,7 @@ void shouldSkipResultsWherePatternCannotBeParsed() throws IOException {
         when(responseEntity.getContent()).thenReturn(new ByteArrayInputStream(payload));
 
         // When
-        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(dependency);
+        final ArtifactorySearchResponseHandler handler = new ArtifactorySearchResponseHandler(TEST_URL, dependency);
         List<MavenArtifact> result = handler.handleResponse(response);
         // Then
         assertEquals(1, result.size());

From 4c33e0a50df8e4b2b268572b071e3fcafc10a921 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 30 Jul 2025 01:11:23 +0000
Subject: [PATCH 103/195] build(deps): bump org.apache.commons:commons-compress

Bumps [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) from 1.27.1 to 1.28.0.
- [Changelog](https://github.com/apache/commons-compress/blob/master/RELEASE-NOTES.txt)
- [Commits](https://github.com/apache/commons-compress/compare/rel/commons-compress-1.27.1...rel/commons-compress-1.28.0)

---
updated-dependencies:
- dependency-name: org.apache.commons:commons-compress
  dependency-version: 1.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 7bb90338d3a..e78caae313d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -158,7 +158,7 @@ Copyright (c) 2012 - Jeremy Long
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.18.0</mockito.version>
         <jsoup.version>1.21.1</jsoup.version>
-        <commons-compress.version>1.27.1</commons-compress.version>
+        <commons-compress.version>1.28.0</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>
         <maven-plugin-testing-harness.version>3.3.0</maven-plugin-testing-harness.version>
         <maven-plugin-annotations.version>3.15.1</maven-plugin-annotations.version>

From e16e8517faf4a05eca03e3662844a62696f5a2f3 Mon Sep 17 00:00:00 2001
From: Gilbert Handy <ghandy2@salmon.egh.csc.com>
Date: Thu, 31 Jul 2025 18:08:54 +0000
Subject: [PATCH 104/195] fix: Return unsorted vulnerabilities in new HashSet,
 avoiding CoMod

---
 .../java/org/owasp/dependencycheck/dependency/Dependency.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index ad6538d979a..ad33bd8a585 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -625,7 +625,7 @@ public synchronized Set<Vulnerability> getVulnerabilities(boolean sorted) {
         if (sorted) {
             vulnerabilitySet = new TreeSet<>(vulnerabilities);
         } else {
-            vulnerabilitySet = vulnerabilities;
+            vulnerabilitySet = new HashSet<>(vulnerabilities);
         }
         return Collections.unmodifiableSet(vulnerabilitySet);
     }

From db8dd161d775956c0c6428ec1925b270323eae30 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 6 Aug 2025 01:56:01 +0000
Subject: [PATCH 105/195] build(deps): bump actions/download-artifact from 4 to
 5

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/build.yml   | 4 ++--
 .github/workflows/release.yml | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 75b3a11186f..8436d096b2f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -107,7 +107,7 @@ jobs:
 #    needs: build
 #    steps:
 #      - name: Download coverage reports
-#        uses: actions/download-artifact@v4
+#        uses: actions/download-artifact@v5
 #        with:
 #          name: code-coverage-report
 #      - name: Run codacy-coverage-reporter
@@ -138,7 +138,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-maven-
       - name: Download release build
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: archive-snapshot
       - name: Build Docker Image
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6e05798cdd3..ab2f88bdf77 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -114,7 +114,7 @@ jobs:
 #    needs: build
 #    steps:
 #      - name: Download coverage reports
-#        uses: actions/download-artifact@v4
+#        uses: actions/download-artifact@v5
 #        with:
 #          name: code-coverage-report
 #      - name: Run codacy-coverage-reporter
@@ -146,7 +146,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Download release build
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: archive-release
       - name: Build Docker Image
@@ -173,7 +173,7 @@ jobs:
           VERSION=$( mvn help:evaluate -Dexpression=project.version -q -DforceStdout )
           echo "VERSION=$VERSION" >> $GITHUB_ENV
       - name: Download release build
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: archive-release
       - name: Create Release
@@ -248,7 +248,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Download Site
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: archive-site
           path: target/staging

From b7d8867756684e5e32f904f6fe81326a6ef64fcb Mon Sep 17 00:00:00 2001
From: Stephan Druskat <sdruskat@users.noreply.github.com>
Date: Wed, 6 Aug 2025 11:57:12 +0200
Subject: [PATCH 106/195] docs: Document poetry-based analysis behaviour in
 Python analyzer (#7855)

---
 src/site/markdown/analyzers/python.md | 30 ++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/site/markdown/analyzers/python.md b/src/site/markdown/analyzers/python.md
index 002251470ab..1a2dcc6bab2 100644
--- a/src/site/markdown/analyzers/python.md
+++ b/src/site/markdown/analyzers/python.md
@@ -12,4 +12,32 @@ is grouped into vendor, product, and version buckets. Other analyzers later
 use this evidence to identify any Common Platform Enumeration (CPE)
 identifiers that apply.
 
-Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA
\ No newline at end of file
+Files Types Scanned: py, whl, egg, zip, PKG-INFO, and METADATA
+
+Analyzing packages built with `poetry build`
+--------------------------------------------
+
+Note that running `dependency-check` on Python packages built with
+[Poetry](https://python-poetry.org)'s
+[`poetry build`](https://python-poetry.org/docs/cli/#build) command
+**may throw an error**:
+
+`[ERROR] Python 'pyproject.toml' found and there is not a 'poetry.lock' or
+'requirements.txt' - analysis will be incomplete`
+
+This is **known behaviour** (see
+[#6356](https://github.com/dependency-check/DependencyCheck/issues/6356))
+and is due to the analyzer analyzing the contents of the tarball
+that has been built (in `dist/<package>-<version>.tar.gz` if built using Poetry
+defaults). As per [PEP 517](https://peps.python.org/pep-0517/), the tarball
+contains the `pyproject.toml` manifest, but not the `poetry.lock` file
+that [freezes](https://python-poetry.org/docs/cli/#lock) dependencies at
+the versions used to build the project.
+
+To **circumvent this error**, exclude the tarball or the whole build target
+directory by running `dependency-check` with `--exclude "dist/**"`.
+
+***WARNING:*** This will not analyze the build artifact itself, but only the lock
+file. If dependencies have diverged between the two artifacts - e.g., after
+updating a depdendency and locking it without building again - the dependencies
+in the build artifact may be affected by vulnerabilities that will go undetected!

From 6b033f616ad919514810de6f475475b780a1c272 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 8 Aug 2025 07:22:41 -0400
Subject: [PATCH 107/195] build(deps): bump golang from 1.24.5-alpine to
 1.24.6-alpine (#7858)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 0df99e4b2ba..31054fe624a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.24.5-alpine AS go
+FROM golang:1.24.6-alpine AS go
 
 FROM azul/zulu-openjdk-alpine:21 AS jlink
 

From 3483ace6739e09ab8422b9151c230e5810da5d5c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 11 Aug 2025 10:57:08 -0400
Subject: [PATCH 108/195] build(deps): bump
 com.github.spotbugs:spotbugs-annotations from 4.9.3 to 4.9.4 (#7859)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index e78caae313d..bca8d62f20d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -141,7 +141,7 @@ Copyright (c) 2012 - Jeremy Long
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>
         <jetbrains.annotations.version>26.0.2</jetbrains.annotations.version>
-        <findbugs.spotbugs.version>4.9.3</findbugs.spotbugs.version>
+        <findbugs.spotbugs.version>4.9.4</findbugs.spotbugs.version>
         <com.h2database.version>2.3.232</com.h2database.version>
         <commons-cli.version>1.9.0</commons-cli.version>
         <commons-io.version>2.20.0</commons-io.version>

From 01cf58ab627323d9e9df134955888dbdfdf95a30 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 13 Aug 2025 07:55:24 -0400
Subject: [PATCH 109/195] build(deps): bump actions/checkout from 4 to 5
 (#7861)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml                    | 4 ++--
 .github/workflows/codeql-analysis.yml          | 2 +-
 .github/workflows/false-positive-approvals.yml | 2 +-
 .github/workflows/false-positive-ops.yml       | 2 +-
 .github/workflows/publish-suppressions.yml     | 2 +-
 .github/workflows/pull_requests.yml            | 6 +++---
 .github/workflows/purge-cache.yml              | 2 +-
 .github/workflows/release.yml                  | 8 ++++----
 8 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8436d096b2f..c1abe6f547f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,7 +22,7 @@ jobs:
         run: |
           cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --batch --import
           gpg --list-secret-keys --keyid-format LONG
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v4
@@ -128,7 +128,7 @@ jobs:
       DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v4
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 665a11d4f62..d8cfbaa48b6 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -33,7 +33,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml
index 0ed3f464834..5103bfb1461 100644
--- a/.github/workflows/false-positive-approvals.yml
+++ b/.github/workflows/false-positive-approvals.yml
@@ -22,7 +22,7 @@ jobs:
       github.event.comment.user.login == 'chadlwilson') }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           ref: generatedSuppressions
       - uses: actions/setup-node@v4.4.0
diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml
index 783b9427fe3..832ebc87cfe 100644
--- a/.github/workflows/false-positive-ops.yml
+++ b/.github/workflows/false-positive-ops.yml
@@ -32,7 +32,7 @@ jobs:
                 repo: context.repo.repo
               })
               )
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           path: odc
       - name: Parse False Positive Issue
diff --git a/.github/workflows/publish-suppressions.yml b/.github/workflows/publish-suppressions.yml
index bfe7fe68fc4..e20f8893b23 100644
--- a/.github/workflows/publish-suppressions.yml
+++ b/.github/workflows/publish-suppressions.yml
@@ -12,7 +12,7 @@ jobs:
     name: Publish Suppressions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           ref: generatedSuppressions
       - uses: actions/setup-node@v4.4.0
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
index ceee74e7455..413e226d0fd 100644
--- a/.github/workflows/pull_requests.yml
+++ b/.github/workflows/pull_requests.yml
@@ -14,7 +14,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v4
@@ -72,7 +72,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v4
@@ -120,7 +120,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v4
diff --git a/.github/workflows/purge-cache.yml b/.github/workflows/purge-cache.yml
index babd4553f67..9820e850a90 100644
--- a/.github/workflows/purge-cache.yml
+++ b/.github/workflows/purge-cache.yml
@@ -10,7 +10,7 @@ jobs:
     name: Purge GitHub Cache
     runs-on: ubuntu-latest 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ab2f88bdf77..61a3a597c85 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
         run: |
           cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --batch --import
           gpg --list-secret-keys --keyid-format LONG
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Check Maven Cache
         id: maven-cache
         uses: actions/cache@v4
@@ -144,7 +144,7 @@ jobs:
           path: ~/OWASP-Dependency-Check
           key: docker-repo
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Download release build
         uses: actions/download-artifact@v5
         with:
@@ -166,7 +166,7 @@ jobs:
     needs: build
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Get version
         id: get-version
         run: |
@@ -246,7 +246,7 @@ jobs:
     needs: build
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Download Site
         uses: actions/download-artifact@v5
         with:

From 97169271423ce4d20a2ef2e2226371d252ca6bbb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 14 Aug 2025 07:02:34 -0400
Subject: [PATCH 110/195] build(deps): bump amannn/action-semantic-pull-request
 from 5.5.3 to 6.0.1 (#7867)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/lint-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
index d990c5ae5a2..a2bf957b8e6 100644
--- a/.github/workflows/lint-pr.yml
+++ b/.github/workflows/lint-pr.yml
@@ -18,6 +18,6 @@ jobs:
       statuses: write
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5.5.3
+      - uses: amannn/action-semantic-pull-request@v6.0.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file

From 3ec985d7a67ba0d9e0b592547842c3fea29aaa3b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 15 Aug 2025 05:47:32 -0400
Subject: [PATCH 111/195] build(deps-dev): bump io.netty:netty-codec-http from
 4.2.3.Final to 4.2.4.Final (#7866)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 utils/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/pom.xml b/utils/pom.xml
index 3d3f2610be2..45754c7f851 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -95,7 +95,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
-            <version>4.2.3.Final</version>
+            <version>4.2.4.Final</version>
             <scope>test</scope>
         </dependency>
         <dependency>

From 1fd50d5ed5af979bd65ce601dbddb8e12dc5b3a6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Aug 2025 01:32:22 +0000
Subject: [PATCH 112/195] build(deps): bump
 org.apache.maven.plugins:maven-javadoc-plugin

Bumps [org.apache.maven.plugins:maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.11.2 to 3.11.3.
- [Release notes](https://github.com/apache/maven-javadoc-plugin/releases)
- [Commits](https://github.com/apache/maven-javadoc-plugin/compare/maven-javadoc-plugin-3.11.2...maven-javadoc-plugin-3.11.3)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-javadoc-plugin
  dependency-version: 3.11.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index bca8d62f20d..b0741a7a35d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -131,7 +131,7 @@ Copyright (c) 2012 - Jeremy Long
         <doxia-base.version>2.0.0</doxia-base.version>
         <maven-antrun-plugin.version>3.1.0</maven-antrun-plugin.version>
         <maven-dependency-plugin.version>3.8.1</maven-dependency-plugin.version>
-        <maven-javadoc-plugin.version>3.11.2</maven-javadoc-plugin.version>
+        <maven-javadoc-plugin.version>3.11.3</maven-javadoc-plugin.version>
         <!-- upgrading beyond 2.5 breaks maven site-->
         <maven-jxr-plugin.version>2.5</maven-jxr-plugin.version>
         <maven-project-info-reports-plugin.version>3.9.0</maven-project-info-reports-plugin.version>

From 9123eafabc491d444fb2cc5114c788093056b873 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 18 Aug 2025 07:23:34 -0400
Subject: [PATCH 113/195] build(deps): bump golang from 1.24.6-alpine to
 1.25.0-alpine (#7865)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 31054fe624a..d4f821eb1b9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.24.6-alpine AS go
+FROM golang:1.25.0-alpine AS go
 
 FROM azul/zulu-openjdk-alpine:21 AS jlink
 

From 2957400f03f2bb2cb02d6351d82c5274cdd22c81 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Aug 2025 07:52:55 -0400
Subject: [PATCH 114/195] build(deps): bump mockito.version from 5.18.0 to
 5.19.0 (#7874)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index b0741a7a35d..72ecd6ae0cc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -156,7 +156,7 @@ Copyright (c) 2012 - Jeremy Long
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
         <junit.version>5.13.4</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
-        <mockito.version>5.18.0</mockito.version>
+        <mockito.version>5.19.0</mockito.version>
         <jsoup.version>1.21.1</jsoup.version>
         <commons-compress.version>1.28.0</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>

From f55001a0a4f31ac1aff7c8d4a22683f5ee9c0de1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 22 Aug 2025 07:11:52 -0400
Subject: [PATCH 115/195] build(deps): bump actions/setup-java from 4 to 5
 (#7883)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml         | 2 +-
 .github/workflows/pull_requests.yml | 6 +++---
 .github/workflows/release.yml       | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c1abe6f547f..fbef9282d26 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -48,7 +48,7 @@ jobs:
           dotnet-version: '8.0.x'
       - name: Set up JDK 11
         id: jdk-11
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: 11
           distribution: 'zulu'
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
index 413e226d0fd..73d62c7c6fe 100644
--- a/.github/workflows/pull_requests.yml
+++ b/.github/workflows/pull_requests.yml
@@ -28,7 +28,7 @@ jobs:
           dotnet-version: '8.0.x'
       - name: Set up JDK 11
         id: jdk-11
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: 11
           distribution: 'zulu'
@@ -86,7 +86,7 @@ jobs:
           dotnet-version: '8.0.x'
       - name: Set up JDK 11
         id: jdk-11
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: 11
           distribution: 'zulu'
@@ -131,7 +131,7 @@ jobs:
             ${{ runner.os }}-maven-
       - name: Set up JDK 11
         id: jdk-11
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: 11
           distribution: 'zulu'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 61a3a597c85..6105f498654 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -50,7 +50,7 @@ jobs:
           dotnet-version: '8.0.x'
       - name: Set up JDK 11
         id: jdk-11
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           java-version: 11
           distribution: 'zulu'

From 15c9491f4b17b4e0c006723bb8041b47dea90802 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <kwin@apache.org>
Date: Fri, 22 Aug 2025 13:42:10 +0200
Subject: [PATCH 116/195] docs: Clarify format of exclude patterns (#7879)

---
 .../owasp/dependencycheck/maven/BaseDependencyCheckMojo.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index ed643eb8c10..5b04b95a31a 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -1169,8 +1169,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     private Retirejs retirejs;
 
     /**
-     * The list of artifacts (and their transitive dependencies) to exclude from
-     * the check.
+     * The list of patterns to exclude from the check. This is matched against the project dependencies (and will implicitly also remove transitive dependencies from matching dependencies). 
+     * Each pattern has the format {@code [groupId]:[artifactId]:[type]:[version]}. You can leave out unspecified parts (which is equal to using {@code *}).
+     * Examples: {@code org.apache.*} would match all artifacts whose group id starts with {@code org.apache.}, and {@code :::*-SNAPSHOT} would match all snapshot artifacts.
      */
     @Parameter(property = "odc.excludes")
     private List<String> excludes;

From b7702a696f6daa0099aa1e218fa45d61718f4d4f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 24 Aug 2025 07:23:48 -0400
Subject: [PATCH 117/195] build(deps): bump
 com.github.spotbugs:spotbugs-maven-plugin from 4.9.3.2 to 4.9.4.0 (#7882)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 72ecd6ae0cc..f888930c1d8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -137,7 +137,7 @@ Copyright (c) 2012 - Jeremy Long
         <maven-project-info-reports-plugin.version>3.9.0</maven-project-info-reports-plugin.version>
         <maven-surefire-report-plugin.version>3.5.3</maven-surefire-report-plugin.version>
         <jacoco-maven-plugin.version>0.8.13</jacoco-maven-plugin.version>
-        <spotbugs.maven.plugin.version>4.9.3.2</spotbugs.maven.plugin.version>
+        <spotbugs.maven.plugin.version>4.9.4.0</spotbugs.maven.plugin.version>
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>
         <jetbrains.annotations.version>26.0.2</jetbrains.annotations.version>

From 577cf94f7f68cde6e826c2838b318387ab034d7f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 Aug 2025 06:35:30 -0400
Subject: [PATCH 118/195] build(deps): bump amannn/action-semantic-pull-request
 from 6.0.1 to 6.1.1 (#7886)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/lint-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
index a2bf957b8e6..0c4125f1bd8 100644
--- a/.github/workflows/lint-pr.yml
+++ b/.github/workflows/lint-pr.yml
@@ -18,6 +18,6 @@ jobs:
       statuses: write
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v6.0.1
+      - uses: amannn/action-semantic-pull-request@v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file

From 2dd7324527fb998c0ee1f8080a1ccf24b74169e9 Mon Sep 17 00:00:00 2001
From: Tim <149380950+timnieder@users.noreply.github.com>
Date: Mon, 25 Aug 2025 13:28:40 +0200
Subject: [PATCH 119/195] fix: npe when processing cve with empty configuration
 (#7888)

---
 .../dependencycheck/data/nvd/ecosystem/CveEcosystemMapper.java   | 1 +
 .../main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java   | 1 +
 .../org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java   | 1 +
 3 files changed, 3 insertions(+)

diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvd/ecosystem/CveEcosystemMapper.java b/core/src/main/java/org/owasp/dependencycheck/data/nvd/ecosystem/CveEcosystemMapper.java
index 1a713cd9022..f201ffddae7 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nvd/ecosystem/CveEcosystemMapper.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nvd/ecosystem/CveEcosystemMapper.java
@@ -84,6 +84,7 @@ public String getEcosystem(DefCveItem cve) {
     private boolean hasMultipleVendorProductConfigurations(DefCveItem cve) {
         if (cve.getCve().getConfigurations() != null && !cve.getCve().getConfigurations().isEmpty()) {
             final List<CpeMatch> cpeEntries = cve.getCve().getConfigurations().stream()
+                    .filter(config -> config.getNodes() != null)
                     .map(Config::getNodes)
                     .flatMap(List::stream)
                     .filter(cpe -> cpe.getCpeMatch() != null)
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index fbc52a29677..1e4b64baff1 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -1611,6 +1611,7 @@ private List<VulnerableSoftware> parseCpes(DefCveItem cve) throws CpeValidationE
         final List<VulnerableSoftware> software = new ArrayList<>();
 
         final List<CpeMatch> cpeEntries = cve.getCve().getConfigurations().stream()
+                .filter(config -> config.getNodes() != null)
                 .map(Config::getNodes)
                 .flatMap(List::stream)
                 .map(Node::getCpeMatch)
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
index 53603228358..9d22ec4093b 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveItemOperator.java
@@ -222,6 +222,7 @@ boolean testCveCpeStartWithFilter(final DefCveItem cve) {
         if (cve.getCve().getConfigurations() != null) {
             //cycle through to see if this is a CPE we care about (use the CPE filters
             return cve.getCve().getConfigurations().stream()
+                    .filter(config -> config.getNodes() != null)
                     .map(Config::getNodes)
                     .flatMap(List::stream)
                     .filter(Objects::nonNull)

From 840b13a1d6258d161d9ed1455a61d5546aef0f64 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 31 Aug 2025 07:44:25 -0400
Subject: [PATCH 120/195] fix: correctly utilize CVSSv4 from ossindex (#7899)

---
 .../analyzer/OssIndexAnalyzer.java            |   5 +-
 .../owasp/dependencycheck/utils/CvssUtil.java | 129 ++++++++++++++++++
 2 files changed, 133 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
index 185189a1d50..265fb7c97c2 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
@@ -19,6 +19,7 @@
 
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data;
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4;
 import org.sonatype.ossindex.service.api.componentreport.ComponentReport;
 import org.sonatype.ossindex.service.api.componentreport.ComponentReportVulnerability;
 import org.sonatype.ossindex.service.api.cvss.Cvss2Severity;
@@ -321,7 +322,9 @@ private Vulnerability transform(final ComponentReport report, final ComponentRep
         final double cvssScore = source.getCvssScore() != null ? source.getCvssScore().doubleValue() : -1;
 
         if (source.getCvssVector() != null) {
-            if (source.getCvssVector().startsWith("CVSS:3")) {
+            if (source.getCvssVector().startsWith("CVSS:4")) {
+                result.setCvssV4(CvssUtil.vectorToCvssV4("ossindex", CvssV4.Type.PRIMARY, cvssScore, source.getCvssVector()));
+            } else if (source.getCvssVector().startsWith("CVSS:3")) {
                 result.setCvssV3(CvssUtil.vectorToCvssV3(source.getCvssVector(), cvssScore));
             } else {
                 // convert cvss details
diff --git a/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java b/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java
index cae334833d9..c5f6c620dcb 100644
--- a/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java
+++ b/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java
@@ -21,9 +21,14 @@
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3Data;
+
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
+
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4;
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4Data;
 import org.sonatype.ossindex.service.api.cvss.Cvss3Severity;
 
 /**
@@ -36,6 +41,7 @@ public final class CvssUtil {
     private CvssUtil() {
         //empty constructor for utility class.
     }
+
     /**
      * The CVSS v3 Base Metrics (that are required by the spec for any CVSS v3
      * Vector String)
@@ -221,6 +227,129 @@ public static CvssV3 vectorToCvssV3(String vectorString, Double baseScore) {
                 baseSeverity, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null);
         final CvssV3 cvss = new CvssV3(null, null, data, null, null);
         return cvss;
+    }
+
+    private static CvssV4Data.SeverityType toSeverityType(double baseScore) {
+        if (baseScore == 0.0) {
+            return CvssV4Data.SeverityType.NONE;
+        } else if (baseScore >= 0.1 && baseScore <= 3.9) {
+            return CvssV4Data.SeverityType.LOW;
+        } else if (baseScore >= 4.0 && baseScore <= 6.9) {
+            return CvssV4Data.SeverityType.MEDIUM;
+        } else if (baseScore >= 7.0 && baseScore <= 8.9) {
+            return CvssV4Data.SeverityType.HIGH;
+        } else if (baseScore >= 9.0 && baseScore <= 10.0) {
+            return CvssV4Data.SeverityType.CRITICAL;
+        } else {
+            throw new IllegalArgumentException("Invalid CVSS base score: " + baseScore);
+        }
+    }
+
+    /**
+     * Convert a CVSSv4 vector String into a CvssV4 Object.
+     *
+     * @param source the source of the CVSS data
+     * @param type the type of CVSS data (primary or secondary)
+     * @param baseScore the base score
+     * @param vectorString the vector string
+     * @return the CVSSv4 object
+     */
+    public static CvssV4 vectorToCvssV4(String source, CvssV4.Type type, Double baseScore, String vectorString) {
+        // Remove "CVSS:" prefix and split by "/"
+        String[] parts = vectorString.replaceFirst("^CVSS:", "").split("/");
+        Map<String, String> values = new HashMap<>();
+        for (String part : parts) {
+            String[] kv = part.split(":");
+            if (kv.length == 2) {
+                values.put(kv[0], kv[1]);
+            }
+        }
+
+        CvssV4Data.Version version = CvssV4Data.Version.fromValue(values.getOrDefault("4.0", "4.0"));
+
+        CvssV4Data.AttackVectorType attackVector = values.containsKey("AV") ? CvssV4Data.AttackVectorType.fromValue(values.get("AV")) : null;
+        CvssV4Data.AttackComplexityType attackComplexity = values.containsKey("AC") ? CvssV4Data.AttackComplexityType.fromValue(values.get("AC")) : null;
+        CvssV4Data.AttackRequirementsType attackRequirements = values.containsKey("AT") ? CvssV4Data.AttackRequirementsType.fromValue(values.get("AT")) : null;
+        CvssV4Data.PrivilegesRequiredType privilegesRequired = values.containsKey("PR") ? CvssV4Data.PrivilegesRequiredType.fromValue(values.get("PR")) : null;
+        CvssV4Data.UserInteractionType userInteraction = values.containsKey("UI") ? CvssV4Data.UserInteractionType.fromValue(values.get("UI")) : null;
+        CvssV4Data.CiaType vulnConfidentialityImpact = values.containsKey("VC") ? CvssV4Data.CiaType.fromValue(values.get("VC")) : null;
+        CvssV4Data.CiaType vulnIntegrityImpact = values.containsKey("VI") ? CvssV4Data.CiaType.fromValue(values.get("VI")) : null;
+        CvssV4Data.CiaType vulnAvailabilityImpact = values.containsKey("VA") ? CvssV4Data.CiaType.fromValue(values.get("VA")) : null;
+        CvssV4Data.CiaType subConfidentialityImpact = values.containsKey("SC") ? CvssV4Data.CiaType.fromValue(values.get("SC")) : null;
+        CvssV4Data.CiaType subIntegrityImpact = values.containsKey("SI") ? CvssV4Data.CiaType.fromValue(values.get("SI")) : null;
+        CvssV4Data.CiaType subAvailabilityImpact = values.containsKey("SA") ? CvssV4Data.CiaType.fromValue(values.get("SA")) : null;
+        CvssV4Data.ExploitMaturityType exploitMaturity = values.containsKey("E") ? CvssV4Data.ExploitMaturityType.fromValue(values.get("E")) : CvssV4Data.ExploitMaturityType.NOT_DEFINED;
+        CvssV4Data.CiaRequirementType confidentialityRequirement = values.containsKey("CR") ? CvssV4Data.CiaRequirementType.fromValue(values.get("CR")) : CvssV4Data.CiaRequirementType.NOT_DEFINED;
+        CvssV4Data.CiaRequirementType integrityRequirement = values.containsKey("IR") ? CvssV4Data.CiaRequirementType.fromValue(values.get("IR")) : CvssV4Data.CiaRequirementType.NOT_DEFINED;
+        CvssV4Data.CiaRequirementType availabilityRequirement = values.containsKey("AR") ? CvssV4Data.CiaRequirementType.fromValue(values.get("AR")) : CvssV4Data.CiaRequirementType.NOT_DEFINED;
+        CvssV4Data.ModifiedAttackVectorType modifiedAttackVector = values.containsKey("MAV") ? CvssV4Data.ModifiedAttackVectorType.fromValue(values.get("MAV")) : CvssV4Data.ModifiedAttackVectorType.NOT_DEFINED;
+        CvssV4Data.ModifiedAttackComplexityType modifiedAttackComplexity = values.containsKey("MAC") ? CvssV4Data.ModifiedAttackComplexityType.fromValue(values.get("MAC")) : CvssV4Data.ModifiedAttackComplexityType.NOT_DEFINED;
+        CvssV4Data.ModifiedAttackRequirementsType modifiedAttackRequirements = values.containsKey("MAT") ? CvssV4Data.ModifiedAttackRequirementsType.fromValue(values.get("MAT")) : CvssV4Data.ModifiedAttackRequirementsType.NOT_DEFINED;
+        CvssV4Data.ModifiedPrivilegesRequiredType modifiedPrivilegesRequired = values.containsKey("MPR") ? CvssV4Data.ModifiedPrivilegesRequiredType.fromValue(values.get("MPR")) : CvssV4Data.ModifiedPrivilegesRequiredType.NOT_DEFINED;
+        CvssV4Data.ModifiedUserInteractionType modifiedUserInteraction = values.containsKey("MUI") ? CvssV4Data.ModifiedUserInteractionType.fromValue(values.get("MUI")) : CvssV4Data.ModifiedUserInteractionType.NOT_DEFINED;
+        CvssV4Data.ModifiedCiaType modifiedVulnConfidentialityImpact = values.containsKey("MVC") ? CvssV4Data.ModifiedCiaType.fromValue(values.get("MVC")) : CvssV4Data.ModifiedCiaType.NOT_DEFINED;
+        CvssV4Data.ModifiedCiaType modifiedVulnIntegrityImpact = values.containsKey("MVI") ? CvssV4Data.ModifiedCiaType.fromValue(values.get("MVI")) : CvssV4Data.ModifiedCiaType.NOT_DEFINED;
+        CvssV4Data.ModifiedCiaType modifiedVulnAvailabilityImpact = values.containsKey("MVA") ? CvssV4Data.ModifiedCiaType.fromValue(values.get("MVA")) : CvssV4Data.ModifiedCiaType.NOT_DEFINED;
+        CvssV4Data.ModifiedSubCType modifiedSubConfidentialityImpact = values.containsKey("MSC") ? CvssV4Data.ModifiedSubCType.fromValue(values.get("MSC")) : CvssV4Data.ModifiedSubCType.NOT_DEFINED;
+        CvssV4Data.ModifiedSubIaType modifiedSubIntegrityImpact = values.containsKey("MSI") ? CvssV4Data.ModifiedSubIaType.fromValue(values.get("MSI")) : CvssV4Data.ModifiedSubIaType.NOT_DEFINED;
+        CvssV4Data.ModifiedSubIaType modifiedSubAvailabilityImpact = values.containsKey("MSA") ? CvssV4Data.ModifiedSubIaType.fromValue(values.get("MSA")) : CvssV4Data.ModifiedSubIaType.NOT_DEFINED;
+        CvssV4Data.SafetyType safety = values.containsKey("S") ? CvssV4Data.SafetyType.fromValue(values.get("S")) : CvssV4Data.SafetyType.NOT_DEFINED;
+        CvssV4Data.AutomatableType automatable = values.containsKey("AU") ? CvssV4Data.AutomatableType.fromValue(values.get("AU")) : CvssV4Data.AutomatableType.NOT_DEFINED;
+        CvssV4Data.RecoveryType recovery = values.containsKey("R") ? CvssV4Data.RecoveryType.fromValue(values.get("R")) : CvssV4Data.RecoveryType.NOT_DEFINED;
+        CvssV4Data.ValueDensityType valueDensity = values.containsKey("V") ? CvssV4Data.ValueDensityType.fromValue(values.get("V")) : CvssV4Data.ValueDensityType.NOT_DEFINED;
+        CvssV4Data.VulnerabilityResponseEffortType vulnerabilityResponseEffort = values.containsKey("RE") ? CvssV4Data.VulnerabilityResponseEffortType.fromValue(values.get("RE")) : CvssV4Data.VulnerabilityResponseEffortType.NOT_DEFINED;
+        CvssV4Data.ProviderUrgencyType providerUrgency = values.containsKey("U") ? CvssV4Data.ProviderUrgencyType.fromValue(values.get("U")) : CvssV4Data.ProviderUrgencyType.NOT_DEFINED;
+
+        CvssV4Data.SeverityType baseSeverity = toSeverityType(baseScore);
+        // Scores and severities are not present in the vector string, set to null/defaults
+        Double threatScore = null;
+        CvssV4Data.SeverityType threatSeverity = null;
+        Double environmentalScore = null;
+        CvssV4Data.SeverityType environmentalSeverity = null;
+
+        CvssV4Data cvssData = new CvssV4Data(
+                version,
+                vectorString,
+                attackVector,
+                attackComplexity,
+                attackRequirements,
+                privilegesRequired,
+                userInteraction,
+                vulnConfidentialityImpact,
+                vulnIntegrityImpact,
+                vulnAvailabilityImpact,
+                subConfidentialityImpact,
+                subIntegrityImpact,
+                subAvailabilityImpact,
+                exploitMaturity,
+                confidentialityRequirement,
+                integrityRequirement,
+                availabilityRequirement,
+                modifiedAttackVector,
+                modifiedAttackComplexity,
+                modifiedAttackRequirements,
+                modifiedPrivilegesRequired,
+                modifiedUserInteraction,
+                modifiedVulnConfidentialityImpact,
+                modifiedVulnIntegrityImpact,
+                modifiedVulnAvailabilityImpact,
+                modifiedSubConfidentialityImpact,
+                modifiedSubIntegrityImpact,
+                modifiedSubAvailabilityImpact,
+                safety,
+                automatable,
+                recovery,
+                valueDensity,
+                vulnerabilityResponseEffort,
+                providerUrgency,
+                baseScore,
+                baseSeverity,
+                threatScore,
+                threatSeverity,
+                environmentalScore,
+                environmentalSeverity
+        );
 
+        return new CvssV4(source, type, cvssData);
     }
 }

From f3de85180d72d3bdd6b55c72b5afd6933dfc7f5f Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 2 Sep 2025 07:44:49 -0400
Subject: [PATCH 121/195] fix: add CVSSv4 to suppressed entries in JSON report
 (#7900)

---
 .../main/resources/templates/jsonReport.vsl   | 130 ++++++++++++++++++
 1 file changed, 130 insertions(+)

diff --git a/core/src/main/resources/templates/jsonReport.vsl b/core/src/main/resources/templates/jsonReport.vsl
index 05387cb7cbd..336ed9eef46 100644
--- a/core/src/main/resources/templates/jsonReport.vsl
+++ b/core/src/main/resources/templates/jsonReport.vsl
@@ -447,6 +447,136 @@
 #if($vuln.cvssV3.cvssData.version),"version": "$enc.json($vuln.cvssV3.cvssData.version)"#end
                     },
 #end
+#if($vuln.cvssV4)
+                    "cvssv4": {
+#if($vuln.cvssV4.cvssData.vectorString)
+                        "vectorString": "$enc.json($vuln.cvssV4.cvssData.vectorString)"
+#end
+#if($vuln.cvssV4.source)
+                        ,"source": "$enc.json($vuln.cvssV4.source)"
+#end
+#if($vuln.cvssV4.type)
+                        ,"type": "$enc.json($vuln.cvssV4.type)"
+#end
+#if($vuln.cvssV4.cvssData.version)
+                        ,"version": "$enc.json($vuln.cvssV4.cvssData.version)"
+#end
+#if($vuln.cvssV4.cvssData.attackVector)
+                        ,"attackVector": "$enc.json($vuln.cvssV4.cvssData.attackVector)"
+#end
+#if($vuln.cvssV4.cvssData.attackComplexity)
+                        ,"attackComplexity": "$enc.json($vuln.cvssV4.cvssData.attackComplexity)"
+#end
+#if($vuln.cvssV4.cvssData.attackRequirements)
+                        ,"attackRequirements": "$enc.json($vuln.cvssV4.cvssData.attackRequirements)"
+#end
+#if($vuln.cvssV4.cvssData.privilegesRequired)
+                        ,"privilegesRequired": "$enc.json($vuln.cvssV4.cvssData.privilegesRequired)"
+#end
+#if($vuln.cvssV4.cvssData.userInteraction)
+                        ,"userInteraction": "$enc.json($vuln.cvssV4.cvssData.userInteraction)"
+#end
+#if($vuln.cvssV4.cvssData.vulnerableSystemConfidentiality)
+                        ,"vulnerableSystemConfidentiality": "$enc.json($vuln.cvssV4.cvssData.vulnerableSystemConfidentiality)"
+#end
+#if($vuln.cvssV4.cvssData.vulnerableSystemIntegrity)
+                        ,"vulnerableSystemIntegrity": "$enc.json($vuln.cvssV4.cvssData.vulnerableSystemIntegrity)"
+#end
+#if($vuln.cvssV4.cvssData.vulnerableSystemAvailability)
+                        ,"vulnerableSystemAvailability": "$enc.json($vuln.cvssV4.cvssData.vulnerableSystemAvailability)"
+#end
+#if($vuln.cvssV4.cvssData.subsequentSystemConfidentiality)
+                        ,"subsequentSystemConfidentiality": "$enc.json($vuln.cvssV4.cvssData.subsequentSystemConfidentiality)"
+#end
+#if($vuln.cvssV4.cvssData.subsequentSystemIntegrity)
+                        ,"subsequentSystemIntegrity": "$enc.json($vuln.cvssV4.cvssData.subsequentSystemIntegrity)"
+#end
+#if($vuln.cvssV4.cvssData.subsequentSystemAvailability)
+                        ,"subsequentSystemAvailability": "$enc.json($vuln.cvssV4.cvssData.subsequentSystemAvailability)"
+#end
+#if($vuln.cvssV4.cvssData.exploitMaturity)
+                        ,"exploitMaturity": "$enc.json($vuln.cvssV4.cvssData.exploitMaturity)"
+#end
+#if($vuln.cvssV4.cvssData.confidentialityRequirements)
+                        ,"confidentialityRequirements": "$enc.json($vuln.cvssV4.cvssData.confidentialityRequirements)"
+#end
+#if($vuln.cvssV4.cvssData.integrityRequirements)
+                        ,"integrityRequirements": "$enc.json($vuln.cvssV4.cvssData.integrityRequirements)"
+#end
+#if($vuln.cvssV4.cvssData.availabilityRequirements)
+                        ,"availabilityRequirements": "$enc.json($vuln.cvssV4.cvssData.availabilityRequirements)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedAttackVector)
+                        ,"modifiedAttackVector": "$enc.json($vuln.cvssV4.cvssData.modifiedAttackVector)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedAttackComplexity)
+                        ,"modifiedAttackComplexity": "$enc.json($vuln.cvssV4.cvssData.modifiedAttackComplexity)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedAttackRequirements)
+                        ,"modifiedAttackRequirements": "$enc.json($vuln.cvssV4.cvssData.modifiedAttackRequirements)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedPrivilegesRequired)
+                        ,"modifiedPrivilegesRequired": "$enc.json($vuln.cvssV4.cvssData.modifiedPrivilegesRequired)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedUserInteraction)
+                        ,"modifiedUserInteraction": "$enc.json($vuln.cvssV4.cvssData.modifiedUserInteraction)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemConfidentiality)
+                        ,"modifiedVulnerableSystemConfidentiality": "$enc.json($vuln.cvssV4.cvssData.modifiedVulnerableSystemConfidentiality)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemIntegrity)
+                        ,"modifiedVulnerableSystemIntegrity": "$enc.json($vuln.cvssV4.cvssData.modifiedVulnerableSystemIntegrity)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedVulnerableSystemAvailability)
+                        ,"modifiedVulnerableSystemAvailability": "$enc.json($vuln.cvssV4.cvssData.modifiedVulnerableSystemAvailability)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemConfidentiality)
+                        ,"modifiedSubsequentSystemConfidentiality": "$enc.json($vuln.cvssV4.cvssData.modifiedSubsequentSystemConfidentiality)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemIntegrity)
+                        ,"modifiedSubsequentSystemIntegrity": "$enc.json($vuln.cvssV4.cvssData.modifiedSubsequentSystemIntegrity)"
+#end
+#if($vuln.cvssV4.cvssData.modifiedSubsequentSystemAvailability)
+                        ,"modifiedSubsequentSystemAvailability": "$enc.json($vuln.cvssV4.cvssData.modifiedSubsequentSystemAvailability)"
+#end
+#if($vuln.cvssV4.cvssData.safety)
+                        ,"safety": "$enc.json($vuln.cvssV4.cvssData.safety)"
+#end
+#if($vuln.cvssV4.cvssData.automatable)
+                        ,"automatable": "$enc.json($vuln.cvssV4.cvssData.automatable)"
+#end
+#if($vuln.cvssV4.cvssData.recovery)
+                        ,"recovery": "$enc.json($vuln.cvssV4.cvssData.recovery)"
+#end
+#if($vuln.cvssV4.cvssData.valueDensity)
+                        ,"valueDensity": "$enc.json($vuln.cvssV4.cvssData.valueDensity)"
+#end
+#if($vuln.cvssV4.cvssData.vulnerabilityResponseEffort)
+                        ,"vulnerabilityResponseEffort": "$enc.json($vuln.cvssV4.cvssData.vulnerabilityResponseEffort)"
+#end
+#if($vuln.cvssV4.cvssData.providerUrgency)
+                        ,"providerUrgency": "$enc.json($vuln.cvssV4.cvssData.providerUrgency)"
+#end
+#if($vuln.cvssV4.cvssData.baseScore)
+                        ,"baseScore": $vuln.cvssV4.cvssData.baseScore
+#end
+#if($vuln.cvssV4.cvssData.baseSeverity)
+                        ,"baseSeverity": "$enc.json($vuln.cvssV4.cvssData.baseSeverity)"
+#end
+#if($vuln.cvssV4.cvssData.threatScore)
+                        ,"threatScore": $vuln.cvssV4.cvssData.threatScore
+#end
+#if($vuln.cvssV4.cvssData.threatSeverity)
+                        ,"threatSeverity": "$enc.json($vuln.cvssV4.cvssData.threatSeverity)"
+#end
+#if($vuln.cvssV4.cvssData.environmentalScore)
+                        ,"environmentalScore": $vuln.cvssV4.cvssData.environmentalScore
+#end
+#if($vuln.cvssV4.cvssData.environmentalSeverity)
+                        ,"environmentalSeverity": "$enc.json($vuln.cvssV4.cvssData.environmentalSeverity)"
+#end
+                    },
+#end
 #if (!$vuln.cwes.isEmpty())
                     "cwes": [
 #set($addComma=0)

From d926861183e4ca8aa53c4b39a7563af51a8fa50c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 3 Sep 2025 18:01:33 -0400
Subject: [PATCH 122/195] build(deps): bump org.jsoup:jsoup from 1.21.1 to
 1.21.2 (#7885)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index f888930c1d8..5906f504ffc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -157,7 +157,7 @@ Copyright (c) 2012 - Jeremy Long
         <junit.version>5.13.4</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.19.0</mockito.version>
-        <jsoup.version>1.21.1</jsoup.version>
+        <jsoup.version>1.21.2</jsoup.version>
         <commons-compress.version>1.28.0</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>
         <maven-plugin-testing-harness.version>3.3.0</maven-plugin-testing-harness.version>

From 1a111d22a9b98f61fad5dace7f96a0953f3381a7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 7 Sep 2025 07:55:58 -0400
Subject: [PATCH 123/195] build(deps): bump jackson.version from 2.19.2 to
 2.20.0 (#7907)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 5906f504ffc..27d35738d7d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -171,7 +171,7 @@ Copyright (c) 2012 - Jeremy Long
         <groovy-all.version>2.4.21</groovy-all.version>
         <gmavenplus-plugin.version>4.2.1</gmavenplus-plugin.version>
         <com.h3xstream.retirejs.core.version>3.0.4</com.h3xstream.retirejs.core.version>
-        <jackson.version>2.19.2</jackson.version>
+        <jackson.version>2.20.0</jackson.version>
         <!--necessary for some IDEs to be able to execute test cases (Netbeans)-->
         <surefireArgLine />
         <mock-server.version>5.15.0</mock-server.version>

From 4a6901fd3a3a31e1205695ba108e7544b6b454be Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Sep 2025 06:20:00 -0400
Subject: [PATCH 124/195] build(deps): bump golang from 1.25.0-alpine to
 1.25.1-alpine (#7914)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index d4f821eb1b9..709f1844f22 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.25.0-alpine AS go
+FROM golang:1.25.1-alpine AS go
 
 FROM azul/zulu-openjdk-alpine:21 AS jlink
 

From fc289ea58a5307e6050ed887675c6331514237d3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 16 Sep 2025 06:25:34 -0400
Subject: [PATCH 125/195] build(deps): bump actions/github-script from 7.0.1 to
 8.0.0 (#7909)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/false-positive-approvals.yml |  4 ++--
 .github/workflows/false-positive-ops.yml       | 12 ++++++------
 .github/workflows/publish-suppressions.yml     |  2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml
index 5103bfb1461..2a228b4d17b 100644
--- a/.github/workflows/false-positive-approvals.yml
+++ b/.github/workflows/false-positive-approvals.yml
@@ -31,7 +31,7 @@ jobs:
           npm install fs
       - name: Commit Suppression Rule
         id: fp-ops-commit
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         with:
           script: |
             const { execSync } = require("child_process");
@@ -159,7 +159,7 @@ jobs:
           target-folder: suppressions
       - name: Message failure
         if: ${{ failure() || steps.fp-ops-commit.outputs.failed }}
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         with:
           script: |
             github.rest.issues.createComment({
diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml
index 832ebc87cfe..ef9c4dea09d 100644
--- a/.github/workflows/false-positive-ops.yml
+++ b/.github/workflows/false-positive-ops.yml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - name: Remove Labels
         if: contains(github.event.issue.labels.*.name, 'pending more information')
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         with:
           script: |
               github.rest.issues.removeLabel({
@@ -50,7 +50,7 @@ jobs:
           npm install packageurl-js
       - name: Parse Package URL
         id: purl-parser
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         env:
           PURL: ${{ fromJSON(steps.issue-parser.outputs.jsonString).purl }}
         with:
@@ -148,7 +148,7 @@ jobs:
            path: ${{github.workspace}}/reports
       - name: Comment on maven issue
         if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'maven' }}
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         env:
           GROUPID: ${{ fromJSON(steps.purl-parser.outputs.result).namespace }}
           ARTIFACTID: ${{ fromJSON(steps.purl-parser.outputs.result).name }}
@@ -199,7 +199,7 @@ jobs:
             })
       - name: Comment on npm issue
         if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'npm' }}
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         env:
           NAME: ${{ fromJSON(steps.purl-parser.outputs.result).name }}
           VERSION: ${{ fromJSON(steps.purl-parser.outputs.result).version }}
@@ -246,7 +246,7 @@ jobs:
             })
       - name: Comment on dotnet issue
         if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'nuget' }}
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         env:
           NAME: ${{ fromJSON(steps.purl-parser.outputs.result).name }}
           VERSION: ${{ fromJSON(steps.purl-parser.outputs.result).version }}
@@ -293,7 +293,7 @@ jobs:
             
       - name: Message failure
         if: ${{ failure() }}
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         with:
           script: |
             github.rest.issues.createComment({
diff --git a/.github/workflows/publish-suppressions.yml b/.github/workflows/publish-suppressions.yml
index e20f8893b23..889b9a4f2f1 100644
--- a/.github/workflows/publish-suppressions.yml
+++ b/.github/workflows/publish-suppressions.yml
@@ -19,7 +19,7 @@ jobs:
       - run: |
           npm install fs
       - name: Create Generated Suppressions XML
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@v8.0.0
         with:
           script: |
             const fs = require('fs');

From 812793d05d354036883571ce10830baae3d6d156 Mon Sep 17 00:00:00 2001
From: framayo <framayo@morean.co>
Date: Sat, 20 Sep 2025 08:26:50 -0300
Subject: [PATCH 126/195] fix: Update to support OSS Index Authentication
 Requirements (#7920)

Co-authored-by: Jeremy Long <jeremy.long@gmail.com>
---
 .../analyzer/OssIndexAnalyzer.java            | 12 +++
 .../analyzer/OssIndexAnalyzerTest.java        | 95 +++++++++++++++----
 .../markdown/analyzers/oss-index-analyzer.md  |  6 ++
 3 files changed, 97 insertions(+), 16 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
index 265fb7c97c2..7b259ad661f 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
@@ -37,7 +37,9 @@
 import org.owasp.dependencycheck.dependency.VulnerableSoftwareBuilder;
 import org.owasp.dependencycheck.dependency.naming.Identifier;
 import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.Settings.KEYS;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import us.springett.parsers.cpe.exceptions.CpeValidationException;
@@ -127,6 +129,16 @@ protected void closeAnalyzer() throws Exception {
         }
     }
 
+    @Override
+    protected void prepareAnalyzer(Engine engine) throws InitializationException {
+      synchronized (FETCH_MUTIX) {
+        if (StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_USER, StringUtils.EMPTY)) ||
+            StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_PASSWORD, StringUtils.EMPTY))) {
+          throw new InitializationException("Error initializing OSS Index analyzer due to missing user/password credentials. Authentication is now required: https://ossindex.sonatype.org/doc/auth-required");
+        }
+      }
+    }
+
     @Override
     protected void analyzeDependency(final Dependency dependency, final Engine engine) throws AnalysisException {
         // batch request component-reports for all dependencies
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
index b56c9556b6b..8b8c34492ad 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
@@ -8,14 +8,19 @@
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.naming.Identifier;
 import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.Settings.KEYS;
+
 import org.sonatype.goodies.packageurl.PackageUrl;
 import org.sonatype.ossindex.service.api.componentreport.ComponentReport;
 import org.sonatype.ossindex.service.client.OssindexClient;
 import org.sonatype.ossindex.service.client.transport.Transport;
 
 import java.net.SocketTimeoutException;
+import java.net.URI;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ExecutionException;
@@ -25,6 +30,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 class OssIndexAnalyzerTest extends BaseTest {
@@ -42,10 +48,12 @@ void should_enrich_be_included_in_mutex_to_prevent_NPE()
         Dependency dependency = new Dependency();
         dependency.addSoftwareIdentifier(identifier);
         Settings settings = getSettings();
+        setCredentials(settings);
         Engine engine = new Engine(settings);
         engine.setDependencies(Collections.singletonList(dependency));
 
         analyzer.initialize(settings);
+        analyzer.prepareAnalyzer(engine);
 
         String expectedOutput = "https://ossindex.sonatype.org/component/pkg:maven/test/test@1.0";
 
@@ -75,6 +83,11 @@ void should_enrich_be_included_in_mutex_to_prevent_NPE()
      */
     static final class SproutOssIndexAnalyzer extends OssIndexAnalyzer {
         private Future<?> pendingClosureTask;
+        @Override
+        OssindexClient newOssIndexClient() {
+                return new OssIndexClientOk();
+        }
+
         @Override
         void enrich(Dependency dependency) {
             ExecutorService executor = Executors.newSingleThreadExecutor();
@@ -93,19 +106,46 @@ void awaitPendingClosure() throws ExecutionException, InterruptedException {
         }
     }
 
+    private static final class OssIndexClientOk implements OssindexClient {
+
+        @Override
+        public Map<PackageUrl, ComponentReport> requestComponentReports(List<PackageUrl> coordinates) throws Exception {
+            HashMap<PackageUrl, ComponentReport> reports = new HashMap<>();
+            ComponentReport report = new ComponentReport();
+            PackageUrl packageUrl = coordinates.get(0);
+            report.setCoordinates(packageUrl);
+            report.setReference(new URI("https://ossindex.sonatype.org/component/pkg:maven/test/test@1.0?utm_source=dependency-check&utm_medium=integration&utm_content=12.1.4-SNAPSHOT"));
+            reports.put(packageUrl, report);
+            return reports;
+        }
+
+        @Override
+        public ComponentReport requestComponentReport(PackageUrl coordinates) throws Exception {
+            return new ComponentReport();
+        }
+
+        @Override
+        public void close() {
+
+        }
+    }
+
     @Test
     void should_analyzeDependency_return_a_dedicated_error_message_when_403_response_from_sonatype() throws Exception {
         // Given
         OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowing403();
-        analyzer.initialize(getSettings());
+        Settings settings = getSettings();
+        setCredentials(settings);
+        Engine engine = new Engine(settings);
+
+        analyzer.initialize(settings);
+        analyzer.prepareAnalyzer(engine);
 
         Identifier identifier = new PurlIdentifier("maven", "test", "test", "1.0",
                 Confidence.HIGHEST);
 
         Dependency dependency = new Dependency();
         dependency.addSoftwareIdentifier(identifier);
-        Settings settings = getSettings();
-        Engine engine = new Engine(settings);
         engine.setDependencies(Collections.singletonList(dependency));
 
         // When
@@ -126,17 +166,19 @@ void should_analyzeDependency_return_a_dedicated_error_message_when_403_response
     void should_analyzeDependency_only_warn_when_transport_error_from_sonatype() throws Exception {
         // Given
         OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowing502();
+        Settings settings = getSettings();
+        setCredentials(settings);
+        settings.setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, true);
+        Engine engine = new Engine(settings);
 
-        getSettings().setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, true);
-        analyzer.initialize(getSettings());
+        analyzer.initialize(settings);
+        analyzer.prepareAnalyzer(engine);
 
         Identifier identifier = new PurlIdentifier("maven", "test", "test", "1.0",
                 Confidence.HIGHEST);
 
         Dependency dependency = new Dependency();
         dependency.addSoftwareIdentifier(identifier);
-        Settings settings = getSettings();
-        Engine engine = new Engine(settings);
 
         // When
         try (engine) {
@@ -148,22 +190,23 @@ void should_analyzeDependency_only_warn_when_transport_error_from_sonatype() thr
         }
     }
 
-
     @Test
     void should_analyzeDependency_only_warn_when_socket_error_from_sonatype() throws Exception {
         // Given
         OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowingSocketTimeout();
+        Settings settings = getSettings();
+        setCredentials(settings);
+        settings.setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, true);
+        analyzer.initialize(settings);
 
-        getSettings().setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, true);
-        analyzer.initialize(getSettings());
+        Engine engine = new Engine(settings);
+        analyzer.prepareAnalyzer(engine);
 
         Identifier identifier = new PurlIdentifier("maven", "test", "test", "1.0",
                 Confidence.HIGHEST);
 
         Dependency dependency = new Dependency();
         dependency.addSoftwareIdentifier(identifier);
-        Settings settings = getSettings();
-        Engine engine = new Engine(settings);
 
         // When
         try (engine) {
@@ -180,17 +223,19 @@ void should_analyzeDependency_only_warn_when_socket_error_from_sonatype() throws
     void should_analyzeDependency_fail_when_socket_error_from_sonatype() throws Exception {
         // Given
         OssIndexAnalyzer analyzer = new OssIndexAnalyzerThrowingSocketTimeout();
+        Settings settings = getSettings();
+        setCredentials(settings);
+        settings.setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
+        Engine engine = new Engine(settings);
 
-        getSettings().setBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
-        analyzer.initialize(getSettings());
+        analyzer.initialize(settings);
+        analyzer.prepareAnalyzer(engine);
 
         Identifier identifier = new PurlIdentifier("maven", "test", "test", "1.0",
                 Confidence.HIGHEST);
 
         Dependency dependency = new Dependency();
         dependency.addSoftwareIdentifier(identifier);
-        Settings settings = getSettings();
-        Engine engine = new Engine(settings);
         engine.setDependencies(Collections.singletonList(dependency));
 
         // When
@@ -206,7 +251,25 @@ void should_analyzeDependency_fail_when_socket_error_from_sonatype() throws Exce
         analyzer.close();
     }
 
+    @Test
+    void should_prepareAnalyzer_fail_when_credentials_not_set() throws Exception {
+        OssIndexAnalyzer analyzer = new OssIndexAnalyzer();
+        Settings settings = getSettings();
+        Engine engine = new Engine(settings);
+        analyzer.initialize(settings);
+        try {
+            analyzer.prepareAnalyzer(engine);
+            assertThrows(InitializationException.class, () -> analyzer.prepareAnalyzer(engine));
+        } catch (InitializationException e) {
+          analyzer.close();
+          engine.close();
+        }
+    }
 
+    private static void setCredentials(final Settings settings) {
+        settings.setString(KEYS.ANALYZER_OSSINDEX_USER, "user");
+        settings.setString(KEYS.ANALYZER_OSSINDEX_PASSWORD, "pass");
+    }
 
     static final class OssIndexAnalyzerThrowing403 extends OssIndexAnalyzer {
         @Override
diff --git a/src/site/markdown/analyzers/oss-index-analyzer.md b/src/site/markdown/analyzers/oss-index-analyzer.md
index 4a85d4e7753..65636da4f67 100644
--- a/src/site/markdown/analyzers/oss-index-analyzer.md
+++ b/src/site/markdown/analyzers/oss-index-analyzer.md
@@ -8,3 +8,9 @@ identified vulnerabilities are included in the report. In addition, vulnerabilit
 found in both the NVD and OSS Index may have additional references added.
 
 This analyzer requires an Internet connection.
+
+Sonatype [announced](https://ossindex.sonatype.org/doc/auth-required) that OSS Index requires authentication.
+
+You can get an API Token following these steps:
+1. [Sign In](https://ossindex.sonatype.org/user/signin) or [Sign Up](https://ossindex.sonatype.org/user/register) for free.
+2. Get the API Token from user Settings.
\ No newline at end of file

From 8ddda012729cd8224f74823af2e3001ba34fd1c2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 20 Sep 2025 07:27:37 -0400
Subject: [PATCH 127/195] build(deps): bump actions/setup-node from 4.4.0 to
 5.0.0 (#7910)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/false-positive-approvals.yml | 2 +-
 .github/workflows/false-positive-ops.yml       | 2 +-
 .github/workflows/publish-suppressions.yml     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/false-positive-approvals.yml b/.github/workflows/false-positive-approvals.yml
index 2a228b4d17b..32b978d9e96 100644
--- a/.github/workflows/false-positive-approvals.yml
+++ b/.github/workflows/false-positive-approvals.yml
@@ -25,7 +25,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           ref: generatedSuppressions
-      - uses: actions/setup-node@v4.4.0
+      - uses: actions/setup-node@v5.0.0
       - run: |
           npm install fast-xml-parser@4.0.9
           npm install fs
diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml
index ef9c4dea09d..ff6e4a680de 100644
--- a/.github/workflows/false-positive-ops.yml
+++ b/.github/workflows/false-positive-ops.yml
@@ -41,7 +41,7 @@ jobs:
         with:
           issue-body: ${{ github.event.issue.body }}
           template-path: odc/.github/ISSUE_TEMPLATE/false-positive-report.yml
-      - uses: actions/setup-node@v4.4.0
+      - uses: actions/setup-node@v5.0.0
         with:
           node-version: 14
       - name: Initialize npm
diff --git a/.github/workflows/publish-suppressions.yml b/.github/workflows/publish-suppressions.yml
index 889b9a4f2f1..75245cb59f9 100644
--- a/.github/workflows/publish-suppressions.yml
+++ b/.github/workflows/publish-suppressions.yml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           ref: generatedSuppressions
-      - uses: actions/setup-node@v4.4.0
+      - uses: actions/setup-node@v5.0.0
       - run: |
           npm install fs
       - name: Create Generated Suppressions XML

From baf281b9e90f7f7e17707ebafd2e1815383b6e8b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 20 Sep 2025 07:28:08 -0400
Subject: [PATCH 128/195] build(deps): bump actions/setup-dotnet from 4.3.1 to
 5.0.0 (#7908)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml              | 2 +-
 .github/workflows/false-positive-ops.yml | 2 +-
 .github/workflows/pull_requests.yml      | 4 ++--
 .github/workflows/release.yml            | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fbef9282d26..90ec8ced510 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,7 +43,7 @@ jobs:
         with:
           path: core/target/data
           key: odc-data
-      - uses: actions/setup-dotnet@v4.3.1
+      - uses: actions/setup-dotnet@v5.0.0
         with:
           dotnet-version: '8.0.x'
       - name: Set up JDK 11
diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml
index ff6e4a680de..b6de8b176b6 100644
--- a/.github/workflows/false-positive-ops.yml
+++ b/.github/workflows/false-positive-ops.yml
@@ -111,7 +111,7 @@ jobs:
           cd ..
       - name: Setup dotnet
         if: ${{ fromJSON(steps.purl-parser.outputs.result).type == 'nuget' }}
-        uses: actions/setup-dotnet@v4.3.1
+        uses: actions/setup-dotnet@v5.0.0
         with:
           dotnet-version: '8.0.x'
       - name: Setup dotnet fp-project
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
index 73d62c7c6fe..ac0dfb8571d 100644
--- a/.github/workflows/pull_requests.yml
+++ b/.github/workflows/pull_requests.yml
@@ -23,7 +23,7 @@ jobs:
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
-      - uses: actions/setup-dotnet@v4.3.1
+      - uses: actions/setup-dotnet@v5.0.0
         with:
           dotnet-version: '8.0.x'
       - name: Set up JDK 11
@@ -81,7 +81,7 @@ jobs:
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: |
             ${{ runner.os }}-maven-
-      - uses: actions/setup-dotnet@v4.3.1
+      - uses: actions/setup-dotnet@v5.0.0
         with:
           dotnet-version: '8.0.x'
       - name: Set up JDK 11
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6105f498654..0edea498200 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -45,7 +45,7 @@ jobs:
         with:
           path: core/target/data
           key: odc-data
-      - uses: actions/setup-dotnet@v4.3.1
+      - uses: actions/setup-dotnet@v5.0.0
         with:
           dotnet-version: '8.0.x'
       - name: Set up JDK 11

From 1d15a2d685fb23ac24dedfcf733932a1a736ddbf Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 20 Sep 2025 07:51:40 -0400
Subject: [PATCH 129/195] docs: update changelog for release 12.1.4

---
 CHANGELOG.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ce7d1f529e..68852aec75e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,27 @@
 # Change Log
 
+## [Version 12.1.4](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.4) (2025-09-20)
+
+- **fix**: Update to support OSS Index Authentication Requirements (#7920)
+  - Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer. See https://ossindex.sonatype.org/doc/auth-required.
+- fix: add CVSSv4 to suppressed entries in JSON report (#7900)
+- fix: correctly utilize CVSSv4 from ossindex (#7899)
+- fix: npe when processing cve with empty configuration (#7888)
+- fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod (#7848)
+- fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod
+- fix: class loading problem with fat jars (#7786) (#7787)
+- fix: Improve Artifactory handler log message (#7838)
+- fix: classloading problem with fat jars (#7786)
+- fix: Add null checking when parsing the license json in AbstractNpmAnalyzer. (#7784)
+- fix(fp): resolves several false positives related to CVE-2021-41033 (#7736)
+- docs: Clarify format of exclude patterns (#7879)
+- docs: Document poetry-based analysis behaviour in Python analyzer (#7855)
+- docs: request FP reporters use the latest version of ODC. (#7820)
+- docs: update development pre-reqs (#7792)
+- docs: fix minor typos in false positive issue template (#7763)
+
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/98?closed=1)
+
 ## [Version 12.1.3](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.3) (2025-06-10)
 
 - fix: correct regex matches introduced in 12.1.2 (#7726)

From dcfcc106bce67c080e3674ae551b68453300e87a Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 20 Sep 2025 07:54:22 -0400
Subject: [PATCH 130/195] build: prepare release v12.1.4

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index 2672fd42130..a01fe49c164 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.4</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.4</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 97fcfb61fd0..fdc6acf8c6d 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.4</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-06-10T11:27:54Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-20T11:52:07Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>HEAD</tag>
+      <tag>v12.1.4</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index f1679dc91c2..f5596b35a0a 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.4</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.4</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 77ee0af07c2..265d73ece6f 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.4</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.4</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index 57853b1d107..a3be581e86a 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.4</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.4</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index 27d35738d7d..dbc98867853 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.4-SNAPSHOT</version>
+    <version>12.1.4</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.4</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-06-10T11:27:54Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-20T11:52:07Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 45754c7f851..04353a10df0 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.4</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.4</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 3220b965273700da7074f8aa470fe8105ac991bf Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 20 Sep 2025 07:54:22 -0400
Subject: [PATCH 131/195] build: prepare for next development iteration

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index a01fe49c164..cd65700f556 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.4</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index fdc6acf8c6d..98b0c1249fe 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-20T11:52:07Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-20T11:54:22Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>v12.1.4</tag>
+      <tag>HEAD</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index f5596b35a0a..07773e2d3ae 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.4</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 265d73ece6f..7a056ba6f3e 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.4</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index a3be581e86a..ff0d601cef1 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.4</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index dbc98867853..df6eb20d3dd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.4</version>
+    <version>12.1.5-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.4</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-20T11:52:07Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-20T11:54:22Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 04353a10df0..78e4c28ccbe 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4</version>
+        <version>12.1.5-SNAPSHOT</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.4</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 045e42874ce2ec34c8b108ee6e99ebe112bc8297 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 20 Sep 2025 08:19:16 -0400
Subject: [PATCH 132/195] chore: revert failed release

---
 ant/pom.xml       | 2 +-
 archetype/pom.xml | 2 +-
 cli/pom.xml       | 2 +-
 core/pom.xml      | 2 +-
 maven/pom.xml     | 2 +-
 pom.xml           | 2 +-
 test-docker.sh    | 2 ++
 utils/pom.xml     | 2 +-
 8 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index cd65700f556..2672fd42130 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 98b0c1249fe..663b36f466d 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
diff --git a/cli/pom.xml b/cli/pom.xml
index 07773e2d3ae..f1679dc91c2 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
diff --git a/core/pom.xml b/core/pom.xml
index 7a056ba6f3e..77ee0af07c2 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
diff --git a/maven/pom.xml b/maven/pom.xml
index ff0d601cef1..57853b1d107 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.4-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
diff --git a/pom.xml b/pom.xml
index df6eb20d3dd..32d6f7ebea7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.5-SNAPSHOT</version>
+    <version>12.1.4-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
diff --git a/test-docker.sh b/test-docker.sh
index 3d950493dec..611fe887141 100755
--- a/test-docker.sh
+++ b/test-docker.sh
@@ -61,6 +61,8 @@ docker run --rm \
     --scan /src \
     --format "JSON" \
     --project "test scan" \
+    --disableCentral \
+    --disableOssIndex \
     --out /report \
     --log /report/odc.log \
     --nvdDatafeed https://dependency-check.github.io/DependencyCheck/hb_nvd/
diff --git a/utils/pom.xml b/utils/pom.xml
index 78e4c28ccbe..45754c7f851 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.4-SNAPSHOT</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>

From d5198d5d7d945e230b91d2a4d9dc292b89e35b8d Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 20 Sep 2025 08:37:30 -0400
Subject: [PATCH 133/195] chore: bump project to 12.1.5

---
 CHANGELOG.md      | 2 +-
 ant/pom.xml       | 2 +-
 archetype/pom.xml | 2 +-
 cli/pom.xml       | 2 +-
 core/pom.xml      | 2 +-
 maven/pom.xml     | 2 +-
 pom.xml           | 2 +-
 utils/pom.xml     | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 68852aec75e..13734bbba2d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Change Log
 
-## [Version 12.1.4](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.4) (2025-09-20)
+## [Version 12.1.5](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.5) (2025-09-20)
 
 - **fix**: Update to support OSS Index Authentication Requirements (#7920)
   - Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer. See https://ossindex.sonatype.org/doc/auth-required.
diff --git a/ant/pom.xml b/ant/pom.xml
index 2672fd42130..cd65700f556 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 663b36f466d..98b0c1249fe 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
diff --git a/cli/pom.xml b/cli/pom.xml
index f1679dc91c2..07773e2d3ae 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
diff --git a/core/pom.xml b/core/pom.xml
index 77ee0af07c2..7a056ba6f3e 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
diff --git a/maven/pom.xml b/maven/pom.xml
index 57853b1d107..ff0d601cef1 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.5-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
diff --git a/pom.xml b/pom.xml
index 32d6f7ebea7..df6eb20d3dd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.4-SNAPSHOT</version>
+    <version>12.1.5-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
diff --git a/utils/pom.xml b/utils/pom.xml
index 45754c7f851..78e4c28ccbe 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.4-SNAPSHOT</version>
+        <version>12.1.5-SNAPSHOT</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>

From 71e0fd86351e32956aeae3436102b27e291af6e2 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 20 Sep 2025 08:42:40 -0400
Subject: [PATCH 134/195] build: prepare release v12.1.5

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index cd65700f556..4d538455e7a 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.5</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.5</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 98b0c1249fe..b33f1c992ae 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.5</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-20T11:54:22Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-20T12:40:22Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>HEAD</tag>
+      <tag>v12.1.5</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index 07773e2d3ae..ce6d98a95d3 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.5</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.5</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 7a056ba6f3e..94dd8a753d0 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.5</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.5</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index ff0d601cef1..ce454027c7a 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.5</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.5</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index df6eb20d3dd..9cc03721bd3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.5-SNAPSHOT</version>
+    <version>12.1.5</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.5</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-20T11:54:22Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-20T12:40:22Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 78e4c28ccbe..2148c59a96b 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5-SNAPSHOT</version>
+        <version>12.1.5</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.5</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 4434197d26c757f5311169f4ef21a57246b03721 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 20 Sep 2025 08:42:40 -0400
Subject: [PATCH 135/195] build: prepare for next development iteration

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index 4d538455e7a..dcc40a2a0d9 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5</version>
+        <version>12.1.6-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.5</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index b33f1c992ae..1defbfc441a 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5</version>
+        <version>12.1.6-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-20T12:40:22Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-20T12:42:40Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>v12.1.5</tag>
+      <tag>HEAD</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index ce6d98a95d3..d551dda9cc8 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5</version>
+        <version>12.1.6-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.5</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 94dd8a753d0..7fb940d87bc 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5</version>
+        <version>12.1.6-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.5</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index ce454027c7a..b40a3f97ebd 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5</version>
+        <version>12.1.6-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.5</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index 9cc03721bd3..b857ebc577d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.5</version>
+    <version>12.1.6-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.5</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-20T12:40:22Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-20T12:42:40Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 2148c59a96b..13addee990b 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.5</version>
+        <version>12.1.6-SNAPSHOT</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.5</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 36543b5f6bc6143c732ddbd24c08dcf67abf04c9 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Sun, 21 Sep 2025 18:10:21 +0800
Subject: [PATCH 136/195] fix: Correct CVSSv4 parsing for low precision
 OSSIndex values (#7935)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../owasp/dependencycheck/utils/CvssUtil.java |  10 +-
 .../dependencycheck/utils/CvssUtilTest.java   | 171 ++++++++----------
 2 files changed, 80 insertions(+), 101 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java b/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java
index c5f6c620dcb..411f27bb4fc 100644
--- a/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java
+++ b/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java
@@ -229,14 +229,14 @@ public static CvssV3 vectorToCvssV3(String vectorString, Double baseScore) {
         return cvss;
     }
 
-    private static CvssV4Data.SeverityType toSeverityType(double baseScore) {
+    public static CvssV4Data.SeverityType cvssV4ScoreToSeverity(double baseScore) {
         if (baseScore == 0.0) {
             return CvssV4Data.SeverityType.NONE;
-        } else if (baseScore >= 0.1 && baseScore <= 3.9) {
+        } else if (baseScore > 0.0 && baseScore < 4.0) {
             return CvssV4Data.SeverityType.LOW;
-        } else if (baseScore >= 4.0 && baseScore <= 6.9) {
+        } else if (baseScore >= 4.0 && baseScore < 7.0) {
             return CvssV4Data.SeverityType.MEDIUM;
-        } else if (baseScore >= 7.0 && baseScore <= 8.9) {
+        } else if (baseScore >= 7.0 && baseScore < 9.0) {
             return CvssV4Data.SeverityType.HIGH;
         } else if (baseScore >= 9.0 && baseScore <= 10.0) {
             return CvssV4Data.SeverityType.CRITICAL;
@@ -300,7 +300,7 @@ public static CvssV4 vectorToCvssV4(String source, CvssV4.Type type, Double base
         CvssV4Data.VulnerabilityResponseEffortType vulnerabilityResponseEffort = values.containsKey("RE") ? CvssV4Data.VulnerabilityResponseEffortType.fromValue(values.get("RE")) : CvssV4Data.VulnerabilityResponseEffortType.NOT_DEFINED;
         CvssV4Data.ProviderUrgencyType providerUrgency = values.containsKey("U") ? CvssV4Data.ProviderUrgencyType.fromValue(values.get("U")) : CvssV4Data.ProviderUrgencyType.NOT_DEFINED;
 
-        CvssV4Data.SeverityType baseSeverity = toSeverityType(baseScore);
+        CvssV4Data.SeverityType baseSeverity = cvssV4ScoreToSeverity(baseScore);
         // Scores and severities are not present in the vector string, set to null/defaults
         Double threatScore = null;
         CvssV4Data.SeverityType threatSeverity = null;
diff --git a/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java b/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
index 5d517d1998c..fff6cec8120 100644
--- a/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
@@ -21,10 +21,13 @@
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3Data;
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4;
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4Data;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 /**
  *
@@ -56,50 +59,17 @@ void testVectorToCvssV2() {
      */
     @Test
     void testCvssV2ScoreToSeverity() {
-        Double score = -1.0;
-        String expResult = "UNKNOWN";
-        String result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 0.0;
-        expResult = "LOW";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 1.0;
-        expResult = "LOW";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 3.9;
-        expResult = "LOW";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 4.0;
-        expResult = "MEDIUM";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 6.9;
-        expResult = "MEDIUM";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 7.0;
-        expResult = "HIGH";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 10.0;
-        expResult = "HIGH";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 11.0;
-        expResult = "UNKNOWN";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
+        assertEquals("UNKNOWN", CvssUtil.cvssV2ScoreToSeverity(-1.0));
+        assertEquals("LOW", CvssUtil.cvssV2ScoreToSeverity(0.0));
+        assertEquals("LOW", CvssUtil.cvssV2ScoreToSeverity(0.05));
+        assertEquals("LOW", CvssUtil.cvssV2ScoreToSeverity(1.0));
+        assertEquals("LOW", CvssUtil.cvssV2ScoreToSeverity(3.9));
+        assertEquals("MEDIUM", CvssUtil.cvssV2ScoreToSeverity(4.0));
+        assertEquals("MEDIUM", CvssUtil.cvssV2ScoreToSeverity(6.9));
+        assertEquals("MEDIUM", CvssUtil.cvssV2ScoreToSeverity((double) 6.9f)); // test low-precision floating point values
+        assertEquals("HIGH", CvssUtil.cvssV2ScoreToSeverity(7.0));
+        assertEquals("HIGH", CvssUtil.cvssV2ScoreToSeverity(10.0));
+        assertEquals("UNKNOWN", CvssUtil.cvssV2ScoreToSeverity(11.0));
     }
 
     /**
@@ -107,58 +77,19 @@ void testCvssV2ScoreToSeverity() {
      */
     @Test
     void testCvssV3ScoreToSeverity() {
-        Double score = 0.0;
-        CvssV3Data.SeverityType expResult = CvssV3Data.SeverityType.NONE;
-        CvssV3Data.SeverityType result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 1.0;
-        expResult = CvssV3Data.SeverityType.LOW;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 3.9;
-        expResult = CvssV3Data.SeverityType.LOW;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 4.0;
-        expResult = CvssV3Data.SeverityType.MEDIUM;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 6.9;
-        expResult = CvssV3Data.SeverityType.MEDIUM;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 7.0;
-        expResult = CvssV3Data.SeverityType.HIGH;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 8.9;
-        expResult = CvssV3Data.SeverityType.HIGH;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 9.0;
-        expResult = CvssV3Data.SeverityType.CRITICAL;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 10.0;
-        expResult = CvssV3Data.SeverityType.CRITICAL;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 11.0;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertNull(result);
-
-        score = -1.0;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertNull(result);
+        assertEquals(CvssV3Data.SeverityType.NONE, CvssUtil.cvssV3ScoreToSeverity(0.0));
+        assertEquals(CvssV3Data.SeverityType.LOW, CvssUtil.cvssV3ScoreToSeverity(0.05));
+        assertEquals(CvssV3Data.SeverityType.LOW, CvssUtil.cvssV3ScoreToSeverity(1.0));
+        assertEquals(CvssV3Data.SeverityType.LOW, CvssUtil.cvssV3ScoreToSeverity(3.9));
+        assertEquals(CvssV3Data.SeverityType.MEDIUM, CvssUtil.cvssV3ScoreToSeverity(4.0));
+        assertEquals(CvssV3Data.SeverityType.MEDIUM, CvssUtil.cvssV3ScoreToSeverity(6.9));
+        assertEquals(CvssV3Data.SeverityType.MEDIUM, CvssUtil.cvssV3ScoreToSeverity((double) 6.9f)); // test low-precision floating point values
+        assertEquals(CvssV3Data.SeverityType.HIGH, CvssUtil.cvssV3ScoreToSeverity(7.0));
+        assertEquals(CvssV3Data.SeverityType.HIGH, CvssUtil.cvssV3ScoreToSeverity(8.9));
+        assertEquals(CvssV3Data.SeverityType.CRITICAL, CvssUtil.cvssV3ScoreToSeverity(9.0));
+        assertEquals(CvssV3Data.SeverityType.CRITICAL, CvssUtil.cvssV3ScoreToSeverity(10.0));
+        assertNull(CvssUtil.cvssV3ScoreToSeverity(11.0));
+        assertNull(CvssUtil.cvssV3ScoreToSeverity(-1.0));
     }
 
     /**
@@ -182,4 +113,52 @@ void testVectorToCvssV3() {
         assertEquals(10.0, result.getCvssData().getBaseScore(), 0);
     }
 
+    /**
+     * Test of cvssV4ScoreToSeverity method, of class CvssUtil.
+     */
+    @Test
+    void testCvssV4ScoreToSeverity() {
+        assertEquals(CvssV4Data.SeverityType.NONE, CvssUtil.cvssV4ScoreToSeverity(0.0));
+        assertEquals(CvssV4Data.SeverityType.LOW, CvssUtil.cvssV4ScoreToSeverity(0.05));
+        assertEquals(CvssV4Data.SeverityType.LOW, CvssUtil.cvssV4ScoreToSeverity(1.0));
+        assertEquals(CvssV4Data.SeverityType.LOW, CvssUtil.cvssV4ScoreToSeverity(3.9));
+        assertEquals(CvssV4Data.SeverityType.MEDIUM, CvssUtil.cvssV4ScoreToSeverity(4.0));
+        assertEquals(CvssV4Data.SeverityType.MEDIUM, CvssUtil.cvssV4ScoreToSeverity(6.9));
+        assertEquals(CvssV4Data.SeverityType.MEDIUM, CvssUtil.cvssV4ScoreToSeverity(6.9f)); // test low-precision floating point values
+        assertEquals(CvssV4Data.SeverityType.HIGH, CvssUtil.cvssV4ScoreToSeverity(7.0));
+        assertEquals(CvssV4Data.SeverityType.HIGH, CvssUtil.cvssV4ScoreToSeverity(8.9));
+        assertEquals(CvssV4Data.SeverityType.CRITICAL, CvssUtil.cvssV4ScoreToSeverity(9.0));
+        assertEquals(CvssV4Data.SeverityType.CRITICAL, CvssUtil.cvssV4ScoreToSeverity(10.0));
+        assertThrows(IllegalArgumentException.class, () -> CvssUtil.cvssV4ScoreToSeverity(11.0));
+        assertThrows(IllegalArgumentException.class, () -> CvssUtil.cvssV4ScoreToSeverity(-1.0));
+    }
+
+    /**
+     * Test of vectorToCvssV4 method, of class CvssUtil.
+     */
+    @Test
+    void testVectorToCvssV4() {
+        String vectorString = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N";
+        Double baseScore = 8.2;
+        String source = "ossIndex";
+        CvssV4.Type type = CvssV4.Type.PRIMARY;
+        CvssV4 result = CvssUtil.vectorToCvssV4(source, type, baseScore, vectorString);
+        assertEquals(CvssV4Data.Version._4_0, result.getCvssData().getVersion());
+        assertEquals(source, result.getSource());
+        assertEquals(type, result.getType());
+        assertEquals(CvssV4Data.AttackVectorType.NETWORK, result.getCvssData().getAttackVector());
+        assertEquals(CvssV4Data.AttackComplexityType.LOW, result.getCvssData().getAttackComplexity());
+        assertEquals(CvssV4Data.AttackRequirementsType.PRESENT, result.getCvssData().getAttackRequirements());
+        assertEquals(CvssV4Data.PrivilegesRequiredType.NONE, result.getCvssData().getPrivilegesRequired());
+        assertEquals(CvssV4Data.UserInteractionType.NONE, result.getCvssData().getUserInteraction());
+        assertEquals(CvssV4Data.CiaType.HIGH, result.getCvssData().getVulnConfidentialityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getVulnIntegrityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getVulnAvailabilityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getSubConfidentialityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getSubIntegrityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getSubAvailabilityImpact());
+        assertEquals(CvssV4Data.SeverityType.HIGH, result.getCvssData().getBaseSeverity());
+        assertEquals(8.2, result.getCvssData().getBaseScore(), 0);
+    }
+
 }

From dd04cd1c048cd6c71c5cf44a574cc92f2bd1dfc3 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Mon, 22 Sep 2025 18:38:58 +0800
Subject: [PATCH 137/195] chore: fix version typo in security policy (#7936)

---
 SECURITY.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SECURITY.md b/SECURITY.md
index a8fac4b22db..08e36f7633f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,7 +4,7 @@
 
 | Version   | Supported          |
 |-----------|--------------------|
-| 12.2.3+   | :white_check_mark: |
+| 12.1.3+   | :white_check_mark: |
 | <= 12.1.2 | :x:                |
 
 ## Reporting a Vulnerability

From a74b3c729d2f10811caefa52de5005209d8a962b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 4 Aug 2025 01:57:48 +0000
Subject: [PATCH 138/195] build(deps): bump commons-cli:commons-cli from 1.9.0
 to 1.10.0

Bumps [commons-cli:commons-cli](https://github.com/apache/commons-cli) from 1.9.0 to 1.10.0.
- [Changelog](https://github.com/apache/commons-cli/blob/master/RELEASE-NOTES.txt)
- [Commits](https://github.com/apache/commons-cli/compare/rel/commons-cli-1.9.0...rel/commons-cli-1.10.0)

---
updated-dependencies:
- dependency-name: commons-cli:commons-cli
  dependency-version: 1.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index b857ebc577d..a95cfbef4ac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -143,7 +143,7 @@ Copyright (c) 2012 - Jeremy Long
         <jetbrains.annotations.version>26.0.2</jetbrains.annotations.version>
         <findbugs.spotbugs.version>4.9.4</findbugs.spotbugs.version>
         <com.h2database.version>2.3.232</com.h2database.version>
-        <commons-cli.version>1.9.0</commons-cli.version>
+        <commons-cli.version>1.10.0</commons-cli.version>
         <commons-io.version>2.20.0</commons-io.version>
         <commons-lang3.version>3.18.0</commons-lang3.version>
         <commons-text.version>1.14.0</commons-text.version>

From 9cbfb35974865eec267f8240d6f6f0916247a4e1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 22 Sep 2025 07:41:04 -0400
Subject: [PATCH 139/195] build(deps): bump org.jetbrains:annotations from
 26.0.2 to 26.0.2-1 (#7913)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index b857ebc577d..a75bca9125b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -140,7 +140,7 @@ Copyright (c) 2012 - Jeremy Long
         <spotbugs.maven.plugin.version>4.9.4.0</spotbugs.maven.plugin.version>
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>
-        <jetbrains.annotations.version>26.0.2</jetbrains.annotations.version>
+        <jetbrains.annotations.version>26.0.2-1</jetbrains.annotations.version>
         <findbugs.spotbugs.version>4.9.4</findbugs.spotbugs.version>
         <com.h2database.version>2.3.232</com.h2database.version>
         <commons-cli.version>1.9.0</commons-cli.version>

From 1e7a5982e84ad38a447b94c6950cc9b107d52ab0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 23 Sep 2025 01:01:17 +0000
Subject: [PATCH 140/195] build(deps): bump
 com.github.spotbugs:spotbugs-annotations

Bumps [com.github.spotbugs:spotbugs-annotations](https://github.com/spotbugs/spotbugs) from 4.9.4 to 4.9.6.
- [Release notes](https://github.com/spotbugs/spotbugs/releases)
- [Changelog](https://github.com/spotbugs/spotbugs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/spotbugs/spotbugs/compare/4.9.4...4.9.6)

---
updated-dependencies:
- dependency-name: com.github.spotbugs:spotbugs-annotations
  dependency-version: 4.9.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index a75bca9125b..bc121d2033d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -141,7 +141,7 @@ Copyright (c) 2012 - Jeremy Long
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>
         <jetbrains.annotations.version>26.0.2-1</jetbrains.annotations.version>
-        <findbugs.spotbugs.version>4.9.4</findbugs.spotbugs.version>
+        <findbugs.spotbugs.version>4.9.6</findbugs.spotbugs.version>
         <com.h2database.version>2.3.232</com.h2database.version>
         <commons-cli.version>1.9.0</commons-cli.version>
         <commons-io.version>2.20.0</commons-io.version>

From b3aa3f205d4600eb27b86c0a4e177c69bd3484fe Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Tue, 23 Sep 2025 19:02:54 +0800
Subject: [PATCH 141/195] build: replace deprecated jlink argument (#7953)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 709f1844f22..af7aeb711d5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.25.1-alpine AS go
 
 FROM azul/zulu-openjdk-alpine:21 AS jlink
 
-RUN "$JAVA_HOME/bin/jlink" --compress=2 --module-path /opt/java/openjdk/jmods --add-modules java.base,java.compiler,java.datatransfer,jdk.crypto.ec,java.desktop,java.instrument,java.logging,java.management,java.naming,java.rmi,java.scripting,java.security.sasl,java.sql,java.transaction.xa,java.xml,jdk.unsupported --output /jlinked
+RUN "$JAVA_HOME/bin/jlink" --compress=zip-6 --module-path /opt/java/openjdk/jmods --add-modules java.base,java.compiler,java.datatransfer,jdk.crypto.ec,java.desktop,java.instrument,java.logging,java.management,java.naming,java.rmi,java.scripting,java.security.sasl,java.sql,java.transaction.xa,java.xml,jdk.unsupported --output /jlinked
 
 FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine3.22
 

From 60082023688fc68551fb4942d0b46c8683754ce8 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Tue, 23 Sep 2025 19:06:35 +0800
Subject: [PATCH 142/195] test: Fix AssemblyAnalyzerTest to be robust to Grok
 availability (#7950)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index f15a7fd93aa..d9cd109f3ba 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -427,7 +427,9 @@ private File extractGrokAssembly() throws InitializationException {
      */
     @Override
     public void closeAnalyzer() throws Exception {
-        FileUtils.delete(grokAssembly.getParentFile());
+        if (grokAssembly != null) {
+            FileUtils.delete(grokAssembly.getParentFile());
+        }
     }
 
     @Override

From 4af07ccd1635cdd308aafa0a6dabb4751e4f29e5 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Tue, 23 Sep 2025 19:07:35 +0800
Subject: [PATCH 143/195] docs: Implement #7808 to make changelog links
 clickable (#7945)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 CHANGELOG.md    | 622 ++++++++++++++++++++++++------------------------
 list-changes.sh |   4 +-
 2 files changed, 314 insertions(+), 312 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13734bbba2d..af661a61dca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,103 +2,103 @@
 
 ## [Version 12.1.5](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.5) (2025-09-20)
 
-- **fix**: Update to support OSS Index Authentication Requirements (#7920)
+- **fix**: Update to support OSS Index Authentication Requirements ([#7920](https://github.com/dependency-check/DependencyCheck/pull/7920))
   - Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer. See https://ossindex.sonatype.org/doc/auth-required.
-- fix: add CVSSv4 to suppressed entries in JSON report (#7900)
-- fix: correctly utilize CVSSv4 from ossindex (#7899)
-- fix: npe when processing cve with empty configuration (#7888)
-- fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod (#7848)
+- fix: add CVSSv4 to suppressed entries in JSON report ([#7900](https://github.com/dependency-check/DependencyCheck/pull/7900))
+- fix: correctly utilize CVSSv4 from ossindex ([#7899](https://github.com/dependency-check/DependencyCheck/pull/7899))
+- fix: npe when processing cve with empty configuration ([#7888](https://github.com/dependency-check/DependencyCheck/pull/7888))
+- fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod ([#7848](https://github.com/dependency-check/DependencyCheck/pull/7848))
 - fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod
-- fix: class loading problem with fat jars (#7786) (#7787)
-- fix: Improve Artifactory handler log message (#7838)
-- fix: classloading problem with fat jars (#7786)
-- fix: Add null checking when parsing the license json in AbstractNpmAnalyzer. (#7784)
-- fix(fp): resolves several false positives related to CVE-2021-41033 (#7736)
-- docs: Clarify format of exclude patterns (#7879)
-- docs: Document poetry-based analysis behaviour in Python analyzer (#7855)
-- docs: request FP reporters use the latest version of ODC. (#7820)
-- docs: update development pre-reqs (#7792)
-- docs: fix minor typos in false positive issue template (#7763)
+- fix: class loading problem with fat jars ([#7786](https://github.com/dependency-check/DependencyCheck/pull/7786)) ([#7787](https://github.com/dependency-check/DependencyCheck/pull/7787))
+- fix: Improve Artifactory handler log message ([#7838](https://github.com/dependency-check/DependencyCheck/pull/7838))
+- fix: classloading problem with fat jars ([#7786](https://github.com/dependency-check/DependencyCheck/pull/7786))
+- fix: Add null checking when parsing the license json in AbstractNpmAnalyzer. ([#7784](https://github.com/dependency-check/DependencyCheck/pull/7784))
+- fix(fp): resolves several false positives related to CVE-2021-41033 ([#7736](https://github.com/dependency-check/DependencyCheck/pull/7736))
+- docs: Clarify format of exclude patterns ([#7879](https://github.com/dependency-check/DependencyCheck/pull/7879))
+- docs: Document poetry-based analysis behaviour in Python analyzer ([#7855](https://github.com/dependency-check/DependencyCheck/pull/7855))
+- docs: request FP reporters use the latest version of ODC. ([#7820](https://github.com/dependency-check/DependencyCheck/pull/7820))
+- docs: update development pre-reqs ([#7792](https://github.com/dependency-check/DependencyCheck/pull/7792))
+- docs: fix minor typos in false positive issue template ([#7763](https://github.com/dependency-check/DependencyCheck/pull/7763))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/98?closed=1)
 
 ## [Version 12.1.3](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.3) (2025-06-10)
 
-- fix: correct regex matches introduced in 12.1.2 (#7726)
-- build(deps): bump org.semver4j:semver4j from 5.7.0 to 5.7.1 (#7718)
-- build(deps): bump junit.version from 5.13.0 to 5.13.1 (#7719)
+- fix: correct regex matches introduced in 12.1.2 ([#7726](https://github.com/dependency-check/DependencyCheck/pull/7726))
+- build(deps): bump org.semver4j:semver4j from 5.7.0 to 5.7.1 ([#7718](https://github.com/dependency-check/DependencyCheck/pull/7718))
+- build(deps): bump junit.version from 5.13.0 to 5.13.1 ([#7719](https://github.com/dependency-check/DependencyCheck/pull/7719))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/97?closed=1)
 
 ## [Version 12.1.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.2) (2025-06-07)
 
-- fix: Allow configuring OSS Index user/pw directly (#7640)
-- fix: remove vulnerable transitive dependency - beanutils (#7705)
-- fix: Simplify PHP framework suppression for Composer (#7693)
-- fix: update CPE pattern to remove FP (#7684)
-- fix(cli): Patch generated Windows shell script for JAVACMD installs with spaces (#7653)
-- fix: Resolve various WCAG accessibility / css issues in the HTML report (#7629)
-- fix: #7510 Display a dedicated message when receiving an HTTP 403 (#7575)
-- docs: Make `Vulnerability Sources` in `Related Work` clearer (#7691)
-- docs: #7610 add a reference to NVD mirroring in getting started documentation (#7611)
+- fix: Allow configuring OSS Index user/pw directly ([#7640](https://github.com/dependency-check/DependencyCheck/pull/7640))
+- fix: remove vulnerable transitive dependency - beanutils ([#7705](https://github.com/dependency-check/DependencyCheck/pull/7705))
+- fix: Simplify PHP framework suppression for Composer ([#7693](https://github.com/dependency-check/DependencyCheck/pull/7693))
+- fix: update CPE pattern to remove FP ([#7684](https://github.com/dependency-check/DependencyCheck/pull/7684))
+- fix(cli): Patch generated Windows shell script for JAVACMD installs with spaces ([#7653](https://github.com/dependency-check/DependencyCheck/pull/7653))
+- fix: Resolve various WCAG accessibility / css issues in the HTML report ([#7629](https://github.com/dependency-check/DependencyCheck/pull/7629))
+- fix: [#7510](https://github.com/dependency-check/DependencyCheck/pull/7510) Display a dedicated message when receiving an HTTP 403 ([#7575](https://github.com/dependency-check/DependencyCheck/pull/7575))
+- docs: Make `Vulnerability Sources` in `Related Work` clearer ([#7691](https://github.com/dependency-check/DependencyCheck/pull/7691))
+- docs: [#7610](https://github.com/dependency-check/DependencyCheck/pull/7610) add a reference to NVD mirroring in getting started documentation ([#7611](https://github.com/dependency-check/DependencyCheck/pull/7611))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/96?closed=1)
 
 ## [Version 12.1.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.1) (2025-04-05)
 
 - fix: resolve NVD data Parse error `com.fasterxml.jackson.core.JsonParseException: Unexpected character (']' (code 93))`
-  - bump open-vulnerability-client from 7.3.1 to 7.3.2  (#7577)
-- fix: update links for repository move from `jeremylong` to the `dependency-check` organization (#7373)
-- fix: resolve NPE when processing CVE-2025-2682 (#7558)
-- fix: prevent rogue base suppression files (#7544)
-- fix: #6819 handle invalid toml file (#7548)
-- fix: Use unscored severity only in absence of any CVSS baseScore (#7530)
-- fix: protect against exotic version number of yarn (#7525)
-- fix: Ignore require-bundle MANIFEST.MF entry for evidence (#7523)
-- fix: avoid error on yarn berry audit when no vulnerability found (#7501)
-- fix: improve null checks in Downloader (#7493)
+  - bump open-vulnerability-client from 7.3.1 to 7.3.2  ([#7577](https://github.com/dependency-check/DependencyCheck/pull/7577))
+- fix: update links for repository move from `jeremylong` to the `dependency-check` organization ([#7373](https://github.com/dependency-check/DependencyCheck/pull/7373))
+- fix: resolve NPE when processing CVE-2025-2682 ([#7558](https://github.com/dependency-check/DependencyCheck/pull/7558))
+- fix: prevent rogue base suppression files ([#7544](https://github.com/dependency-check/DependencyCheck/pull/7544))
+- fix: [#6819](https://github.com/dependency-check/DependencyCheck/pull/6819) handle invalid toml file ([#7548](https://github.com/dependency-check/DependencyCheck/pull/7548))
+- fix: Use unscored severity only in absence of any CVSS baseScore ([#7530](https://github.com/dependency-check/DependencyCheck/pull/7530))
+- fix: protect against exotic version number of yarn ([#7525](https://github.com/dependency-check/DependencyCheck/pull/7525))
+- fix: Ignore require-bundle MANIFEST.MF entry for evidence ([#7523](https://github.com/dependency-check/DependencyCheck/pull/7523))
+- fix: avoid error on yarn berry audit when no vulnerability found ([#7501](https://github.com/dependency-check/DependencyCheck/pull/7501))
+- fix: improve null checks in Downloader ([#7493](https://github.com/dependency-check/DependencyCheck/pull/7493))
 - fix: improve null checks resolves https://github.com/dependency-check/dependency-check-gradle/issues/441
-- fix: Avoid FPs when Composer product name has php (#7486)
-- fix: cli not honoring window paths correctly (#7470)
-- fix: Also apply muteNoisyLoggers to UpdateMojo (#7469)
-- fix: Make HC5 Downloader honor the connection- and readTimeout settings that the old URLConnectionFactory based downloads observed (#7437) 
-- docs: sync the supported Maven version with the one stated in the system requirement section (#7570)
-- docs: update proxy config documentation (#7550)
+- fix: Avoid FPs when Composer product name has php ([#7486](https://github.com/dependency-check/DependencyCheck/pull/7486))
+- fix: cli not honoring window paths correctly ([#7470](https://github.com/dependency-check/DependencyCheck/pull/7470))
+- fix: Also apply muteNoisyLoggers to UpdateMojo ([#7469](https://github.com/dependency-check/DependencyCheck/pull/7469))
+- fix: Make HC5 Downloader honor the connection- and readTimeout settings that the old URLConnectionFactory based downloads observed ([#7437](https://github.com/dependency-check/DependencyCheck/pull/7437)) 
+- docs: sync the supported Maven version with the one stated in the system requirement section ([#7570](https://github.com/dependency-check/DependencyCheck/pull/7570))
+- docs: update proxy config documentation ([#7550](https://github.com/dependency-check/DependencyCheck/pull/7550))
 - docs: Remove copyright as requested by the Apache foundation
-- docs: drop redundant text in the Internet Access Required section (#7521)
-- docs: correct gradle documentation (#7511)
+- docs: drop redundant text in the Internet Access Required section ([#7521](https://github.com/dependency-check/DependencyCheck/pull/7521))
+- docs: correct gradle documentation ([#7511](https://github.com/dependency-check/DependencyCheck/pull/7511))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/95?closed=1)
 
 ## [Version 12.1.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.0) (2025-02-16)
 
-- build(deps): bump open-vulnerability-client to 7.2.2 (#7407)
-  - resolves issue with downloading data from the NVD (#7406)
-- fix: Improve thread safety issue #7338 alternative (#7367)
-- feat: Implement Yarn Berry Analyser (#7319)
+- build(deps): bump open-vulnerability-client to 7.2.2 ([#7407](https://github.com/dependency-check/DependencyCheck/pull/7407))
+  - resolves issue with downloading data from the NVD ([#7406](https://github.com/dependency-check/DependencyCheck/pull/7406))
+- fix: Improve thread safety issue [#7338](https://github.com/dependency-check/DependencyCheck/pull/7338) alternative ([#7367](https://github.com/dependency-check/DependencyCheck/pull/7367))
+- feat: Implement Yarn Berry Analyser ([#7319](https://github.com/dependency-check/DependencyCheck/pull/7319))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/94?closed=1)
 
 ## [Version 12.0.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.0.2) (2025-01-29)
 
-- fix: correct JSON report error (#7350)
-- fix: some compatability issues in the gitlab report (#7349)
-- fix: ArtifactoryAnalyzer updated to use the HTTPClient5-based Downloader and skip unusable results (#7293)
-- chore: allow messages via EngineVersionCheck (#7353)
-- chore: switch from javax.json to jakarta.json (#7326)
+- fix: correct JSON report error ([#7350](https://github.com/dependency-check/DependencyCheck/pull/7350))
+- fix: some compatability issues in the gitlab report ([#7349](https://github.com/dependency-check/DependencyCheck/pull/7349))
+- fix: ArtifactoryAnalyzer updated to use the HTTPClient5-based Downloader and skip unusable results ([#7293](https://github.com/dependency-check/DependencyCheck/pull/7293))
+- chore: allow messages via EngineVersionCheck ([#7353](https://github.com/dependency-check/DependencyCheck/pull/7353))
+- chore: switch from javax.json to jakarta.json ([#7326](https://github.com/dependency-check/DependencyCheck/pull/7326))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/93?closed=1).
 
 ## [Version 12.0.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.0.1) (2025-01-19)
 
-- docs: Fix OSS Index Maven config documentation (#7322)
+- docs: Fix OSS Index Maven config documentation ([#7322](https://github.com/dependency-check/DependencyCheck/pull/7322))
 - Fix OSS Index Maven config documentation
-- chore(docs): Document Gradle plugin support for failBuildOnUnusedSuppressionRule (#7307)
-- chore(docs): Correct analyzers config example to use Gradle dot-syntax (#7305)
-- fix: improve error message on improperly configured serverId credentials in settings.xml (#7313)
+- chore(docs): Document Gradle plugin support for failBuildOnUnusedSuppressionRule ([#7307](https://github.com/dependency-check/DependencyCheck/pull/7307))
+- chore(docs): Correct analyzers config example to use Gradle dot-syntax ([#7305](https://github.com/dependency-check/DependencyCheck/pull/7305))
+- fix: improve error message on improperly configured serverId credentials in settings.xml ([#7313](https://github.com/dependency-check/DependencyCheck/pull/7313))
 - fix: Lower Basic serverId when Bearer was expected to a warning
 - fix: improve error message on improperly configured serverId credentials
-- fix: Correct nonProxyHosts support when no sys properties set (#7306)
+- fix: Correct nonProxyHosts support when no sys properties set ([#7306](https://github.com/dependency-check/DependencyCheck/pull/7306))
 - core(docs): Group failBuildOnUnusedSuppressionRule flag next to suppression file configuration
 - core(docs): Update Gradle plugin documentation for failBuildOnUnusedSuppressionRule support
 - fix: Correct nonProxyHosts support when no sys properties set
@@ -108,100 +108,100 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ## [Version 12.0.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.0.0) (2025-01-11)
 
-- BREAKING CHANGE: report on CVSS v4 (#7204)
+- BREAKING CHANGE: report on CVSS v4 ([#7204](https://github.com/dependency-check/DependencyCheck/pull/7204))
   - the schema has been updated to include CVSS v4 for JSON and XML reports
-- feat: show from which dependency the CVE comes in failure report (#7224)
-- feat: Use Maven settings decryption API for decrypting secrets from settings.xml (#7284)
-- feat: Extend authentication to support Bearer token for many resources (#7277)
-- feat: Add a flag to fail when one or more suppression rules are not used (#7244)
-- fix: add product evidence as vendor to reduce FN (#7295)
-- fix: Make the HTTP-Client use pre-emptive authentication (#7255)
+- feat: show from which dependency the CVE comes in failure report ([#7224](https://github.com/dependency-check/DependencyCheck/pull/7224))
+- feat: Use Maven settings decryption API for decrypting secrets from settings.xml ([#7284](https://github.com/dependency-check/DependencyCheck/pull/7284))
+- feat: Extend authentication to support Bearer token for many resources ([#7277](https://github.com/dependency-check/DependencyCheck/pull/7277))
+- feat: Add a flag to fail when one or more suppression rules are not used ([#7244](https://github.com/dependency-check/DependencyCheck/pull/7244))
+- fix: add product evidence as vendor to reduce FN ([#7295](https://github.com/dependency-check/DependencyCheck/pull/7295))
+- fix: Make the HTTP-Client use pre-emptive authentication ([#7255](https://github.com/dependency-check/DependencyCheck/pull/7255))
 - fix: Add the missing proxy credentials for suppressionFileUser/Password authentication scenario
-- fix: increase max retry count (#7252)
+- fix: increase max retry count ([#7252](https://github.com/dependency-check/DependencyCheck/pull/7252))
 - fix: Make the HTTP-Client use pre-emptive authentication for configured server credentials and extend HTTPClient usage to Nexus search
-- fix: Tranform into UTC the last modified date from database (#7222)
+- fix: Tranform into UTC the last modified date from database ([#7222](https://github.com/dependency-check/DependencyCheck/pull/7222))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/91?closed=1). 
 
 ## [Version 11.1.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v11.1.1) (2024-12-04)
 
-- fix: re-enable issue locking (#7220)
-- fix: add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again (#7169)
-- fix: rework replaceOrAddVulnerability (#7177)
-- fix: do not log loading of JDBC driver (#7155)
-- fix: expose flag to disable version check (#7147)
-- fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions (#7125)
-- chore: cleanup base suppression (#7138)
-- docs: update gradle configuration documentation (#7176)
-- docs: update documentation for Gradle plugin (#7143)
-- docs: improve false positive issue templat (#7130)
+- fix: re-enable issue locking ([#7220](https://github.com/dependency-check/DependencyCheck/pull/7220))
+- fix: add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again ([#7169](https://github.com/dependency-check/DependencyCheck/pull/7169))
+- fix: rework replaceOrAddVulnerability ([#7177](https://github.com/dependency-check/DependencyCheck/pull/7177))
+- fix: do not log loading of JDBC driver ([#7155](https://github.com/dependency-check/DependencyCheck/pull/7155))
+- fix: expose flag to disable version check ([#7147](https://github.com/dependency-check/DependencyCheck/pull/7147))
+- fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions ([#7125](https://github.com/dependency-check/DependencyCheck/pull/7125))
+- chore: cleanup base suppression ([#7138](https://github.com/dependency-check/DependencyCheck/pull/7138))
+- docs: update gradle configuration documentation ([#7176](https://github.com/dependency-check/DependencyCheck/pull/7176))
+- docs: update documentation for Gradle plugin ([#7143](https://github.com/dependency-check/DependencyCheck/pull/7143))
+- docs: improve false positive issue templat ([#7130](https://github.com/dependency-check/DependencyCheck/pull/7130))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/90?closed=1). 
 
 ## [Version 11.1.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v11.1.0) (2024-10-30)
 
-- feat: PHP Composer Analyzer now scans packages-dev by default (#7114)
+- feat: PHP Composer Analyzer now scans packages-dev by default ([#7114](https://github.com/dependency-check/DependencyCheck/pull/7114))
   - Users can configure if packages-dev should be skipped
-- fix(regression): re-add h2 database driver name (#7115) 
-- fix(regression): Make the Downloader honour the proxy.nonproxyhosts ODC Setting (#7077)
-- fix: do not set legacy proxy from maven or env (#7072) (#7074)
-- docs: add missing documentation for the MS Build Analyzer (#7113)
-- docs: Document the breaking change for Maven plugin as reporting plugin (#7079)
+- fix(regression): re-add h2 database driver name ([#7115](https://github.com/dependency-check/DependencyCheck/pull/7115)) 
+- fix(regression): Make the Downloader honour the proxy.nonproxyhosts ODC Setting ([#7077](https://github.com/dependency-check/DependencyCheck/pull/7077))
+- fix: do not set legacy proxy from maven or env ([#7072](https://github.com/dependency-check/DependencyCheck/pull/7072)) ([#7074](https://github.com/dependency-check/DependencyCheck/pull/7074))
+- docs: add missing documentation for the MS Build Analyzer ([#7113](https://github.com/dependency-check/DependencyCheck/pull/7113))
+- docs: Document the breaking change for Maven plugin as reporting plugin ([#7079](https://github.com/dependency-check/DependencyCheck/pull/7079))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/89?closed=1). 
 
 ## [Version 11.0.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v11.0.0) (2024-10-21)
 
-- **breaking change**: Switch from JMockit to Mockito & build target to Java 11 (#6922)
+- **breaking change**: Switch from JMockit to Mockito & build target to Java 11 ([#6922](https://github.com/dependency-check/DependencyCheck/pull/6922))
   - dependency-check now requires a minimum of Java 11.0 to run
-- **breaking change**: bump com.h2database:h2 from 2.1.214 to 2.3.232 (#6132)
+- **breaking change**: bump com.h2database:h2 from 2.1.214 to 2.3.232 ([#6132](https://github.com/dependency-check/DependencyCheck/pull/6132))
   - H2 databases generated with an older version of ODC will not work with ODC 11.0.0; a new H2 db must be generated
 - **breaking change**: Maven plugin updated to Doxia 2.x reporting stack
-  - Users of the Maven plugin that configure it as a reporting plugin will need to use maven-site-plugin 3.20.0 or later (#6959)
+  - Users of the Maven plugin that configure it as a reporting plugin will need to use maven-site-plugin 3.20.0 or later ([#6959](https://github.com/dependency-check/DependencyCheck/pull/6959))
 - feat: Replace old Downloader by an Apache HTTPClient based downloader
-- feat: Use Apache HTTPClient for downloads of public resources (#6949)
+- feat: Use Apache HTTPClient for downloads of public resources ([#6949](https://github.com/dependency-check/DependencyCheck/pull/6949))
 - feat: Also make NodeAuditSearch usr our HTTPClient based connections
 - feat: Also make OSSIndexAnalyzer use our HTTPClient based connections
 - feat: Migrate CentralSearch to use Apache HTTP-client via Downloader
 - feat: Extend apache HTTP-client usage to EngineVersionCheck
-- feat: Remove the need to specify dbDriver for external databases using JDBCv4 ServiceLoader supporting JDBC drivers (#6938)
-- fix: use latest generated suppressions (#7064)
-- fix: Fixup parameter sequence for Dowloader credentials (#7033)
+- feat: Remove the need to specify dbDriver for external databases using JDBCv4 ServiceLoader supporting JDBC drivers ([#6938](https://github.com/dependency-check/DependencyCheck/pull/6938))
+- fix: use latest generated suppressions ([#7064](https://github.com/dependency-check/DependencyCheck/pull/7064))
+- fix: Fixup parameter sequence for Dowloader credentials ([#7033](https://github.com/dependency-check/DependencyCheck/pull/7033))
 - fix: Fixup the missing addition of NVD API Datafeed credentials (if configured)
 - fix: Fixup broken proxy authentication in first attempt; extend to include KEV downloads
-- fix: store timestamps locally for local resources (#6936)
-- build: Remove the animal-sniffer, propagate java version to plugin-archetype (#6950)
-- build: Update Checkstyle configuration and Suppression DTD references (#6951)
-- chore: Update test db schema (#7036)
+- fix: store timestamps locally for local resources ([#6936](https://github.com/dependency-check/DependencyCheck/pull/6936))
+- build: Remove the animal-sniffer, propagate java version to plugin-archetype ([#6950](https://github.com/dependency-check/DependencyCheck/pull/6950))
+- build: Update Checkstyle configuration and Suppression DTD references ([#6951](https://github.com/dependency-check/DependencyCheck/pull/6951))
+- chore: Update test db schema ([#7036](https://github.com/dependency-check/DependencyCheck/pull/7036))
 - chore: remove old, unneeded database upgrade script
-- docs: reformat javadoc (#7009)
-- docs: Fixup javadoc warnings (#6995)
-- chore: Replace use of several deprecated methods/classes by their successors (#6933)
+- docs: reformat javadoc ([#7009](https://github.com/dependency-check/DependencyCheck/pull/7009))
+- docs: Fixup javadoc warnings ([#6995](https://github.com/dependency-check/DependencyCheck/pull/6995))
+- chore: Replace use of several deprecated methods/classes by their successors ([#6933](https://github.com/dependency-check/DependencyCheck/pull/6933))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/87?closed=1). 
 
 ## [Version 10.0.4](https://github.com/dependency-check/DependencyCheck/releases/tag/v10.0.4) (2024-09-01)
 
- - build(deps): exclude unused dependency (#6916)
- - fix: improve regex (#6917)
- - fix: correctly handle null values in cpeMatch (#6915)
- - fix(site): Update Fluido skin to resolve broken fork-me-on-github image (#6914)
- - fix: do not report over 100% download complete (#6899)
- - fix: Correct spelling of occurring in NvdApiDataSource.java (#6883)
- - fix: skip blank lines in requirements.txt (#6867)
- - fix: correct percentage calculation (#6868)
- - docs: remove old recommendation (#6860)
+ - build(deps): exclude unused dependency ([#6916](https://github.com/dependency-check/DependencyCheck/pull/6916))
+ - fix: improve regex ([#6917](https://github.com/dependency-check/DependencyCheck/pull/6917))
+ - fix: correctly handle null values in cpeMatch ([#6915](https://github.com/dependency-check/DependencyCheck/pull/6915))
+ - fix(site): Update Fluido skin to resolve broken fork-me-on-github image ([#6914](https://github.com/dependency-check/DependencyCheck/pull/6914))
+ - fix: do not report over 100% download complete ([#6899](https://github.com/dependency-check/DependencyCheck/pull/6899))
+ - fix: Correct spelling of occurring in NvdApiDataSource.java ([#6883](https://github.com/dependency-check/DependencyCheck/pull/6883))
+ - fix: skip blank lines in requirements.txt ([#6867](https://github.com/dependency-check/DependencyCheck/pull/6867))
+ - fix: correct percentage calculation ([#6868](https://github.com/dependency-check/DependencyCheck/pull/6868))
+ - docs: remove old recommendation ([#6860](https://github.com/dependency-check/DependencyCheck/pull/6860))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/88?closed=1). 
 
 ## [Version 10.0.3](https://github.com/dependency-check/DependencyCheck/releases/tag/v10.0.3) (2024-07-16)
 
-- feat: Enable configuration of a lower resultsPerPage on NVD API (#6843)
-- build(deps): bump open-vulnerability-clients from 6.1.6 to 6.1.7 (#6848)
-- build(deps): bump JamesIves/github-pages-deploy-action from 4.6.1 to 4.6.3 (#6814)
-- build(deps): bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.0 (#6762)
-- build(deps): bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 (#6815)
-- build(deps): bump golang from 1.22.4-alpine to 1.22.5-alpine (#6805)
+- feat: Enable configuration of a lower resultsPerPage on NVD API ([#6843](https://github.com/dependency-check/DependencyCheck/pull/6843))
+- build(deps): bump open-vulnerability-clients from 6.1.6 to 6.1.7 ([#6848](https://github.com/dependency-check/DependencyCheck/pull/6848))
+- build(deps): bump JamesIves/github-pages-deploy-action from 4.6.1 to 4.6.3 ([#6814](https://github.com/dependency-check/DependencyCheck/pull/6814))
+- build(deps): bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.0 ([#6762](https://github.com/dependency-check/DependencyCheck/pull/6762))
+- build(deps): bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 ([#6815](https://github.com/dependency-check/DependencyCheck/pull/6815))
+- build(deps): bump golang from 1.22.4-alpine to 1.22.5-alpine ([#6805](https://github.com/dependency-check/DependencyCheck/pull/6805))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/84?closed=1). 
 
@@ -209,164 +209,164 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 **Mandatory Upgrade** - due to older versions of dependency-check causing numerous, spurious requests that end in processing failures, this upgrade is mandatory so that the NVD can differentiate valid requests and block the old clients.
 
-- build(deps): bump open-vulnerability-clients (#6810)
-- fix(db): #6788 removing redundant db index "idxVulnerability" on "vulnerability.cve" (#6807)
-- docs: Further improve formatting and docs of H2 database caching strats (#6804)
-- fix: update_vulnerability in dbStatements_oracle.properties (#6803)
-- fix: fix NPE  (#6778)
-- fix: add hint to resolve false negative (#6802)
-- chore: update configure (#6794)
+- build(deps): bump open-vulnerability-clients ([#6810](https://github.com/dependency-check/DependencyCheck/pull/6810))
+- fix(db): [#6788](https://github.com/dependency-check/DependencyCheck/pull/6788) removing redundant db index "idxVulnerability" on "vulnerability.cve" ([#6807](https://github.com/dependency-check/DependencyCheck/pull/6807))
+- docs: Further improve formatting and docs of H2 database caching strats ([#6804](https://github.com/dependency-check/DependencyCheck/pull/6804))
+- fix: update_vulnerability in dbStatements_oracle.properties ([#6803](https://github.com/dependency-check/DependencyCheck/pull/6803))
+- fix: fix NPE  ([#6778](https://github.com/dependency-check/DependencyCheck/pull/6778))
+- fix: add hint to resolve false negative ([#6802](https://github.com/dependency-check/DependencyCheck/pull/6802))
+- chore: update configure ([#6794](https://github.com/dependency-check/DependencyCheck/pull/6794))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/86?closed=1). 
 
 ## [Version 10.0.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v10.0.1) (2024-07-02)
 
-- build(deps): bump open-vulnerability-client (#6772)
-- fix: remove debug logging (#6770)
-- fix: postgresql column count error (#6773)
-- fix: mssql column name and version (#6761)
-- docs: update supported versions (#6771)
+- build(deps): bump open-vulnerability-client ([#6772](https://github.com/dependency-check/DependencyCheck/pull/6772))
+- fix: remove debug logging ([#6770](https://github.com/dependency-check/DependencyCheck/pull/6770))
+- fix: postgresql column count error ([#6773](https://github.com/dependency-check/DependencyCheck/pull/6773))
+- fix: mssql column name and version ([#6761](https://github.com/dependency-check/DependencyCheck/pull/6761))
+- docs: update supported versions ([#6771](https://github.com/dependency-check/DependencyCheck/pull/6771))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/85?closed=1). 
 
 ## [Version 10.0.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v10.0.0) (2024-07-01)
 
-- **breaking change**: upgrade to dotnet 8.0 (#6580)
+- **breaking change**: upgrade to dotnet 8.0 ([#6580](https://github.com/dependency-check/DependencyCheck/pull/6580))
   - Users of the AssemblyAnalyzer must upgrade/utilize dotnet 8 to analyze assemblies
-- feat: fix the NVD API related errors by adding cvssV4 support (#6756)
+- feat: fix the NVD API related errors by adding cvssV4 support ([#6756](https://github.com/dependency-check/DependencyCheck/pull/6756))
    - **breaking changes**: anyone utilizing a centralized database will need to upgrade the schema; see changes in [PR #6756](https://github.com/dependency-check/DependencyCheck/pull/6756/files#diff-ca432c4b41d39caa84d140e06694b09c7e6394c8a2db72ba27516dc77ee3bd67)
-- fix: avoid escaping unnecessary chars in HTML report suppression regexes (#6749)
-- fix: #6688 Trim version number when parsin POM (#6705)
-- fix: change request if lockfile is file v3 (#6690)
-- fix: skip pyproject.toml unless it contains `tool.poetry` before ensuring lockfiles (#6681)
+- fix: avoid escaping unnecessary chars in HTML report suppression regexes ([#6749](https://github.com/dependency-check/DependencyCheck/pull/6749))
+- fix: [#6688](https://github.com/dependency-check/DependencyCheck/pull/6688) Trim version number when parsing POM ([#6705](https://github.com/dependency-check/DependencyCheck/pull/6705))
+- fix: change request if lockfile is file v3 ([#6690](https://github.com/dependency-check/DependencyCheck/pull/6690))
+- fix: skip pyproject.toml unless it contains `tool.poetry` before ensuring lockfiles ([#6681](https://github.com/dependency-check/DependencyCheck/pull/6681))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/83?closed=1). 
 
 ## [Version 9.2.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.2.0) (2024-05-15)
 
- - docs: update logo per intellj (#6660)
- - feat: Carthage analyzer (#6614)
- - fix: Ensure valid JSON output for gitlab report (#6630)
- - feat: Support Package.swift version 3 Specification (#6578)
- - chore: Update the packaged suppressions to include new hosted suppressions (#6567)
+ - docs: update logo per intellj ([#6660](https://github.com/dependency-check/DependencyCheck/pull/6660))
+ - feat: Carthage analyzer ([#6614](https://github.com/dependency-check/DependencyCheck/pull/6614))
+ - fix: Ensure valid JSON output for gitlab report ([#6630](https://github.com/dependency-check/DependencyCheck/pull/6630))
+ - feat: Support Package.swift version 3 Specification ([#6578](https://github.com/dependency-check/DependencyCheck/pull/6578))
+ - chore: Update the packaged suppressions to include new hosted suppressions ([#6567](https://github.com/dependency-check/DependencyCheck/pull/6567))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/82?closed=1). 
 
 ## [Version 9.1.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.1.0) (2024-03-31)
 
-- feat: Add v2 support for maven_install.json (#6528)
-- build(deps): bump open-vulnerability-client (#6554)
+- feat: Add v2 support for maven_install.json ([#6528](https://github.com/dependency-check/DependencyCheck/pull/6528))
+- build(deps): bump open-vulnerability-client ([#6554](https://github.com/dependency-check/DependencyCheck/pull/6554))
   - resolves update issues due to CVSS Metrics 4.0
-- build(deps): bump jackson.version from 2.16.0 to 2.16.1 (#6353)
-- build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 (#6362)
-- build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine (#6506)
+- build(deps): bump jackson.version from 2.16.0 to 2.16.1 ([#6353](https://github.com/dependency-check/DependencyCheck/pull/6353))
+- build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 ([#6362](https://github.com/dependency-check/DependencyCheck/pull/6362))
+- build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine ([#6506](https://github.com/dependency-check/DependencyCheck/pull/6506))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/81?closed=1).
 
 ## [Version 9.0.10](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.0.10) (2024-03-15)
 
-- fix: #4321 Suppress redis server CVEs for client libraries (#4321) (#6489)
-- fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#6492)
-- feat: Allow to pass NVD API key via environment variable (#6454)
-- fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block  (#6501)
-- docs: document the default data directory (#6484)
-- fix: prevent NPE in bundler audit (#6462)
-- fix: #6441 Improve suppression rule to not restrict to a single version (#6442)
+- fix: [#4321](https://github.com/dependency-check/DependencyCheck/pull/4321) Suppress redis server CVEs for client libraries ([#4321](https://github.com/dependency-check/DependencyCheck/pull/4321)) ([#6489](https://github.com/dependency-check/DependencyCheck/pull/6489))
+- fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 ([#6492](https://github.com/dependency-check/DependencyCheck/pull/6492))
+- feat: Allow to pass NVD API key via environment variable ([#6454](https://github.com/dependency-check/DependencyCheck/pull/6454))
+- fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block  ([#6501](https://github.com/dependency-check/DependencyCheck/pull/6501))
+- docs: document the default data directory ([#6484](https://github.com/dependency-check/DependencyCheck/pull/6484))
+- fix: prevent NPE in bundler audit ([#6462](https://github.com/dependency-check/DependencyCheck/pull/6462))
+- fix: [#6441](https://github.com/dependency-check/DependencyCheck/pull/6441) Improve suppression rule to not restrict to a single version ([#6442](https://github.com/dependency-check/DependencyCheck/pull/6442))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/80?closed=1).
 
 ## [Version 9.0.9](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.0.9) (2024-01-17)
 
-- fix: for #6374 to delete non-empty directories (#6375)
-- fix: NoSuchMethodError closeQuietly(java.io.Closeable[]) (#6377)
-- chore: close stream to prevent possible resource leak (#6382)
-- docs: Document default for CLI --data (#6359)
-- docs: document gradle build (#6371)
+- fix: for [#6374](https://github.com/dependency-check/DependencyCheck/pull/6374) to delete non-empty directories ([#6375](https://github.com/dependency-check/DependencyCheck/pull/6375))
+- fix: NoSuchMethodError closeQuietly(java.io.Closeable[]) ([#6377](https://github.com/dependency-check/DependencyCheck/pull/6377))
+- chore: close stream to prevent possible resource leak ([#6382](https://github.com/dependency-check/DependencyCheck/pull/6382))
+- docs: Document default for CLI --data ([#6359](https://github.com/dependency-check/DependencyCheck/pull/6359))
+- docs: document gradle build ([#6371](https://github.com/dependency-check/DependencyCheck/pull/6371))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/79?closed=1).
 
 ## [Version 9.0.8](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.0.8) (2024-01-06)
 
-- fix: favor stability over performance (#6349)
-- chore: replace commons-io with core java calls (#6343)
-- fix: improve error reporting for invalid H2 database (#6339)
-- fix: rework fix for closing input streams on errors correctly (#6338)
-- fix: reduce chance NVD API block updates due to rate limit (#6333)
-- fix: ensure open handles will not leak on errors (#6326)
-- fix: improve error reporting (#6324)
+- fix: favor stability over performance ([#6349](https://github.com/dependency-check/DependencyCheck/pull/6349))
+- chore: replace commons-io with core java calls ([#6343](https://github.com/dependency-check/DependencyCheck/pull/6343))
+- fix: improve error reporting for invalid H2 database ([#6339](https://github.com/dependency-check/DependencyCheck/pull/6339))
+- fix: rework fix for closing input streams on errors correctly ([#6338](https://github.com/dependency-check/DependencyCheck/pull/6338))
+- fix: reduce chance NVD API block updates due to rate limit ([#6333](https://github.com/dependency-check/DependencyCheck/pull/6333))
+- fix: ensure open handles will not leak on errors ([#6326](https://github.com/dependency-check/DependencyCheck/pull/6326))
+- fix: improve error reporting ([#6324](https://github.com/dependency-check/DependencyCheck/pull/6324))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/78?closed=1).
 
 ## [Version 9.0.7](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.0.7) (2023-12-18)
 
-- docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#6315)
-- fix: improve memory usage on NVD update (#6321)
-- fix: skip pyproject.toml unless it contains `tool.poetry` (#6316)
-- fix: resolve build error that may cause an issue on some JDK versions (#6312)
+- docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 ([#6315](https://github.com/dependency-check/DependencyCheck/pull/6315))
+- fix: improve memory usage on NVD update ([#6321](https://github.com/dependency-check/DependencyCheck/pull/6321))
+- fix: skip pyproject.toml unless it contains `tool.poetry` ([#6316](https://github.com/dependency-check/DependencyCheck/pull/6316))
+- fix: resolve build error that may cause an issue on some JDK versions ([#6312](https://github.com/dependency-check/DependencyCheck/pull/6312))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/77?closed=1).
 
 ## [Version 9.0.6](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.0.6) (2023-12-15)
 
-- build: bump open-vulnerability-clients@5.1.1 (#6308)
-- fix: mask nvd.api.key in logs; see GHSA-qqhq-8r2c-c3f5 (#6307)
-- fix: update java version check (#6297)
-- fix: more efficient memory usage (#6299)
-- fix: stream NVD data via Jackson to reduce memory footprint (#6275)
-- docs: document github action caching (#6301)
+- build: bump open-vulnerability-clients@5.1.1 ([#6308](https://github.com/dependency-check/DependencyCheck/pull/6308))
+- fix: mask nvd.api.key in logs; see GHSA-qqhq-8r2c-c3f5 ([#6307](https://github.com/dependency-check/DependencyCheck/pull/6307))
+- fix: update java version check ([#6297](https://github.com/dependency-check/DependencyCheck/pull/6297))
+- fix: more efficient memory usage ([#6299](https://github.com/dependency-check/DependencyCheck/pull/6299))
+- fix: stream NVD data via Jackson to reduce memory footprint ([#6275](https://github.com/dependency-check/DependencyCheck/pull/6275))
+- docs: document github action caching ([#6301](https://github.com/dependency-check/DependencyCheck/pull/6301))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/76?closed=1).
 
 ## [Version 9.0.5](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.0.5) (2023-12-13)
 
-- fix: make NVD API endpoint configurable (#6287)
-- fix: synch last modified timestamp for NVD API (#6281)
-- fix: read NVD cache meta files if cache.properties does not exist (#6282)
-- fix: correct property for nonProxyHosts (#6285)
-- fix: reduce apache http logging (#6280)
-- fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db (#6271)
-- build: bump golang in the docker image (#6274)
-- fix: use temporary files to reduce memory usage during the NVD Update (#6270)
-- fix: use BIT for Oracle DB instead of Boolean when calling prepared statements (#6264)
-- fix: showing all reference tags in reports (#6259)
+- fix: make NVD API endpoint configurable ([#6287](https://github.com/dependency-check/DependencyCheck/pull/6287))
+- fix: synch last modified timestamp for NVD API ([#6281](https://github.com/dependency-check/DependencyCheck/pull/6281))
+- fix: read NVD cache meta files if cache.properties does not exist ([#6282](https://github.com/dependency-check/DependencyCheck/pull/6282))
+- fix: correct property for nonProxyHosts ([#6285](https://github.com/dependency-check/DependencyCheck/pull/6285))
+- fix: reduce apache http logging ([#6280](https://github.com/dependency-check/DependencyCheck/pull/6280))
+- fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db ([#6271](https://github.com/dependency-check/DependencyCheck/pull/6271))
+- build: bump golang in the docker image ([#6274](https://github.com/dependency-check/DependencyCheck/pull/6274))
+- fix: use temporary files to reduce memory usage during the NVD Update ([#6270](https://github.com/dependency-check/DependencyCheck/pull/6270))
+- fix: use BIT for Oracle DB instead of Boolean when calling prepared statements ([#6264](https://github.com/dependency-check/DependencyCheck/pull/6264))
+- fix: showing all reference tags in reports ([#6259](https://github.com/dependency-check/DependencyCheck/pull/6259))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/75?closed=1).
 
 ## [Version 9.0.4](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.0.4) (2023-12-08)
 
-- fix: utilize maven proxy if present (#6255)
-- fix: allow api key in cli to be quoted (#6253)
-- fix: use correct maven plugin reporting plugin (#6244)
-- fix: correct trailing comma in JSON report (#6245)
+- fix: utilize maven proxy if present ([#6255](https://github.com/dependency-check/DependencyCheck/pull/6255))
+- fix: allow api key in cli to be quoted ([#6253](https://github.com/dependency-check/DependencyCheck/pull/6253))
+- fix: use correct maven plugin reporting plugin ([#6244](https://github.com/dependency-check/DependencyCheck/pull/6244))
+- fix: correct trailing comma in JSON report ([#6245](https://github.com/dependency-check/DependencyCheck/pull/6245))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/74?closed=1).
 
 ## [Version 9.0.3](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.0.3) (2023-12-06)
 
-- fix: use Java properties for proxy configuration (#6238)
-- docs: update proxy configuration documentation (#6237)
-- docs: add documentation on caching (#6204)
-- docs: Clarify H2 database caching strategy (#6220)
-- docs: Update list of supported report formats (#6224)
-- docs: example 5 with new nvdDatafeedUrl parameter (#6215)
-- fix: prevent NPEs (#6232 and #6206)
-- fix: check valid for hours for NVD API (#6225)
-- fix: correct NVD cache last checked logic (#6218)
-- fix: nvd datafeed should process current year (#6213)
-- fix: correct references to cvssv2 and cvssv3 fields in json and xml reports (#6212)
-- fix: correct name on reference links in report (#6205)
-- fix: flaws int the gitlab report (#6193)
+- fix: use Java properties for proxy configuration ([#6238](https://github.com/dependency-check/DependencyCheck/pull/6238))
+- docs: update proxy configuration documentation ([#6237](https://github.com/dependency-check/DependencyCheck/pull/6237))
+- docs: add documentation on caching ([#6204](https://github.com/dependency-check/DependencyCheck/pull/6204))
+- docs: Clarify H2 database caching strategy ([#6220](https://github.com/dependency-check/DependencyCheck/pull/6220))
+- docs: Update list of supported report formats ([#6224](https://github.com/dependency-check/DependencyCheck/pull/6224))
+- docs: example 5 with new nvdDatafeedUrl parameter ([#6215](https://github.com/dependency-check/DependencyCheck/pull/6215))
+- fix: prevent NPEs ([#6232](https://github.com/dependency-check/DependencyCheck/pull/6232) and [#6206](https://github.com/dependency-check/DependencyCheck/pull/6206))
+- fix: check valid for hours for NVD API ([#6225](https://github.com/dependency-check/DependencyCheck/pull/6225))
+- fix: correct NVD cache last checked logic ([#6218](https://github.com/dependency-check/DependencyCheck/pull/6218))
+- fix: nvd datafeed should process current year ([#6213](https://github.com/dependency-check/DependencyCheck/pull/6213))
+- fix: correct references to cvssv2 and cvssv3 fields in json and xml reports ([#6212](https://github.com/dependency-check/DependencyCheck/pull/6212))
+- fix: correct name on reference links in report ([#6205](https://github.com/dependency-check/DependencyCheck/pull/6205))
+- fix: flaws int the gitlab report ([#6193](https://github.com/dependency-check/DependencyCheck/pull/6193))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/73?closed=1).
 
 ## [Version 9.0.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v9.0.2) (2023-12-01)
 
-- fix: remove virtual match string on NVD API Request (#6177)
-- fix: correct meta data in report after switching the NVD API (#6154)
-- fix: retry HTTP connections to NVD on 502 and 504 errors (#6151)
-- fix: Gitlab report format needs severity capitalized (#6182)
-- fix: improve JDK update version parsing (#6163)
-- fix: mute JCS logging (again) (#6153)
+- fix: remove virtual match string on NVD API Request ([#6177](https://github.com/dependency-check/DependencyCheck/pull/6177))
+- fix: correct meta data in report after switching the NVD API ([#6154](https://github.com/dependency-check/DependencyCheck/pull/6154))
+- fix: retry HTTP connections to NVD on 502 and 504 errors ([#6151](https://github.com/dependency-check/DependencyCheck/pull/6151))
+- fix: Gitlab report format needs severity capitalized ([#6182](https://github.com/dependency-check/DependencyCheck/pull/6182))
+- fix: improve JDK update version parsing ([#6163](https://github.com/dependency-check/DependencyCheck/pull/6163))
+- fix: mute JCS logging (again) ([#6153](https://github.com/dependency-check/DependencyCheck/pull/6153))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/72?closed=1).
 
@@ -374,14 +374,14 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 **breaking changes**: See the [upgrade notice](https://github.com/dependency-check/DependencyCheck#900-upgrade-notice)
 
-- fix: check java 8 update version; minimum JRE is 8 update 251 (#6118)
-- fix: add retry for failed NVD API requests (#6136)
-- docs: add default values to documentation for the NVD API Delay (#6135)
-- chore: Revert "build(deps): bump com.h2database:h2 from 2.1.214 to 2.2.224" (#6131)
+- fix: check java 8 update version; minimum JRE is 8 update 251 ([#6118](https://github.com/dependency-check/DependencyCheck/pull/6118))
+- fix: add retry for failed NVD API requests ([#6136](https://github.com/dependency-check/DependencyCheck/pull/6136))
+- docs: add default values to documentation for the NVD API Delay ([#6135](https://github.com/dependency-check/DependencyCheck/pull/6135))
+- chore: Revert "build(deps): bump com.h2database:h2 from 2.1.214 to 2.2.224" ([#6131](https://github.com/dependency-check/DependencyCheck/pull/6131))
   - this is a **breaking change** for anyone that successfully created the H2 database with 9.0.0.
-- fix: mute jcs logging (#6130)
-- docs: update NVD notice (#6110)
-- fix: Use the correct key for NVD API-Key from Maven Settings serverId (#6109)
+- fix: mute jcs logging ([#6130](https://github.com/dependency-check/DependencyCheck/pull/6130))
+- docs: update NVD notice ([#6110](https://github.com/dependency-check/DependencyCheck/pull/6110))
+- fix: Use the correct key for NVD API-Key from Maven Settings serverId ([#6109](https://github.com/dependency-check/DependencyCheck/pull/6109))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/71?closed=1).
 
@@ -389,22 +389,22 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 **breaking changes**: See the [upgrade notice](https://github.com/dependency-check/DependencyCheck#900-upgrade-notice)
 
-- feat: Utilize NVD API (#5978)
-- feat: gitlab dependency scanner report format #5919 (#5920)
-- fix: Use ASCII apostrophe for console message (#6076)
+- feat: Utilize NVD API ([#5978](https://github.com/dependency-check/DependencyCheck/pull/5978))
+- feat: gitlab dependency scanner report format [#5919](https://github.com/dependency-check/DependencyCheck/pull/5919) ([#5920](https://github.com/dependency-check/DependencyCheck/pull/5920))
+- fix: Use ASCII apostrophe for console message ([#6076](https://github.com/dependency-check/DependencyCheck/pull/6076))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/68?closed=1).
 
 ## [Version 8.4.3](https://github.com/dependency-check/DependencyCheck/releases/tag/v8.4.3) (2023-11-15)
 
-- fix: bump jcs3 (#6047)
-- docs: Corrected docs on hostedSuppressions (#6035)
+- fix: bump jcs3 ([#6047](https://github.com/dependency-check/DependencyCheck/pull/6047))
+- docs: Corrected docs on hostedSuppressions ([#6035](https://github.com/dependency-check/DependencyCheck/pull/6035))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/70?closed=1).
 
 ## [Version 8.4.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v8.4.2) (2023-10-22)
 
-- fix: correct log configuration in cli (#6002)
+- fix: correct log configuration in cli ([#6002](https://github.com/dependency-check/DependencyCheck/pull/6002))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/69?closed=1).
 
@@ -412,11 +412,11 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
-- fix: upgrade to JCS3 (#5114)
-- fix: Support ~= version specifier in requirements.txt and pipfile (#5902)
-- fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name (#5901)
-- fix: Do not filter out evidences added by hints (#5900)
-- fix: fixes FP #5925 (#5927)
+- fix: upgrade to JCS3 ([#5114](https://github.com/dependency-check/DependencyCheck/pull/5114))
+- fix: Support ~= version specifier in requirements.txt and pipfile ([#5902](https://github.com/dependency-check/DependencyCheck/pull/5902))
+- fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name ([#5901](https://github.com/dependency-check/DependencyCheck/pull/5901))
+- fix: Do not filter out evidences added by hints ([#5900](https://github.com/dependency-check/DependencyCheck/pull/5900))
+- fix: fixes FP [#5925](https://github.com/dependency-check/DependencyCheck/pull/5925) ([#5927](https://github.com/dependency-check/DependencyCheck/pull/5927))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/67?closed=1).
 
@@ -424,17 +424,17 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Added
 
-- feat: Add support for Nexus v3 to NexusAnalyzer (#5849)
+- feat: Add support for Nexus v3 to NexusAnalyzer ([#5849](https://github.com/dependency-check/DependencyCheck/pull/5849))
 
 ### Fixed
 
-- fix: Hint Analyzer should run before VersionFilter Analyzer (#5818)
+- fix: Hint Analyzer should run before VersionFilter Analyzer ([#5818](https://github.com/dependency-check/DependencyCheck/pull/5818))
 - chore: switch to sha1-pinning as suggested by Semgrep
-- fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845)
-- fix: use curl with -L to follow github redirect (#5808)
+- fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter ([#5845](https://github.com/dependency-check/DependencyCheck/pull/5845))
+- fix: use curl with -L to follow github redirect ([#5808](https://github.com/dependency-check/DependencyCheck/pull/5808))
 - fix: use curl with -L to follow github redirect
-- fix: #5671 out of memory error (#5789)
-- fix: #5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError
+- fix: [#5671](https://github.com/dependency-check/DependencyCheck/pull/5671) out of memory error ([#5789](https://github.com/dependency-check/DependencyCheck/pull/5789))
+- fix: [#5671](https://github.com/dependency-check/DependencyCheck/pull/5671) Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/66?closed=1).
 
@@ -446,16 +446,16 @@ Re-release of 8.3.0 as 8.3.1.
 
 ### Added
 
- - Add LibmanAnalyzer (#5652)
- - Update HTML report Dependencies header based on display settings (#5619)
- - Add link to suppressed vulnerabilities header in HTML report (#5620)
- - Enable local proxy configuration in maven plugin configuration (#5696)
+ - Add LibmanAnalyzer ([#5652](https://github.com/dependency-check/DependencyCheck/pull/5652))
+ - Update HTML report Dependencies header based on display settings ([#5619](https://github.com/dependency-check/DependencyCheck/pull/5619))
+ - Add link to suppressed vulnerabilities header in HTML report ([#5620](https://github.com/dependency-check/DependencyCheck/pull/5620))
+ - Enable local proxy configuration in maven plugin configuration ([#5696](https://github.com/dependency-check/DependencyCheck/pull/5696))
 
 ### Fixed
 
- - Fix npm alias present in requires of dependencies (#5703)
- - Make Central URL configurable via CLI (#5667)
- - Ensure support of CVSSv3.1 (#5602)
+ - Fix npm alias present in requires of dependencies ([#5703](https://github.com/dependency-check/DependencyCheck/pull/5703))
+ - Make Central URL configurable via CLI ([#5667](https://github.com/dependency-check/DependencyCheck/pull/5667))
+ - Ensure support of CVSSv3.1 ([#5602](https://github.com/dependency-check/DependencyCheck/pull/5602))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/65?closed=1).
 
@@ -463,9 +463,9 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
- - NullPointerException in MSBuildAnalyzer (#5589)
- - SQL Syntax for Oracle (#5590)
- - Use `https://` URLs in report templates (#5582)
+ - NullPointerException in MSBuildAnalyzer ([#5589](https://github.com/dependency-check/DependencyCheck/pull/5589))
+ - SQL Syntax for Oracle ([#5590](https://github.com/dependency-check/DependencyCheck/pull/5590))
+ - Use `https://` URLs in report templates ([#5582](https://github.com/dependency-check/DependencyCheck/pull/5582))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/64?closed=1).
 
@@ -473,14 +473,14 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Added
 
- - Support msbuild Directory.build.props (#5475)
+ - Support msbuild Directory.build.props ([#5475](https://github.com/dependency-check/DependencyCheck/pull/5475))
  - better display of NPM audit references
  - Add CVSS V3 results from NPM Audit results
 
 ### Fixed
 
- - Fix several issues on NPM Audit reporting (#5546)
- - Case issue in SQL (#5557)
+ - Fix several issues on NPM Audit reporting ([#5546](https://github.com/dependency-check/DependencyCheck/pull/5546))
+ - Case issue in SQL ([#5557](https://github.com/dependency-check/DependencyCheck/pull/5557))
  - Fix CWE(s) extraction for NPM Audit advisories
  - Use the stable github_advisory_id instead of the now unstable id in NPM audit results
 
@@ -490,7 +490,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
- - Fix `NullPointerException` in the Jar Analyzer introduced in 8.1.1 (#5512)
+ - Fix `NullPointerException` in the Jar Analyzer introduced in 8.1.1 ([#5512](https://github.com/dependency-check/DependencyCheck/pull/5512))
  
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/62?closed=1).
 
@@ -498,13 +498,13 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
- - allow hosted suppressions file to be disabled (#5509)
- - Several FPs not suitable for our automation (#5504)
- - Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#5503)
- - Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer (#5487)
- - Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#5473)
- - Node package dependencies ending up as related dependency of the wrong version of the package (#5479)
- - do not throw error if pyproject.toml is in node_modules (#5470)
+ - allow hosted suppressions file to be disabled ([#5509](https://github.com/dependency-check/DependencyCheck/pull/5509))
+ - Several FPs not suitable for our automation ([#5504](https://github.com/dependency-check/DependencyCheck/pull/5504))
+ - Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation ([#5503](https://github.com/dependency-check/DependencyCheck/pull/5503))
+ - Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer ([#5487](https://github.com/dependency-check/DependencyCheck/pull/5487))
+ - Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues ([#5473](https://github.com/dependency-check/DependencyCheck/pull/5473))
+ - Node package dependencies ending up as related dependency of the wrong version of the package ([#5479](https://github.com/dependency-check/DependencyCheck/pull/5479))
+ - do not throw error if pyproject.toml is in node_modules ([#5470](https://github.com/dependency-check/DependencyCheck/pull/5470))
  
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/61?closed=1).
 
@@ -586,7 +586,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
-- Resolved issue processing NVD CVE data due to column width (#5229)
+- Resolved issue processing NVD CVE data due to column width ([#5229](https://github.com/dependency-check/DependencyCheck/pull/5229))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/56?closed=1).
 
@@ -594,8 +594,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
-- Fixed NPE when analyzing version ranges in NPM (#5158 & #5190)
-- Resolved several FP (#5191)
+- Fixed NPE when analyzing version ranges in NPM ([#5158](https://github.com/dependency-check/DependencyCheck/pull/5158) & [#5190](https://github.com/dependency-check/DependencyCheck/pull/5190))
+- Resolved several FP ([#5191](https://github.com/dependency-check/DependencyCheck/pull/5191))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/55?closed=1).
 
@@ -603,11 +603,11 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
-- Fixes maven 3.1 compatibility issue (#5152)
-- Fixed issue with invalid `node_module` paths in some scans (#5135)
-- Fixed missing option to disable the Poetry Analyzer in the CLI (#5160)
-- Fixed missing option to configure the OSS Index URL in the CLI (#5180)
-- Fixed NPE when analyzing version ranges in NPM (#5158)
+- Fixes maven 3.1 compatibility issue ([#5152](https://github.com/dependency-check/DependencyCheck/pull/5152))
+- Fixed issue with invalid `node_module` paths in some scans ([#5135](https://github.com/dependency-check/DependencyCheck/pull/5135))
+- Fixed missing option to disable the Poetry Analyzer in the CLI ([#5160](https://github.com/dependency-check/DependencyCheck/pull/5160))
+- Fixed missing option to configure the OSS Index URL in the CLI ([#5180](https://github.com/dependency-check/DependencyCheck/pull/5180))
+- Fixed NPE when analyzing version ranges in NPM ([#5158](https://github.com/dependency-check/DependencyCheck/pull/5158))
 - Fixed issue with non-proxy host in the gradle plugin (https://github.com/dependency-check/dependency-check-gradle/pull/298)
 - Resolved several FP
 
@@ -617,8 +617,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
-- Fixed bug when setting the proxy port in gradle (#5123)
-- Fixed issue with invalid `node_module` paths in some scans (#5127)
+- Fixed bug when setting the proxy port in gradle ([#5123](https://github.com/dependency-check/DependencyCheck/pull/5123))
+- Fixed issue with invalid `node_module` paths in some scans ([#5127](https://github.com/dependency-check/DependencyCheck/pull/5127))
 - Resolved several FP
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/53?closed=1).
@@ -627,20 +627,20 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Added
 
-- Add support for npm package lock v2 and v3 (#5078)
-- Added experimental support for Python Poetry (#5025)
-- Added a vanilla HTML report for use in Jenkins (#5053)
+- Add support for npm package lock v2 and v3 ([#5078](https://github.com/dependency-check/DependencyCheck/pull/5078))
+- Added experimental support for Python Poetry ([#5025](https://github.com/dependency-check/DependencyCheck/pull/5025))
+- Added a vanilla HTML report for use in Jenkins ([#5053](https://github.com/dependency-check/DependencyCheck/pull/5053))
 
 ### Changed
 
 - Renamed `RELEASE_NOTES.md` to `CHANGELOG.md` to be more conventional
-- Optimized checksum calculation to improve performance (#5112)
-- Added support for scanning .NET assemblies when only the dotnet runtime is installed (#5087)
+- Optimized checksum calculation to improve performance ([#5112](https://github.com/dependency-check/DependencyCheck/pull/5112))
+- Added support for scanning .NET assemblies when only the dotnet runtime is installed ([#5087](https://github.com/dependency-check/DependencyCheck/pull/5087))
 - Bumped several dependencies
 
 ### Fixed
 
-- Fixed bug when setting the proxy port (#5076)
+- Fixed bug when setting the proxy port ([#5076](https://github.com/dependency-check/DependencyCheck/pull/5076))
 - Resolved several FP and FN
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/52?closed=1).
@@ -651,8 +651,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 - Automated release of 7.3.1 failed and only published to Central; 7.3.2 is a re-release of 7.3.1.
 - Resolved several false positives and false negatives.
-- Use Jackson Afterburner if still on Java 8 (#4966).
-- Exclude `node_modules` from the Maven plugin's scan path (#4974).
+- Use Jackson Afterburner if still on Java 8 ([#4966](https://github.com/dependency-check/DependencyCheck/pull/4966)).
+- Exclude `node_modules` from the Maven plugin's scan path ([#4974](https://github.com/dependency-check/DependencyCheck/pull/4974)).
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/51?closed=1).
 
@@ -661,8 +661,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 ### Changed
 
 - Resolved several false positives and false negatives.
-- Use Jackson Afterburner if still on Java 8 (#4966).
-- Exclude `node_modules` from the Maven plugin's scan path (#4974).
+- Use Jackson Afterburner if still on Java 8 ([#4966](https://github.com/dependency-check/DependencyCheck/pull/4966)).
+- Exclude `node_modules` from the Maven plugin's scan path ([#4974](https://github.com/dependency-check/DependencyCheck/pull/4974)).
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/51?closed=1).
 
@@ -670,15 +670,15 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Added
 
-- Added an experimental Dart analyzer (#4869).
+- Added an experimental Dart analyzer ([#4869](https://github.com/dependency-check/DependencyCheck/pull/4869)).
 
 ### Changed
 
-- Migrated from Jackson Afterburner to Blackbird (#4905).
+- Migrated from Jackson Afterburner to Blackbird ([#4905](https://github.com/dependency-check/DependencyCheck/pull/4905)).
 
 ### Fixed
 
-- Fixed issue with the Maven plugin that caused concurrent modification exceptions (#4935).
+- Fixed issue with the Maven plugin that caused concurrent modification exceptions ([#4935](https://github.com/dependency-check/DependencyCheck/pull/4935)).
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/50?closed=1).
 
@@ -686,7 +686,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
-- Fixed logging issue (#4846).
+- Fixed logging issue ([#4846](https://github.com/dependency-check/DependencyCheck/pull/4846)).
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/49?closed=1).
 
@@ -694,8 +694,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Add support for Bazel's pinned `maven_install.json` (#4772).
-- Fixed bug preventing the use of custom report templates (#4800).
+- Add support for Bazel's pinned `maven_install.json` ([#4772](https://github.com/dependency-check/DependencyCheck/pull/4772)).
+- Fixed bug preventing the use of custom report templates ([#4800](https://github.com/dependency-check/DependencyCheck/pull/4800)).
 - Updated several dependencies including upgrades for dependencies with CVEs.
 - Several bug fixes made and suppression rules were added.
 
@@ -705,8 +705,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- The maven plugin now includes pnpm and yarn lock files in the scan by default (#4753).
-- If a suppression rule is no longer used a log entry will be written (#4685).
+- The maven plugin now includes pnpm and yarn lock files in the scan by default ([#4753](https://github.com/dependency-check/DependencyCheck/pull/4753)).
+- If a suppression rule is no longer used a log entry will be written ([#4685](https://github.com/dependency-check/DependencyCheck/pull/4685)).
 - Several bug fixes made and suppression rules added.
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/47?closed=1).
@@ -734,7 +734,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Update to `jackson-databind` (see #4285).
+- Update to `jackson-databind` (see [#4285](https://github.com/dependency-check/DependencyCheck/pull/4285)).
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/43?closed=1).
 
@@ -742,7 +742,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Update to `jackson-databind` (see #4285).
+- Update to `jackson-databind` (see [#4285](https://github.com/dependency-check/DependencyCheck/pull/4285)).
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/42?closed=1).
 
@@ -769,7 +769,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 - **Breaking:** The H2 database version has been upgraded.
   - if you use the `dataDirectory` option you will need to run a purge after upgrading.
 - **Breaking:** Upgraded to dotnet core 6.0. If analyzing dotnet assemblies the system will need to have the dotnet core 6.0.x runtime available.
-- The Sarif report format has been fixed and can now be imported into GitHub if desired (See #3993).
+- The Sarif report format has been fixed and can now be imported into GitHub if desired (See [#3993](https://github.com/dependency-check/DependencyCheck/pull/3993)).
 - Introduced IssueOps for False Positive reports to assist the team in evaluating FP reports.
   - [Create New FP Report Issue](https://github.com/dependency-check/DependencyCheck/issues/new?assignees=&labels=FP+Report&template=false-positive-report.yml&title=%5BFP%5D%3A+).
 - When analyzing Java projects ODC now includes data from the developers section. 
@@ -782,9 +782,9 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Performance improvements for some Maven projects (see #3923 and #3931).
-- Fixed bug in npm version handling introduced in 6.5.2 (see #3956).
-- Improved the node package analyzer to correctly report the origin of a dependency (see #3970).
+- Performance improvements for some Maven projects (see [#3923](https://github.com/dependency-check/DependencyCheck/pull/3923) and [#3931](https://github.com/dependency-check/DependencyCheck/pull/3931)).
+- Fixed bug in npm version handling introduced in 6.5.2 (see [#3956](https://github.com/dependency-check/DependencyCheck/pull/3956)).
+- Improved the node package analyzer to correctly report the origin of a dependency (see [#3970](https://github.com/dependency-check/DependencyCheck/pull/3970)).
 - General code maintenance and false positive reductions.
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/39?closed=1).
@@ -793,9 +793,9 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Fixed false positives around log4j-api and Log4j-web (#3910 & #3937).
-- Bug fix when processing NPM lock files (#3893).
-- Added missing `pnpm` argmument to the CLI (#3916).
+- Fixed false positives around log4j-api and Log4j-web ([#3910](https://github.com/dependency-check/DependencyCheck/pull/3910) & [#3937](https://github.com/dependency-check/DependencyCheck/pull/3937)).
+- Bug fix when processing NPM lock files ([#3893](https://github.com/dependency-check/DependencyCheck/pull/3893)).
+- Added missing `pnpm` argmument to the CLI ([#3916](https://github.com/dependency-check/DependencyCheck/pull/3916)).
 - General code maintenance and false positive reductions.
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/38?closed=1).
@@ -804,8 +804,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified (#3787).
-- Improved the analysis of Swift package manager (package.resolved - see #3813).
+- Updated the dependency-check-maven plugin to correctly support SNAPSHOT version when a classifier is specified ([#3787](https://github.com/dependency-check/DependencyCheck/pull/3787)).
+- Improved the analysis of Swift package manager (package.resolved - see [#3813](https://github.com/dependency-check/DependencyCheck/pull/3813)).
 - General code maintenance and false positive reductions.
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/37?closed=1).
@@ -817,8 +817,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 - Updated build configuration to create [reproducible builds](https://reproducible-builds.org/).
 - Updated automated release process to work with branch protection.
 - Resolved several false positives in the Java ecosystem.
-- Enabled the Swift Resolved analyzer per #3735
-- Improved iOS support per #3168 and #3765
+- Enabled the Swift Resolved analyzer per [#3735](https://github.com/dependency-check/DependencyCheck/pull/3735)
+- Improved iOS support per [#3168](https://github.com/dependency-check/DependencyCheck/pull/3168) and [#3765](https://github.com/dependency-check/DependencyCheck/pull/3765)
 - Added the a new pnpm Analyzer
 - Fixed issue with some npm and yarn analysis failing due to large audit output
 
@@ -903,8 +903,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
-- Resolved issue with Sarif report (#3243)
-- Resolved issue with Ruby Bundle Audit (#3256)
+- Resolved issue with Sarif report ([#3243](https://github.com/dependency-check/DependencyCheck/pull/3243))
+- Resolved issue with Ruby Bundle Audit ([#3256](https://github.com/dependency-check/DependencyCheck/pull/3256))
 - Several minor bug fixes and updates to reduce false positives
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/26?closed=1).
@@ -913,7 +913,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Fixed
 
-- Fixed a second NPE introduced in 6.1.3 (see #3246)
+- Fixed a second NPE introduced in 6.1.3 (see [#3246](https://github.com/dependency-check/DependencyCheck/pull/3246))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/25?closed=1).
 
@@ -921,7 +921,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Fixed an NPE introduced in 6.1.3 (see #3212)
+- Fixed an NPE introduced in 6.1.3 (see [#3212](https://github.com/dependency-check/DependencyCheck/pull/3212))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/24?closed=1).
 
@@ -929,8 +929,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Modified the new CPE matching strategy to be more performant (#3207)
-- Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) (#3205)
+- Modified the new CPE matching strategy to be more performant ([#3207](https://github.com/dependency-check/DependencyCheck/pull/3207))
+- Upgraded a vulnerable dependency (velocity-engine-core/CVE-2020-13936) ([#3205](https://github.com/dependency-check/DependencyCheck/pull/3205))
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/23?closed=1).
 
@@ -969,7 +969,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Added missing command line arguments per #3028 and #3035.
+- Added missing command line arguments per [#3028](https://github.com/dependency-check/DependencyCheck/pull/3028) and [#3035](https://github.com/dependency-check/DependencyCheck/pull/3035).
 - False positive reduction and minor bug fixes.
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/19?closed=1).
@@ -986,20 +986,20 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Added a bash command completion script (see #2916); to add completion to your shell
+- Added a bash command completion script (see [#2916](https://github.com/dependency-check/DependencyCheck/pull/2916)); to add completion to your shell
   `completion-for-dependency-check.sh` can be found in the bin directory of the CLI:
 
    ```bash
    $ source completion-for-dependency-check.sh
    ```
 
-- An experimental PIP File Analyzer was added (see #2877).
-- Analysis of Node JS produced several false positives (see #2796); the analysis has
+- An experimental PIP File Analyzer was added (see [#2877](https://github.com/dependency-check/DependencyCheck/pull/2877)).
+- Analysis of Node JS produced several false positives (see [#2796](https://github.com/dependency-check/DependencyCheck/pull/2796)); the analysis has
   been updated to reduce the number of false positives.
   - If analyzing Node JS projects it is highly recommended to disable the Node JS Analyzer
     and solely rely on the Node Audit Analyzer. There are plans to rework Node JS analysis
     in a future release.
-- Support for external Oracle databases has been add for the 6.x releases (see #2899)
+- Support for external Oracle databases has been add for the 6.x releases (see [#2899](https://github.com/dependency-check/DependencyCheck/pull/2899))
 - Resolved several reported false positives.
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/17?closed=1).
@@ -1010,8 +1010,8 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 - The project is migrating from hosting the release archives on Bintray and moving them to Github under the assets for each [release](https://github.com/dependency-check/DependencyCheck/releases)
   - **Please update any automation you have to point to the new location.**
-- Npm Audit Analyzer now correctly skips dev dependencies (`--nodeAuditSkipDevDependencies`); see #2482.
-- GoLang Analyzer now scans transitive dependencies; see #2680.
+- Npm Audit Analyzer now correctly skips dev dependencies (`--nodeAuditSkipDevDependencies`); see [#2482](https://github.com/dependency-check/DependencyCheck/pull/2482).
+- GoLang Analyzer now scans transitive dependencies; see [#2680](https://github.com/dependency-check/DependencyCheck/pull/2680).
 - Several bug fixes found in 6.0.1.
 
 See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/16?closed=1).
@@ -1034,7 +1034,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 - Updated database schema; this is a *breaking change* and anyone using an external database or those whom
   specify the data directory will need recreate the database (including users of the docker image). The schema
   changes were made to:
-  - Improve the CVSS data, when available, per #2547
+  - Improve the CVSS data, when available, per [#2547](https://github.com/dependency-check/DependencyCheck/pull/2547)
   - Improve the way that ecosystems are determined
   - Improve the update performance of external databases
 - Users with an **external Oracle** database will not be able to upgrade as https://github.com/dependency-check/DependencyCheck/issues/2755
@@ -1065,10 +1065,10 @@ See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/
 
 ### Changed
 
-- Updated the JSON report to include a new field for unscored vulnerabilities (see #2392).
-- Updated the XML report to include a new attribute to flag unscored vulnerabilities (see #2392)
+- Updated the JSON report to include a new field for unscored vulnerabilities (see [#2392](https://github.com/dependency-check/DependencyCheck/pull/2392)).
+- Updated the XML report to include a new attribute to flag unscored vulnerabilities (see [#2392](https://github.com/dependency-check/DependencyCheck/pull/2392))
   - see https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/schema/dependency-check.2.3.xsd
-- Added an experimental analyzer that will lookup Node libraries in the NVD data feeds (see #1249)
+- Added an experimental analyzer that will lookup Node libraries in the NVD data feeds (see [#1249](https://github.com/dependency-check/DependencyCheck/pull/1249))
   - `NpmCPEAnalyzer`, experimental analyzers must be enabled, controlled via property `analyzer.npm.cpe.enabled` which will be exposed as a configuration option in the next release.
 
 See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/11?closed=1).
@@ -1350,11 +1350,11 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
 
 ### Fixed
 
-- In some cases when using the Maven or Gradle plugins the GAV coordinates were not being added as an Identifier causing suppression rules to fail; this has been resolved (#1298)
-- Documentation Update (SCM links in the maven site were broken) (#1297)
-- False positive reduction (#1290)
-- Enhanced logging output for TLS failures to better assist with debugging (#1269)
-- Resolved a Null Pointer Exception (#1296)
+- In some cases when using the Maven or Gradle plugins the GAV coordinates were not being added as an Identifier causing suppression rules to fail; this has been resolved ([#1298](https://github.com/dependency-check/DependencyCheck/pull/1298))
+- Documentation Update (SCM links in the maven site were broken) ([#1297](https://github.com/dependency-check/DependencyCheck/pull/1297))
+- False positive reduction ([#1290](https://github.com/dependency-check/DependencyCheck/pull/1290))
+- Enhanced logging output for TLS failures to better assist with debugging ([#1269](https://github.com/dependency-check/DependencyCheck/pull/1269))
+- Resolved a Null Pointer Exception ([#1296](https://github.com/dependency-check/DependencyCheck/pull/1296))
 
 ## [Version 3.2.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.2.0) (2018-05-21)
 
diff --git a/list-changes.sh b/list-changes.sh
index 47f1dc416b1..99eed75c718 100755
--- a/list-changes.sh
+++ b/list-changes.sh
@@ -1,3 +1,5 @@
 #!/bin/bash -e
 ##https://blogs.sap.com/2018/06/22/generating-release-notes-from-git-commit-messages-using-basic-shell-commands-gitgrep/
-git --no-pager log $(git describe --tags --abbrev=0)..HEAD --pretty=format:" - %s" | grep -v ' - Bump'
\ No newline at end of file
+git --no-pager log $(git describe --tags --abbrev=0)..HEAD --pretty=format:" - %s" \
+  | grep -v ' - Bump' \
+  | sed -E 's/#([0-9]+)/[#\1](https:\/\/github.com\/dependency-check\/DependencyCheck\/pull\/\1)/g'

From c44ba32cc763d2621c180f2673be6ba49a75d10a Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Tue, 23 Sep 2025 19:08:14 +0800
Subject: [PATCH 144/195] fix(fp): Fix false positives for Redis Server against
 NPM/JS client libs (#7942)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../main/resources/dependencycheck-base-suppression.xml    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index 9c805ab2b6e..855e35ff600 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -7056,6 +7056,13 @@
         <packageUrl regex="true">^pkg:nuget/.+\.Redis\..*$</packageUrl>
         <cpe>cpe:2.3:a:redis:redis</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        FP per issue #7740
+        ]]></notes>
+        <packageUrl regex="true">^pkg:npm/.*redis.*@.*$</packageUrl>
+        <cpe>cpe:2.3:a:redis:redis</cpe>
+    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #7664

From 34a1235b77163cf3e1c9ee374d2dd89bd2197c11 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Tue, 23 Sep 2025 19:12:17 +0800
Subject: [PATCH 145/195] docs: Fix legacy GitHub links within docs and
 CHANGELOG (#7944)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Co-authored-by: Jeremy Long <jeremy.long@gmail.com>
---
 CHANGELOG.md                                  | 164 +++++++++---------
 .../dependencycheck-base-suppression.xml      |   4 +-
 .../configuration-aggregate.md                |  44 ++---
 .../dependency-check-gradle/configuration.md  |  46 ++---
 src/site/resources/general/SampleReport.html  |   4 +-
 5 files changed, 131 insertions(+), 131 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index af661a61dca..1a8111c0209 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1055,55 +1055,55 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
 
 ### Changed
 
-- Added an experimental PE Analyzer that reads the PE headers of DLL and EXE files; see [#2448](https://github.com/jeremylong/DependencyCheck/pull/2448) and [#2446](https://github.com/jeremylong/DependencyCheck/pull/2446).
+- Added an experimental PE Analyzer that reads the PE headers of DLL and EXE files; see [#2448](https://github.com/dependency-check/DependencyCheck/pull/2448) and [#2446](https://github.com/dependency-check/DependencyCheck/pull/2446).
 - Lots of bug fixes and updates to false positives and false negatives
   - You may see a large one time performance hit when updating the database after updating to 5.3.1
 
-See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/12?closed=1).
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/12?closed=1).
 
-## [Version 5.3.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.3.0) (2020-01-15)
+## [Version 5.3.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.3.0) (2020-01-15)
 
 ### Changed
 
 - Updated the JSON report to include a new field for unscored vulnerabilities (see [#2392](https://github.com/dependency-check/DependencyCheck/pull/2392)).
 - Updated the XML report to include a new attribute to flag unscored vulnerabilities (see [#2392](https://github.com/dependency-check/DependencyCheck/pull/2392))
-  - see https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/schema/dependency-check.2.3.xsd
+  - see https://github.com/dependency-check//DependencyCheck/blob/main/core/src/main/resources/schema/dependency-check.2.3.xsd
 - Added an experimental analyzer that will lookup Node libraries in the NVD data feeds (see [#1249](https://github.com/dependency-check/DependencyCheck/pull/1249))
   - `NpmCPEAnalyzer`, experimental analyzers must be enabled, controlled via property `analyzer.npm.cpe.enabled` which will be exposed as a configuration option in the next release.
 
-See the full listing of [changes](https://github.com/jeremylong/DependencyCheck/milestone/11?closed=1).
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/11?closed=1).
 
-## [Version 5.2.4](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.2.4) (2019-11-12)
+## [Version 5.2.4](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.2.4) (2019-11-12)
 
 ### Changed
 
 - Reverted a in 5.2.3 that caused the dependency-check.sh script to fail on some systems (including the docker image).
 - Fixed issue with pretty printing the XML report.
 
-See the full listing of [resolved issues](https://github.com/jeremylong/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.4).
+See the full listing of [resolved issues](https://github.com/dependency-check/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.4).
 
-## [Version 5.2.3](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.2.3) (2019-11-11)
+## [Version 5.2.3](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.2.3) (2019-11-11)
 
 ### Changed
 
-- Updated to use the NVD JSON 1.1 schema (see [#2273](https://github.com/jeremylong/DependencyCheck/issues/2273)).
+- Updated to use the NVD JSON 1.1 schema (see [#2273](https://github.com/dependency-check/DependencyCheck/issues/2273)).
   - This update is 100% backward compatible with the 1.0 schema if you are mirroring the 1.0 JSON files.
 - Added `nonProxyHosts` to the CLI and gradle plugin.
 - False positive corrections.
 - General code cleanup/bug fix.
 
-See the full listing of [resolved issues](https://github.com/jeremylong/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.3) and [pull requests](https://github.com/jeremylong/DependencyCheck/pulls?utf8=%E2%9C%93&q=is%3Apr+milestone%3A5.2.3+is%3Aclosed+).
+See the full listing of [resolved issues](https://github.com/dependency-check/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.3) and [pull requests](https://github.com/dependency-check/DependencyCheck/pulls?utf8=%E2%9C%93&q=is%3Apr+milestone%3A5.2.3+is%3Aclosed+).
 
-## [Version 5.2.2](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.2.2) (2019-09-22)
+## [Version 5.2.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.2.2) (2019-09-22)
 
 ### Changed
 
 - False positive corrections
 - General code cleanup/bug fix
 
-See the full listing of [resolved issues](https://github.com/jeremylong/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.2).
+See the full listing of [resolved issues](https://github.com/dependency-check/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.2).
 
-## [Version 5.2.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.2.1) (2019-08-04)
+## [Version 5.2.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.2.1) (2019-08-04)
 
 ### Changed
 
@@ -1112,29 +1112,29 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
 - False positive corrections
 - General code cleanup/bug fix
 
-See the full listing of [resolved issues](https://github.com/jeremylong/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.1).
+See the full listing of [resolved issues](https://github.com/dependency-check/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.1).
 
-## [Version 5.2.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.2.0) (2019-07-21)
+## [Version 5.2.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.2.0) (2019-07-21)
 
 ### Changed
 
 - Resolved formatting issues within the CSV report
 - False positive corrections
 - Renamed three properties within the `dependencycheck.properties`; there is no impact unless you are using a properties file in your build to control the CLI.
-- Added support for rbenv for Bundle Audit Analysis (see https://github.com/jeremylong/DependencyCheck/issues/2060).
+- Added support for rbenv for Bundle Audit Analysis (see https://github.com/dependency-check/DependencyCheck/issues/2060).
 
-See the full listing of [resolved issues](https://github.com/jeremylong/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.0).
+See the full listing of [resolved issues](https://github.com/dependency-check/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue++is%3Aclosed+milestone%3A5.2.0).
 
-## [Version 5.1.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.1.1) (2019-07-15)
+## [Version 5.1.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.1.1) (2019-07-15)
 
 ### Changed
 
 - False positive corrections
 - General code cleanup
 
-See the full listing of [resolved issues](https://github.com/jeremylong/DependencyCheck/issues?q=is%3Aissue+milestone%3A5.1.1+is%3Aclosed).
+See the full listing of [resolved issues](https://github.com/dependency-check/DependencyCheck/issues?q=is%3Aissue+milestone%3A5.1.1+is%3Aclosed).
 
-## [Version 5.1.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.1.0) (2019-06-28)
+## [Version 5.1.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.1.0) (2019-06-28)
 
 ### Changed
 
@@ -1145,16 +1145,16 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
 - Added optional configuration to add credentials to the OSS Index analysis.
 - Resolved issues when Oracle or MySQL were used as a centralized database in 5.0.0.
 
-See the full listing of [resolved issues](https://github.com/jeremylong/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+milestone%3A5.1.0) and [pull requests](https://github.com/jeremylong/DependencyCheck/pulls?utf8=%E2%9C%93&q=is%3Apr+milestone%3A5.1.0).
+See the full listing of [resolved issues](https://github.com/dependency-check/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+milestone%3A5.1.0) and [pull requests](https://github.com/dependency-check/DependencyCheck/pulls?utf8=%E2%9C%93&q=is%3Apr+milestone%3A5.1.0).
 
-## [Version 5.0.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.0.0) (2019-06-09)
+## [Version 5.0.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.0.0) (2019-06-09)
 
 ### Changed
 
 - Add caching of OSS-Index, Central Analyzer, and Node Audit analysis results.
-- General bug fixes identified in the previous milestone releases; see [5.0.0 resolved issues](https://github.com/jeremylong/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+milestone%3A5.0.0+) and [pull requests](https://github.com/jeremylong/DependencyCheck/pulls?utf8=%E2%9C%93&q=is%3Apr+milestone%3A5.0.0).
+- General bug fixes identified in the previous milestone releases; see [5.0.0 resolved issues](https://github.com/dependency-check/DependencyCheck/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+milestone%3A5.0.0+) and [pull requests](https://github.com/dependency-check/DependencyCheck/pulls?utf8=%E2%9C%93&q=is%3Apr+milestone%3A5.0.0).
 
-## [Version 5.0.0-M3](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.0.0-M3) (2019-05-06)
+## [Version 5.0.0-M3](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.0.0-M3) (2019-05-06)
 
 ### Changed
 
@@ -1162,7 +1162,7 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
 
 ### Changed
 
-- Several bug fixes and minor enhancements have been made; see the related [issues](https://github.com/jeremylong/DependencyCheck/issues?utf8=%E2%9C%93&q=+milestone%3A5.0.0-M3+) and [pull requests](https://github.com/jeremylong/DependencyCheck/pulls?utf8=%E2%9C%93&q=+milestone%3A5.0.0-M3+).
+- Several bug fixes and minor enhancements have been made; see the related [issues](https://github.com/dependency-check/DependencyCheck/issues?utf8=%E2%9C%93&q=+milestone%3A5.0.0-M3+) and [pull requests](https://github.com/dependency-check/DependencyCheck/pulls?utf8=%E2%9C%93&q=+milestone%3A5.0.0-M3+).
 - Multiple report formats can be specified; if you wanted just two of the reports you no longer need to use ALL.
 - A new JUNIT formatted report has been added; this provides a different way to integrate with Jenkins builds; the following example creates a JUNIT report with failures for any CVE with a CVSS score greater than or equal to 7.0 the Jenkins pipeline script shows how to publish the report:
 
@@ -1205,14 +1205,14 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
   }
   ```
 
-## [Version 5.0.0-M2](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.0.0-M2) (2019-03-11)
+## [Version 5.0.0-M2](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.0.0-M2) (2019-03-11)
 
 ### Changed
 
 - **Breaking:** [dotnet core](https://dotnet.microsoft.com/download/dotnet-core/2.2) must be installed to analyze .NET assemblies.
 - **Breaking:** The retire.js analyzer is no longer considered experimental and is enabled by default.
 
-## [Version 5.0.0-M1](https://github.com/jeremylong/DependencyCheck/releases/tag/v5.0.0-M1) (2019-02-17)
+## [Version 5.0.0-M1](https://github.com/dependency-check/DependencyCheck/releases/tag/v5.0.0-M1) (2019-02-17)
 
 ### Changed
 
@@ -1229,7 +1229,7 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
   from one technology stack do not appear on a dependency built using a completely different stack (e.g.
   NodeJS vulnerabilities should not show up on a .NET DLL).
 
-## [Version 4.0.2](https://github.com/jeremylong/DependencyCheck/releases/tag/v4.0.2) (2019-01-01)
+## [Version 4.0.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v4.0.2) (2019-01-01)
 
 ### Added
 
@@ -1238,91 +1238,91 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
   To enable this feature set `<skipDependencyManagement>false</skipDependencyManagement>`.
 - If using a local Nexus server (v2 or v3 pro) it is now possible to provide authentication credentials.
   - Previous versions only worked with anonymous/unauthenticated access.
-  - See [issue #977](https://github.com/jeremylong/DependencyCheck/issues/977)
+  - See [issue #977](https://github.com/dependency-check/DependencyCheck/issues/977)
 
 ### Fixed
 
 - Updated fix for transitive dependencies with known vulnerabilities (guava and commons-collections)
   so that the upgrade occurs correctly in other integrations that utilize core; see
-  [issue #1562](https://github.com/jeremylong/DependencyCheck/issues/1561#issuecomment-450112110).
+  [issue #1562](https://github.com/dependency-check/DependencyCheck/issues/1561#issuecomment-450112110).
 - Resolved several false positives
 
-## [Version 4.0.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v4.0.1) (2018-12-17)
+## [Version 4.0.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v4.0.1) (2018-12-17)
 
 ### Fixed
 
-- Fixed issue with false positives due to Lucene upgrade. See [#1531](https://github.com/jeremylong/DependencyCheck/issues/1580).
+- Fixed issue with false positives due to Lucene upgrade. See [#1531](https://github.com/dependency-check/DependencyCheck/issues/1580).
 - Resolved several false positives.
 - Resolved typo in documentation.
 
-## [Version 4.0.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v4.0.0) (2018-11-21)
+## [Version 4.0.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v4.0.0) (2018-11-21)
 
 ### Changed
 
-- OWASP dependency-check no longer supports running in JRE/JDK 7; JRE/JDK 8 or higher is required run dependency-check. See [#1531](https://github.com/jeremylong/DependencyCheck/issues/1531).
+- OWASP dependency-check no longer supports running in JRE/JDK 7; JRE/JDK 8 or higher is required run dependency-check. See [#1531](https://github.com/dependency-check/DependencyCheck/issues/1531).
 
 ### Fixed
 
-- Upgraded dependencies to resolve published vulnerabilities (Guava and Lucene); See [#1561](https://github.com/jeremylong/DependencyCheck/issues/1561).
+- Upgraded dependencies to resolve published vulnerabilities (Guava and Lucene); See [#1561](https://github.com/dependency-check/DependencyCheck/issues/1561).
 
-## [Version 3.3.4](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.3.4) (2018-10-28)
+## [Version 3.3.4](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.3.4) (2018-10-28)
 
 ### Fixed
 
 - Resolved bug with parsing license information during analysis of Node.js modules.
 
-## [Version 3.3.3](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.3.3) (2018-10-27)
+## [Version 3.3.3](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.3.3) (2018-10-27)
 
 ### Changed
 
-- Migrated the NSP Analyzer to use the Node Audit APIs instead; see [#1366](https://github.com/jeremylong/DependencyCheck/issues/1366).
+- Migrated the NSP Analyzer to use the Node Audit APIs instead; see [#1366](https://github.com/dependency-check/DependencyCheck/issues/1366).
   - Note that the analyzer and configuration was changed to NodeAuditAnalyzer.
   - Configurations for the NSP analyzer have been deprecated and will control the NodeAuditAnalyzer if used; note that the NSP configuration options will be removed in a future release.
-- The [dependency-check-gradle](https://github.com/jeremylong/dependency-check-gradle) plugin was updated to include a default scan set
+- The [dependency-check-gradle](https://github.com/dependency-check/Dependency-check-gradle) plugin was updated to include a default scan set
   of ['src/main/resources','src/main/webapp'] and any dependencies contained in these directories will be analyzed. The purpose of this
   enhancement is to enable the RetireJS Analyzer to scan JavaScript files that may be included.
 
 ### Fixed
 
-- Resolved **false negative** on Bouncy Castle JAR files; see [#1500](https://github.com/jeremylong/DependencyCheck/issues/1500).
-- Resolved **false negatives** that may occur when using the Maven plugin if transitive dependencies of a library in use and is also declared as a primary dependency in a scope that is not used; see [#1512](https://github.com/jeremylong/DependencyCheck/issues/1512).
-- Resolved **false negatives** on libraries that contain an update version or timestamp tacked onto the end of the version number; see [#1537](https://github.com/jeremylong/DependencyCheck/issues/1537).
+- Resolved **false negative** on Bouncy Castle JAR files; see [#1500](https://github.com/dependency-check/DependencyCheck/issues/1500).
+- Resolved **false negatives** that may occur when using the Maven plugin if transitive dependencies of a library in use and is also declared as a primary dependency in a scope that is not used; see [#1512](https://github.com/dependency-check/DependencyCheck/issues/1512).
+- Resolved **false negatives** on libraries that contain an update version or timestamp tacked onto the end of the version number; see [#1537](https://github.com/dependency-check/DependencyCheck/issues/1537).
   - The resolution for these false negatives may generate some false positives, please continue to report false positives and the engine can continue to be tuned.
-- Fixed bug preventing multiple proxies from being defined for Maven; see [#831](https://github.com/jeremylong/DependencyCheck/issues/831).
-- Updated the suppress buttons in the HTML report to generate the XML using the latest suppression schema; see [#489](https://github.com/jeremylong/DependencyCheck/issues/1489).
-- Added the `--artifactoryUrl` argument to the CLI - this was missed when the Artifactory Analyzer was previously added; see [#1492](https://github.com/jeremylong/DependencyCheck/issues/1492).
-- Updated test cases so that they no longer fail behind a proxy; see [#1493](https://github.com/jeremylong/DependencyCheck/issues/1493).
-- Resolved several reported false positives; see [#1504](https://github.com/jeremylong/DependencyCheck/issues/1504), [#1513](https://github.com/jeremylong/DependencyCheck/issues/1513),
-  [#1515](https://github.com/jeremylong/DependencyCheck/issues/1515), [#1529](https://github.com/jeremylong/DependencyCheck/issues/1529), [#1535](https://github.com/jeremylong/DependencyCheck/issues/1535),
-  and [#1437](https://github.com/jeremylong/DependencyCheck/issues/1437).
-- Fixed copy/paste error in JavaDoc; see [#1509](https://github.com/jeremylong/DependencyCheck/issues/1509).
+- Fixed bug preventing multiple proxies from being defined for Maven; see [#831](https://github.com/dependency-check/DependencyCheck/issues/831).
+- Updated the suppress buttons in the HTML report to generate the XML using the latest suppression schema; see [#489](https://github.com/dependency-check/DependencyCheck/issues/1489).
+- Added the `--artifactoryUrl` argument to the CLI - this was missed when the Artifactory Analyzer was previously added; see [#1492](https://github.com/dependency-check/DependencyCheck/issues/1492).
+- Updated test cases so that they no longer fail behind a proxy; see [#1493](https://github.com/dependency-check/DependencyCheck/issues/1493).
+- Resolved several reported false positives; see [#1504](https://github.com/dependency-check/DependencyCheck/issues/1504), [#1513](https://github.com/dependency-check/DependencyCheck/issues/1513),
+  [#1515](https://github.com/dependency-check/DependencyCheck/issues/1515), [#1529](https://github.com/dependency-check/DependencyCheck/issues/1529), [#1535](https://github.com/dependency-check/DependencyCheck/issues/1535),
+  and [#1437](https://github.com/dependency-check/DependencyCheck/issues/1437).
+- Fixed copy/paste error in JavaDoc; see [#1509](https://github.com/dependency-check/DependencyCheck/issues/1509).
 
-## [Version 3.3.2](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.3.2) (2018-09-14)
+## [Version 3.3.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.3.2) (2018-09-14)
 
 ### Fixed
 
-- Gradle plugin was updated to include backward compatibility with gradle < v4.0; see [#95](https://github.com/jeremylong/dependency-check-gradle/issues/95).
-- Gradle plugin improved handling of Android project; see [#94](https://github.com/jeremylong/dependency-check-gradle/issues/94)
-- CLI used an incorrect key for RetireJS causing the analyzer to not be loaded in some cases; see [#1440](https://github.com/jeremylong/DependencyCheck/issues/1440).
-- Resolved failure in the `CentralAnalyzer` when the pom.xml is not available in Central; see [#1439](https://github.com/jeremylong/DependencyCheck/issues/1439).
-- Resolved exception when JAR files contain invalid pom.xml files outside of META-INF; see [#1438](https://github.com/jeremylong/DependencyCheck/issues/1438).
+- Gradle plugin was updated to include backward compatibility with gradle < v4.0; see [#95](https://github.com/dependency-check/Dependency-check-gradle/issues/95).
+- Gradle plugin improved handling of Android project; see [#94](https://github.com/dependency-check/Dependency-check-gradle/issues/94)
+- CLI used an incorrect key for RetireJS causing the analyzer to not be loaded in some cases; see [#1440](https://github.com/dependency-check/DependencyCheck/issues/1440).
+- Resolved failure in the `CentralAnalyzer` when the pom.xml is not available in Central; see [#1439](https://github.com/dependency-check/DependencyCheck/issues/1439).
+- Resolved exception when JAR files contain invalid pom.xml files outside of META-INF; see [#1438](https://github.com/dependency-check/DependencyCheck/issues/1438).
 - Resolved several reported false positives.
 
-## [Version 3.3.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.3.1) (2018-08-06)
+## [Version 3.3.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.3.1) (2018-08-06)
 
 ### Changed
 
-- An Nuget Packages.config Analyzer was added; see [#1412](https://github.com/jeremylong/DependencyCheck/issues/1412).
+- An Nuget Packages.config Analyzer was added; see [#1412](https://github.com/dependency-check/DependencyCheck/issues/1412).
 
 ### Fixed
 
-- Fixed error handling with regard to invalid manifest files contained within JAR files; see [#1024](https://github.com/jeremylong/DependencyCheck/issues/1024).
-- Fixed parsing of pom.xml files, in some cases a SAX Exception would be thrown; see [#1400](https://github.com/jeremylong/DependencyCheck/issues/1400).
-- Fixed bug that caused dependency-check to crash if the temporary directory and data directory were on different drives; see [#1394](https://github.com/jeremylong/DependencyCheck/issues/1394).
-- Fixed bug in dependency-check-maven where an aggregate analysis did not scan all files defined in the ScanSet; see [#1421](https://github.com/jeremylong/DependencyCheck/issues/1421).
-- Fixed NPE in dependency-check-gradle that occurred when artifacts where included using `implementation files("./lib/some.jar")`; see [#91](https://github.com/jeremylong/dependency-check-gradle/issues/91).
+- Fixed error handling with regard to invalid manifest files contained within JAR files; see [#1024](https://github.com/dependency-check/DependencyCheck/issues/1024).
+- Fixed parsing of pom.xml files, in some cases a SAX Exception would be thrown; see [#1400](https://github.com/dependency-check/DependencyCheck/issues/1400).
+- Fixed bug that caused dependency-check to crash if the temporary directory and data directory were on different drives; see [#1394](https://github.com/dependency-check/DependencyCheck/issues/1394).
+- Fixed bug in dependency-check-maven where an aggregate analysis did not scan all files defined in the ScanSet; see [#1421](https://github.com/dependency-check/DependencyCheck/issues/1421).
+- Fixed NPE in dependency-check-gradle that occurred when artifacts where included using `implementation files("./lib/some.jar")`; see [#91](https://github.com/dependency-check/Dependency-check-gradle/issues/91).
 
-## [Version 3.3.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.3.0) (2018-07-22)
+## [Version 3.3.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.3.0) (2018-07-22)
 
 ### Changed
 
@@ -1331,22 +1331,22 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
 - An experimental Retire JS analyzer has been added to analyze client side JavaScript.
   - This utilizes information from the RetireJS repo on github. If you have a proxy that prevents access you will either need to have access granted to https://raw.githubusercontent.com/Retirejs/retire.js/main/repository/jsrepository.json or host the file internally, update the environment variable `analyzer.retirejs.repo.js.ur`, and periodically update the file.
   - This analyzer is considered experimental, but the team expects this to be promoted quickly.
-- NuGet dependencies contained in MSBuild files are now included in the scan. See [Issue #1131](https://github.com/jeremylong/DependencyCheck/issues/1131) for more details.
-- Cocoapod's Podfile.lock is now analyzed when present. See [PR #1324](https://github.com/jeremylong/DependencyCheck/pull/1324) for more information.
+- NuGet dependencies contained in MSBuild files are now included in the scan. See [Issue #1131](https://github.com/dependency-check/DependencyCheck/issues/1131) for more details.
+- Cocoapod's Podfile.lock is now analyzed when present. See [PR #1324](https://github.com/dependency-check/DependencyCheck/pull/1324) for more information.
 
 ### Fixed
 
-- The dependency-check-gradle plugin can now analyze multi-project android builds. See [PR #09](https://github.com/jeremylong/dependency-check-gradle/pull/90) for more information.
-- In some cases extremely large project may cause dependency-check to fail due to the analysis time. Previously, the analysis was capped at 10 minutes; the timeout was increased to 20 minutes and made configurable if this continues to be an issue for some users. See [issue #936](https://github.com/jeremylong/DependencyCheck/issues/936) for more information.
+- The dependency-check-gradle plugin can now analyze multi-project android builds. See [PR #09](https://github.com/dependency-check/Dependency-check-gradle/pull/90) for more information.
+- In some cases extremely large project may cause dependency-check to fail due to the analysis time. Previously, the analysis was capped at 10 minutes; the timeout was increased to 20 minutes and made configurable if this continues to be an issue for some users. See [issue #936](https://github.com/dependency-check/DependencyCheck/issues/936) for more information.
 - Some pom.xml files could not be analyzed because they contained a doctype definition. The parser has been enhanced to strip the doctype definitions.
 - Fixed issue where, in some cases, temporary files were not correctly cleaned up in Jenkins and gradle builds.
-- Fixed issue where, in some cases, files were retrieved from Maven Central using HTTP instead of HTTPS. See [issue #1325](https://github.com/jeremylong/DependencyCheck/issues/1325) for more information.
+- Fixed issue where, in some cases, files were retrieved from Maven Central using HTTP instead of HTTPS. See [issue #1325](https://github.com/dependency-check/DependencyCheck/issues/1325) for more information.
   - Additionally, a retry count was added when attempting to download pom.xml files during analysis.
-- Fixed issue where nodejs dependencies were not correctly analyzed. See [issue #1355](https://github.com/jeremylong/DependencyCheck/issues/1355) for more information.
+- Fixed issue where nodejs dependencies were not correctly analyzed. See [issue #1355](https://github.com/dependency-check/DependencyCheck/issues/1355) for more information.
 - Fixed issue where the CWE was not written to the CSV report.
 - In addition, general bug fixes, code cleanup, and false positive/negatives updates were made.
 
-## [Version 3.2.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.2.1) (2018-05-28)
+## [Version 3.2.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.2.1) (2018-05-28)
 
 ### Fixed
 
@@ -1356,27 +1356,27 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
 - Enhanced logging output for TLS failures to better assist with debugging ([#1269](https://github.com/dependency-check/DependencyCheck/pull/1269))
 - Resolved a Null Pointer Exception ([#1296](https://github.com/dependency-check/DependencyCheck/pull/1296))
 
-## [Version 3.2.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.2.0) (2018-05-21)
+## [Version 3.2.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.2.0) (2018-05-21)
 
 ### Changed
 
 - Excess white space has been removed from the XML and HTML reports; the JSON report is still pretty printed (a future release will convert this to a configurable option)
 - Better error reporting
 - Changed to use commons-text instead of commons-lang3 as a portion of commons-lang3 was moved to commonts-text
-- Added more flexible suppression rules with the introduction of the `until` attribute (see [#1145](https://github.com/jeremylong/DependencyCheck/issues/1145) and [dependency-suppression.1.2.xsd](https://dependency-check.github.io/DependencyCheck/dependency-suppression.1.2.xsd)
+- Added more flexible suppression rules with the introduction of the `until` attribute (see [#1145](https://github.com/dependency-check/DependencyCheck/issues/1145) and [dependency-suppression.1.2.xsd](https://dependency-check.github.io/DependencyCheck/dependency-suppression.1.2.xsd)
 
 ### Fixed
 
 - Unsafe unzip operations ([zip slip](https://github.com/snyk/zip-slip-vulnerability)), as reported by the Snyk Security Research Team, have been corrected. CVE-2018-12036 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.
 - The dependency-check-maven plugin no longer uses the [Central Analyzer](https://dependency-check.github.io/DependencyCheck/analyzers/central-analyzer.html) by default
-- Updated dependency-check-maven so that it will not fail when your multi-module build has dependencies that have not yet been built in the reactor (See [#740](https://github.com/jeremylong/DependencyCheck/issues/740))
+- Updated dependency-check-maven so that it will not fail when your multi-module build has dependencies that have not yet been built in the reactor (See [#740](https://github.com/dependency-check/DependencyCheck/issues/740))
   - Note if the required dependency has not yet been built in the reactor and the dependency is available in a configured repository dependency-check-maven, as expected, would pull the dependency from the repository for analysis.
 - Minor documentation updates
 - False positive reduction
 - Fixed the Gradle Plugin and Ant Task so that the temp directory is properly cleaned up after execution
-- Removed TLSv1 from the list of protocols used by default (See [#1237](https://github.com/jeremylong/DependencyCheck/pull/1237))
+- Removed TLSv1 from the list of protocols used by default (See [#1237](https://github.com/dependency-check/DependencyCheck/pull/1237))
 
-## [Version 3.1.2](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.1.2) (2018-04-02)
+## [Version 3.1.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.1.2) (2018-04-02)
 
 ### Fixed
 
@@ -1386,11 +1386,11 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
   will include a reference to the project/module where they were found
 - The configuration option `versionCheckEnabled` was added to Maven to allow users to disable the check for
   new versions of dependency-check; this will be added to gradle plugin, Ant Task, and the CLI in a future release
-- The XML and JSON reports were fixed so that the correct version number is displayed see [issue #1109](https://github.com/jeremylong/DependencyCheck/issues/1109)
+- The XML and JSON reports were fixed so that the correct version number is displayed see [issue #1109](https://github.com/dependency-check/DependencyCheck/issues/1109)
 - The initial database creation time for H2 databases was improved
 - Changes made to decrease false positive and false negatives
 
-## [Version 3.1.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.1.1) (2018-01-29)
+## [Version 3.1.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.1.1) (2018-01-29)
 
 ### Fixed
 
@@ -1399,7 +1399,7 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
 - False positive reduction.
 - Minor documentation cleanup.
 
-## [Version 3.1.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.1.0) (2018-01-02)
+## [Version 3.1.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.1.0) (2018-01-02)
 
 ### Changed
 
@@ -1419,19 +1419,19 @@ See the full listing of [resolved issues](https://github.com/jeremylong/Dependen
   the query to break.
 - General cleanup, false positive, and false negative reduction.
 
-## [Version 3.0.2](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.2) (2017-11-13)
+## [Version 3.0.2](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.0.2) (2017-11-13)
 
 ### Fixed
 
 - Updated the query format for the CentralAnalyzer; the old format caused the CentralAnalyzer to fail
 
-## [Version 3.0.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.1) (2017-10-20)
+## [Version 3.0.1](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.0.1) (2017-10-20)
 
 ### Fixed
 
 - Fixed a database connection issue that affected some usages.
 
-## [Version 3.0.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.0) (2017-10-16)
+## [Version 3.0.0](https://github.com/dependency-check/DependencyCheck/releases/tag/v3.0.0) (2017-10-16)
 
 - Several bug fixes and false positive reduction
   - The 2.x branch introduced several new false positives – but also reduced the false negatives
diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index 855e35ff600..596b978dd13 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -1571,7 +1571,7 @@
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
-        False positives found while investigating https://github.com/jeremylong/dependency-check-gradle/issues/103
+        False positives found while investigating https://github.com/dependency-check/dependency-check-gradle/issues/103
         ]]></notes>
         <gav regex="true">^org\.jetbrains:annotations:.*$</gav>
         <cpe>cpe:/a:jetbrains:intellij_idea</cpe>
@@ -1991,7 +1991,7 @@
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
-        FP per issue https://github.com/jeremylong/dependency-check-gradle/issues/61
+        FP per issue https://github.com/dependency-check/dependency-check-gradle/issues/61
         ]]></notes>
         <gav regex="true">^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$</gav>
         <cpe>cpe:/a:mortbay_jetty:jetty</cpe>
diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
index 9a083fbda61..cc6335daac7 100644
--- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
+++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
@@ -25,28 +25,28 @@ apply plugin: 'org.owasp.dependencycheck'
 check.dependsOn dependencyCheckAggregate
 ```
 
-| Property           | Description                                                                                                                                                                                                                                                                                                                               | Default Value                                                                                                                          |
-|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
-| autoUpdate         | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                        | true                                                                                                                                   |
-| analyzedTypes      | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                         | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                                                                                              |
-| format             | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                             | HTML                                                                                                                                   |
-| formats            | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                      | &nbsp;                                                                                                                                 |
-| junitFailOnCVSS    | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                          | 0                                                                                                                                      |
-| failBuildOnCVSS    | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail.  More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                    | 11                                                                                                                                     |
-| failOnError        | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                  | true                                                                                                                                   |
-| outputDirectory    | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                               | ${buildDir}/reports                                                                                                                    |
-| skipTestGroups     | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                              | true                                                                                                                                   |
-| suppressionFile    | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                                                                                                 |
-| suppressionFiles   | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                                                                                                 |
-| hintsFile          | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                           | &nbsp;                                                                                                                                 |
-| skip               | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                 | false                                                                                                                                  |
-| skipConfigurations | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                           | `[]` which means no configuration is skipped.                                                                                          |
-| scanConfigurations | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                     | `[]` which implicitly means all configurations are scanned.                                                                            |
-| scanProjects       | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                             | `[]` which implicitly means all projects get scanned.                                                                                  |
-| skipProjects       | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                           | `[]` which means no projects are skipped.                                                                                              |
-| scanBuildEnv       | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                      | false                                                                                                                                  |
-| scanDependencies   | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                  | true                                                                                                                                   |
-| scanSet            | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                   | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] |
+| Property           | Description                                                                                                                                                                                                                                                                                                                                     | Default Value                                                                                                                          |
+|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
+| autoUpdate         | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                              | true                                                                                                                                   |
+| analyzedTypes      | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                               | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                                                                                              |
+| format             | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                                   | HTML                                                                                                                                   |
+| formats            | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                            | &nbsp;                                                                                                                                 |
+| junitFailOnCVSS    | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                                | 0                                                                                                                                      |
+| failBuildOnCVSS    | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail.  More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                          | 11                                                                                                                                     |
+| failOnError        | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                        | true                                                                                                                                   |
+| outputDirectory    | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                                     | ${buildDir}/reports                                                                                                                    |
+| skipTestGroups     | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                                    | true                                                                                                                                   |
+| suppressionFile    | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                                                                                                 |
+| suppressionFiles   | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                                                                                                 |
+| hintsFile          | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                                 | &nbsp;                                                                                                                                 |
+| skip               | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                       | false                                                                                                                                  |
+| skipConfigurations | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                                 | `[]` which means no configuration is skipped.                                                                                          |
+| scanConfigurations | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                           | `[]` which implicitly means all configurations are scanned.                                                                            |
+| scanProjects       | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                                   | `[]` which implicitly means all projects get scanned.                                                                                  |
+| skipProjects       | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                                 | `[]` which means no projects are skipped.                                                                                              |
+| scanBuildEnv       | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                            | false                                                                                                                                  |
+| scanDependencies   | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                        | true                                                                                                                                   |
+| scanSet            | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                         | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] |
 
 #### Example
 ```groovy
diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md
index ac1c5fae285..cb2e3d327b5 100644
--- a/src/site/markdown/dependency-check-gradle/configuration.md
+++ b/src/site/markdown/dependency-check-gradle/configuration.md
@@ -25,29 +25,29 @@ apply plugin: 'org.owasp.dependencycheck'
 check.dependsOn dependencyCheckAnalyze
 ```
 
-| Property                         | Description                                                                                                                                                                                                                                                                                                                               | Default Value                                               |
-|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|
-| autoUpdate                       | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                        | true                                                        |
-| analyzedTypes                    | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                         | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                   |
-| format                           | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                             | HTML                                                        |
-| formats                          | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                      | &nbsp;                                                      |
-| junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                          | 0                                                           |
-| failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                     | 11                                                          |
-| failOnError                      | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                  | true                                                        |
-| outputDirectory                  | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                               | ${buildDir}/reports                                         |
-| skipTestGroups                   | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                              | true                                                        |
-| suppressionFile                  | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                      |
-| suppressionFiles                 | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                      |
-| failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. This is best combined with a Gradle CLI `--warn` arg or `org.gradle.logging.level=warn` property so the unused rules are logged before task failure.                                                                                                         | false                                                       |
-| hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                           | &nbsp;                                                      |
-| skip                             | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                 | false                                                       |
-| skipConfigurations               | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                           | `[]` which means no configuration is skipped.               |
-| scanConfigurations               | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                     | `[]` which implicitly means all configurations get scanned. |
-| scanProjects                     | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                             | `[]` which implicitly means all projects get scanned.       |
-| skipProjects                     | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                           | `[]` which means no projects are skipped.                   |
-| scanBuildEnv                     | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                      | false                                                       |
-| scanDependencies                 | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                  | true                                                        |
-| scanSet                          | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                   | ['src/main/resources','src/main/webapp']                    |
+| Property                         | Description                                                                                                                                                                                                                                                                                                                                     | Default Value                                               |
+|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|
+| autoUpdate                       | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                              | true                                                        |
+| analyzedTypes                    | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                               | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                   |
+| format                           | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                                   | HTML                                                        |
+| formats                          | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                            | &nbsp;                                                      |
+| junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                                | 0                                                           |
+| failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                           | 11                                                          |
+| failOnError                      | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                        | true                                                        |
+| outputDirectory                  | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                                     | ${buildDir}/reports                                         |
+| skipTestGroups                   | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                                    | true                                                        |
+| suppressionFile                  | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                      |
+| suppressionFiles                 | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                      |
+| failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. This is best combined with a Gradle CLI `--warn` arg or `org.gradle.logging.level=warn` property so the unused rules are logged before task failure.                                                                                                               | false                                                       |
+| hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                                 | &nbsp;                                                      |
+| skip                             | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                       | false                                                       |
+| skipConfigurations               | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                                 | `[]` which means no configuration is skipped.               |
+| scanConfigurations               | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                           | `[]` which implicitly means all configurations get scanned. |
+| scanProjects                     | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                                   | `[]` which implicitly means all projects get scanned.       |
+| skipProjects                     | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                                 | `[]` which means no projects are skipped.                   |
+| scanBuildEnv                     | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                            | false                                                       |
+| scanDependencies                 | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                        | true                                                        |
+| scanSet                          | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                         | ['src/main/resources','src/main/webapp']                    |
 
 #### Example
 ```groovy
diff --git a/src/site/resources/general/SampleReport.html b/src/site/resources/general/SampleReport.html
index 746241b7cbe..61f6a77bb7a 100644
--- a/src/site/resources/general/SampleReport.html
+++ b/src/site/resources/general/SampleReport.html
@@ -562,7 +562,7 @@
 <h3><a href="https://dependency-check.github.io/DependencyCheck/general/thereport.html" target="_bank">How&nbsp;to&nbsp;read&nbsp;the&nbsp;report</a> |
 <a href="https://dependency-check.github.io/DependencyCheck/general/suppression.html" target="_bank">Suppressing false positives</a> |
 Getting Help: <a href="https://groups.google.com/forum/#!forum/dependency-check" target="_blank">google group</a> | 
-<a href="https://github.com/jeremylong/DependencyCheck/issues" target="_blank">github issues</a></h3>
+<a href="https://github.com/dependency-check/DependencyCheck/issues" target="_blank">github issues</a></h3>
 
             <h2 class="">Project:&nbsp;DependencyCheck</h2>
             <div class="">
@@ -8876,7 +8876,7 @@ <h4 id="header188" class="subsectionheader expandable expandablesubsection white
                                                                     <tr><td>file</td><td>name</td><td>dependency-check-utils</td></tr>
                                                                     <tr><td>file</td><td>version</td><td>1.4.4</td></tr>
                                                                     <tr><td>Manifest</td><td>Implementation-Title</td><td>Dependency-Check Utils</td></tr>
-                                                                    <tr><td>Manifest</td><td>implementation-url</td><td>https://github.com/jeremylong/DependencyCheck.git/dependency-check-utils</td></tr>
+                                                                    <tr><td>Manifest</td><td>implementation-url</td><td>https://github.com/dependency-check/DependencyCheck/tree/main/utils</td></tr>
                                                                     <tr><td>Manifest</td><td>Implementation-Vendor</td><td>OWASP</td></tr>
                                                                     <tr><td>Manifest</td><td>Implementation-Vendor-Id</td><td>org.owasp</td></tr>
                                                                     <tr><td>Manifest</td><td>Implementation-Version</td><td>1.4.4-SNAPSHOT</td></tr>

From 93422d23795d090974c52d705d370358a3444e50 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Tue, 23 Sep 2025 19:17:05 +0800
Subject: [PATCH 146/195] chore: Allow passing ossIndex credentials during
 false positive ops workflow (#7943)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .github/workflows/false-positive-ops.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/false-positive-ops.yml b/.github/workflows/false-positive-ops.yml
index b6de8b176b6..81b0bb9f6db 100644
--- a/.github/workflows/false-positive-ops.yml
+++ b/.github/workflows/false-positive-ops.yml
@@ -140,6 +140,8 @@ jobs:
           args: >
             --failOnCVSS 11
             --enableExperimental
+            --ossIndexUsername ${{ secrets.OSS_INDEX_USERNAME }}
+            --ossIndexPassword ${{ secrets.OSS_INDEX_API_TOKEN }}
       - name: Upload FP Report
         if: steps.check_files.outputs.files_exists == 'true'
         uses: actions/upload-artifact@v4

From 22ecc0b59fcaa81d16d2e278cf751f0ec5aca66a Mon Sep 17 00:00:00 2001
From: Gustavo De Micheli <gustavo.demicheli@gmail.com>
Date: Wed, 24 Sep 2025 13:20:15 +0200
Subject: [PATCH 147/195] fix: Disable OSS Index if its credentials are missing
 (#7963)

Co-authored-by: Gustavo De Micheli <gustavo.de.micheli@lunatech.com>
Co-authored-by: Jeremy Long <jeremy.long@gmail.com>
---
 .../analyzer/OssIndexAnalyzer.java            |  3 ++-
 .../analyzer/OssIndexAnalyzerTest.java        | 22 ++++++++++---------
 .../markdown/analyzers/oss-index-analyzer.md  |  4 +++-
 3 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
index 7b259ad661f..e04066201f9 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
@@ -134,7 +134,8 @@ protected void prepareAnalyzer(Engine engine) throws InitializationException {
       synchronized (FETCH_MUTIX) {
         if (StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_USER, StringUtils.EMPTY)) ||
             StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_PASSWORD, StringUtils.EMPTY))) {
-          throw new InitializationException("Error initializing OSS Index analyzer due to missing user/password credentials. Authentication is now required: https://ossindex.sonatype.org/doc/auth-required");
+          LOG.warn("Disabling OSS Index analyzer due to missing user/password credentials. Authentication is now required: https://ossindex.sonatype.org/doc/auth-required");
+          setEnabled(false);
         }
       }
     }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
index 8b8c34492ad..4f4ad4c8f0f 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
@@ -8,7 +8,6 @@
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.naming.Identifier;
 import org.owasp.dependencycheck.dependency.naming.PurlIdentifier;
-import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.Settings.KEYS;
 
@@ -30,7 +29,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 class OssIndexAnalyzerTest extends BaseTest {
@@ -252,18 +251,21 @@ void should_analyzeDependency_fail_when_socket_error_from_sonatype() throws Exce
     }
 
     @Test
-    void should_prepareAnalyzer_fail_when_credentials_not_set() throws Exception {
+    void should_prepareAnalyzer_disable_when_credentials_not_set() throws Exception {
+        // Given
         OssIndexAnalyzer analyzer = new OssIndexAnalyzer();
         Settings settings = getSettings();
         Engine engine = new Engine(settings);
         analyzer.initialize(settings);
-        try {
-            analyzer.prepareAnalyzer(engine);
-            assertThrows(InitializationException.class, () -> analyzer.prepareAnalyzer(engine));
-        } catch (InitializationException e) {
-          analyzer.close();
-          engine.close();
-        }
+
+        // When
+        analyzer.prepareAnalyzer(engine);
+
+        // Then
+        boolean enabled = analyzer.isEnabled();
+        analyzer.close();
+        engine.close();
+        assertFalse(enabled);
     }
 
     private static void setCredentials(final Settings settings) {
diff --git a/src/site/markdown/analyzers/oss-index-analyzer.md b/src/site/markdown/analyzers/oss-index-analyzer.md
index 65636da4f67..1cd259e1f3d 100644
--- a/src/site/markdown/analyzers/oss-index-analyzer.md
+++ b/src/site/markdown/analyzers/oss-index-analyzer.md
@@ -13,4 +13,6 @@ Sonatype [announced](https://ossindex.sonatype.org/doc/auth-required) that OSS I
 
 You can get an API Token following these steps:
 1. [Sign In](https://ossindex.sonatype.org/user/signin) or [Sign Up](https://ossindex.sonatype.org/user/register) for free.
-2. Get the API Token from user Settings.
\ No newline at end of file
+2. Get the API Token from user Settings.
+
+If no credentials are provided, this analyzer will be disabled.

From 93b0d1bd031ef9dfed623575ac0407910258e98e Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 24 Sep 2025 07:35:35 -0400
Subject: [PATCH 148/195] build(deps): bump netty-codec-http from 5.2.4-final
 to 5.2.5-final (#7965)

---
 utils/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/pom.xml b/utils/pom.xml
index 13addee990b..03bf54f0fff 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -95,7 +95,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-codec-http</artifactId>
-            <version>4.2.4.Final</version>
+            <version>4.2.5.Final</version>
             <scope>test</scope>
         </dependency>
         <dependency>

From c7e992c9926eb10314d113525a4e5c29e11d0993 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 24 Sep 2025 07:38:16 -0400
Subject: [PATCH 149/195] docs: release 12.1.6

---
 CHANGELOG.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1a8111c0209..415065520e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Change Log
 
+## [Version 12.1.6](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.6) (2025-09-24)
+
+- fix: Disable OSS Index if its credentials are missing ([#7963](https://github.com/dependency-check/DependencyCheck/pull/7963))
+- fix: Correct CVSSv4 parsing for low precision OSSIndex values ([#7935](https://github.com/dependency-check/DependencyCheck/pull/7935))
+- fix(fp): Fix false positives for Redis Server against NPM/JS client libs ([#7942](https://github.com/dependency-check/DependencyCheck/pull/7942))
+- docs: Fix legacy GitHub links within docs and CHANGELOG ([#7944](https://github.com/dependency-check/DependencyCheck/pull/7944))
+- chore: fix version typo in security policy ([#7936](https://github.com/dependency-check/DependencyCheck/pull/7936))
+
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/99?closed=1)
+
 ## [Version 12.1.5](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.5) (2025-09-20)
 
 - **fix**: Update to support OSS Index Authentication Requirements ([#7920](https://github.com/dependency-check/DependencyCheck/pull/7920))

From 0a9592c6bff2c756c7e8f368cd5f3d9bab4e2f7b Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 24 Sep 2025 07:40:53 -0400
Subject: [PATCH 150/195] build: prepare release v12.1.6

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index dcc40a2a0d9..66f6bd3e8ff 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6-SNAPSHOT</version>
+        <version>12.1.6</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.6</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 1defbfc441a..0a73ba01ba1 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6-SNAPSHOT</version>
+        <version>12.1.6</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-20T12:42:40Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-24T11:38:37Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>HEAD</tag>
+      <tag>v12.1.6</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index d551dda9cc8..1ee8e403bfa 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6-SNAPSHOT</version>
+        <version>12.1.6</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.6</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 7fb940d87bc..3acf3d3cfda 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6-SNAPSHOT</version>
+        <version>12.1.6</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.6</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index b40a3f97ebd..c2ecefabd46 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6-SNAPSHOT</version>
+        <version>12.1.6</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.6</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index a75bca9125b..4209559e04a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.6-SNAPSHOT</version>
+    <version>12.1.6</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.6</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-20T12:42:40Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-24T11:38:37Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 03bf54f0fff..5ec414d94dc 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6-SNAPSHOT</version>
+        <version>12.1.6</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.6</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From e96e843c40e0d3aebfc9332e888cdfbc6efb9f0b Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Wed, 24 Sep 2025 07:40:53 -0400
Subject: [PATCH 151/195] build: prepare for next development iteration

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index 66f6bd3e8ff..2cdaf7a7ee9 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6</version>
+        <version>12.1.7-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.6</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 0a73ba01ba1..328543a5d19 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6</version>
+        <version>12.1.7-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-24T11:38:37Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-24T11:40:53Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>v12.1.6</tag>
+      <tag>HEAD</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index 1ee8e403bfa..9d1975900b9 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6</version>
+        <version>12.1.7-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.6</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 3acf3d3cfda..98b60b5b306 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6</version>
+        <version>12.1.7-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.6</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index c2ecefabd46..e5aef3fdc48 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6</version>
+        <version>12.1.7-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.6</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index 4209559e04a..8ee8a6571ac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.6</version>
+    <version>12.1.7-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.6</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-24T11:38:37Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-09-24T11:40:53Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 5ec414d94dc..cfd5a3176cb 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.6</version>
+        <version>12.1.7-SNAPSHOT</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.6</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 966aca16675bb8107eabaa7b2961b86aa787f72c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 25 Sep 2025 01:01:09 +0000
Subject: [PATCH 152/195] build(deps): bump
 org.apache.maven.plugins:maven-failsafe-plugin

Bumps [org.apache.maven.plugins:maven-failsafe-plugin](https://github.com/apache/maven-surefire) from 3.5.3 to 3.5.4.
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.5.3...surefire-3.5.4)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-failsafe-plugin
  dependency-version: 3.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 11d2be36a73..6b255ccf326 100644
--- a/pom.xml
+++ b/pom.xml
@@ -240,7 +240,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-failsafe-plugin</artifactId>
-                    <version>3.5.3</version>
+                    <version>3.5.4</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>

From 1e3a83bbdf3bbf0c69c66e3ef3fdd6cfb3330b1b Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Sat, 27 Sep 2025 01:24:10 +0800
Subject: [PATCH 153/195] fix(fp): Fix broad Python regex to suppress packages
 ending in `-python` (#7980)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 core/src/main/resources/dependencycheck-base-suppression.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index 596b978dd13..99e88dc0aae 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -3880,10 +3880,10 @@
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
-        several python-* PyPI packages hit a FP CPE match #3233 & #3017 & #5335
+        several python-* PyPI packages hit a FP CPE match #3233 & #3017 & #5335 & #7968
         as Python itself is not a PyPI package suppress it with a broad regex
         ]]></notes>
-        <packageUrl regex="true">^pkg:pypi/.*python\-.*$</packageUrl>
+        <packageUrl regex="true">^pkg:pypi/.*python.*$</packageUrl>
         <cpe>cpe:/a:python:python</cpe>
         <cpe>cpe:/a:python_software_foundation:python</cpe>
     </suppress>

From a98db2515f778cb6ab9ee56f2c64fcf0d0d0b39c Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Sat, 27 Sep 2025 01:25:07 +0800
Subject: [PATCH 154/195] fix: Clean up Apache Lucene logging via SLF4j
 redirect (#7979)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 cli/src/main/resources/logback.xml                         | 1 +
 core/pom.xml                                               | 5 +++++
 .../dependencycheck/data/cpe/AbstractMemoryIndex.java      | 7 +++++++
 pom.xml                                                    | 2 +-
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/cli/src/main/resources/logback.xml b/cli/src/main/resources/logback.xml
index fef9b5c1b47..da49803591a 100644
--- a/cli/src/main/resources/logback.xml
+++ b/cli/src/main/resources/logback.xml
@@ -10,6 +10,7 @@
         </encoder>
     </appender>
 
+    <logger name="org.apache.lucene" level="ERROR" />
     <logger name="org.apache.commons.jcs" level="ERROR" />
     <logger name="org.apache.hc" level="ERROR" />
 
diff --git a/core/pom.xml b/core/pom.xml
index 98b60b5b306..fa9479890a2 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -279,6 +279,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-queryparser</artifactId>
         </dependency>
+        <!-- Allow redirection of lucene logs to slf4j -->
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>jul-to-slf4j</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.apache.velocity</groupId>
             <artifactId>velocity-engine-core</artifactId>
diff --git a/core/src/main/java/org/owasp/dependencycheck/data/cpe/AbstractMemoryIndex.java b/core/src/main/java/org/owasp/dependencycheck/data/cpe/AbstractMemoryIndex.java
index d3613a73c8c..5f1b35c5fff 100644
--- a/core/src/main/java/org/owasp/dependencycheck/data/cpe/AbstractMemoryIndex.java
+++ b/core/src/main/java/org/owasp/dependencycheck/data/cpe/AbstractMemoryIndex.java
@@ -50,6 +50,7 @@
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.slf4j.bridge.SLF4JBridgeHandler;
 
 /**
  * <p>
@@ -67,6 +68,12 @@
 @ThreadSafe
 public abstract class AbstractMemoryIndex implements MemoryIndex {
 
+    static {
+        // Ensure Lucene uses SLF4J for logging
+        SLF4JBridgeHandler.removeHandlersForRootLogger();
+        SLF4JBridgeHandler.install();
+    }
+
     /**
      * The logger.
      */
diff --git a/pom.xml b/pom.xml
index 3a1eb83078f..282b46893d2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1255,7 +1255,7 @@ Copyright (c) 2012 - Jeremy Long
             </dependency>
             <dependency>
                 <groupId>org.slf4j</groupId>
-                <artifactId>slf4j-simple</artifactId>
+                <artifactId>jul-to-slf4j</artifactId>
                 <version>${slf4j.version}</version>
             </dependency>
             <dependency>

From eaa76f9cc425cfb099b327e568cf396ff6e2b5f4 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 27 Sep 2025 15:59:04 -0400
Subject: [PATCH 155/195] fix: improve OSS Index Error Reporting (#7977)

Co-authored-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../analyzer/OssIndexAnalyzer.java            | 49 ++++++++++---------
 .../analyzer/OssIndexAnalyzerTest.java        | 33 +++++++++++++
 pom.xml                                       |  1 +
 3 files changed, 61 insertions(+), 22 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
index e04066201f9..cae89d79467 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
@@ -148,40 +148,45 @@ protected void analyzeDependency(final Dependency dependency, final Engine engin
                 try {
                     requestDelay();
                     reports = requestReports(engine.getDependencies());
-                } catch (TransportException ex) {
+                } catch (SocketTimeoutException e) {
+                    final boolean warnOnly = getSettings().getBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
+                    this.setEnabled(false);
+                    if (warnOnly) {
+                        LOG.warn("OSS Index socket timeout, disabling the analyzer", e);
+                    } else {
+                        LOG.debug("OSS Index socket timeout", e);
+                        throw new AnalysisException("Failed to establish socket to OSS Index", e);
+                    }
+                } catch (Exception ex) {
                     final String message = ex.getMessage();
                     final boolean warnOnly = getSettings().getBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
                     this.setEnabled(false);
-                    if (StringUtils.endsWith(message, "401")) {
-                        LOG.error("Invalid credentials for the OSS Index, disabling the analyzer");
-                        throw new AnalysisException("Invalid credentials provided for OSS Index", ex);
-                    } else if (StringUtils.endsWith(message, "403")) {
-                        LOG.error("OSS Index access forbidden, disabling the analyzer");
-                        throw new AnalysisException("OSS Index access forbidden", ex);
-                    } else if (StringUtils.endsWith(message, "429")) {
+                    if (StringUtils.contains(message, "401")) {
+                        if (warnOnly) {
+                            LOG.warn("Invalid credentials for the OSS Index, disabling the analyzer");
+                        } else {
+                            LOG.error("Invalid credentials for the OSS Index, disabling the analyzer");
+                            throw new AnalysisException("Invalid credentials provided for OSS Index", ex);
+                        }
+                    } else if (StringUtils.contains(message, "403")) {
+                        if (warnOnly) {
+                            LOG.warn("OSS Index access forbidden, disabling the analyzer");
+                        } else {
+                            LOG.error("OSS Index access forbidden, disabling the analyzer");
+                            throw new AnalysisException("OSS Index access forbidden", ex);
+                        }
+                    } else if (StringUtils.contains(message, "429")) {
                         if (warnOnly) {
                             LOG.warn("OSS Index rate limit exceeded, disabling the analyzer", ex);
                         } else {
                             throw new AnalysisException("OSS Index rate limit exceeded, disabling the analyzer", ex);
                         }
                     } else if (warnOnly) {
-                        LOG.warn("Error requesting component reports, disabling the analyzer", ex);
+                        LOG.warn("Error requesting component reports, disabling the analyzer. " + ex.getMessage(), ex);
                     } else {
                         LOG.debug("Error requesting component reports, disabling the analyzer", ex);
-                        throw new AnalysisException("Failed to request component-reports", ex);
-                    }
-                } catch (SocketTimeoutException e) {
-                    final boolean warnOnly = getSettings().getBoolean(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, false);
-                    this.setEnabled(false);
-                    if (warnOnly) {
-                        LOG.warn("OSS Index socket timeout, disabling the analyzer", e);
-                    } else {
-                        LOG.debug("OSS Index socket timeout", e);
-                        throw new AnalysisException("Failed to establish socket to OSS Index", e);
+                        throw new AnalysisException("Failed to request component-reports. " + ex.getMessage(), ex);
                     }
-                } catch (Exception e) {
-                    LOG.debug("Error requesting component reports", e);
-                    throw new AnalysisException("Failed to request component-reports", e);
                 }
             }
 
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
index 4f4ad4c8f0f..288e64b0269 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
@@ -129,6 +129,39 @@ public void close() {
         }
     }
 
+    @Test
+    void should_analyzeDependency_return_a_dedicated_error_message_when_401_response_from_sonatype() throws Exception {
+        // Given
+        OssIndexAnalyzer analyzer = new OssIndexAnalyzer();
+        Settings settings = getSettings();
+        setCredentials(settings);
+        settings.setBoolean(KEYS.ANALYZER_OSSINDEX_USE_CACHE, false);
+        try (Engine engine = new Engine(settings)) {
+
+            analyzer.initialize(settings);
+            analyzer.prepareAnalyzer(engine);
+
+            Identifier identifier = new PurlIdentifier("maven", "test", "test", "1.0",
+                    Confidence.HIGHEST);
+
+            Dependency dependency = new Dependency();
+            dependency.addSoftwareIdentifier(identifier);
+            engine.setDependencies(Collections.singletonList(dependency));
+
+            // When
+            AnalysisException output = new AnalysisException();
+            try {
+                analyzer.analyzeDependency(dependency, engine);
+            } catch (AnalysisException e) {
+                output = e;
+            }
+
+            // Then
+            assertEquals("Invalid credentials provided for OSS Index", output.getMessage());
+            analyzer.close();
+        }
+    }
+
     @Test
     void should_analyzeDependency_return_a_dedicated_error_message_when_403_response_from_sonatype() throws Exception {
         // Given
diff --git a/pom.xml b/pom.xml
index 282b46893d2..162cc90f96a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -625,6 +625,7 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
                     <argLine>@{surefireArgLine} -Dfile.encoding=UTF-8</argLine>
+                    <failIfNoTests>false</failIfNoTests>
                     <systemPropertyVariables>
                         <data.directory>${project.build.directory}/data</data.directory>
                         <temp.directory>${project.build.directory}/temp</temp.directory>

From 3bff5af9c1205ba7e4994cba8aa088e7ea3ee9e6 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Sun, 28 Sep 2025 04:00:59 +0800
Subject: [PATCH 156/195] fix: Update NVD CPE search URLs to match new search
 interface (#7970)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../dependencycheck/analyzer/CPEAnalyzer.java | 41 +++------------
 .../dependency/VulnerableSoftware.java        |  5 ++
 .../dependency/naming/CpeIdentifier.java      | 40 +++++++++++++++
 .../main/resources/templates/htmlReport.vsl   | 14 +++---
 .../resources/templates/jenkinsReport.vsl     |  7 ++-
 .../dependency/VulnerableSoftwareTest.java    | 15 +++++-
 .../dependency/naming/CpeIdentifierTest.java  | 50 +++++++++++++++++++
 7 files changed, 125 insertions(+), 47 deletions(-)
 create mode 100644 core/src/test/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifierTest.java

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
index 40061f6d840..d2fe65a1460 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -20,8 +20,6 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -111,24 +109,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
      * alpha characters.
      */
     private static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
-    /**
-     * UTF-8 character set name.
-     */
-    private static final String UTF8 = StandardCharsets.UTF_8.name();
-    /**
-     * The URL to search the NVD CVE data at NIST. This is used by calling:
-     * <pre>String.format(NVD_SEARCH_URL, vendor, product, version);</pre>
-     */
-    public static final String NVD_SEARCH_URL = "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&"
-            + "results_type=overview&search_type=all&cpe_vendor=cpe%%3A%%2F%%3A%1$s&cpe_product=cpe%%3A%%2F%%3A%1$s%%3A%2$s&"
-            + "cpe_version=cpe%%3A%%2F%%3A%1$s%%3A%2$s%%3A%3$s";
 
-    /**
-     * The URL to search the NVD CVE data at NIST. This is used by calling:
-     * <pre>String.format(NVD_SEARCH_URL, vendor, product);</pre>
-     */
-    public static final String NVD_SEARCH_BROAD_URL = "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&"
-            + "results_type=overview&search_type=all&cpe_vendor=cpe%%3A%%2F%%3A%1$s&cpe_product=cpe%%3A%%2F%%3A%1$s%%3A%2$s";
     /**
      * The CPE in memory index.
      */
@@ -806,12 +787,11 @@ protected void analyzeDependency(Dependency dependency, Engine engine) throws An
      * analysis
      * @return <code>true</code> if an identifier was added to the dependency;
      * otherwise <code>false</code>
-     * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
      * @throws AnalysisException thrown if the suppression rules failed
      */
     @SuppressWarnings("StringSplitter")
     protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
-            Confidence currentConfidence) throws UnsupportedEncodingException, AnalysisException {
+            Confidence currentConfidence) throws AnalysisException {
 
         final CpeBuilder cpeBuilder = new CpeBuilder();
 
@@ -864,8 +844,7 @@ protected boolean determineIdentifiers(Dependency dependency, String vendor, Str
                         dbVerUpdate = DependencyVersionUtil.parseVersion(vs.getVersion() + '.' + vs.getUpdate(), true);
                     }
                     if (dbVer == null) { //special case, no version specified - everything is vulnerable
-                        final String url = String.format(NVD_SEARCH_BROAD_URL, URLEncoder.encode(vs.getVendor(), UTF8),
-                                URLEncoder.encode(vs.getProduct(), UTF8));
+                        final String url = CpeIdentifier.nvdProductSearchUrlFor(vs);
                         final IdentifierMatch match = new IdentifierMatch(vs, url, IdentifierConfidence.BROAD_MATCH, conf);
                         collected.add(match);
                     } else if (evVer.equals(dbVer)) {
@@ -875,8 +854,7 @@ protected boolean determineIdentifiers(Dependency dependency, String vendor, Str
                         bestGuessConf = conf;
                         bestGuess = dbVer;
                         bestGuessUpdate = evBaseVerUpdate;
-                        bestGuessURL = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getVendor(), UTF8),
-                                URLEncoder.encode(vs.getProduct(), UTF8), URLEncoder.encode(vs.getVersion(), UTF8));
+                        bestGuessURL = CpeIdentifier.nvdSearchUrlFor(vs);
                     } else if (dbVerUpdate != null && evVer.getVersionParts().size() <= dbVerUpdate.getVersionParts().size()
                             && evVer.matchesAtLeastThreeLevels(dbVerUpdate)) {
                         if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
@@ -983,14 +961,12 @@ protected boolean determineIdentifiers(Dependency dependency, String vendor, Str
      * @param updateVersion the update version
      * @param conf the current confidence
      * @param collected a reference to the collected identifiers
-     * @throws UnsupportedEncodingException thrown if UTF-8 is not supported
      */
     private void addExactMatch(Cpe vs, String updateVersion, Confidence conf,
-            final Set<IdentifierMatch> collected) throws UnsupportedEncodingException {
+            final Set<IdentifierMatch> collected) {
 
         final CpeBuilder cpeBuilder = new CpeBuilder();
-        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getVendor(), UTF8),
-                URLEncoder.encode(vs.getProduct(), UTF8), URLEncoder.encode(vs.getVersion(), UTF8));
+        final String url = CpeIdentifier.nvdSearchUrlFor(vs);
         Cpe useCpe;
         if (updateVersion != null && "*".equals(vs.getUpdate())) {
             try {
@@ -1022,13 +998,11 @@ private void addExactMatch(Cpe vs, String updateVersion, Confidence conf,
      * @param collected a reference to the identifiers matched
      * @throws AnalysisException thrown if aliens attacked and valid input could
      * not be used to construct a CPE
-     * @throws UnsupportedEncodingException thrown if run on a system that
-     * doesn't support UTF-8
      */
     private void considerDependencyVersion(Dependency dependency,
             String vendor, String product, Confidence confidence,
             final Set<IdentifierMatch> collected)
-            throws AnalysisException, UnsupportedEncodingException {
+            throws AnalysisException {
 
         if (dependency.getVersion() != null && !dependency.getVersion().isEmpty()) {
             final CpeBuilder cpeBuilder = new CpeBuilder();
@@ -1051,8 +1025,7 @@ private void considerDependencyVersion(Dependency dependency,
                     addVersionAndUpdate(depVersion, cpeBuilder);
                     try {
                         final Cpe depCpe = cpeBuilder.build();
-                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vendor, UTF8),
-                                URLEncoder.encode(product, UTF8), URLEncoder.encode(depCpe.getVersion(), UTF8));
+                        final String url = CpeIdentifier.nvdSearchUrlFor(vendor, product, depCpe.getVersion());
                         final IdentifierMatch match = new IdentifierMatch(depCpe, url, IdentifierConfidence.EXACT_MATCH, confidence);
                         collected.add(match);
                     } catch (CpeValidationException ex) {
diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java b/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
index 73bb74e97c3..327e182d0b0 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -28,6 +28,7 @@
 import org.apache.commons.lang3.builder.HashCodeBuilder;
 import org.jetbrains.annotations.NotNull;
 import org.owasp.dependencycheck.analyzer.exception.UnexpectedAnalysisException;
+import org.owasp.dependencycheck.dependency.naming.CpeIdentifier;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import us.springett.parsers.cpe.Cpe;
 import us.springett.parsers.cpe.ICpe;
@@ -517,4 +518,8 @@ public String toString() {
         }
         return sb.toString();
     }
+
+    public String toNvdSearchUrl() {
+        return CpeIdentifier.nvdSearchUrlFor(this);
+    }
 }
diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifier.java b/core/src/main/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifier.java
index 7ed914d87a5..0f6dc48006b 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifier.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifier.java
@@ -20,6 +20,7 @@
 import org.apache.commons.lang3.builder.CompareToBuilder;
 import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.commons.lang3.builder.HashCodeBuilder;
+import org.apache.hc.core5.net.PercentCodec;
 import org.jetbrains.annotations.NotNull;
 import org.owasp.dependencycheck.dependency.Confidence;
 import us.springett.parsers.cpe.Cpe;
@@ -27,6 +28,8 @@
 import us.springett.parsers.cpe.exceptions.CpeValidationException;
 import us.springett.parsers.cpe.values.Part;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 /**
  * A CPE Identifier for a dependency object.
  *
@@ -203,4 +206,41 @@ public int compareTo(@NotNull Identifier o) {
                 .append(this.confidence, o.getConfidence())
                 .toComparison();
     }
+
+    /**
+     * Produces an NVD search URL for a given CPE to find all applicable vulnerabilities, including all populated parts
+     * of the given CPE.
+     * <p/>
+     * The opened link should be sorted in descending order (sortDirection=2) by publish date (sortOrder=3).
+     */
+    public static String nvdSearchUrlFor(Cpe cpe) {
+        // Use PercentCodec to force `*` to be encoded for CPE strings inside the URL. Technically '*' is not a reserved
+        // character in the fragment of URLs, but not all browsers handle this consistently, so better to encode aggressively.
+        // URlEncoder does not distinguish between parts of URLs appropriately, as well as not forcing encoding of these.
+        return String.format("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&cpeName=%s",
+                PercentCodec.encode(cpe.toCpe23FS(), UTF_8));
+    }
+
+    /**
+     * Produces an NVD search URL for a given application vendor/product/version combination to find all applicable vulnerabilities.
+     * <p/>
+     * The opened link should be sorted in descending order (sortDirection=2) by publish date (sortOrder=3).
+     */
+    public static String nvdSearchUrlFor(String vendor, String product, String version) throws CpeValidationException {
+        return nvdSearchUrlFor(new CpeBuilder().part(Part.APPLICATION).vendor(vendor).product(product).version(version).build());
+    }
+
+    /**
+     * Produces an NVD search URL for a given CPE to find all applicable vulnerabilities, including only the part, vendor,
+     * and product of the given CPE (if populated). Discards all other parts/discriminators of the CPE in the generated search.
+     * <p/>
+     * The opened link should be sorted in descending order (sortDirection=2) by publish date (sortOrder=3).
+     */
+    public static String nvdProductSearchUrlFor(Cpe cpe) {
+        try {
+            return nvdSearchUrlFor(new CpeBuilder().part(cpe.getPart()).vendor(cpe.getVendor()).product(cpe.getProduct()).build());
+        } catch (CpeValidationException e) {
+            throw new RuntimeException(e);
+        }
+    }
 }
diff --git a/core/src/main/resources/templates/htmlReport.vsl b/core/src/main/resources/templates/htmlReport.vsl
index 936f190839d..a63cd75204e 100644
--- a/core/src/main/resources/templates/htmlReport.vsl
+++ b/core/src/main/resources/templates/htmlReport.vsl
@@ -945,7 +945,6 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                         #end
                         #set($cnt=$cnt+1)
                         <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
-                        ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                         <div id="content$cnt" class="subsectioncontent standardsubsection">
                         #set($supressPkgUrl='')
                         #if ($dependency.getSoftwareIdentifiers().size()==0 && $dependency.getVulnerableSoftwareIdentifiers().size()==0)
@@ -1060,14 +1059,14 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                             #if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
                                 #if ($vuln.getVulnerableSoftware().size()<2)
                                     <p>Vulnerable Software &amp; Versions:<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                     </ul></p>
                                 #else
                                     <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" class="versionToggle" data-toggle=".vs$vsctr">show all</a>)<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                         <li class="vs$vsctr">...</li>
                                     #foreach($vs in $vuln.getVulnerableSoftware(true))
-                                        <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.toCpe22Uri())">$enc.html($vs.toString())</a></li>
+                                        <li class="vs$vsctr hidden"><a target="_blank" href="$enc.html($vs.toNvdSearchUrl())">$enc.html($vs.toString())</a></li>
                                     #end
                                     </ul></p>
                                 #end
@@ -1174,7 +1173,6 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                                 #end
                                 #set($cnt=$cnt+1)
                                 <h4 id="header$cnt" class="subsectionheader white">Suppressed Identifiers</h4>
-                                ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                                 <div id="content$cnt" class="subsectioncontent standardsubsection">
                                 #if ($dependency.getSuppressedIdentifiers().size()==0)
                                     <ul><li><b>None</b></li></ul>
@@ -1267,14 +1265,14 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                                      #if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
                                         #if ($vuln.getVulnerableSoftware().size()<2)
                                             <p>Vulnerable Software &amp; Versions:<ul>
-                                                <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                                <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                             </ul></p>
                                         #else
                                             <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" class="versionToggle" data-toggle=".vs$vsctr">show all</a>)<ul>
-                                                <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                                <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                                 <li class="vs$vsctr">...</li>
                                             #foreach($vs in $vuln.getVulnerableSoftware(true))
-                                                <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.toCpe22Uri())">$enc.html($vs.toString())</a></li>
+                                                <li class="vs$vsctr hidden"><a target="_blank" href="$enc.html($vs.toNvdSearchUrl())">$enc.html($vs.toString())</a></li>
                                             #end
                                             </ul></p>
                                         #end
diff --git a/core/src/main/resources/templates/jenkinsReport.vsl b/core/src/main/resources/templates/jenkinsReport.vsl
index 82fda112625..5b4f01ea9db 100644
--- a/core/src/main/resources/templates/jenkinsReport.vsl
+++ b/core/src/main/resources/templates/jenkinsReport.vsl
@@ -670,7 +670,6 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                         #end
                         #set($cnt=$cnt+1)
                         <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
-                        ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                         <div id="content$cnt" class="subsectioncontent standardsubsection">
                         #if ($dependency.getSoftwareIdentifiers().size()==0 && $dependency.getVulnerableSoftwareIdentifiers().size()==0)
                             <ul><li><b>None</b></li></ul>
@@ -764,13 +763,13 @@ Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issue
                             #if ($vuln.getSource().name().equals("NVD") && $vuln.matchedVulnerableSoftware)
                                 #if ($vuln.getVulnerableSoftware().size()<2)
                                     <p>Vulnerable Software &amp; Versions:<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                     </ul></p>
                                 #else
                                     <p>Vulnerable Software &amp; Versions:<ul>
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedVulnerableSoftware.toCpe22Uri())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vuln.matchedVulnerableSoftware.toString())</a></li>
                                     #foreach($vs in $vuln.getVulnerableSoftware(true))
-                                        <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.toCpe22Uri())">$enc.html($vs.toString())</a></li>
+                                        <li class="vs$vsctr"><a target="_blank" href="$enc.html($vuln.matchedVulnerableSoftware.toNvdSearchUrl())">$enc.html($vs.toString())</a></li>
                                     #end
                                     </ul></p>
                                 #end
diff --git a/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java b/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
index 1d47f9a4995..6d68641c720 100644
--- a/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java
@@ -23,6 +23,12 @@
 import us.springett.parsers.cpe.values.LogicalValue;
 import us.springett.parsers.cpe.values.Part;
 
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
@@ -105,7 +111,7 @@ void testCompareVersionRange() throws CpeValidationException {
     }
 
     @Test
-    void testcompareUpdateAttributes() {
+    void testCompareUpdateAttributes() {
 
         assertTrue(VulnerableSoftware.compareUpdateAttributes("update1", "u1"));
         assertTrue(VulnerableSoftware.compareUpdateAttributes("u1", "update1"));
@@ -117,4 +123,11 @@ void testcompareUpdateAttributes() {
 
     }
 
+    @Test
+    void testToNvdSearchUrl() throws Exception {
+        String encodedURL = new VulnerableSoftwareBuilder().part(Part.APPLICATION).vendor("apache").version("1.2.3").build().toNvdSearchUrl();
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&cpeName=cpe%3A2.3%3Aa%3Aapache%3A%2A%3A1.2.3%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A", encodedURL);
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&cpeName=cpe:2.3:a:apache:*:1.2.3:*:*:*:*:*:*:*", URLDecoder.decode(encodedURL, UTF_8));
+    }
+
 }
diff --git a/core/src/test/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifierTest.java b/core/src/test/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifierTest.java
new file mode 100644
index 00000000000..96a3da1f41d
--- /dev/null
+++ b/core/src/test/java/org/owasp/dependencycheck/dependency/naming/CpeIdentifierTest.java
@@ -0,0 +1,50 @@
+package org.owasp.dependencycheck.dependency.naming;
+
+import org.junit.jupiter.api.Test;
+import us.springett.parsers.cpe.CpeBuilder;
+import us.springett.parsers.cpe.exceptions.CpeValidationException;
+import us.springett.parsers.cpe.values.Part;
+
+import java.net.URLDecoder;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.junit.jupiter.api.Assertions.*;
+
+class CpeIdentifierTest {
+
+    @Test
+    void testNvdSearchUrlFormatting() throws CpeValidationException {
+        String encodedUrl = CpeIdentifier.nvdSearchUrlFor(new CpeBuilder().part(Part.APPLICATION).vendor("apache").product("struts").version("1.9.0").build());
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&" +
+                "cpeName=cpe%3A2.3%3Aa%3Aapache%3Astruts%3A1.9.0%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A", encodedUrl);
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&" +
+                "cpeName=cpe:2.3:a:apache:struts:1.9.0:*:*:*:*:*:*:*", URLDecoder.decode(encodedUrl, UTF_8));
+    }
+
+    @Test
+    void testNvdSearchUrlFormattingEncodesChars() throws CpeValidationException {
+        String encodedUrl = CpeIdentifier.nvdSearchUrlFor(new CpeBuilder().part(Part.APPLICATION).vendor("apache$").product("struts$").version("1.9.0$").build());
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&" +
+                "cpeName=cpe%3A2.3%3Aa%3Aapache%5C%24%3Astruts%5C%24%3A1.9.0%5C%24%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A", encodedUrl);
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&" +
+                "cpeName=cpe:2.3:a:apache\\$:struts\\$:1.9.0\\$:*:*:*:*:*:*:*", URLDecoder.decode(encodedUrl, UTF_8));
+    }
+
+    @Test
+    void testNvdProductSearchFormatting() throws CpeValidationException {
+        String encodedUrl = CpeIdentifier.nvdProductSearchUrlFor(new CpeBuilder().part(Part.APPLICATION).vendor("apache").product("struts").version("1.9.0").build());
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&" +
+                "cpeName=cpe%3A2.3%3Aa%3Aapache%3Astruts%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A", encodedUrl);
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&" +
+                "cpeName=cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", URLDecoder.decode(encodedUrl, UTF_8));
+    }
+
+    @Test
+    void testNvdProductSearchUrlFormattingEncodesChars() throws CpeValidationException {
+        String encodedUrl = CpeIdentifier.nvdProductSearchUrlFor(new CpeBuilder().part(Part.APPLICATION).vendor("apache$").product("struts$").version("1.9.0$").build());
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&" +
+                "cpeName=cpe%3A2.3%3Aa%3Aapache%5C%24%3Astruts%5C%24%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A", encodedUrl);
+        assertEquals("https://nvd.nist.gov/vuln/search#/nvd/home?sortOrder=3&sortDirection=2&cpeFilterMode=applicability&resultType=records&" +
+                "cpeName=cpe:2.3:a:apache\\$:struts\\$:*:*:*:*:*:*:*:*", URLDecoder.decode(encodedUrl, UTF_8));
+    }
+}
\ No newline at end of file

From 9341f02c0d3272c78cd9fef9d48d955063502e50 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Sun, 28 Sep 2025 04:03:07 +0800
Subject: [PATCH 157/195] build: Build amd64 and arm64 multi-platform Docker
 image (#7952)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .github/workflows/build.yml         | 12 ++++++
 .github/workflows/pull_requests.yml | 57 ++++++++++++++++++++++++++++-
 .github/workflows/release.yml       | 12 ++++++
 Dockerfile                          |  2 +-
 build-docker.sh                     | 25 +++++++++----
 publish-docker.sh                   | 23 ++++--------
 shell-docker.sh                     |  2 +-
 test-docker.sh                      | 12 +++---
 8 files changed, 112 insertions(+), 33 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 90ec8ced510..dd61a60c8bf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -141,6 +141,18 @@ jobs:
         uses: actions/download-artifact@v5
         with:
           name: archive-snapshot
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v4
+        with:
+          daemon-config: |
+            {
+              "debug": true,
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Build Docker Image
         run: ./build-docker.sh
       - name: build scan target
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
index ac0dfb8571d..0624347f732 100644
--- a/.github/workflows/pull_requests.yml
+++ b/.github/workflows/pull_requests.yml
@@ -64,7 +64,19 @@ jobs:
         with:
           sarif_file: core/target/spotbugsSarif.json
           category: spotbugs-core
-          
+      - name: Archive Snapshot
+        id: archive-snapshot
+        uses: actions/upload-artifact@v4
+        with:
+          name: archive-snapshot
+          retention-days: 1
+          path: |
+            **/target/*.asc
+            **/target/*.jar
+            **/target/*.pom
+            ant/target/*.zip
+            cli/target/*.zip
+
   maven:
     name: Regression Test Maven Plugin
     permissions: 
@@ -143,4 +155,45 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: target/checkstyle-result.sarif
-          category: checkstyle
\ No newline at end of file
+          category: checkstyle
+
+  docker:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+
+    name: Build and Test Docker
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+      - name: Check Maven Cache
+        id: maven-cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+      - name: Download release build
+        uses: actions/download-artifact@v5
+        with:
+          name: archive-snapshot
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v4
+        with:
+          daemon-config: |
+            {
+              "debug": true,
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build Docker Image
+        run: ./build-docker.sh
+      - name: build scan target
+        run: mvn -V -s settings.xml package -DskipTests=true --no-transfer-progress --batch-mode
+      - name: Test Docker Image
+        run: ./test-docker.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0edea498200..9e78ad1aa70 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -149,6 +149,18 @@ jobs:
         uses: actions/download-artifact@v5
         with:
           name: archive-release
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v4
+        with:
+          daemon-config: |
+            {
+              "debug": true,
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Build Docker Image
         run: ./build-docker.sh
       - name: build scan target
diff --git a/Dockerfile b/Dockerfile
index af7aeb711d5..7e487b2960b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -47,7 +47,7 @@ RUN apk update
     apk del .build-deps
 
 ### remove any suid sgid - we don't need them
-RUN find / -perm +6000 -type f -exec chmod a-s {} \;
+RUN find / -path /proc -prune -perm +6000 -type f -exec chmod a-s {} \;
 USER ${UID}
 
 VOLUME ["/src", "/report"]
diff --git a/build-docker.sh b/build-docker.sh
index 355a6ab0da4..297ecc4cbd7 100755
--- a/build-docker.sh
+++ b/build-docker.sh
@@ -1,18 +1,27 @@
-#!/bin/bash -e
+#!/bin/bash
+set -euo pipefail
 
 VERSION=$(mvn -q \
     -Dexec.executable="echo" \
     -Dexec.args='${project.version}' \
     --non-recursive \
-    org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
+    org.codehaus.mojo:exec-maven-plugin:3.5.1:exec)
 
 FILE=./cli/target/dependency-check-$VERSION-release.zip
-if [ -f "$FILE" ]; then
-    docker build . --build-arg VERSION=$VERSION -t owasp/dependency-check:$VERSION
-    if [[ ! $VERSION = *"SNAPSHOT"* ]]; then
-        docker tag owasp/dependency-check:$VERSION owasp/dependency-check:latest
-    fi
-else 
+if [ ! -f "$FILE" ]; then
     echo "$FILE does not exist - run 'mvn package' first"
     exit 1
 fi
+
+if ! docker info -f '{{ .DriverStatus }}' | grep "driver-type io.containerd.snapshotter" >/dev/null; then
+    echo "Docker Engine is not running with the containerd snapshotter - this is currently needed to build and test ODC multi-platform images using docker buildx."
+    echo "If using Docker Desktop, enable \"Use containerd for pulling and storing images\" per https://docs.docker.com/desktop/settings-and-maintenance/settings/#general"
+    echo "For more technical information on Docker Engine, see https://docs.docker.com/engine/storage/containerd/"
+    exit 1
+fi
+
+extra_tag_args="$([[ ! $VERSION = *"SNAPSHOT"* ]] && echo "--tag owasp/dependency-check:latest" || echo "")"
+
+docker buildx build --pull --load --platform linux/amd64,linux/arm64 . \
+    --build-arg VERSION=$VERSION \
+    --tag owasp/dependency-check:$VERSION ${extra_tag_args}
diff --git a/publish-docker.sh b/publish-docker.sh
index 7b50fcf330f..ffdcd9e8c06 100755
--- a/publish-docker.sh
+++ b/publish-docker.sh
@@ -4,22 +4,15 @@ VERSION=$(mvn -q \
     -Dexec.executable="echo" \
     -Dexec.args='${project.version}' \
     --non-recursive \
-    org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
+    org.codehaus.mojo:exec-maven-plugin:3.5.1:exec)
 
 if [[ $VERSION = *"SNAPSHOT"* ]]; then
-  echo "Do not publish a snapshot version of dependency-check"
-  exit 1
-fi
-docker inspect --type=image owasp/dependency-check:$VERSION  > /dev/null 2>&1
-if [[ "$?" -ne 0 ]] ; then
-  echo "docker image owasp/dependency-check:$VERSION does not exist - run build_docker.sh first"
-  exit 1
-fi
-docker inspect --type=image owasp/dependency-check:latest  > /dev/null 2>&1
-if [[ "$?" -ne 0 ]] ; then
-  echo "docker image owasp/dependency-check:latest does not exist - run build_docker.sh first"
-  exit 1
+    echo "Do not publish a snapshot version of dependency-check"
+    exit 1
 fi
 
-docker push owasp/dependency-check:$VERSION 
-docker push owasp/dependency-check:latest
+# Build args should match ./build-docker.sh so the builder cache is re-used
+docker buildx build --push --platform linux/amd64,linux/arm64 . \
+    --build-arg VERSION=$VERSION \
+    --tag owasp/dependency-check:$VERSION \
+    --tag owasp/dependency-check:latest
diff --git a/shell-docker.sh b/shell-docker.sh
index 15ef22e229a..b95eb8f1bf1 100755
--- a/shell-docker.sh
+++ b/shell-docker.sh
@@ -4,7 +4,7 @@ VERSION=$(mvn -q \
     -Dexec.executable="echo" \
     -Dexec.args='${project.version}' \
     --non-recursive \
-    org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
+    org.codehaus.mojo:exec-maven-plugin:3.5.1:exec)
 
 SCAN_TARGET="./cli/target/release/lib"
 
diff --git a/test-docker.sh b/test-docker.sh
index 611fe887141..51d3738e58c 100755
--- a/test-docker.sh
+++ b/test-docker.sh
@@ -4,13 +4,13 @@ VERSION=$(mvn -q \
     -Dexec.executable="echo" \
     -Dexec.args='${project.version}' \
     --non-recursive \
-    org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)
+    org.codehaus.mojo:exec-maven-plugin:3.5.1:exec)
 
 SCAN_TARGET="./cli/target/release/lib"
 
 if [ ! -d "$SCAN_TARGET" ]; then 
-  echo "Scan target does not exist: $SCAN_TARGET"
-  exit 1
+    echo "Scan target does not exist: $SCAN_TARGET"
+    exit 1
 fi
 
 if [ -f "$HOME/OWASP-Dependency-Check/reports/dependency-check-report.json" ]; then
@@ -73,8 +73,8 @@ cd -
 echo ""
 grep -oF "dependency-check-core-$VERSION.jar" $HOME/OWASP-Dependency-Check/reports/dependency-check-report.json  > /dev/null 2>&1
 if [[ "$?" -eq 0 ]] ; then
-  echo "SUCCESS - dependency-check docker test passed"
+    echo "SUCCESS - dependency-check docker test passed"
 else
-  echo "FAILED - dependency-check docker test failed"
-  exit 1
+    echo "FAILED - dependency-check docker test failed"
+    exit 1
 fi

From fc28be081e5434019b35f5796a3a153a85bdf627 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Sep 2025 06:08:15 -0400
Subject: [PATCH 158/195] build(deps): bump
 org.apache.httpcomponents.core5:httpcore5 from 5.3.4 to 5.3.6 (#7947)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 162cc90f96a..38335033079 100644
--- a/pom.xml
+++ b/pom.xml
@@ -148,7 +148,7 @@ Copyright (c) 2012 - Jeremy Long
         <commons-lang3.version>3.18.0</commons-lang3.version>
         <commons-text.version>1.14.0</commons-text.version>
         <httpcomponents.client.version>5.5</httpcomponents.client.version>
-        <httpcomponents.core.version>5.3.4</httpcomponents.core.version>
+        <httpcomponents.core.version>5.3.6</httpcomponents.core.version>
         <!-- note that logging will be noisy and broken until we upgrade to 3.2
             See https://issues.apache.org/jira/browse/JCS-232 and
             https://github.com/apache/commons-jcs/pull/120 -->

From d1843ac2ecade14440c547a8839a74f84ada6593 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Tue, 30 Sep 2025 20:21:13 +0800
Subject: [PATCH 159/195] fix: Correct Archive Analyzer behaviour on certain
 tgz archives (#7986)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 38335033079..0c10eea03bd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -158,7 +158,7 @@ Copyright (c) 2012 - Jeremy Long
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.19.0</mockito.version>
         <jsoup.version>1.21.2</jsoup.version>
-        <commons-compress.version>1.28.0</commons-compress.version>
+        <commons-compress.version>1.27.1</commons-compress.version>
         <org.apache.maven.shared.file-management.version>3.2.0</org.apache.maven.shared.file-management.version>
         <maven-plugin-testing-harness.version>3.3.0</maven-plugin-testing-harness.version>
         <maven-plugin-annotations.version>3.15.1</maven-plugin-annotations.version>

From d48d7bad3df41d64565471595f612ea5482bc7d6 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Tue, 30 Sep 2025 08:21:33 -0400
Subject: [PATCH 160/195] fix: remove sponsorship link (#7990)

---
 core/src/main/resources/templates/htmlReport.vsl    | 3 +--
 core/src/main/resources/templates/jenkinsReport.vsl | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/core/src/main/resources/templates/htmlReport.vsl b/core/src/main/resources/templates/htmlReport.vsl
index a63cd75204e..c91f549ca0a 100644
--- a/core/src/main/resources/templates/htmlReport.vsl
+++ b/core/src/main/resources/templates/htmlReport.vsl
@@ -686,8 +686,7 @@ is at the user’s risk. In no event shall the copyright holder or OWASP be held
 arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
 <h3><a href="https://dependency-check.github.io/DependencyCheck/general/thereport.html" target="_blank">How&nbsp;to&nbsp;read&nbsp;the&nbsp;report</a> |
 <a href="https://dependency-check.github.io/DependencyCheck/general/suppression.html" target="_blank">Suppressing false positives</a> |
-Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issues" target="_blank">github issues</a><br/><br/>
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10pt" height="10pt" viewBox="0 0 10 10" version="1.1"><g id="surface1"><path style=" stroke:none;fill-rule:nonzero;fill:rgb(0%,0%,0%);fill-opacity:1;" d="M 8.125 4.167969 C 7.089844 4.167969 6.25 5.007812 6.25 6.042969 C 6.25 7.078125 7.089844 7.917969 8.125 7.917969 C 9.160156 7.917969 10 7.078125 10 6.042969 C 10 5.007812 9.160156 4.167969 8.125 4.167969 Z M 9.167969 6.25 L 8.332031 6.25 L 8.332031 7.082031 L 7.917969 7.082031 L 7.917969 6.25 L 7.082031 6.25 L 7.082031 5.832031 L 7.917969 5.832031 L 7.917969 5 L 8.332031 5 L 8.332031 5.832031 L 9.167969 5.832031 Z M 6.445312 8.164062 C 5.984375 8.617188 5.5 9.089844 5 9.582031 C 2.320312 6.925781 0 4.9375 0 2.996094 C 0 1.328125 1.289062 0.417969 2.617188 0.417969 C 3.53125 0.417969 4.464844 0.851562 5 1.769531 C 5.53125 0.855469 6.46875 0.421875 7.386719 0.421875 C 8.710938 0.421875 10 1.324219 10 2.996094 C 10 3.308594 9.933594 3.621094 9.824219 3.933594 C 9.605469 3.757812 9.355469 3.617188 9.085938 3.511719 C 9.136719 3.335938 9.167969 3.164062 9.167969 2.996094 C 9.167969 1.800781 8.242188 1.253906 7.386719 1.253906 C 6.027344 1.253906 5.3125 2.703125 5 3.347656 C 4.6875 2.703125 3.964844 1.25 2.617188 1.25 C 1.652344 1.25 0.832031 1.882812 0.832031 2.996094 C 0.832031 4.429688 2.808594 6.265625 5 8.414062 L 5.878906 7.554688 C 6.035156 7.785156 6.226562 7.988281 6.445312 8.164062 Z M 6.445312 8.164062 "/></g></svg>&nbsp;<a aria-label="Sponsor @jeremylong" target="_blank" href="https://github.com/sponsors/jeremylong">Sponsor</a></h3>
+Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issues" target="_blank">github issues</a></h3>
 ]]#
             <h2 class="">Project:&nbsp;$enc.html($applicationName)</h2>
             #if ($groupID && $artifactID && $applicationVersion)
diff --git a/core/src/main/resources/templates/jenkinsReport.vsl b/core/src/main/resources/templates/jenkinsReport.vsl
index 5b4f01ea9db..ad0f43b216d 100644
--- a/core/src/main/resources/templates/jenkinsReport.vsl
+++ b/core/src/main/resources/templates/jenkinsReport.vsl
@@ -441,8 +441,7 @@ is at the user’s risk. In no event shall the copyright holder or OWASP be held
 arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
 <h3><a href="https://dependency-check.github.io/DependencyCheck/general/thereport.html" target="_blank">How&nbsp;to&nbsp;read&nbsp;the&nbsp;report</a> |
 <a href="https://dependency-check.github.io/DependencyCheck/general/suppression.html" target="_blank">Suppressing false positives</a> |
-Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issues" target="_blank">github issues</a><br/><br/>
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10pt" height="10pt" viewBox="0 0 10 10" version="1.1"><g id="surface1"><path style=" stroke:none;fill-rule:nonzero;fill:rgb(0%,0%,0%);fill-opacity:1;" d="M 8.125 4.167969 C 7.089844 4.167969 6.25 5.007812 6.25 6.042969 C 6.25 7.078125 7.089844 7.917969 8.125 7.917969 C 9.160156 7.917969 10 7.078125 10 6.042969 C 10 5.007812 9.160156 4.167969 8.125 4.167969 Z M 9.167969 6.25 L 8.332031 6.25 L 8.332031 7.082031 L 7.917969 7.082031 L 7.917969 6.25 L 7.082031 6.25 L 7.082031 5.832031 L 7.917969 5.832031 L 7.917969 5 L 8.332031 5 L 8.332031 5.832031 L 9.167969 5.832031 Z M 6.445312 8.164062 C 5.984375 8.617188 5.5 9.089844 5 9.582031 C 2.320312 6.925781 0 4.9375 0 2.996094 C 0 1.328125 1.289062 0.417969 2.617188 0.417969 C 3.53125 0.417969 4.464844 0.851562 5 1.769531 C 5.53125 0.855469 6.46875 0.421875 7.386719 0.421875 C 8.710938 0.421875 10 1.324219 10 2.996094 C 10 3.308594 9.933594 3.621094 9.824219 3.933594 C 9.605469 3.757812 9.355469 3.617188 9.085938 3.511719 C 9.136719 3.335938 9.167969 3.164062 9.167969 2.996094 C 9.167969 1.800781 8.242188 1.253906 7.386719 1.253906 C 6.027344 1.253906 5.3125 2.703125 5 3.347656 C 4.6875 2.703125 3.964844 1.25 2.617188 1.25 C 1.652344 1.25 0.832031 1.882812 0.832031 2.996094 C 0.832031 4.429688 2.808594 6.265625 5 8.414062 L 5.878906 7.554688 C 6.035156 7.785156 6.226562 7.988281 6.445312 8.164062 Z M 6.445312 8.164062 "/></g></svg>&nbsp;<a aria-label="Sponsor @jeremylong" target="_blank" href="https://github.com/sponsors/jeremylong">Sponsor</a></h3>
+Getting Help: <a href="https://github.com/dependency-check/DependencyCheck/issues" target="_blank">github issues</a></h3>
 ]]#
             <h2 class="">Project:&nbsp;$enc.html($applicationName)</h2>
             #if ($groupID && $artifactID && $applicationVersion)

From eefb8d7e849f22af294160926a6af28bccb3599b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 1 Oct 2025 06:06:29 -0400
Subject: [PATCH 161/195] build(deps): bump org.apache.commons:commons-lang3
 from 3.18.0 to 3.19.0 (#7987)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 0c10eea03bd..d1733abe255 100644
--- a/pom.xml
+++ b/pom.xml
@@ -145,7 +145,7 @@ Copyright (c) 2012 - Jeremy Long
         <com.h2database.version>2.3.232</com.h2database.version>
         <commons-cli.version>1.10.0</commons-cli.version>
         <commons-io.version>2.20.0</commons-io.version>
-        <commons-lang3.version>3.18.0</commons-lang3.version>
+        <commons-lang3.version>3.19.0</commons-lang3.version>
         <commons-text.version>1.14.0</commons-text.version>
         <httpcomponents.client.version>5.5</httpcomponents.client.version>
         <httpcomponents.core.version>5.3.6</httpcomponents.core.version>

From 46042fd396eb1bcfceba482e16180dd22616328c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 2 Oct 2025 06:17:17 -0400
Subject: [PATCH 162/195] build(deps): bump
 org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.4 (#7948)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index d1733abe255..1b08d0c2df4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -287,7 +287,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-surefire-plugin</artifactId>
-                    <version>3.5.3</version>
+                    <version>3.5.4</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>

From c566904f10a193bb696f33f9a5912b3204187aa7 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Thu, 2 Oct 2025 06:27:39 -0400
Subject: [PATCH 163/195] fix: disable central analyzer after failures (#7993)

---
 .../dependencycheck/analyzer/CentralAnalyzer.java  | 14 ++++++++++++--
 core/src/main/resources/dependencycheck.properties |  2 +-
 core/src/test/resources/dependencycheck.properties |  2 +-
 .../src/test/resources/dependencycheck.properties  |  2 +-
 4 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
index 9349413e34f..be270c96e8e 100644
--- a/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -247,6 +247,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
                         long sleepingTimeBetweenRetriesInMillis = BASE_RETRY_WAIT;
                         boolean success = false;
                         Model model = null;
+                        DownloadFailedException lastException = null;
                         if (cache != null) {
                             model = cache.get(ma.getPomUrl());
                         }
@@ -261,6 +262,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
                                     Downloader.getInstance().fetchFile(new URL(ma.getPomUrl()), pomFile);
                                     success = true;
                                 } catch (DownloadFailedException ex) {
+                                    lastException = ex;
                                     try {
                                         Thread.sleep(sleepingTimeBetweenRetriesInMillis);
                                     } catch (InterruptedException ex1) {
@@ -287,6 +289,10 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
                         } else {
                             LOGGER.warn("Unable to download pom.xml for {} from Central; "
                                     + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+                            setEnabled(false);
+                            LOGGER.warn("Disabling the Central Analyzer due to repeated download failures; Central Search "
+                                    + "may be down see https://status.maven.org/\n Note that this could result in both false "
+                                    + "positives and false negatives", lastException);
                         }
 
                     } catch (AnalysisException ex) {
@@ -303,7 +309,8 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
             }
         } catch (TooManyRequestsException tre) {
             this.setEnabled(false);
-            final String message = "Connections to Central search refused. Analysis failed.";
+            final String message = "Connections to Central search refused. Analysis failed. Disabling Central analyzer - this " +
+                    "could lead to both false positives and false negatives.";
             LOGGER.error(message, tre);
             throw new AnalysisException(message, tre);
         } catch (IllegalArgumentException iae) {
@@ -311,13 +318,16 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
         } catch (FileNotFoundException fnfe) {
             LOGGER.debug("Artifact not found in repository: '{}", dependency.getFileName());
         } catch (ForbiddenException e) {
+            this.setEnabled(false);
             final String message = "Connection to Central search refused. This is most likely not a problem with " +
                     "Dependency-Check itself and is related to network connectivity. Please check " +
                     "https://central.sonatype.org/faq/403-error-central/.";
             LOGGER.error(message);
             throw new AnalysisException(message, e);
         } catch (IOException ioe) {
-            final String message = "Could not connect to Central search. Analysis failed.";
+            this.setEnabled(false);
+            final String message = "Could not connect to Central search. Analysis failed; disabling Central analyzer - this " +
+                    "could lead to both false positives and false negatives.";
             LOGGER.error(message, ioe);
             throw new AnalysisException(message, ioe);
         }
diff --git a/core/src/main/resources/dependencycheck.properties b/core/src/main/resources/dependencycheck.properties
index 0b14242596b..edfc4f96b06 100644
--- a/core/src/main/resources/dependencycheck.properties
+++ b/core/src/main/resources/dependencycheck.properties
@@ -78,7 +78,7 @@ analyzer.central.url=https://search.maven.org/solrsearch/select
 # Note - the central query is used in a String.format(query, url, sha1)).analyzer.jar.enabled
 # As such, it must have two %s and any other % must be escapped by doubling it
 analyzer.central.query=%s?q=1:%s&wt=xml
-analyzer.central.retry.count=7
+analyzer.central.retry.count=3
 analyzer.central.parallel.analysis=false
 analyzer.central.use.cache=true
 central.content.url=https://search.maven.org/remotecontent?filepath=
diff --git a/core/src/test/resources/dependencycheck.properties b/core/src/test/resources/dependencycheck.properties
index 7635618f990..0f17a7ee43c 100644
--- a/core/src/test/resources/dependencycheck.properties
+++ b/core/src/test/resources/dependencycheck.properties
@@ -78,7 +78,7 @@ central.content.url=https://search.maven.org/remotecontent?filepath=
 # Note - the central query is used in a String.format(query, url, sha1)).
 # As such, it must have two %s and any other % must be escapped by doubling it
 analyzer.central.query=%s?q=1:%s&wt=xml
-analyzer.central.retry.count=7
+analyzer.central.retry.count=3
 analyzer.central.parallel.analysis=false
 
 # the URL for searching NPM Audit API
diff --git a/utils/src/test/resources/dependencycheck.properties b/utils/src/test/resources/dependencycheck.properties
index 8220a95a3dc..4f32ef227a4 100644
--- a/utils/src/test/resources/dependencycheck.properties
+++ b/utils/src/test/resources/dependencycheck.properties
@@ -80,7 +80,7 @@ central.content.url=https://search.maven.org/remotecontent?filepath=
 # Note - the central query is used in a String.format(query, url, sha1)).
 # As such, it must have two %s and any other % must be escapped by doubling it
 analyzer.central.query=%s?q=1:%s&wt=xml
-analyzer.central.retry.count=7
+analyzer.central.retry.count=3
 analyzer.central.parallel.analysis=false
 
 # the URL for searching NPM Audit API

From 5fa401ff4e2c7f80948f4942c6555e21439d8e8e Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Fri, 3 Oct 2025 19:24:05 +0800
Subject: [PATCH 164/195] docs: Clarify Nexus Analyzer requirements and usage
 (#8000)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 ant/src/site/markdown/configuration.md        |  2 +-
 cli/src/site/markdown/arguments.md            |  2 +-
 maven/src/site/markdown/configuration.md      |  2 +-
 src/site/markdown/analyzers/nexus-analyzer.md | 15 ++--
 .../configuration-aggregate.md                | 68 +++++++++---------
 .../dependency-check-gradle/configuration.md  | 70 +++++++++----------
 6 files changed, 82 insertions(+), 77 deletions(-)

diff --git a/ant/src/site/markdown/configuration.md b/ant/src/site/markdown/configuration.md
index d4ef4c9642d..2eeb1a5b566 100644
--- a/ant/src/site/markdown/configuration.md
+++ b/ant/src/site/markdown/configuration.md
@@ -89,7 +89,7 @@ be needed.
 | ossindexAnalyzerUsername               | Sets the username for OSS Index - note an account with OSS Index is not required.                                                                                                                                                                                                                                                              | &nbsp;                                                                              |
 | ossindexAnalyzerPassword               | Sets the password for OSS Index.                                                                                                                                                                                                                                                                                                               | &nbsp;                                                                              |
 | ossIndexAnalyzerWarnOnlyOnRemoteErrors | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely.                                                                                                                                                                                                                                              | &nbsp;                                                                              |
-| nexusAnalyzerEnabled                   | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.                                                                                                                                                   | true                                                                                |
+| nexusAnalyzerEnabled                   | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations.                                                                                                                                                                       | true                                                                                |
 | nexusUrl                               | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled.                                                                                                                                                                                                | &nbsp;                                                                              |
 | nexusUser                              | The username to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                                | &nbsp;                                                                              |
 | nexusPassword                          | The password to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.                                                                                                                                                                                                | &nbsp;                                                                              |
diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md
index 782c7897d0a..47bad3a7179 100644
--- a/cli/src/site/markdown/arguments.md
+++ b/cli/src/site/markdown/arguments.md
@@ -94,7 +94,7 @@ Advanced Options
 |       | \-\-centralUsername                     | \<username\>     | The username to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-centralPassword                     | \<password\>     | The password to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-centralBearerToken                  | \<token\>        | The token to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
-|       | \-\-enableNexus                         |                  | Sets whether the Nexus Analyzer will be used (requires Nexus v2 or Pro v3). You can configure the Nexus URL to utilize an internally hosted Nexus server.                                                                                                                                                                          | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-enableNexus                         |                  | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations.                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-enableArtifactory                   |                  | Sets whether Artifactory analyzer will be used                                                                                                                                                                                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-artifactoryUrl                      | \<url\>          | The Artifactory server URL.                                                                                                                                                                                                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-artifactoryUseProxy                 | \<true\|false\>  | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                                                                                                                                                     | false                                                                                                                                                                                                                                                                                                                 |
diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md
index 5aa39b39ea6..c1cb891ca58 100644
--- a/maven/src/site/markdown/configuration.md
+++ b/maven/src/site/markdown/configuration.md
@@ -68,7 +68,7 @@ be needed.
 | ossIndexPassword                    | OSS password or API token as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID.                                                            | &nbsp;                                                                                   |
 | ossindexAnalyzerUrl                 | The OSS Index server URL                                                                                                                                                                                                                                                        | https://ossindex.sonatype.org                                                            |
 | ossIndexWarnOnlyOnRemoteErrors      | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.                                                                                                                                | false                                                                                    |
-| nexusAnalyzerEnabled                | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.                                                                                    | true                                                                                     |
+| nexusAnalyzerEnabled                | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations.                                                                                                        | true                                                                                     |
 | nexusUrl                            | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                                                                                                                             | &nbsp;                                                                                   |
 | nexusServerId                       | The id of a server defined in the settings.xml that configures the credentials (username and password) for a Nexus server's REST API end point. When not specified the communication with the Nexus server's REST API will be unauthenticated.                                  | &nbsp;                                                                                   |
 | nexusUsesProxy                      | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                                                                                                       | true                                                                                     |
diff --git a/src/site/markdown/analyzers/nexus-analyzer.md b/src/site/markdown/analyzers/nexus-analyzer.md
index c33b40e6516..48396080f85 100644
--- a/src/site/markdown/analyzers/nexus-analyzer.md
+++ b/src/site/markdown/analyzers/nexus-analyzer.md
@@ -1,17 +1,22 @@
 Nexus Analyzer
 ==============
-**Requires Nexus Pro**
 
 The Nexus Analyzer will check for the Maven GAV (Group/Artifact/Version) information
 for artifacts in the scanned area. This is done by determining if an artifact exists
-in a Nexus Pro installation using the SHA-1 hash of the artifact scanned. If the
+in a Sonatype Nexus installation using the SHA-1 hash of the artifact scanned. If the
 artifact's hash is found in the configured Nexus repository, its GAV is recorded as
 an Identifier and the Group is collected as Vendor evidence, the Artifact is
 collected as Product evidence, and the Version is collected as Version evidence.
 
-The Nexus Analyzer has been superceded by the Central Analyzer. If both the
-Central Analyzer and Nexus Analyzer are enabled and the Nexus URL has not
-been configured to point to an instance of Nexus Pro the Nexus Analyzer will
+The Nexus Analyzer is an alternative to the Central or Artifactory Analyzers and can 
+be used to limit dependencies on an external resource such as Maven Central, as well 
+as providing POM information for artifacts not available in Maven Central. Use by ODC
+is thus similar to how users may choose to run their own Nexus instance to proxy 
+artifact retrieval from Maven Central to limit internet usage and/or dependence on 
+external infrastructure.
+
+If both the Central Analyzer and Nexus Analyzer are enabled and the Nexus URL has not
+been configured to point to a Sonatype Nexus instance the Nexus Analyzer will
 disable itself.
 
 Logging
diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
index cc6335daac7..dc1ca84d3ef 100644
--- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
+++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
@@ -123,40 +123,40 @@ analyzers by configuring the `analyzers` section. Note, specific file type analy
 disable themselves if no file types that they support are detected - so specifically disabling the
 analyzers is likely not needed.
 
-| Config Group | Property                    | Description                                                                                                                                                                                  | Default Value |
-|--------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
-| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                        | false         |
-| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                                              | true          |
-| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                             | &nbsp;        |
-| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                                      | true          |
-| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                                         | true          |
-| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used.                                                                                                                                                  | true          |
-| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | false         |
-| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                                          | &nbsp;        |
-| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                    | true          |
-| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                                               | true          |
-| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                                    | true          |
-| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                                      | true          |
-| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                                            | true          |
-| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                    | true          |
-| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                                        | true          |
-| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                      | true          |
-| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                                           | true          |
-| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                                                 | &nbsp;        |
-| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                                           | true          |
-| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true          |
-| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true          |
-| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                                         | false         |
-| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                                                  | true          |
-| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                                       | true          |
-| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true          |
-| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                                           | true          |
-| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true          |
-| analyzers    | bundleAuditEnabled          | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true          |
-| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                                    | &nbsp;        |
-| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true          |
-| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true.                    | true          |
-| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                                            | &nbsp;        |
+| Config Group | Property                    | Description                                                                                                                                                               | Default Value |
+|--------------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
+| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used     | false         |
+| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                           | true          |
+| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                          | &nbsp;        |
+| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                   | true          |
+| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                      | true          |
+| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used.                                                                                                                               | true          |
+| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations.  | false         |
+| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                       | &nbsp;        |
+| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                 | true          |
+| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                            | true          |
+| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                 | true          |
+| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                   | true          |
+| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                         | true          |
+| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                 | true          |
+| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                     | true          |
+| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                   | true          |
+| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                        | true          |
+| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                              | &nbsp;        |
+| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                        | true          |
+| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                     | true          |
+| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                       | true          |
+| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                      | false         |
+| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                               | true          |
+| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                    | true          |
+| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                     | true          |
+| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                        | true          |
+| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                       | true          |
+| analyzers    | bundleAuditEnabled          | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true.                            | true          |
+| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                 | &nbsp;        |
+| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                            | true          |
+| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true. | true          |
+| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                         | &nbsp;        |
 
 #### Additional Configuration
 
diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md
index cb2e3d327b5..7f7933b5d27 100644
--- a/src/site/markdown/dependency-check-gradle/configuration.md
+++ b/src/site/markdown/dependency-check-gradle/configuration.md
@@ -110,41 +110,41 @@ analyzers by configuring the `analyzers` section. Note, specific file type analy
 disable themselves if no file types that they support are detected - so specifically disabling the
 analyzers is likely not needed.
 
-| Config Group | Property                    | Description                                                                                                                                                                                  | Default Value |
-|--------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
-| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                        | false         |
-| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                                              | true          |
-| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                             | &nbsp;        |
-| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                                      | true          |
-| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                                         | true          |
-| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used.                                                                                                                                                  | true          |
-| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | false         |
-| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                                          | &nbsp;        |
-| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                    | true          |
-| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                                               | true          |
-| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                                    | true          |
-| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                                      | true          |
-| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                                            | true          |
-| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                    | true          |
-| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                                        | true          |
-| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                      | true          |
-| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                                           | true          |
-| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                                                 | &nbsp;        |
-| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                                           | true          |
-| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true          |
-| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true          |
-| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                                         | false         |
-| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                                                  | true          |
-| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                                       | true          |
-| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                                        | true          |
-| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                                           | true          |
-| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                                          | true          |
-| analyzers    | bundleAuditEnabled          | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true          |
-| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                                    | &nbsp;        |
-| analyzers    | retiredEnabled              | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                             | false         |
-| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                                               | true          |
-| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true.                    | true          |
-| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                                            | &nbsp;        |
+| Config Group | Property                    | Description                                                                                                                                                               | Default Value |
+|--------------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
+| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used     | false         |
+| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                           | true          |
+| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                          | &nbsp;        |
+| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                   | true          |
+| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                      | true          |
+| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used.                                                                                                                               | true          |
+| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations.  | false         |
+| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                       | &nbsp;        |
+| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                 | true          |
+| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                            | true          |
+| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                 | true          |
+| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                   | true          |
+| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                         | true          |
+| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                 | true          |
+| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                     | true          |
+| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                   | true          |
+| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                        | true          |
+| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                              | &nbsp;        |
+| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                        | true          |
+| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                     | true          |
+| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                       | true          |
+| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                      | false         |
+| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                               | true          |
+| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                    | true          |
+| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                     | true          |
+| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                        | true          |
+| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                       | true          |
+| analyzers    | bundleAuditEnabled          | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true.                            | true          |
+| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                 | &nbsp;        |
+| analyzers    | retiredEnabled              | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used          | false         |
+| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                            | true          |
+| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true. | true          |
+| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                         | &nbsp;        |
 
 #### Additional Configuration
 

From de466253b224d49e058ba0550965151436d698d2 Mon Sep 17 00:00:00 2001
From: evgeniiworkst <evgeniiworkst@gmail.com>
Date: Fri, 3 Oct 2025 14:29:11 +0300
Subject: [PATCH 165/195] docs: Documentation artifactory settings fix (#7999)

Co-authored-by: Jeremy Long <jeremy.long@gmail.com>
---
 cli/src/site/markdown/arguments.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md
index 47bad3a7179..28f99c21090 100644
--- a/cli/src/site/markdown/arguments.md
+++ b/cli/src/site/markdown/arguments.md
@@ -88,14 +88,14 @@ Advanced Options
 |       | \-\-ossIndexPassword                    | \<password\>     | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none.                                                                                                                                                                                                            | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-ossIndexRemoteErrorWarnOnly         | \<true\|false\>  | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely.                                                                                                                                                                                                                                  | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-ossIndexUrl                         | \<url\>          | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used.                                                                                                                                                                                                                                          | https://ossindex.sonatype.org                                                                                                                                                                                                                                                                                         |
-|       | \-\-disableCentral                      |                  | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Artifactory or Nexus Analyzer. | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-disableCentral                      |                  | Sets whether the Central Analyzer will be used to enrich Java dependencies. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled, you can use the Artifactory Analyzer or Nexus Analyzer as a replacement. | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-disableCentralCache                 |                  | When the argument is present the Central Analyzer will not cache results locally. By default results are cached locally for 30 days.                                                                                                                                                                                               | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-centralUrl                          |                  | Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used.                                                                                                                                                                                                                               | https://search.maven.org/solrsearch/select                                                                                                                                                                                                                                                                            |
 |       | \-\-centralUsername                     | \<username\>     | The username to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-centralPassword                     | \<password\>     | The password to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-centralBearerToken                  | \<token\>        | The token to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection.                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-enableNexus                         |                  | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations.                                                                                                                                                           | &nbsp;                                                                                                                                                                                                                                                                                                                |
-|       | \-\-enableArtifactory                   |                  | Sets whether Artifactory analyzer will be used                                                                                                                                                                                                                                                                                     | &nbsp;                                                                                                                                                                                                                                                                                                                |
+|       | \-\-enableArtifactory                   |                  | Sets whether Artifactory analyzer will be used to enrich Java dependencies. **To use Artifactory, you will need to disable the central analyzer by adding the --disableCentral parameter.**                                                                                                                                                                                                                                                                 | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-artifactoryUrl                      | \<url\>          | The Artifactory server URL.                                                                                                                                                                                                                                                                                                        | &nbsp;                                                                                                                                                                                                                                                                                                                |
 |       | \-\-artifactoryUseProxy                 | \<true\|false\>  | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                                                                                                                                                     | false                                                                                                                                                                                                                                                                                                                 |
 |       | \-\-artifactoryParallelAnalysis         | \<true\|false\>  | Whether the Artifactory analyzer should be run in parallel or not                                                                                                                                                                                                                                                                  | true                                                                                                                                                                                                                                                                                                                  |

From ae97b08e54b3ea0d1ebbd39237c91dd58f84b8c1 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Mon, 6 Oct 2025 22:07:45 +0800
Subject: [PATCH 166/195] feat: Suppress JVM warnings from Lucene within CLI
 (#8003)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 cli/pom.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cli/pom.xml b/cli/pom.xml
index 9d1975900b9..af1c6435c6d 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -92,6 +92,14 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                     <configurationDirectory>plugins/*</configurationDirectory>
                     <includeConfigurationDirectoryInClasspath>true</includeConfigurationDirectoryInClasspath>
                     <unixScriptTemplate>${project.basedir}/src/main/conf/unixBinTemplate</unixScriptTemplate>
+                    <!--
+                       enable-native-access=ALL-UNNAMED
+                            Java 21+: Needed by Lucene indexes unless we do -Dorg.apache.lucene.store.MMapDirectory.enableMemorySegments=false
+                                      to go back to regular ByteBuffer (non-native) usage.
+                       -XX:+IgnoreUnrecognizedVMOptions
+                            Java <21: Allow use of enable-native-access on Java 11 JVMs without errors
+                    -->
+                    <extraJvmArguments>--enable-native-access=ALL-UNNAMED -XX:+IgnoreUnrecognizedVMOptions</extraJvmArguments>
                 </configuration>
                 <executions>
                     <execution>

From edd1491e8213c3b1f135c474fa6bb2e85da13a1e Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Mon, 6 Oct 2025 22:08:43 +0800
Subject: [PATCH 167/195] fix(fp): Fix more common false positives for popular
 PHP/composer frameworks with generic names (#7994)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../dependencycheck-base-suppression.xml      | 44 +++++++++++++++++--
 1 file changed, 40 insertions(+), 4 deletions(-)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index 99e88dc0aae..2b482fe2af6 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -369,18 +369,54 @@
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
-        FP per #7542
+        FP per #7542 and #7984 (prefixed symfony vendor packages which are not part of core symfony product)
         ]]></notes>
-        <packageUrl regex="true">^pkg:composer/symfony/polyfill-.*$</packageUrl>
+        <packageUrl regex="true">^pkg:composer/symfony/(polyfill-|ux-|panther|webpack-encore-bundle|mercure@|mercure-bundle|monolog-bundle).*$</packageUrl>
         <cpe>cpe:/a:sensiolabs:symfony</cpe>
     </suppress>
     <suppress base="true">
         <notes><![CDATA[
-        FP per #7545
+        FP per #7545 and #7984 (suffixed symfony vendor packages which are not part of core symfony product)
         ]]></notes>
-        <packageUrl regex="true">^pkg:composer/symfony/.*-contracts@.*$</packageUrl>
+        <packageUrl regex="true">^pkg:composer/symfony/.*(contracts|-pack)@.*$</packageUrl>
         <cpe>cpe:/a:sensiolabs:symfony</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        FP per #7984 - only the pimcore/pimcore package reflects the actual pimcore product
+        ]]></notes>
+        <packageUrl regex="true">^pkg:composer/(?!pimcore/pimcore@).*$</packageUrl>
+        <cpe>cpe:/a:pimcore:pimcore</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        FP per #7984 - only the pear/pear-core-minimal packages reflect the actual pear product
+        ]]></notes>
+        <packageUrl regex="true">^pkg:composer/(?!pear/pear@|pear/pear-core-minimal@).*$</packageUrl>
+        <cpe>cpe:/a:pear:pear</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        FP per #7984 - only the laravel/framework packages reflect the actual laravel products (each have their own CPE)
+        ]]></notes>
+        <packageUrl regex="true">^pkg:composer/(?!laravel/framework@|laravel/laravel@).*$</packageUrl>
+        <cpe>cpe:/a:laravel:laravel</cpe>
+        <cpe>cpe:/a:laravel:framework</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        FP per #7984 - only the drupal/services package represents the drupal services project
+        ]]></notes>
+        <packageUrl regex="true">^pkg:composer/(?!drupal/services@).*$</packageUrl>
+        <cpe>cpe:/a:services_project:services</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        FP per #7984 - only the doctrine/orm package represents the core doctrine project
+        ]]></notes>
+        <packageUrl regex="true">^pkg:composer/(?!doctrine/orm@).*$</packageUrl>
+        <cpe>cpe:/a:doctrine-project:doctrine</cpe>
+    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per #2957

From ea3500dbd5e28576b1c02d927d296e92560f8d39 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 7 Oct 2025 01:01:13 +0000
Subject: [PATCH 168/195] build(deps): bump org.postgresql:postgresql from
 42.7.7 to 42.7.8

Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.7 to 42.7.8.
- [Release notes](https://github.com/pgjdbc/pgjdbc/releases)
- [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pgjdbc/pgjdbc/compare/REL42.7.7...REL42.7.8)

---
updated-dependencies:
- dependency-name: org.postgresql:postgresql
  dependency-version: 42.7.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 core/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/pom.xml b/core/pom.xml
index fa9479890a2..8c3a2cafc52 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -471,7 +471,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 <dependency>
                     <groupId>org.postgresql</groupId>
                     <artifactId>postgresql</artifactId>
-                    <version>42.7.7</version>
+                    <version>42.7.8</version>
                 </dependency>
             </dependencies>
             <build>

From fcc7c8af1c459090818e42cc089d1ced83654f77 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Tue, 7 Oct 2025 10:06:05 +0800
Subject: [PATCH 169/195] build: Replace Maven Enforcer byte code rule with
 extra-enforcer-rules (#8006)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 pom.xml | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/pom.xml b/pom.xml
index 1b08d0c2df4..96110153f41 100644
--- a/pom.xml
+++ b/pom.xml
@@ -520,9 +520,9 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>maven-enforcer-plugin</artifactId>
                 <dependencies>
                     <dependency>
-                        <groupId>org.owasp.maven.enforcer</groupId>
-                        <artifactId>class-file-format-rule</artifactId>
-                        <version>2.0.0</version>
+                        <groupId>org.codehaus.mojo</groupId>
+                        <artifactId>extra-enforcer-rules</artifactId>
+                        <version>1.11.0</version>
                     </dependency>
                 </dependencies>
                 <inherited>true</inherited>
@@ -535,23 +535,23 @@ Copyright (c) 2012 - Jeremy Long
                         <configuration>
                             <rules>
                                 <requireJavaVersion>
-                                    <version>1.8.0</version>
+                                    <version>${maven.compiler.release}</version>
                                 </requireJavaVersion>
                             </rules>
                         </configuration>
                     </execution>
                     <execution>
-                        <id>enforce-classfileformat</id>
+                        <id>enforce-bytecode-version</id>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
                         <configuration>
                             <rules>
-                                <byteCodeRule implementation="org.owasp.maven.enforcer.rule.ClassFileFormatRule">
-                                    <supportedClassFileFormat>55</supportedClassFileFormat>
-                                </byteCodeRule>
+                                <enforceBytecodeVersion>
+                                    <maxJdkVersion>${maven.compiler.release}</maxJdkVersion>
+                                </enforceBytecodeVersion>
                             </rules>
                         </configuration>
-                        <goals>
-                            <goal>enforce</goal>
-                        </goals>
                     </execution>
                     <execution>
                         <id>enforce-maven-3</id>

From 96e2efa2874976c8fa6eb59fd13c434127391bbd Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 8 Oct 2025 18:16:52 -0400
Subject: [PATCH 170/195] build(deps): bump golang from 1.25.1-alpine to
 1.25.2-alpine (#8013)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 7e487b2960b..9cd416c69ff 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.25.1-alpine AS go
+FROM golang:1.25.2-alpine AS go
 
 FROM azul/zulu-openjdk-alpine:21 AS jlink
 

From f6829293736d2448bea5194b90377427270bc12e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 9 Oct 2025 08:36:21 -0400
Subject: [PATCH 171/195] build(deps): bump
 org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (#8012)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 82ee9f94c43..9df93277ba9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -131,7 +131,7 @@ Copyright (c) 2012 - Jeremy Long
         <doxia-base.version>2.0.0</doxia-base.version>
         <maven-antrun-plugin.version>3.1.0</maven-antrun-plugin.version>
         <maven-dependency-plugin.version>3.8.1</maven-dependency-plugin.version>
-        <maven-javadoc-plugin.version>3.11.3</maven-javadoc-plugin.version>
+        <maven-javadoc-plugin.version>3.12.0</maven-javadoc-plugin.version>
         <!-- upgrading beyond 2.5 breaks maven site-->
         <maven-jxr-plugin.version>2.5</maven-jxr-plugin.version>
         <maven-project-info-reports-plugin.version>3.9.0</maven-project-info-reports-plugin.version>

From f8f48779d82e6b5bba1cc5ed92b6d7c71fc06f36 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 9 Oct 2025 08:36:44 -0400
Subject: [PATCH 172/195] build(deps): bump github/codeql-action from 3 to 4
 (#8010)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml |  4 ++--
 .github/workflows/pull_requests.yml   | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d8cfbaa48b6..428f96ee81a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,7 +37,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -61,4 +61,4 @@ jobs:
        mvn -s settings.xml clean package -DskipTests=true --no-transfer-progress --batch-mode
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
index 0624347f732..f7b75d8af5c 100644
--- a/.github/workflows/pull_requests.yml
+++ b/.github/workflows/pull_requests.yml
@@ -45,22 +45,22 @@ jobs:
           # Command to be sent to SARIF Multitool
           command: 'validate core/target/test-reports/Report.sarif'
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: utils/target/spotbugsSarif.json
           category: spotbugs-utils
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: cli/target/spotbugsSarif.json
           category: spotbugs-cli
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ant/target/spotbugsSarif.json
           category: spotbugs-ant
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: core/target/spotbugsSarif.json
           category: spotbugs-core
@@ -120,7 +120,7 @@ jobs:
           retention-days: 7
           path: maven/target/it/**/build.log
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: maven/target/spotbugsSarif.json
           category: spotbugs-maven
@@ -152,7 +152,7 @@ jobs:
         run: |
             mvn -V -s settings.xml checkstyle:checkstyle-aggregate --no-transfer-progress --batch-mode
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: target/checkstyle-result.sarif
           category: checkstyle

From 7c700bd4bc1fee1fee3dfa12a2a1cde3146634c2 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Thu, 9 Oct 2025 20:37:53 +0800
Subject: [PATCH 173/195] fix(fp): Consolidate false positive suppression for
 false positives on Redis client libs (#8017)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../dependencycheck-base-suppression.xml      | 36 +++----------------
 1 file changed, 5 insertions(+), 31 deletions(-)

diff --git a/core/src/main/resources/dependencycheck-base-suppression.xml b/core/src/main/resources/dependencycheck-base-suppression.xml
index 2b482fe2af6..d244aafc1d8 100644
--- a/core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/core/src/main/resources/dependencycheck-base-suppression.xml
@@ -6350,24 +6350,12 @@
     <!-- end generated suppressions added to main in 8.4.0 -->
     <suppress base="true">
         <notes><![CDATA[
-            FP per #4321
+            FP per #4321, #7444, #7740, 8016
+            Redis client packages within various languages are not the same as the redis server
+            NOTE: the additional colon in the CPE is required to not match on prefix with cpe:/a:redis:redis.js etc
             ]]></notes>
-        <packageUrl regex="true">^pkg:(pypi/redis|generic/Microsoft\.Extensions\.Caching\.StackExchangeRedis|generic/HealthChecks\.Redis)@.*$</packageUrl>
-        <cve>CVE-2021-32626</cve>
-        <cve>CVE-2021-32627</cve>
-        <cve>CVE-2021-32628</cve>
-        <cve>CVE-2021-32675</cve>
-        <cve>CVE-2021-32687</cve>
-        <cve>CVE-2021-32762</cve>
-        <cve>CVE-2021-41099</cve>
-        <cve>CVE-2022-24735</cve>
-        <cve>CVE-2022-24834</cve>
-        <cve>CVE-2021-31294</cve>
-        <cve>CVE-2021-32672</cve>
-        <cve>CVE-2022-24736</cve>
-        <cve>CVE-2022-36021</cve>
-        <cve>CVE-2023-25155</cve>
-        <cve>CVE-2023-28856</cve>
+        <packageUrl regex="true">^pkg:(pypi|nuget|generic|npm|composer)/.*[rR]edis.*@.*$</packageUrl>
+        <cpe>cpe:/a:redis:redis:</cpe>
     </suppress>
     <!-- generated suppression 8.4.0 up to 9.1.0 -->
     <suppress base="true">
@@ -7085,20 +7073,6 @@
         <packageUrl regex="true">^pkg:nuget/IronPython@.*$</packageUrl>
         <cpe>cpe:/a:python:python</cpe>
     </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per issue #7444
-        ]]></notes>
-        <packageUrl regex="true">^pkg:nuget/.+\.Redis\..*$</packageUrl>
-        <cpe>cpe:2.3:a:redis:redis</cpe>
-    </suppress>
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per issue #7740
-        ]]></notes>
-        <packageUrl regex="true">^pkg:npm/.*redis.*@.*$</packageUrl>
-        <cpe>cpe:2.3:a:redis:redis</cpe>
-    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         FP per issue #7664

From c1e4143b65d513830dfd0e54c7c9198305eb7c7e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 10 Oct 2025 06:46:54 -0400
Subject: [PATCH 174/195] build(deps): bump pnpm/action-setup from 4.1.0 to
 4.2.0 (#8015)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build.yml         | 2 +-
 .github/workflows/pull_requests.yml | 4 ++--
 .github/workflows/release.yml       | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dd61a60c8bf..808b315fbbf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -55,7 +55,7 @@ jobs:
           server-id: central
           server-username: ${{ secrets.CENTRAL_USER }}
           server-password: ${{ secrets.CENTRAL_PASSWORD }}
-      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           version: 6.0.2
       - name: Build Snapshot with Maven
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
index f7b75d8af5c..728d414006d 100644
--- a/.github/workflows/pull_requests.yml
+++ b/.github/workflows/pull_requests.yml
@@ -32,7 +32,7 @@ jobs:
         with:
           java-version: 11
           distribution: 'zulu'
-      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           version: 6.0.2
       - name: Test with Maven
@@ -102,7 +102,7 @@ jobs:
         with:
           java-version: 11
           distribution: 'zulu'
-      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           version: 6.0.2
       - name: Regression Test Maven Plugin
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9e78ad1aa70..d2cbf30c8e7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -57,7 +57,7 @@ jobs:
           server-id: central
           server-username: ${{ secrets.CENTRAL_USER }}
           server-password: ${{ secrets.CENTRAL_PASSWORD }}
-      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           version: 6.0.2
       - name: Configure Git user

From f613de3d4167c204baa84eb2a85d44bc42e73a4a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 10 Oct 2025 06:47:19 -0400
Subject: [PATCH 175/195] build(deps): bump junit.version from 5.13.4 to 5.14.0
 (#8011)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Nicolas Humblot <contact@nicolashumblot.fr>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 9df93277ba9..ee5159489c1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -154,7 +154,7 @@ Copyright (c) 2012 - Jeremy Long
             https://github.com/apache/commons-jcs/pull/120 -->
         <commons-jcs-core.version>3.2.1</commons-jcs-core.version>
         <aho-corasick-double-array-trie.version>1.2.3</aho-corasick-double-array-trie.version>
-        <junit.version>5.13.4</junit.version>
+        <junit.version>5.14.0</junit.version>
         <hamcrest.version>3.0</hamcrest.version>
         <mockito.version>5.19.0</mockito.version>
         <jsoup.version>1.21.2</jsoup.version>

From c7e3ee8306290fef442fccc6c5e4f000dbcc74db Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 10 Oct 2025 06:47:43 -0400
Subject: [PATCH 176/195] build(deps): bump
 org.apache.maven.plugins:maven-surefire-report-plugin from 3.5.3 to 3.5.4
 (#8021)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index ee5159489c1..9491b8a389c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -135,7 +135,7 @@ Copyright (c) 2012 - Jeremy Long
         <!-- upgrading beyond 2.5 breaks maven site-->
         <maven-jxr-plugin.version>2.5</maven-jxr-plugin.version>
         <maven-project-info-reports-plugin.version>3.9.0</maven-project-info-reports-plugin.version>
-        <maven-surefire-report-plugin.version>3.5.3</maven-surefire-report-plugin.version>
+        <maven-surefire-report-plugin.version>3.5.4</maven-surefire-report-plugin.version>
         <jacoco-maven-plugin.version>0.8.13</jacoco-maven-plugin.version>
         <spotbugs.maven.plugin.version>4.9.4.0</spotbugs.maven.plugin.version>
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>

From e32fbafb259fa199078f66e23b2da096ed5d02fb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 10 Oct 2025 06:48:32 -0400
Subject: [PATCH 177/195] build(deps): bump com.google.guava:guava from
 33.4.8-jre to 33.5.0-jre (#7978)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 9491b8a389c..104a0da87fc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1305,7 +1305,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>com.google.guava</groupId>
                 <artifactId>guava</artifactId>
-                <version>33.4.8-jre</version>
+                <version>33.5.0-jre</version>
             </dependency>
             <dependency>
                 <groupId>com.hankcs</groupId>

From 98fa9336e7d1a768cba845224e22b47625801036 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 10 Oct 2025 06:51:40 -0400
Subject: [PATCH 178/195] build(deps): bump
 org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0 (#8001)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 104a0da87fc..4559a02fb59 100644
--- a/pom.xml
+++ b/pom.xml
@@ -130,7 +130,7 @@ Copyright (c) 2012 - Jeremy Long
         <reporting.checkstyle.tool.version>9.3</reporting.checkstyle.tool.version>
         <doxia-base.version>2.0.0</doxia-base.version>
         <maven-antrun-plugin.version>3.1.0</maven-antrun-plugin.version>
-        <maven-dependency-plugin.version>3.8.1</maven-dependency-plugin.version>
+        <maven-dependency-plugin.version>3.9.0</maven-dependency-plugin.version>
         <maven-javadoc-plugin.version>3.12.0</maven-javadoc-plugin.version>
         <!-- upgrading beyond 2.5 breaks maven site-->
         <maven-jxr-plugin.version>2.5</maven-jxr-plugin.version>

From c93bb054ff23be441ca440e0fadbe42680fb344e Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Fri, 10 Oct 2025 15:52:02 -0400
Subject: [PATCH 179/195] build(deps): bump microsoft/sarif-actions from v0.1
 to 0.2 (#8025)

---
 .github/workflows/build.yml         | 2 +-
 .github/workflows/pull_requests.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 808b315fbbf..850054c0bb5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -67,7 +67,7 @@ jobs:
           NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
         run: mvn -V -s settings.xml -Prelease clean package verify source:jar javadoc:jar gpg:sign deploy -DreleaseTesting --no-transfer-progress --batch-mode
       - name: SARIF Multitool
-        uses: microsoft/sarif-actions@v0.1
+        uses: microsoft/sarif-actions@v0.2
         with:
           # Command to be sent to SARIF Multitool
           command: 'validate core/target/test-reports/Report.sarif'
diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml
index 728d414006d..fc35f684891 100644
--- a/.github/workflows/pull_requests.yml
+++ b/.github/workflows/pull_requests.yml
@@ -40,7 +40,7 @@ jobs:
         run: |
             mvn -V -s settings.xml -pl utils,core,cli,ant,archetype -am compile verify --no-transfer-progress --batch-mode
       - name: SARIF Multitool
-        uses: microsoft/sarif-actions@v0.1
+        uses: microsoft/sarif-actions@v0.2
         with:
           # Command to be sent to SARIF Multitool
           command: 'validate core/target/test-reports/Report.sarif'

From 004b585e06a3a973e6af30400d4e73bdc81daf03 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 11 Oct 2025 15:21:10 -0400
Subject: [PATCH 180/195] docs: add scarf to gh-pages (#8027)

---
 ant/src/site/site.xml                                    | 1 +
 archetype/src/site/site.xml                              | 1 +
 cli/src/site/site.xml                                    | 1 +
 core/src/main/java/org/owasp/dependencycheck/Engine.java | 3 +--
 core/src/site/site.xml                                   | 1 +
 maven/src/site/site.xml                                  | 1 +
 src/site/markdown/index.md                               | 2 --
 src/site/site.xml                                        | 1 +
 utils/src/site/site.xml                                  | 1 +
 9 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ant/src/site/site.xml b/ant/src/site/site.xml
index b0ac38e0f38..797f326f273 100644
--- a/ant/src/site/site.xml
+++ b/ant/src/site/site.xml
@@ -31,5 +31,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <item name="Configuration" href="configuration.html"/>
         </menu>
         <menu ref="reports" />
+        <footer><![CDATA[<p>&copy; 2012&ndash;2025 <a href="https://www.owasp.org">OWASP</a></p><img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=90c74bb8-b6d1-4464-a9b6-754067afe126" alt="" width="1" height="1" />]]></footer>
     </body>
 </site>
\ No newline at end of file
diff --git a/archetype/src/site/site.xml b/archetype/src/site/site.xml
index 3311724ad80..17e1defd4b7 100644
--- a/archetype/src/site/site.xml
+++ b/archetype/src/site/site.xml
@@ -30,5 +30,6 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
             <item name="Usage" href="index.html"/>
         </menu>
         <menu ref="reports"/>
+        <footer><![CDATA[<p>&copy; 2012&ndash;2025 <a href="https://www.owasp.org">OWASP</a></p><img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=90c74bb8-b6d1-4464-a9b6-754067afe126" alt="" width="1" height="1" />]]></footer>
     </body>
 </site>
\ No newline at end of file
diff --git a/cli/src/site/site.xml b/cli/src/site/site.xml
index 7918edc3e74..87e2776f51f 100644
--- a/cli/src/site/site.xml
+++ b/cli/src/site/site.xml
@@ -31,5 +31,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <item name="Configuration" href="arguments.html"/>
         </menu>
         <menu ref="reports" />
+        <footer><![CDATA[<p>&copy; 2012&ndash;2025 <a href="https://www.owasp.org">OWASP</a></p><img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=90c74bb8-b6d1-4464-a9b6-754067afe126" alt="" width="1" height="1" />]]></footer>
     </body>
 </site>
\ No newline at end of file
diff --git a/core/src/main/java/org/owasp/dependencycheck/Engine.java b/core/src/main/java/org/owasp/dependencycheck/Engine.java
index 594af3f1c51..625da29a419 100644
--- a/core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -647,8 +647,7 @@ public void analyzeDependencies() throws ExceptionCollection {
                 + "performed, or the resulting report.\n\n\n"
                 + "   About ODC: https://dependency-check.github.io/DependencyCheck/general/internals.html\n"
                 + "   False Positives: https://dependency-check.github.io/DependencyCheck/general/suppression.html\n"
-                + "\n"
-                + "💖 Sponsor: https://github.com/sponsors/jeremylong\n\n");
+                + "\n");
         LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------");
         LOGGER.info("Analysis Started");
         final long analysisStart = System.currentTimeMillis();
diff --git a/core/src/site/site.xml b/core/src/site/site.xml
index 7802e391623..5760e035643 100644
--- a/core/src/site/site.xml
+++ b/core/src/site/site.xml
@@ -30,5 +30,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <item collapse="false" name="About" href="./index.html"/>
         </menu>
         <menu ref="reports" />
+        <footer><![CDATA[<p>&copy; 2012&ndash;2025 <a href="https://www.owasp.org">OWASP</a></p><img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=90c74bb8-b6d1-4464-a9b6-754067afe126" alt="" width="1" height="1" />]]></footer>
     </body>
 </site>
\ No newline at end of file
diff --git a/maven/src/site/site.xml b/maven/src/site/site.xml
index e502e572460..d1101dd2f7a 100644
--- a/maven/src/site/site.xml
+++ b/maven/src/site/site.xml
@@ -32,5 +32,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <item name="Goals" href="plugin-info.html"/>
         </menu>
         <menu ref="reports"/>
+        <footer><![CDATA[<p>&copy; 2012&ndash;2025 <a href="https://www.owasp.org">OWASP</a></p><img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=90c74bb8-b6d1-4464-a9b6-754067afe126" alt="" width="1" height="1" />]]></footer>
     </body>
 </site>
diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md
index 5810b1ee3ea..925ffbf80a0 100644
--- a/src/site/markdown/index.md
+++ b/src/site/markdown/index.md
@@ -37,5 +37,3 @@ OWASP dependency-check's core analysis engine can be used as:
 For help with dependency-check the following resource can be used:
 
 - Open a [github issue](https://github.com/dependency-check/DependencyCheck/issues)
-
-<div style="display: flex;align-items:center;">Sponsor Development of dependency-check:&nbsp;<iframe src="https://github.com/sponsors/jeremylong/button" title="Sponsor jeremylong" height="35" width="116" style="border: 0;"></iframe></div>
\ No newline at end of file
diff --git a/src/site/site.xml b/src/site/site.xml
index 5351274cc35..54f2fe1c443 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -128,5 +128,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             </item>
         </menu>
         <menu ref="reports" />
+        <footer><![CDATA[<p>&copy; 2012&ndash;2025 <a href="https://www.owasp.org">OWASP</a></p><img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=90c74bb8-b6d1-4464-a9b6-754067afe126" alt="" width="1" height="1" />]]></footer>
     </body>
 </site>
diff --git a/utils/src/site/site.xml b/utils/src/site/site.xml
index caa52824d39..9aefea3d18f 100644
--- a/utils/src/site/site.xml
+++ b/utils/src/site/site.xml
@@ -28,5 +28,6 @@ Copyright (c) 2014 Jeremy Long. All Rights Reserved.
         </breadcrumbs>
         <menu ref="Project Documentation" />
         <menu ref="reports" />
+        <footer><![CDATA[<p>&copy; 2012&ndash;2025 <a href="https://www.owasp.org">OWASP</a></p><img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=90c74bb8-b6d1-4464-a9b6-754067afe126" alt="" width="1" height="1" />]]></footer>
     </body>
 </project>
\ No newline at end of file

From 11ab774cd9c0b534248d91495e4e0445ce56a8fe Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 11 Oct 2025 15:27:48 -0400
Subject: [PATCH 181/195] docs: add scarf to readme.md (#8028)

---
 README.md       | 2 ++
 ant/README.md   | 2 ++
 cli/README.md   | 2 ++
 core/README.md  | 2 ++
 maven/README.md | 2 ++
 5 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index e7c2c81015b..50a2edfec1a 100644
--- a/README.md
+++ b/README.md
@@ -367,3 +367,5 @@ Copyright (c) 2012-2025 Jeremy Long. All Rights Reserved.
 
   [wiki]: https://github.com/dependency-check/DependencyCheck/wiki
   [notices]: https://github.com/dependency-check/DependencyCheck/blob/main/NOTICE.txt
+
+<img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=c78174f3-f898-4a5d-b3ab-1202b7db8ef6" />
diff --git a/ant/README.md b/ant/README.md
index 6d7f2fe67f7..3338cd1f12d 100644
--- a/ant/README.md
+++ b/ant/README.md
@@ -17,3 +17,5 @@ Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/dependency-check/DependencyCheck/blob/main/LICENSE.txt) file for the full license.
 
 Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/dependency-check/DependencyCheck/blob/main/ant/NOTICE.txt) file for more information.
+
+<img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=c78174f3-f898-4a5d-b3ab-1202b7db8ef6" />
\ No newline at end of file
diff --git a/cli/README.md b/cli/README.md
index 4d45aa217b9..7ab25b589d9 100644
--- a/cli/README.md
+++ b/cli/README.md
@@ -16,3 +16,5 @@ Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/dependency-check/DependencyCheck/blob/main/cli/LICENSE.txt) file for the full license.
 
 Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/dependency-check/DependencyCheck/blob/main/cli/NOTICE.txt) file for more information.
+
+<img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=c78174f3-f898-4a5d-b3ab-1202b7db8ef6" />
\ No newline at end of file
diff --git a/core/README.md b/core/README.md
index 31f3f9b26cd..1b6c759cb08 100644
--- a/core/README.md
+++ b/core/README.md
@@ -15,3 +15,5 @@ Dependency-Check makes use of several other open source libraries. Please see th
 
   [wiki]: https://github.com/dependency-check/DependencyCheck/wiki
   [notices]: https://github.com/dependency-check/DependencyCheck/blob/main/NOTICE.txt
+
+<img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=c78174f3-f898-4a5d-b3ab-1202b7db8ef6" />
\ No newline at end of file
diff --git a/maven/README.md b/maven/README.md
index 09be4fe2404..78e6c9705a8 100644
--- a/maven/README.md
+++ b/maven/README.md
@@ -15,3 +15,5 @@ Permission to modify and redistribute is granted under the terms of the Apache 2
 Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt][notices] file for more information.
 
   [notices]: https://github.com/dependency-check/DependencyCheck/blob/main/maven/NOTICE.txt
+
+<img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=c78174f3-f898-4a5d-b3ab-1202b7db8ef6" />

From 6865cd3eefe7766a5c887eda7ece6c1eb81b9a96 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sat, 11 Oct 2025 15:31:41 -0400
Subject: [PATCH 182/195] docs: improve slack notification documentation
 (#8026)

---
 .../configuration-aggregate.md                | 80 ++++++++++---------
 .../dependency-check-gradle/configuration.md  | 60 +++++++-------
 2 files changed, 72 insertions(+), 68 deletions(-)

diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
index dc1ca84d3ef..586965012b1 100644
--- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
+++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
@@ -49,10 +49,11 @@ check.dependsOn dependencyCheckAggregate
 | scanSet            | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                         | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] |
 
 #### Example
+
 ```groovy
 dependencyCheck {
-    autoUpdate=false
-    format='ALL'
+    autoUpdate = false
+    format = 'ALL'
 }
 ```
 
@@ -67,10 +68,11 @@ dependencyCheck {
 | proxy        | nonProxyHosts | The list of hosts that do not use a proxy.                                                     | &nbsp;        |
 
 #### Example
+
 ```groovy
 dependencyCheck {
-    proxy.server=some.proxy.server
-    proxy.port=8989
+    proxy.server = some.proxy.server
+    proxy.port = 8989
 }
 ```
 
@@ -78,41 +80,42 @@ dependencyCheck {
 
 The following properties can be configured in the dependencyCheck task. However, they are less frequently changed.
 
-| Config Group       | Property                   | Description                                                                                                                                                       | Default Value                                                                             |
-|--------------------|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
-| &nbsp;             | suppressionFileUser        | Credentials used for basic authentication for web-hosted suppression files                                                                                        | &nbsp;                                                                                    |
-| &nbsp;             | suppressionFilePassword    | Credentials used for basic authentication for web-hosted suppression files                                                                                        | &nbsp;                                                                                    |
-| &nbsp;             | suppressionFileBearerToken | Credentials used for bearer authentication for web-hosted suppression files                                                                                       | &nbsp;                                                                                    |
-| nvd                | apiKey                     | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                               | &nbsp;                                                                                    |
-| nvd                | endpoint                   | The NVD API endpoint URL; setting this is uncommon.                                                                                                               | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
-| nvd                | maxRetryCount              | The maximum number of retry requests for a single call to the NVD API.                                                                                            | 10                                                                                        |
-| nvd                | delay                      | The number of milliseconds to wait between calls to the NVD API.                                                                                                  | 3500 with an NVD API Key or 8000 without an API Key                                       |
-| nvd                | resultsPerPage             | The number records for a single page from NVD API (must be <=2000).                                                                                               | 2000                                                                                      |
-| nvd                | datafeedUrl                | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data | &nbsp;                                                                                    |
-| nvd                | datafeedUser               | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
-| nvd                | datafeedPassword           | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
-| nvd                | datafeedBearerToken        | Credentials used for bearer authentication for the NVD API Data feed.                                                                                             | &nbsp;                                                                                    |
-| nvd                | validForHours              | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                 | 4                                                                                         |
-| data               | directory                  | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                          | &nbsp;                                                                                    |
-| data               | driver                     | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                      | &nbsp;                                                                                    |
-| data               | driverPath                 | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                            | &nbsp;                                                                                    |
-| data               | connectionString           | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                      | &nbsp;                                                                                    |
-| data               | username                   | The username used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
-| data               | password                   | The password used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
-| slack              | enabled                    | Whether or not slack notifications are enabled.                                                                                                                   | false                                                                                     |
-| slack              | webhookUrl                 | The custom incoming webhook URL to receive notifications.                                                                                                         | &nbsp;                                                                                    |
-| hostedSuppressions | enabled                    | Whether the hosted suppressions file will be used.                                                                                                                | true                                                                                      |
-| hostedSuppressions | forceupdate                | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                                                                         | false                                                                                     |
-| hostedSuppressions | url                        | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                                                                 | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
-| hostedSuppressions | user                       | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
-| hostedSuppressions | password                   | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
-| hostedSuppressions | bearerToken                | Credentials used for bearer authentication for the hosted suppressions file.                                                                                      | &nbsp;                                                                                    |
-| hostedSuppressions | validForHours              | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                     | 2                                                                                         |
+| Config Group       | Property                   | Description                                                                                                                                                                                   | Default Value                                                                             |
+|--------------------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| &nbsp;             | suppressionFileUser        | Credentials used for basic authentication for web-hosted suppression files                                                                                                                    | &nbsp;                                                                                    |
+| &nbsp;             | suppressionFilePassword    | Credentials used for basic authentication for web-hosted suppression files                                                                                                                    | &nbsp;                                                                                    |
+| &nbsp;             | suppressionFileBearerToken | Credentials used for bearer authentication for web-hosted suppression files                                                                                                                   | &nbsp;                                                                                    |
+| nvd                | apiKey                     | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                                                           | &nbsp;                                                                                    |
+| nvd                | endpoint                   | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                           | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
+| nvd                | maxRetryCount              | The maximum number of retry requests for a single call to the NVD API.                                                                                                                        | 10                                                                                        |
+| nvd                | delay                      | The number of milliseconds to wait between calls to the NVD API.                                                                                                                              | 3500 with an NVD API Key or 8000 without an API Key                                       |
+| nvd                | resultsPerPage             | The number records for a single page from NVD API (must be <=2000).                                                                                                                           | 2000                                                                                      |
+| nvd                | datafeedUrl                | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data                             | &nbsp;                                                                                    |
+| nvd                | datafeedUser               | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                          | &nbsp;                                                                                    |
+| nvd                | datafeedPassword           | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                          | &nbsp;                                                                                    |
+| nvd                | datafeedBearerToken        | Credentials used for bearer authentication for the NVD API Data feed.                                                                                                                         | &nbsp;                                                                                    |
+| nvd                | validForHours              | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                             | 4                                                                                         |
+| data               | directory                  | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                                                      | &nbsp;                                                                                    |
+| data               | driver                     | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                  | &nbsp;                                                                                    |
+| data               | driverPath                 | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                                                        | &nbsp;                                                                                    |
+| data               | connectionString           | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                                                  | &nbsp;                                                                                    |
+| data               | username                   | The username used when connecting to the database.                                                                                                                                            | &nbsp;                                                                                    |
+| data               | password                   | The password used when connecting to the database.                                                                                                                                            | &nbsp;                                                                                    |
+| slack              | enabled                    | Whether or not slack notifications are enabled.                                                                                                                                               | false                                                                                     |
+| slack              | webhookUrl                 | The custom incoming webhook URL to receive notifications. Note that the current implementation only notifies about build failures so this should be used in combination with failBuildOnCVSS. | &nbsp;                                                                                    |
+| hostedSuppressions | enabled                    | Whether the hosted suppressions file will be used.                                                                                                                                            | true                                                                                      |
+| hostedSuppressions | forceupdate                | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                                                                                                     | false                                                                                     |
+| hostedSuppressions | url                        | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                                                                                             | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
+| hostedSuppressions | user                       | Credentials used for basic authentication for the hosted suppressions file.                                                                                                                   | &nbsp;                                                                                    |
+| hostedSuppressions | password                   | Credentials used for basic authentication for the hosted suppressions file.                                                                                                                   | &nbsp;                                                                                    |
+| hostedSuppressions | bearerToken                | Credentials used for bearer authentication for the hosted suppressions file.                                                                                                                  | &nbsp;                                                                                    |
+| hostedSuppressions | validForHours              | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                                                 | 2                                                                                         |
 
 #### Example
+
 ```groovy
 dependencyCheck {
-    data.directory='d:/nvd'
+    data.directory = 'd:/nvd'
 }
 ```
 
@@ -199,11 +202,12 @@ analyzers is likely not needed.
 | ossIndex     | warnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.                                                     | false                                                                                    |
 
 #### Example
+
 ```groovy
 dependencyCheck {
-    analyzers.assemblyEnabled=false
-    analyzers.artifactory.enabled=true
-    analyzers.artifactory.url='https://internal.artifactory.url'
+    analyzers.assemblyEnabled = false
+    analyzers.artifactory.enabled = true
+    analyzers.artifactory.url = 'https://internal.artifactory.url'
     analyzers.retirejs.filters = ['(i)copyright Jeremy Long']
 }
 ```
diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md
index 7f7933b5d27..0e2f263a8ef 100644
--- a/src/site/markdown/dependency-check-gradle/configuration.md
+++ b/src/site/markdown/dependency-check-gradle/configuration.md
@@ -65,36 +65,36 @@ Please see https://docs.gradle.org/current/userguide/build_environment.html#sec:
 
 The following properties can be configured in the dependencyCheck task. However, they are less frequently changed.
 
-| Config Group       | Property                   | Description                                                                                                                                                       | Default Value                                                                             |
-|--------------------|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
-| &nbsp;             | suppressionFileUser        | Credentials used for basic authentication for web-hosted suppression files                                                                                        | &nbsp;                                                                                    |
-| &nbsp;             | suppressionFilePassword    | Credentials used for basic authentication for web-hosted suppression files                                                                                        | &nbsp;                                                                                    |
-| &nbsp;             | suppressionFileBearerToken | Credentials used for bearer authentication for web-hosted suppression files                                                                                       | &nbsp;                                                                                    |
-| nvd                | apiKey                     | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                               | &nbsp;                                                                                    |
-| nvd                | endpoint                   | The NVD API endpoint URL; setting this is uncommon.                                                                                                               | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
-| nvd                | maxRetryCount              | The maximum number of retry requests for a single call to the NVD API.                                                                                            | 10                                                                                        |
-| nvd                | delay                      | The number of milliseconds to wait between calls to the NVD API.                                                                                                  | 3500 with an NVD API Key or 8000 without an API Key                                       |
-| nvd                | resultsPerPage             | The number records for a single page from NVD API (must be <=2000).                                                                                               | 2000                                                                                      |
-| nvd                | datafeedUrl                | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data | &nbsp;                                                                                    |
-| nvd                | datafeedUser               | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
-| nvd                | datafeedPassword           | Credentials used for basic authentication for the NVD API Data feed.                                                                                              | &nbsp;                                                                                    |
-| nvd                | datafeedBearerToken        | Credentials used for bearer authentication for the NVD API Data feed.                                                                                             | &nbsp;                                                                                    |
-| nvd                | validForHours              | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                 | 4                                                                                         |
-| data               | directory                  | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                          | &nbsp;                                                                                    |
-| data               | driver                     | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                      | &nbsp;                                                                                    |
-| data               | driverPath                 | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                            | &nbsp;                                                                                    |
-| data               | connectionString           | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                      | &nbsp;                                                                                    |
-| data               | username                   | The username used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
-| data               | password                   | The password used when connecting to the database.                                                                                                                | &nbsp;                                                                                    |
-| slack              | enabled                    | Whether or not slack notifications are enabled.                                                                                                                   | false                                                                                     |
-| slack              | webhookUrl                 | The custom incoming webhook URL to receive notifications.                                                                                                         | &nbsp;                                                                                    |
-| hostedSuppressions | enabled                    | Whether the hosted suppressions file will be used.                                                                                                                | true                                                                                      |
-| hostedSuppressions | forceupdate                | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                                                                         | false                                                                                     |
-| hostedSuppressions | url                        | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                                                                 | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
-| hostedSuppressions | user                       | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
-| hostedSuppressions | password                   | Credentials used for basic authentication for the hosted suppressions file.                                                                                       | &nbsp;                                                                                    |
-| hostedSuppressions | bearerToken                | Credentials used for bearer authentication for the hosted suppressions file.                                                                                      | &nbsp;                                                                                    |
-| hostedSuppressions | validForHours              | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                     | 2                                                                                         |
+| Config Group       | Property                   | Description                                                                                                                                                                                   | Default Value                                                                             |
+|--------------------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| &nbsp;             | suppressionFileUser        | Credentials used for basic authentication for web-hosted suppression files                                                                                                                    | &nbsp;                                                                                    |
+| &nbsp;             | suppressionFilePassword    | Credentials used for basic authentication for web-hosted suppression files                                                                                                                    | &nbsp;                                                                                    |
+| &nbsp;             | suppressionFileBearerToken | Credentials used for bearer authentication for web-hosted suppression files                                                                                                                   | &nbsp;                                                                                    |
+| nvd                | apiKey                     | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key                                                                                           | &nbsp;                                                                                    |
+| nvd                | endpoint                   | The NVD API endpoint URL; setting this is uncommon.                                                                                                                                           | https://services.nvd.nist.gov/rest/json/cves/2.0                                          |
+| nvd                | maxRetryCount              | The maximum number of retry requests for a single call to the NVD API.                                                                                                                        | 10                                                                                        |
+| nvd                | delay                      | The number of milliseconds to wait between calls to the NVD API.                                                                                                                              | 3500 with an NVD API Key or 8000 without an API Key                                       |
+| nvd                | resultsPerPage             | The number records for a single page from NVD API (must be <=2000).                                                                                                                           | 2000                                                                                      |
+| nvd                | datafeedUrl                | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data                             | &nbsp;                                                                                    |
+| nvd                | datafeedUser               | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                          | &nbsp;                                                                                    |
+| nvd                | datafeedPassword           | Credentials used for basic authentication for the NVD API Data feed.                                                                                                                          | &nbsp;                                                                                    |
+| nvd                | datafeedBearerToken        | Credentials used for bearer authentication for the NVD API Data feed.                                                                                                                         | &nbsp;                                                                                    |
+| nvd                | validForHours              | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.                                                                                             | 4                                                                                         |
+| data               | directory                  | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.                                                                                                      | &nbsp;                                                                                    |
+| data               | driver                     | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path.                                                  | &nbsp;                                                                                    |
+| data               | driverPath                 | The path to the database driver JAR file; only needs to be set if the driver is not in the class path.                                                                                        | &nbsp;                                                                                    |
+| data               | connectionString           | The connection string used to connect to the database. See using a [database server](../data/database.html).                                                                                  | &nbsp;                                                                                    |
+| data               | username                   | The username used when connecting to the database.                                                                                                                                            | &nbsp;                                                                                    |
+| data               | password                   | The password used when connecting to the database.                                                                                                                                            | &nbsp;                                                                                    |
+| slack              | enabled                    | Whether or not slack notifications are enabled.                                                                                                                                               | false                                                                                     |
+| slack              | webhookUrl                 | The custom incoming webhook URL to receive notifications. Note that the current implementation only notifies about build failures so this should be used in combination with failBuildOnCVSS. | &nbsp;                                                                                    |
+| hostedSuppressions | enabled                    | Whether the hosted suppressions file will be used.                                                                                                                                            | true                                                                                      |
+| hostedSuppressions | forceupdate                | Sets whether hosted suppressions file will update regardless of the `autoupdate` setting.                                                                                                     | false                                                                                     |
+| hostedSuppressions | url                        | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.                                                                                             | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
+| hostedSuppressions | user                       | Credentials used for basic authentication for the hosted suppressions file.                                                                                                                   | &nbsp;                                                                                    |
+| hostedSuppressions | password                   | Credentials used for basic authentication for the hosted suppressions file.                                                                                                                   | &nbsp;                                                                                    |
+| hostedSuppressions | bearerToken                | Credentials used for bearer authentication for the hosted suppressions file.                                                                                                                  | &nbsp;                                                                                    |
+| hostedSuppressions | validForHours              | The number of hours to wait before checking for new updates of the hosted suppressions file .                                                                                                 | 2                                                                                         |
 
 #### Example
 ```groovy

From a7fe54c847ca549dbd91af0798f26926f2d87877 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 12 Oct 2025 08:41:57 -0400
Subject: [PATCH 183/195] build(deps): bump azul/zulu-openjdk-alpine from 21 to
 25 (#7928)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 9cd416c69ff..d45176bc3d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM golang:1.25.2-alpine AS go
 
-FROM azul/zulu-openjdk-alpine:21 AS jlink
+FROM azul/zulu-openjdk-alpine:25 AS jlink
 
 RUN "$JAVA_HOME/bin/jlink" --compress=zip-6 --module-path /opt/java/openjdk/jmods --add-modules java.base,java.compiler,java.datatransfer,jdk.crypto.ec,java.desktop,java.instrument,java.logging,java.management,java.naming,java.rmi,java.scripting,java.security.sasl,java.sql,java.transaction.xa,java.xml,jdk.unsupported --output /jlinked
 

From d94bc1721fbb02cbea37448207462b78f3d53138 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 12 Oct 2025 09:26:00 -0400
Subject: [PATCH 184/195] docs: release 12.1.7

---
 CHANGELOG.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 415065520e1..5d970afdd1d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,22 @@
 # Change Log
 
+## [Version 12.1.7](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.7) (2025-10-12)
+
+- fix: disable central analyzer after failures ([#7993](https://github.com/dependency-check/DependencyCheck/pull/7993))
+- fix: Suppress JVM warnings from Lucene within CLI ([#8003](https://github.com/dependency-check/DependencyCheck/pull/8003))
+- fix: Clean up Apache Lucene logging via SLF4j redirect ([#7979](https://github.com/dependency-check/DependencyCheck/pull/7979))
+- fix: Correct Archive Analyzer behaviour on certain tgz archives ([#7986](https://github.com/dependency-check/DependencyCheck/pull/7986))
+- fix: Update NVD CPE search URLs in generated reports to match new search interface ([#7970](https://github.com/dependency-check/DependencyCheck/pull/7970))
+- fix: improve OSS Index Error Reporting ([#7977](https://github.com/dependency-check/DependencyCheck/pull/7977))
+- fix(fp): Consolidate false positive suppression for false positives on Redis client libs ([#8017](https://github.com/dependency-check/DependencyCheck/pull/8017))
+- fix(fp): Fix more common false positives for popular PHP/composer frameworks with generic names ([#7994](https://github.com/dependency-check/DependencyCheck/pull/7994))
+- docs: improve slack notification documentation ([#8026](https://github.com/dependency-check/DependencyCheck/pull/8026))
+- docs: Documentation artifactory settings fix ([#7999](https://github.com/dependency-check/DependencyCheck/pull/7999))
+- docs: Clarify Nexus Analyzer requirements and usage ([#8000](https://github.com/dependency-check/DependencyCheck/pull/8000))
+- build: Build amd64 and arm64 multi-platform Docker image ([#7952](https://github.com/dependency-check/DependencyCheck/pull/7952))
+
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/100?closed=1)
+
 ## [Version 12.1.6](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.6) (2025-09-24)
 
 - fix: Disable OSS Index if its credentials are missing ([#7963](https://github.com/dependency-check/DependencyCheck/pull/7963))

From 1cfa37dd03c1f35eb3f5f0a5fa857169b4dfeb60 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 12 Oct 2025 09:27:09 -0400
Subject: [PATCH 185/195] build: prepare release v12.1.7

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 7 +++----
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index 2cdaf7a7ee9..9f7a876eb8c 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7-SNAPSHOT</version>
+        <version>12.1.7</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.7</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 328543a5d19..34f304183a6 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7-SNAPSHOT</version>
+        <version>12.1.7</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-24T11:40:53Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-10-12T13:26:26Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>HEAD</tag>
+      <tag>v12.1.7</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index af1c6435c6d..f1cb63945f0 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7-SNAPSHOT</version>
+        <version>12.1.7</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.7</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
@@ -97,8 +97,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                             Java 21+: Needed by Lucene indexes unless we do -Dorg.apache.lucene.store.MMapDirectory.enableMemorySegments=false
                                       to go back to regular ByteBuffer (non-native) usage.
                        -XX:+IgnoreUnrecognizedVMOptions
-                            Java <21: Allow use of enable-native-access on Java 11 JVMs without errors
-                    -->
+                            Java <21: Allow use of enable-native-access on Java 11 JVMs without errors -->
                     <extraJvmArguments>--enable-native-access=ALL-UNNAMED -XX:+IgnoreUnrecognizedVMOptions</extraJvmArguments>
                 </configuration>
                 <executions>
diff --git a/core/pom.xml b/core/pom.xml
index 8c3a2cafc52..58b1ab9c5dc 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7-SNAPSHOT</version>
+        <version>12.1.7</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.7</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index e5aef3fdc48..1788c9fa61d 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7-SNAPSHOT</version>
+        <version>12.1.7</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.7</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index 4559a02fb59..fdeeacacfa5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.7-SNAPSHOT</version>
+    <version>12.1.7</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.7</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-09-24T11:40:53Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-10-12T13:26:26Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index cfd5a3176cb..733b1e7b343 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7-SNAPSHOT</version>
+        <version>12.1.7</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.7</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From a311d70b646a547db2da95615efadf936854cdaa Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Sun, 12 Oct 2025 09:27:09 -0400
Subject: [PATCH 186/195] build: prepare for next development iteration

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index 9f7a876eb8c..ad8f8ad1fc2 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7</version>
+        <version>12.1.8-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.7</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index 34f304183a6..f97417ba595 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7</version>
+        <version>12.1.8-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-10-12T13:26:26Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-10-12T13:27:09Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>v12.1.7</tag>
+      <tag>HEAD</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index f1cb63945f0..3899c5cd8ca 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7</version>
+        <version>12.1.8-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.7</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 58b1ab9c5dc..9ed64b3b208 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7</version>
+        <version>12.1.8-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.7</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index 1788c9fa61d..7aebb17b146 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7</version>
+        <version>12.1.8-SNAPSHOT</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.7</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index fdeeacacfa5..78a43ad8012 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.7</version>
+    <version>12.1.8-SNAPSHOT</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.7</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-10-12T13:26:26Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-10-12T13:27:09Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 733b1e7b343..23ef4ccbe98 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.7</version>
+        <version>12.1.8-SNAPSHOT</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v12.1.7</tag>
+        <tag>v6.4.1</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>

From 8ceb175297e5d2078f492ee61ca574fe82b339ef Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Mon, 13 Oct 2025 20:59:24 +0800
Subject: [PATCH 187/195] docs: Improve Gradle docs wrt experimental analyzers,
 use of Central and Proxy configuration (#8036)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../configuration-aggregate.md                | 150 ++++++++----------
 .../dependency-check-gradle/configuration.md  | 140 ++++++++--------
 2 files changed, 140 insertions(+), 150 deletions(-)

diff --git a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
index 586965012b1..c820b124a58 100644
--- a/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
+++ b/src/site/markdown/dependency-check-gradle/configuration-aggregate.md
@@ -1,12 +1,12 @@
 Tasks
 ====================
 
-| Task                                               | Description                                                                     |
-|----------------------------------------------------|---------------------------------------------------------------------------------|
-| [dependencyCheckAnalyze](configuration.html)       | Runs dependency-check against the project and generates a report.               |
-| dependencyCheckAggregate                           | Runs dependency-check against a multi-project build and generates a report.     |
-| [dependencyCheckUpdate](configuration-update.html) | Updates the local cache of the NVD data from NIST.                              |
-| [dependencyCheckPurge](configuration-purge.html)   | Deletes the local copy of the NVD. This is used to force a refresh of the data. |
+| Task                                                 | Description                                                                       |
+|------------------------------------------------------|-----------------------------------------------------------------------------------|
+| [dependencyCheckAnalyze](configuration.html)         | Runs dependency-check against the project and generates a report.                 |
+| dependencyCheckAggregate                             | Runs dependency-check against a multi-project build and generates a report.       |
+| [dependencyCheckUpdate](configuration-update.html)   | Updates the local cache of the NVD data from NIST.                                |
+| [dependencyCheckPurge](configuration-purge.html)     | Deletes the local copy of the NVD. This is used to force a refresh of the data.   |
 
 Configuration:
 ====================
@@ -25,28 +25,29 @@ apply plugin: 'org.owasp.dependencycheck'
 check.dependsOn dependencyCheckAggregate
 ```
 
-| Property           | Description                                                                                                                                                                                                                                                                                                                                     | Default Value                                                                                                                          |
-|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
-| autoUpdate         | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                              | true                                                                                                                                   |
-| analyzedTypes      | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                               | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                                                                                              |
-| format             | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                                   | HTML                                                                                                                                   |
-| formats            | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                            | &nbsp;                                                                                                                                 |
-| junitFailOnCVSS    | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                                | 0                                                                                                                                      |
-| failBuildOnCVSS    | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail.  More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                          | 11                                                                                                                                     |
-| failOnError        | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                        | true                                                                                                                                   |
-| outputDirectory    | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                                     | ${buildDir}/reports                                                                                                                    |
-| skipTestGroups     | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                                    | true                                                                                                                                   |
-| suppressionFile    | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                                                                                                 |
-| suppressionFiles   | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                                                                                                 |
-| hintsFile          | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                                 | &nbsp;                                                                                                                                 |
-| skip               | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                       | false                                                                                                                                  |
-| skipConfigurations | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                                 | `[]` which means no configuration is skipped.                                                                                          |
-| scanConfigurations | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                           | `[]` which implicitly means all configurations are scanned.                                                                            |
-| scanProjects       | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                                   | `[]` which implicitly means all projects get scanned.                                                                                  |
-| skipProjects       | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                                 | `[]` which means no projects are skipped.                                                                                              |
-| scanBuildEnv       | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                            | false                                                                                                                                  |
-| scanDependencies   | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                        | true                                                                                                                                   |
-| scanSet            | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                         | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] |
+| Property                         | Description                                                                                                                                                                                                                                                                                                                                     | Default Value                                                                                                                          |
+|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
+| autoUpdate                       | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                              | true                                                                                                                                   |
+| analyzedTypes                    | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                               | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                                                                                              |
+| format                           | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                                   | HTML                                                                                                                                   |
+| formats                          | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                            | &nbsp;                                                                                                                                 |
+| junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                                | 0                                                                                                                                      |
+| failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail.  More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                          | 11                                                                                                                                     |
+| failOnError                      | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                        | true                                                                                                                                   |
+| outputDirectory                  | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                                     | ${buildDir}/reports                                                                                                                    |
+| skipTestGroups                   | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                                    | true                                                                                                                                   |
+| suppressionFile                  | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                                                                                                 |
+| suppressionFiles                 | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                                                                                                 |
+| failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. This is best combined with a Gradle CLI `--warn` arg or `org.gradle.logging.level=warn` property so the unused rules are logged before task failure.                                                                                                               | false                                                                                                                                  |
+| hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                                 | &nbsp;                                                                                                                                 |
+| skip                             | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                       | false                                                                                                                                  |
+| skipConfigurations               | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                                 | `[]` which means no configuration is skipped.                                                                                          |
+| scanConfigurations               | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                           | `[]` which implicitly means all configurations get scanned.                                                                            |
+| scanProjects                     | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                                   | `[]` which implicitly means all projects get scanned.                                                                                  |
+| skipProjects                     | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                                 | `[]` which means no projects are skipped.                                                                                              |
+| scanBuildEnv                     | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                            | false                                                                                                                                  |
+| scanDependencies                 | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                        | true                                                                                                                                   |
+| scanSet                          | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                         | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] |
 
 #### Example
 
@@ -59,22 +60,7 @@ dependencyCheck {
 
 ### Proxy Configuration
 
-| Config Group | Property      | Description                                                                                    | Default Value |
-|--------------|---------------|------------------------------------------------------------------------------------------------|---------------|
-| proxy        | server        | The proxy server; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;        |
-| proxy        | port          | The proxy port.                                                                                | &nbsp;        |
-| proxy        | username      | Defines the proxy user name.                                                                   | &nbsp;        |
-| proxy        | password      | Defines the proxy password.                                                                    | &nbsp;        |
-| proxy        | nonProxyHosts | The list of hosts that do not use a proxy.                                                     | &nbsp;        |
-
-#### Example
-
-```groovy
-dependencyCheck {
-    proxy.server = some.proxy.server
-    proxy.port = 8989
-}
-```
+Please see https://docs.gradle.org/current/userguide/build_environment.html#sec:accessing_the_web_via_a_proxy
 
 ### Advanced Configuration
 
@@ -126,46 +112,47 @@ analyzers by configuring the `analyzers` section. Note, specific file type analy
 disable themselves if no file types that they support are detected - so specifically disabling the
 analyzers is likely not needed.
 
-| Config Group | Property                    | Description                                                                                                                                                               | Default Value |
-|--------------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
-| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used     | false         |
-| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                           | true          |
-| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                          | &nbsp;        |
-| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                   | true          |
-| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                      | true          |
-| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used.                                                                                                                               | true          |
-| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations.  | false         |
-| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                       | &nbsp;        |
-| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                 | true          |
-| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                            | true          |
-| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                 | true          |
-| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                   | true          |
-| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                         | true          |
-| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                 | true          |
-| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                     | true          |
-| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                   | true          |
-| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                        | true          |
-| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                              | &nbsp;        |
-| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                        | true          |
-| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                     | true          |
-| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                       | true          |
-| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                      | false         |
-| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                               | true          |
-| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                    | true          |
-| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                     | true          |
-| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                        | true          |
-| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                       | true          |
-| analyzers    | bundleAuditEnabled          | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true.                            | true          |
-| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                 | &nbsp;        |
-| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                            | true          |
-| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true. | true          |
-| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                         | &nbsp;        |
+| Config Group | Property                    | Description                                                                                                                                                                                                                                                         | Default Value |
+|--------------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
+| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                                                                                               | false         |
+| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                                                                                                                     | true          |
+| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                                                                                                    | &nbsp;        |
+| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                                                                                                             | true          |
+| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                                                     | true          |
+| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used. If you have non-Gradle-managed jar dependencies inside archives or non-Java ecosystem dependencies, you may want to enable this analyzer (or the alternative Nexus/Artifactory analyzers) to reduce chance of false negatives. | false         |
+| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing metadata retrieval from Sonatype Nexus installations.                                                                                   | false         |
+| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                                                                                                                 | &nbsp;        |
+| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                                                                                           | true          |
+| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                                      | true          |
+| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                                           | true          |
+| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                                             | true          |
+| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                                                                                                                   | true          |
+| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                                                                                           | true          |
+| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                               | true          |
+| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                                                                                             | true          |
+| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                                                                                                                  | true          |
+| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                                                                                                                        | &nbsp;        |
+| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                                  | true          |
+| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                               | true          |
+| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                 | true          |
+| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                                                                                                                | false         |
+| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                         | true          |
+| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                              | true          |
+| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                               | true          |
+| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                  | true          |
+| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                 | true          |
+| analyzers    | bundleAuditEnabled          | Sets whether the Ruby Bundle Audit Analyzer should be used.                                                                                                                                                                                                         | true          |
+| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                                                                                                           | &nbsp;        |
+| analyzers    | retiredEnabled              | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as Retired will not be used                                                                                                                     | false         |
+| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                      | true          |
+| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true.                                                                                           | true          |
+| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                                                                                                                   | &nbsp;        |
 
 #### Additional Configuration
 
 | Config Group | Property               | Description                                                                                                                                                                                          | Default Value                                                                            |
 |--------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
-| artifactory  | enabled                | Sets whether Artifactory analyzer will be used.                                                                                                                                                      | false                                                                                    |
+| artifactory  | enabled                | Sets whether Artifactory analyzer will be used. This analyzer is an alternative to the Central or Nexus Analyzers, allowing metadata retrieval from Artifactory installations.                       | false                                                                                    |
 | artifactory  | url                    | The Artifactory server URL.                                                                                                                                                                          | &nbsp;                                                                                   |
 | artifactory  | usesProxy              | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                       | false                                                                                    |
 | artifactory  | parallelAnalysis       | Whether the Artifactory analyzer should be run in parallel or not.                                                                                                                                   | true                                                                                     |
@@ -195,7 +182,7 @@ analyzers is likely not needed.
 | retirejs     | password               | Credentials used for basic authentication for the Retire JS repository URL.                                                                                                                          | &nbsp;                                                                                   |
 | retirejs     | bearerToken            | Credentials used for bearer authentication for the Retire JS repository URL.                                                                                                                         | &nbsp;                                                                                   |
 | retirejs     | filterNonVulnerable    | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report.                                                                                                           | false                                                                                    |
-| retirejs     | filters                | Configures the list of regular expessions used to filter JS files based on content.                                                                                                                  | &nbsp;                                                                                   |
+| retirejs     | filters                | Configures the list of regular expressions used to filter JS files based on content.                                                                                                                  | &nbsp;                                                                                   |
 | ossIndex     | enabled                | Sets whether [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection.                                                                 | true                                                                                     |
 | ossIndex     | username               | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none.     | &nbsp;                                                                                   |
 | ossIndex     | password               | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none.                                                                              | &nbsp;                                                                                   |
@@ -209,5 +196,8 @@ dependencyCheck {
     analyzers.artifactory.enabled = true
     analyzers.artifactory.url = 'https://internal.artifactory.url'
     analyzers.retirejs.filters = ['(i)copyright Jeremy Long']
+
+    analyzers.ossIndex.username = 'example@gmail.com'
+    analyzers.ossIndex.password = '42cc601cd7ff12a531a0b1eada8dcf56d777b336'
 }
 ```
diff --git a/src/site/markdown/dependency-check-gradle/configuration.md b/src/site/markdown/dependency-check-gradle/configuration.md
index 0e2f263a8ef..f9cbbb96483 100644
--- a/src/site/markdown/dependency-check-gradle/configuration.md
+++ b/src/site/markdown/dependency-check-gradle/configuration.md
@@ -25,35 +25,35 @@ apply plugin: 'org.owasp.dependencycheck'
 check.dependsOn dependencyCheckAnalyze
 ```
 
-| Property                         | Description                                                                                                                                                                                                                                                                                                                                     | Default Value                                               |
-|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|
-| autoUpdate                       | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                              | true                                                        |
-| analyzedTypes                    | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                               | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                   |
-| format                           | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                                   | HTML                                                        |
-| formats                          | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                            | &nbsp;                                                      |
-| junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                                | 0                                                           |
-| failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                           | 11                                                          |
-| failOnError                      | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                        | true                                                        |
-| outputDirectory                  | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                                     | ${buildDir}/reports                                         |
-| skipTestGroups                   | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                                    | true                                                        |
-| suppressionFile                  | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                      |
-| suppressionFiles                 | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                      |
-| failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. This is best combined with a Gradle CLI `--warn` arg or `org.gradle.logging.level=warn` property so the unused rules are logged before task failure.                                                                                                               | false                                                       |
-| hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                                 | &nbsp;                                                      |
-| skip                             | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                       | false                                                       |
-| skipConfigurations               | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                                 | `[]` which means no configuration is skipped.               |
-| scanConfigurations               | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                           | `[]` which implicitly means all configurations get scanned. |
-| scanProjects                     | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                                   | `[]` which implicitly means all projects get scanned.       |
-| skipProjects                     | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                                 | `[]` which means no projects are skipped.                   |
-| scanBuildEnv                     | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                            | false                                                       |
-| scanDependencies                 | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                        | true                                                        |
-| scanSet                          | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                         | ['src/main/resources','src/main/webapp']                    |
+| Property                         | Description                                                                                                                                                                                                                                                                                                                                     | Default Value                                                                                                                          |
+|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
+| autoUpdate                       | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false.                                                                                                                                                                                                                              | true                                                                                                                                   |
+| analyzedTypes                    | The default artifact types that will be analyzed.                                                                                                                                                                                                                                                                                               | ['jar', 'aar', 'js', 'war', 'ear', 'zip']                                                                                              |
+| format                           | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                                   | HTML                                                                                                                                   |
+| formats                          | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL).                                                                                                                                                                                                                                            | &nbsp;                                                                                                                                 |
+| junitFailOnCVSS                  | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure.                                                                                                                                                                                                                                | 0                                                                                                                                      |
+| failBuildOnCVSS                  | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the [NVD](https://nvd.nist.gov/vuln-metrics/cvss)                                           | 11                                                                                                                                     |
+| failOnError                      | Fails the build if an error occurs during the dependency-check analysis.                                                                                                                                                                                                                                                                        | true                                                                                                                                   |
+| outputDirectory                  | The location to write the report(s). This directory will be located in the build directory.                                                                                                                                                                                                                                                     | ${buildDir}/reports                                                                                                                    |
+| skipTestGroups                   | When set to true (the default) all dependency groups that being with 'test' will be skipped.                                                                                                                                                                                                                                                    | true                                                                                                                                   |
+| suppressionFile                  | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799)          | &nbsp;                                                                                                                                 |
+| suppressionFiles                 | A list of file paths to the XML suppression files \- used to suppress [false positives](../general/suppression.html). The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | &nbsp;                                                                                                                                 |
+| failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. This is best combined with a Gradle CLI `--warn` arg or `org.gradle.logging.level=warn` property so the unused rules are logged before task failure.                                                                                                               | false                                                                                                                                  |
+| hintsFile                        | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                                                                                                                                                                 | &nbsp;                                                                                                                                 |
+| skip                             | If set to true dependency-check analysis will be skipped.                                                                                                                                                                                                                                                                                       | false                                                                                                                                  |
+| skipConfigurations               | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property.                                                                                                                                                                                                                                 | `[]` which means no configuration is skipped.                                                                                          |
+| scanConfigurations               | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property.                                                                                                                                                                                           | `[]` which implicitly means all configurations get scanned.                                                                            |
+| scanProjects                     | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: `scanProjects = [':app']`. This is mutually exclusive with the `skipProjects` property.                                                                                                                   | `[]` which implicitly means all projects get scanned.                                                                                  |
+| skipProjects                     | A list of projects that will be skipped.  The list or projects to skip must include a preceding colon: `skipProjects = [':sub1']`. This is mutually exclusive with the `scanProjects` property.                                                                                                                                                 | `[]` which means no projects are skipped.                                                                                              |
+| scanBuildEnv                     | A boolean indicating whether to scan the `buildEnv`.                                                                                                                                                                                                                                                                                            | false                                                                                                                                  |
+| scanDependencies                 | A boolean indicating whether to scan the `dependencies`.                                                                                                                                                                                                                                                                                        | true                                                                                                                                   |
+| scanSet                          | A list of directories that will be scanned for additional dependencies.                                                                                                                                                                                                                                                                         | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] |
 
 #### Example
 ```groovy
 dependencyCheck {
-    autoUpdate=false
-    format='ALL'
+    autoUpdate = false
+    format = 'ALL'
 }
 ```
 
@@ -99,7 +99,7 @@ The following properties can be configured in the dependencyCheck task. However,
 #### Example
 ```groovy
 dependencyCheck {
-    data.directory='d:/nvd'
+    data.directory = 'd:/nvd'
 }
 ```
 
@@ -110,53 +110,53 @@ analyzers by configuring the `analyzers` section. Note, specific file type analy
 disable themselves if no file types that they support are detected - so specifically disabling the
 analyzers is likely not needed.
 
-| Config Group | Property                    | Description                                                                                                                                                               | Default Value |
-|--------------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
-| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used     | false         |
-| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                           | true          |
-| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                          | &nbsp;        |
-| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                   | true          |
-| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used.                                                                                      | true          |
-| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used.                                                                                                                               | true          |
-| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations.  | false         |
-| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                       | &nbsp;        |
-| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                 | true          |
-| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                            | true          |
-| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                 | true          |
-| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                   | true          |
-| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                         | true          |
-| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                 | true          |
-| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                     | true          |
-| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                   | true          |
-| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                        | true          |
-| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                              | &nbsp;        |
-| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                        | true          |
-| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                     | true          |
-| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                       | true          |
-| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                      | false         |
-| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                               | true          |
-| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                    | true          |
-| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                     | true          |
-| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                        | true          |
-| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                       | true          |
-| analyzers    | bundleAuditEnabled          | Sets whether the [experimental](../analyzers/index.html) Ruby Bundle Audit Analyzer should be used. `experimentalEnabled` must be set to true.                            | true          |
-| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                 | &nbsp;        |
-| analyzers    | retiredEnabled              | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used          | false         |
-| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                            | true          |
-| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true. | true          |
-| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                         | &nbsp;        |
+| Config Group | Property                    | Description                                                                                                                                                                                                                                                                | Default Value |
+|--------------|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|
+| analyzers    | experimentalEnabled         | Sets whether the [experimental analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as experimental (see below) will not be used                                                                                                      | false         |
+| analyzers    | archiveEnabled              | Sets whether the Archive Analyzer will be used.                                                                                                                                                                                                                            | true          |
+| analyzers    | zipExtensions               | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.                                                                                                                                           | &nbsp;        |
+| analyzers    | jarEnabled                  | Sets whether Jar Analyzer will be used.                                                                                                                                                                                                                                    | true          |
+| analyzers    | dartEnabled                 | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                                                            | true          |
+| analyzers    | centralEnabled              | Sets whether Central Analyzer will be used. If you have non-Gradle-managed jar dependencies inside archives or non-Java ecosystem dependencies, you may want to enable this analyzer (or the alternative Nexus/Artifactory analyzers) to reduce chance of false negatives. | false         |
+| analyzers    | nexusEnabled                | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing metadata retrieval from Sonatype Nexus installations.                                                                                          | false         |
+| analyzers    | nexusUrl                    | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.                                                                                                                        | &nbsp;        |
+| analyzers    | nexusUsesProxy              | Whether or not the defined proxy should be used when connecting to Nexus.                                                                                                                                                                                                  | true          |
+| analyzers    | pyDistributionEnabled       | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                                             | true          |
+| analyzers    | pyPackageEnabled            | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                                                  | true          |
+| analyzers    | rubygemsEnabled             | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                                                    | true          |
+| analyzers    | opensslEnabled              | Sets whether the openssl Analyzer should be used.                                                                                                                                                                                                                          | true          |
+| analyzers    | nuspecEnabled               | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                                                                                                                                                                                  | true          |
+| analyzers    | nugetconfEnabled            | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `experimentalEnabled` must be set to true.                                                                                                                      | true          |
+| analyzers    | assemblyEnabled             | Sets whether the .NET Assembly Analyzer should be used.                                                                                                                                                                                                                    | true          |
+| analyzers    | msbuildEnabled              | Sets whether the MS Build Analyzer should be used.                                                                                                                                                                                                                         | true          |
+| analyzers    | pathToDotnet                | The path to dotnet core - needed on some systems to analyze .net assemblies.                                                                                                                                                                                               | &nbsp;        |
+| analyzers    | cmakeEnabled                | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                                         | true          |
+| analyzers    | autoconfEnabled             | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                                      | true          |
+| analyzers    | composerEnabled             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                        | true          |
+| analyzers    | composerSkipDev             | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should skip "packages-dev".                                                                                                                                                       | false         |
+| analyzers    | cpanEnabled                 | Sets whether the [experimental](../analyzers/index.html) Perl CPAN File Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                                | true          |
+| analyzers    | cocoapodsEnabled            | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                                     | true          |
+| analyzers    | carthageEnabled             | Sets whether the [experimental](../analyzers/index.html) Carthage Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                                      | true          |
+| analyzers    | swiftEnabled                | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                         | true          |
+| analyzers    | swiftPackageResolvedEnabled | Sets whether the [experimental](../analyzers/index.html) Swift Package Resolved Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                        | true          |
+| analyzers    | bundleAuditEnabled          | Sets whether the Ruby Bundle Audit Analyzer should be used.                                                                                                                                                                                                                | true          |
+| analyzers    | pathToBundleAudit           | The path to bundle audit.                                                                                                                                                                                                                                                  | &nbsp;        |
+| analyzers    | retiredEnabled              | Sets whether the [retired analyzers](../analyzers/index.html) will be used. If not set to true the analyzers marked as Retired will not be used                                                                                                                            | false         |
+| analyzers    | golangDepEnabled            | Sets whether the [experimental](../analyzers/index.html) Golang Dependency Analyzer should be used. `experimentalEnabled` must be set to true.                                                                                                                             | true          |
+| analyzers    | golangModEnabled            | Sets whether the [experimental](../analyzers/index.html) Goland Module Analyzer should be used; requires `go` to be installed. `experimentalEnabled` must be set to true.                                                                                                  | true          |
+| analyzers    | pathToGo                    | The path to `go`.                                                                                                                                                                                                                                                          | &nbsp;        |
 
 #### Additional Configuration
 
 | Config Group | Property               | Description                                                                                                                                                                                          | Default Value                                                                            |
 |--------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
-| artifactory  | enabled                | Sets whether Artifactory analyzer will be used                                                                                                                                                       | false                                                                                    |
+| artifactory  | enabled                | Sets whether Artifactory analyzer will be used. This analyzer is an alternative to the Central or Nexus Analyzers, allowing metadata retrieval from Artifactory installations.                       | false                                                                                    |
 | artifactory  | url                    | The Artifactory server URL.                                                                                                                                                                          | &nbsp;                                                                                   |
 | artifactory  | usesProxy              | Whether Artifactory should be accessed through a proxy or not.                                                                                                                                       | false                                                                                    |
 | artifactory  | parallelAnalysis       | Whether the Artifactory analyzer should be run in parallel or not.                                                                                                                                   | true                                                                                     |
 | artifactory  | username               | The user name (only used with API token) to connect to Artifactory instance.                                                                                                                         | &nbsp;                                                                                   |
 | artifactory  | apiToken               | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken | &nbsp;                                                                                   |
-| artifactory  | bearerToken            | The bearer token to connect to Artifactory instance                                                                                                                                                  | &nbsp;                                                                                   |
+| artifactory  | bearerToken            | The bearer token to connect to Artifactory instance.                                                                                                                                                 | &nbsp;                                                                                   |
 | kev          | enabled                | Sets whether the Known Exploited Vulnerability update and analyzer are enabled.                                                                                                                      | true                                                                                     |
 | kev          | url                    | The URL to (a mirror of) the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                                                    | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json      |
 | kev          | user                   | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed.                                                                                               | &nbsp;                                                                                   |
@@ -180,19 +180,19 @@ analyzers is likely not needed.
 | retirejs     | password               | Credentials used for basic authentication for the Retire JS repository URL.                                                                                                                          | &nbsp;                                                                                   |
 | retirejs     | bearerToken            | Credentials used for bearer authentication for the Retire JS repository URL.                                                                                                                         | &nbsp;                                                                                   |
 | retirejs     | filterNonVulnerable    | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report.                                                                                                           | false                                                                                    |
-| retirejs     | filters                | Configures the list of regular expessions used to filter JS files based on content.                                                                                                                  | &nbsp;                                                                                   |
-| ossIndex     | enabled                | Sets whether Sonatype's [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection.                                                      | true                                                                                     |
-| ossIndex     | username               | The optional user name to connect to Sonatype's OSS Index.                                                                                                                                           | &nbsp;                                                                                   |
-| ossIndex     | password               | The optional passwod or API token to connect to Sonatype's OSS Index,                                                                                                                                | &nbsp;                                                                                   |
+| retirejs     | filters                | Configures the list of regular expressions used to filter JS files based on content.                                                                                                                 | &nbsp;                                                                                   |
+| ossIndex     | enabled                | Sets whether [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be used. This analyzer requires an internet connection.                                                                 | true                                                                                     |
+| ossIndex     | username               | To authenticate Sonatype OSS Index requests and profit from higher rate limits, provide the OSS account email address as username. Provide both a username _and_ a password (see below) or none.     | &nbsp;                                                                                   |
+| ossIndex     | password               | Password or API token to connect to Sonatype's OSS Index. Provide both a username (see above) _and_ a password or none.                                                                              | &nbsp;                                                                                   |
 | ossIndex     | warnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.                                                     | false                                                                                    |
 
 #### Example
 ```groovy
 dependencyCheck {
-    analyzers.assemblyEnabled=false
+    analyzers.assemblyEnabled = false
 
-    analyzers.artifactory.enabled=true
-    analyzers.artifactory.url='https://internal.artifactory.url'
+    analyzers.artifactory.enabled = true
+    analyzers.artifactory.url = 'https://internal.artifactory.url'
 
     analyzers.retirejs.filters = ['(i)copyright Jeremy Long']
 

From 5ac1edbf831eac70b20469baab2cec8eb5ca29f7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Oct 2025 09:05:43 -0400
Subject: [PATCH 188/195] build(deps): bump org.jacoco:jacoco-maven-plugin from
 0.8.13 to 0.8.14 (#8032)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 78a43ad8012..c76f477cc88 100644
--- a/pom.xml
+++ b/pom.xml
@@ -136,7 +136,7 @@ Copyright (c) 2012 - Jeremy Long
         <maven-jxr-plugin.version>2.5</maven-jxr-plugin.version>
         <maven-project-info-reports-plugin.version>3.9.0</maven-project-info-reports-plugin.version>
         <maven-surefire-report-plugin.version>3.5.4</maven-surefire-report-plugin.version>
-        <jacoco-maven-plugin.version>0.8.13</jacoco-maven-plugin.version>
+        <jacoco-maven-plugin.version>0.8.14</jacoco-maven-plugin.version>
         <spotbugs.maven.plugin.version>4.9.4.0</spotbugs.maven.plugin.version>
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>

From fd8371c17486e0a96f0aeb6cc6caa265811ff8df Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Oct 2025 09:06:10 -0400
Subject: [PATCH 189/195] build(deps): bump
 org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.14.1 (#8035)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index c76f477cc88..c0aa19a7b81 100644
--- a/pom.xml
+++ b/pom.xml
@@ -215,7 +215,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.14.0</version>
+                    <version>3.14.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>

From 52eefb741a3199337e1aa10d77d7b855e6104ecc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Oct 2025 09:06:43 -0400
Subject: [PATCH 190/195] build(deps): bump
 org.apache.maven.plugins:maven-artifact-plugin from 3.6.0 to 3.6.1 (#8033)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index c0aa19a7b81..03c7be5e37c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -225,7 +225,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-artifact-plugin</artifactId>
-                    <version>3.6.0</version>
+                    <version>3.6.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -488,7 +488,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-artifact-plugin</artifactId>
-                <version>3.6.0</version>
+                <version>3.6.1</version>
                 <executions>
                     <execution>
                         <goals>

From a8e00c86fdb597eaa17730a232fd8ee3a5dc3007 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 13 Oct 2025 09:35:46 -0400
Subject: [PATCH 191/195] build: fix flaky central test (#8039)

---
 .../data/central/CentralSearchTest.java       | 31 +++++++++++++------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java b/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
index f9efb597e28..3d36f5422da 100644
--- a/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
@@ -8,6 +8,7 @@
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.net.SocketTimeoutException;
 import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -15,6 +16,7 @@
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assumptions.assumeFalse;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
 /**
  * Created by colezlaw on 10/13/14.
@@ -52,6 +54,9 @@ void testValidSha1() throws Exception {
             assertEquals("org.apache.maven.plugins", ma.get(0).getGroupId(), "Incorrect group");
             assertEquals("maven-compiler-plugin", ma.get(0).getArtifactId(), "Incorrect artifact");
             assertEquals("3.1", ma.get(0).getVersion(), "Incorrect version");
+        } catch (SocketTimeoutException ex) {
+            // skip test if Maven Central times out
+            assumeTrue(false, "Skipping test due to SocketTimeoutException: " + ex.getMessage());
         } catch (IOException ex) {
             // abort if we hit a failure state on the CI
             assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
@@ -66,16 +71,21 @@ void testValidSha1() throws Exception {
     // you may not be able to reach. Remove the @Ignore annotation if you want to
     // test it anyway
     @Test
-    void testMissingSha1() {
-        IOException ex = assertThrows(IOException.class, () -> searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
-
-        // abort if we hit a failure state on the CI
-        assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
-        assumeFalse(ex.getMessage().matches("^https://.+ - Server status: \\d{3} - Server reason: .+$"));
+    void testMissingSha1() throws Exception {
+        try {
+            searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+        } catch (SocketTimeoutException ex) {
+            // skip test if Maven Central times out
+            assumeTrue(false, "Skipping test due to SocketTimeoutException: " + ex.getMessage());
+        } catch (IOException ex) {
+            // abort if we hit a failure state on the CI
+            assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));
+            assumeFalse(ex.getMessage().matches("^https://.+ - Server status: \\d{3} - Server reason: .+$"));
 
-        // otherwise assert that the exception is a FileNotFoundException
-        assertInstanceOf(FileNotFoundException.class, ex);
-        assertEquals("Artifact not found in Central", ex.getMessage());
+            // otherwise assert that the exception is a FileNotFoundException
+            assertInstanceOf(FileNotFoundException.class, ex);
+            assertEquals("Artifact not found in Central", ex.getMessage());
+        }
     }
 
     // This test should give us multiple results back from Central
@@ -84,6 +94,9 @@ void testMultipleReturns() throws Exception {
         try {
             List<MavenArtifact> ma = searcher.searchSha1("94A9CE681A42D0352B3AD22659F67835E560D107");
             assertTrue(ma.size() > 1);
+        } catch (SocketTimeoutException ex) {
+            // skip test if Maven Central times out
+            assumeTrue(false, "Skipping test due to SocketTimeoutException: " + ex.getMessage());
         } catch (IOException ex) {
             // abort if we hit a failure state on the CI
             assumeFalse(StringUtils.contains(ex.getMessage(), "Could not connect to MavenCentral"));

From c4696c072bbbeda50e73ce974d21dd18f53de85a Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 13 Oct 2025 10:16:56 -0400
Subject: [PATCH 192/195] docs: add note about central analyzer for gradle
 (#8038)

---
 src/site/markdown/analyzers/central-analyzer.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/site/markdown/analyzers/central-analyzer.md b/src/site/markdown/analyzers/central-analyzer.md
index 6bcb24b6170..c5c9407bd83 100644
--- a/src/site/markdown/analyzers/central-analyzer.md
+++ b/src/site/markdown/analyzers/central-analyzer.md
@@ -8,4 +8,11 @@ is found in the configured Nexus repository, its GAV is recorded as an Identifie
 and the Group is collected as Vendor evidence, the Artifact is collected as Product
 evidence, and the Version is collected as Version evidence.
 
+By default, this analyzer is disabled in the Maven Plugin and Gradle Task. However,
+if your Gradle build relies on scanning non-Gradle artifacts or archives from other
+ecosystems that contain jars, consider re-enabling the Central Analyzer using 
+`analyzers.centralEnabled=true`, or use the Nexus/Artifactory analyzers as an
+alternative to improve identification of JARs utilized outside the normal gradle
+Java plugin.
+
 [1]: http://search.maven.org/            "Maven Central"

From 8230ba2c5e7f787bccdc4e7c53730a98fa604e64 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 13 Oct 2025 10:17:21 -0400
Subject: [PATCH 193/195] fix: improve VulnerableSoftware comparison (#8031)

---
 .../dependency/VulnerableSoftware.java          | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java b/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
index 327e182d0b0..31763bf21e9 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -124,16 +124,25 @@ public VulnerableSoftware(Part part, String vendor, String product, String versi
     }
     //CSON: ParameterNumber
 
+    /**
+     * Normalizes null and empty strings to null for consistent comparison.
+     * @param s the string to normalize
+     * @return null if s is null or empty, otherwise s
+     */
+    private static String normalizeForComparison(String s) {
+        return (s == null || s.isEmpty()) ? null : s;
+    }
+
     @Override
     public int compareTo(@NotNull ICpe o) {
         if (o instanceof VulnerableSoftware) {
             final VulnerableSoftware other = (VulnerableSoftware) o;
             return new CompareToBuilder()
                     .appendSuper(super.compareTo(other))
-                    .append(versionStartIncluding, other.versionStartIncluding)
-                    .append(versionStartExcluding, other.versionStartExcluding)
-                    .append(versionEndIncluding, other.versionEndIncluding)
-                    .append(versionEndExcluding, other.versionEndExcluding)
+                    .append(normalizeForComparison(versionStartIncluding), normalizeForComparison(other.versionStartIncluding))
+                    .append(normalizeForComparison(versionStartExcluding), normalizeForComparison(other.versionStartExcluding))
+                    .append(normalizeForComparison(versionEndIncluding), normalizeForComparison(other.versionEndIncluding))
+                    .append(normalizeForComparison(versionEndExcluding), normalizeForComparison(other.versionEndExcluding))
                     .append(this.vulnerable, other.vulnerable)
                     .build();
         } else if (o instanceof Cpe) {

From a06ba2e32a982bc7a67320ffd0cc8d4bc4156eca Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 13 Oct 2025 10:23:16 -0400
Subject: [PATCH 194/195] docs: release 12.1.8

---
 CHANGELOG.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5d970afdd1d..6686cb21509 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Change Log
 
+## [Version 12.1.8](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.8) (2025-10-13)
+
+- fix: improve VulnerableSoftware comparison ([#8031](https://github.com/dependency-check/DependencyCheck/pull/8031))
+- build: fix flaky central test ([#8039](https://github.com/dependency-check/DependencyCheck/pull/8039))
+- docs: Improve Gradle docs wrt experimental analyzers, use of Central and Proxy configuration ([#8036](https://github.com/dependency-check/DependencyCheck/pull/8036))
+- docs: add note about central analyzer for gradle ([#8038](https://github.com/dependency-check/DependencyCheck/pull/8038))
+
+See the full listing of [changes](https://github.com/dependency-check/DependencyCheck/milestone/101?closed=1)
+
 ## [Version 12.1.7](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.7) (2025-10-12)
 
 - fix: disable central analyzer after failures ([#7993](https://github.com/dependency-check/DependencyCheck/pull/7993))

From 2d29a0bdd4251f655eec8da48164ed5b181ae600 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 13 Oct 2025 10:24:18 -0400
Subject: [PATCH 195/195] build: prepare release v12.1.8

---
 ant/pom.xml       | 4 ++--
 archetype/pom.xml | 6 +++---
 cli/pom.xml       | 4 ++--
 core/pom.xml      | 4 ++--
 maven/pom.xml     | 4 ++--
 pom.xml           | 6 +++---
 utils/pom.xml     | 4 ++--
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ant/pom.xml b/ant/pom.xml
index ad8f8ad1fc2..46436bd8888 100644
--- a/ant/pom.xml
+++ b/ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.8-SNAPSHOT</version>
+        <version>12.1.8</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/ant</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.8</tag>
     </scm>
     <build>
         <resources>
diff --git a/archetype/pom.xml b/archetype/pom.xml
index f97417ba595..6b9a55ed673 100644
--- a/archetype/pom.xml
+++ b/archetype/pom.xml
@@ -20,20 +20,20 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.8-SNAPSHOT</version>
+        <version>12.1.8</version>
     </parent>
     <artifactId>dependency-check-plugin</artifactId>
     <name>Dependency-Check Plugin Archetype</name>
     <packaging>jar</packaging>
     <properties>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-10-12T13:27:09Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-10-13T14:23:32Z</project.build.outputTimestamp>
     </properties>
     <scm>
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/archetype</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-      <tag>HEAD</tag>
+      <tag>v12.1.8</tag>
   </scm>
     <build>
         <plugins>
diff --git a/cli/pom.xml b/cli/pom.xml
index 3899c5cd8ca..d0eabc1cd3a 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.8-SNAPSHOT</version>
+        <version>12.1.8</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/cli</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.8</tag>
     </scm>
     <build>
         <finalName>dependency-check-${project.version}</finalName>
diff --git a/core/pom.xml b/core/pom.xml
index 9ed64b3b208..99ea6357823 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.8-SNAPSHOT</version>
+        <version>12.1.8</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -32,7 +32,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.8</tag>
     </scm>
     <build>
         <resources>
diff --git a/maven/pom.xml b/maven/pom.xml
index 7aebb17b146..4caca9516c9 100644
--- a/maven/pom.xml
+++ b/maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.8-SNAPSHOT</version>
+        <version>12.1.8</version>
     </parent>
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
@@ -34,7 +34,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/master/maven</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.8</tag>
     </scm>
     <prerequisites>
         <maven>3.6.3</maven>
diff --git a/pom.xml b/pom.xml
index 03c7be5e37c..5bd51697fc4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>12.1.8-SNAPSHOT</version>
+    <version>12.1.8</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -94,7 +94,7 @@ Copyright (c) 2012 - Jeremy Long
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck</url>
         <developerConnection>scm:git:https://github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.8</tag>
     </scm>
     <issueManagement>
         <system>github</system>
@@ -113,7 +113,7 @@ Copyright (c) 2012 - Jeremy Long
     <properties>
         <maven.compiler.release>11</maven.compiler.release>
         <!--reproducible build-->
-        <project.build.outputTimestamp>2025-10-12T13:27:09Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2025-10-13T14:23:32Z</project.build.outputTimestamp>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <github.global.server>github</github.global.server>
diff --git a/utils/pom.xml b/utils/pom.xml
index 23ef4ccbe98..76e3dc4b75d 100644
--- a/utils/pom.xml
+++ b/utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>12.1.8-SNAPSHOT</version>
+        <version>12.1.8</version>
    </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -30,7 +30,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
         <url>https://github.com/dependency-check/DependencyCheck/tree/main/utils</url>
         <developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
-        <tag>v6.4.1</tag>
+        <tag>v12.1.8</tag>
     </scm>
     <properties>
         <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>