From 642c7dc2d2330e7b4984ecfa350b3433c3f73b1a Mon Sep 17 00:00:00 2001
From: Gary O'Neall <gary@sourceauditor.com>
Date: Fri, 24 Oct 2025 11:43:15 -0700
Subject: [PATCH] Update library and plugin versions

---
 dependency-check-supress.xml | 136 ++++++++++++++++++-----------------
 pom.xml                      |  52 +++++++++-----
 2 files changed, 108 insertions(+), 80 deletions(-)

diff --git a/dependency-check-supress.xml b/dependency-check-supress.xml
index 6984b4e..00a186a 100644
--- a/dependency-check-supress.xml
+++ b/dependency-check-supress.xml
@@ -1,67 +1,75 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-<suppress>
-   <notes><![CDATA[
-   file name: jackson-core-2.15.3.jar
-   Since the JSON input files are generated, this vulnerability can not occur
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
-   <cve>CVE-2023-5072</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: jackson-core-2.15.3.jar
-   Since the JSON input files are generated, this vulnerability can not occur
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
-   <cve>CVE-2023-5072</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: jackson-databind-2.15.3.jar
-   he vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-   <cve>CVE-2023-35116</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: jakarta.json-2.0.1.jar
-   Since the JSON input files are generated, this vulnerability can not occur
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
-   <cve>CVE-2022-45688</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: jakarta.json-2.0.1.jar
-    Since the JSON input files are generated, this vulnerability can not occur
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
-   <cve>CVE-2023-5072</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: jsonld-java-0.13.4.jar
-   Since the JSON input files are generated, this vulnerability can not occur
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.github\.jsonld\-java/jsonld\-java@.*$</packageUrl>
-   <cve>CVE-2022-45688</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: jackson-core-2.15.3.jar
-   Since the JSON input files are generated, this vulnerability can not occur
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
-   <cve>CVE-2022-45688</cve>
-</suppress>
-<suppress>
-   <notes><![CDATA[
-   file name: jsonld-java-0.13.4.jar
-   Since the JSON input files are generated, this vulnerability can not occur
-   ]]></notes>
-   <packageUrl regex="true">^pkg:maven/com\.github\.jsonld\-java/jsonld\-java@.*$</packageUrl>
-   <cve>CVE-2023-5072</cve>
-</suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jackson-core-2.15.3.jar
+      Since the JSON input files are generated, this vulnerability can not occur
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
+      <cve>CVE-2023-5072</cve>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jackson-core-2.15.3.jar
+      Since the JSON input files are generated, this vulnerability can not occur
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
+      <cve>CVE-2023-5072</cve>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jackson-databind-2.15.3.jar
+      he vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+      <cve>CVE-2023-35116</cve>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jakarta.json-2.0.1.jar
+      Since the JSON input files are generated, this vulnerability can not occur
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
+      <cve>CVE-2022-45688</cve>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jakarta.json-2.0.1.jar
+       Since the JSON input files are generated, this vulnerability can not occur
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
+      <cve>CVE-2023-5072</cve>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jsonld-java-0.13.4.jar
+      Since the JSON input files are generated, this vulnerability can not occur
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.github\.jsonld\-java/jsonld\-java@.*$</packageUrl>
+      <cve>CVE-2022-45688</cve>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jackson-core-2.15.3.jar
+      Since the JSON input files are generated, this vulnerability can not occur
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
+      <cve>CVE-2022-45688</cve>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jsonld-java-0.13.4.jar
+      Since the JSON input files are generated, this vulnerability can not occur
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.github\.jsonld\-java/jsonld\-java@.*$</packageUrl>
+      <cve>CVE-2023-5072</cve>
+   </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: icu4j-75.1.jar
+      This is a known false positive related to the CVE data
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.ibm\.icu/icu4j@.*$</packageUrl>
+      <cve>CVE-2025-5222</cve>
+   </suppress>
 </suppressions>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 2de23db..923efcd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -38,7 +38,7 @@
 	  <sonar.organization>spdx</sonar.organization>
 	  <sonar.projectKey>licenseListPublisher</sonar.projectKey>
 	  <maven.compiler.release>11</maven.compiler.release>
-	  <dependency-check-maven.version>8.0.1</dependency-check-maven.version>
+	  <dependency-check-maven.version>12.1.8</dependency-check-maven.version>
 	</properties>
 	<dependencies>
 		<dependency>
@@ -60,22 +60,22 @@
 		<dependency>
 			<groupId>commons-cli</groupId>
 			<artifactId>commons-cli</artifactId>
-			<version>1.5.0</version>
+			<version>1.10.0</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-codec</groupId>
 			<artifactId>commons-codec</artifactId>
-			<version>1.15</version>
+			<version>1.19.0</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-io</groupId>
 			<artifactId>commons-io</artifactId>
-			<version>2.14.0</version>
+			<version>2.20.0</version>
 		</dependency>
 		<dependency>
 		    <groupId>commons-validator</groupId>
 		    <artifactId>commons-validator</artifactId>
-		    <version>1.7</version>
+		    <version>1.10.0</version>
 		</dependency>
 		<dependency>
 			<groupId>net.sf.opencsv</groupId>
@@ -90,17 +90,17 @@
 		<dependency>
 			<groupId>org.spdx</groupId>
 			<artifactId>spdx-rdf-store</artifactId>
-			<version>2.0.0</version>
+			<version>2.0.1</version>
 		</dependency>
 		<dependency>
 			<groupId>org.spdx</groupId>
 			<artifactId>java-spdx-library</artifactId>
-			<version>2.0.0</version>
+			<version>2.0.1</version>
 		</dependency>
 		<dependency>
 			<groupId>org.spdx</groupId>
 			<artifactId>spdx-v3jsonld-store</artifactId>
-			<version>1.0.0</version>
+			<version>1.0.1</version>
 		</dependency>
 	</dependencies>
 	<profiles>
@@ -120,7 +120,7 @@
 				    <plugin>
 				      <groupId>org.apache.maven.plugins</groupId>
 				      <artifactId>maven-source-plugin</artifactId>
-				      <version>3.2.1</version>
+				      <version>3.3.1</version>
 				      <executions>
 				        <execution>
 				          <id>attach-sources</id>
@@ -134,7 +134,7 @@
 					<plugin>
 		      			<groupId>org.apache.maven.plugins</groupId>
 		      			<artifactId>maven-gpg-plugin</artifactId>
-		      			<version>1.6</version>
+		      			<version>3.2.8</version>
 		      			<executions>
 		        			<execution>
 		          				<id>sign-artifacts</id>
@@ -152,7 +152,7 @@
    					<plugin>
 						<groupId>org.apache.maven.plugins</groupId>
 						<artifactId>maven-javadoc-plugin</artifactId>
-						<version>2.9.1</version>
+						<version>3.12.0</version>
 						<configuration>
 							<quiet>true</quiet>
 							<source>8</source>
@@ -224,7 +224,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-release-plugin</artifactId>
-				<version>3.0.1</version>
+				<version>3.1.1</version>
 				<configuration>
 					<tagNameFormat>v@{project.version}</tagNameFormat>
 					<releaseProfiles>release</releaseProfiles>
@@ -234,12 +234,32 @@
 			<plugin>
 				<groupId>org.sonatype.central</groupId>
 				<artifactId>central-publishing-maven-plugin</artifactId>
-				<version>0.7.0</version>
+				<version>0.9.0</version>
 				<extensions>true</extensions>
 				<configuration>
 					<publishingServerId>central</publishingServerId>
 				</configuration>
 			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-enforcer-plugin</artifactId>
+				<version>3.6.2</version>
+				<executions>
+					<execution>
+						<id>enforce-maven</id>
+						<goals>
+							<goal>enforce</goal>
+						</goals>
+						<configuration>
+							<rules>
+								<requireMavenVersion>
+									<version>3.6.3</version>
+								</requireMavenVersion>
+							</rules>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
 			<plugin>
        			<groupId>org.apache.maven.plugins</groupId>
        			<artifactId>maven-shade-plugin</artifactId>
@@ -297,7 +317,7 @@
 			<plugin>
 				<groupId>org.spdx</groupId>
 					<artifactId>spdx-maven-plugin</artifactId>
-					<version>1.0.0</version>
+					<version>1.0.3</version>
 					<executions>
 						<execution>
 							<id>build-spdx</id>
@@ -338,7 +358,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.11.0</version>
+				<version>3.14.1</version>
 				<configuration>
 					<source>1.8</source>
 					<target>1.8</target>
@@ -351,7 +371,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-resources-plugin</artifactId>
-				<version>2.6</version>
+				<version>3.3.1</version>
 				<configuration>
 					<encoding>${project.build.sourceEncoding}</encoding>
 				</configuration>