RATIS-2530. Bump dependency-check-maven to 12.2.2 #1457

Merged: adoroszlai merged 1 commit into master from dependabot/maven/org.owasp-dependency-check-maven-12.2.2 on May 12, 2026

dependabot (bot) commented on behalf of github on May 11, 2026

Bumps org.owasp:dependency-check-maven from 12.2.0 to 12.2.2.

Release notes

Sourced from org.owasp:dependency-check-maven's releases.

Version 12.2.2

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Version 12.2.1

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Changelog

Sourced from org.owasp:dependency-check-maven's changelog.

Version 12.2.2 (2026-05-03)

NOTE: The database schema was updated to fix #8466 - if using an external database the update scripts must be run!

  • feat: improve Sonatype Guide / OSS Index cache handling and insufficient credits error reporting (#8451)
  • feat: support and prefer githubID vuln identifiers from RetireJS (#8419)
  • fix(db): widen reference URL column to handle long Mozilla CVE URLs (#8467)
  • fix: add corepack to docker image (#8386)
  • fix: bump open-vulnerability-clients to resolve NVD timestamp parsing errors (#8427)
  • fix: de-duplicate and sort both includedBy and projectReferences in reports (#8440)
  • fix: migrate default OSS Index API URL to Sonatype Guide; supporting optional username (#8404)
  • docs: correct missing documentation for Gradle plugin (#8431)
  • docs: tweak docs site structure; documenting missing analyzers (#8462)
  • chore: remove spurious bundle-audit log line when there are no errors (#8454)
  • chore: tidy CHANGELOG formatting (#8414)
  • chore(fp): remove duplicate log4j FP suppressions (#8468)
  • build(deps): bump apache.ant.version from 1.10.16 to 1.10.17 (#8416)
  • build(deps): bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 (#8465)
  • build(deps): bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre (#8420)
  • build(deps): bump com.mysql:mysql-connector-j from 9.6.0 to 9.7.0 (#8445)
  • build(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#8453)
  • build(deps): bump commons-io:commons-io from 2.21.0 to 2.22.0 (#8448)
  • build(deps): bump httpcomponents.client.version from 5.6 to 5.6.1 (#8432)
  • build(deps): bump joda-time:joda-time from 2.14.1 to 2.14.2 (#8464)
  • build(deps): bump org.apache.maven.plugins:maven-invoker-plugin from 3.9.1 to 3.10.0 (#8452)
  • build(deps): bump org.jsoup:jsoup from 1.22.1 to 1.22.2 (#8437)
  • build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 (#8463)
  • build(deps): bump the actions-deps group with 8 updates (#8472)

See the full listing of changes

Version 12.2.1 (2026-04-11)

  • fix(core): correct xml schema validation handling without needing external access (#8272)
  • fix(deps): upgrade slf4j and logback (#8306)
  • fix(test): disable pnpm analyzer during test (#8305)
  • fix: Correct published/hosted suppressions namespace header and indent (#8258)
  • fix: Suppress noisy WARN logging from Apache Lucene within Maven and Ant plugins (#8248)
  • fix: #8140 AssemblyAnalyzer version resolution issue (#8352)
  • fix: #8140 fix version resolution
  • fix: #8140 hint azure_identity_library_for_.net
  • fix: #8356 narrow down VersionFilterAnalyzer scope to JAR files (#8358)
  • fix: correct parsing for CVSSv4 strings with Provider Urgency (#8377)
  • fix: evidence source in Retire JS analyzer (#8303)
  • fix: exclude deprecations from Yarn Berry audit results (#8380)
  • fix: improve PEAnalyzer reliability by migrating to maintained PE/COFF 4J library fork (#8245)
  • fix: improve configuration consistency (casing) (#8355)
  • fix: improve logging of unexpected Java Errors during processing of NVD (#8250)
  • fix: raw type warning in ProcessReader (#8324)
  • fix: suppress false positives for zabbix-utils #8087 (#8218)

... (truncated)

Commits
  • b51290f build: prepare release v12.2.2
  • 70070a9 docs: release 12.2.2
  • 47aa0c7 fix: widen reference URL column to handle long Mozilla CVE URLs (#8467)
  • 1de40c0 build(deps): bump the actions-deps group with 8 updates (#8472)
  • 74678b0 build(deps): bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 (#8...
  • 3f83d80 build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 (#8463)
  • 04387c3 build(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#8453)
  • 11e1771 build(deps): bump org.apache.maven.plugins:maven-invoker-plugin from 3.9.1 to...
  • e850545 chore(fp): remove duplicate log4j FP suppressions (#8468)
  • 9acbb33 feat: improve Sonatype Guide / OSS Index cache handling and insufficient cred...
  • Additional commits viewable in compare view


Bumps [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck) from 12.2.0 to 12.2.2.
- [Release notes](https://github.com/dependency-check/DependencyCheck/releases)
- [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md)
- [Commits](dependency-check/DependencyCheck@v12.2.0...v12.2.2)

---
updated-dependencies:
- dependency-name: org.owasp:dependency-check-maven
  dependency-version: 12.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot (bot) added the labels "dependencies" (Pull requests that update a dependency file) and "java" (Pull requests that update java code) on May 11, 2026
adoroszlai changed the title from "Bump org.owasp:dependency-check-maven from 12.2.0 to 12.2.2" to "RATIS-2530. Bump dependency-check-maven to 12.2.2" on May 12, 2026
adoroszlai merged commit ad818ac into master on May 12, 2026
19 checks passed
dependabot (bot) deleted the dependabot/maven/org.owasp-dependency-check-maven-12.2.2 branch on May 12, 2026 15:57