From a0feec8295a003077f99864ea2961365b79126ed Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jan 2026 20:16:04 +0000 Subject: [PATCH 1/6] Bump org.sonatype.central:central-publishing-maven-plugin Bumps [org.sonatype.central:central-publishing-maven-plugin](https://github.com/sonatype/central-publishing-maven-plugin) from 0.9.0 to 0.10.0. - [Commits](https://github.com/sonatype/central-publishing-maven-plugin/commits) --- updated-dependencies: - dependency-name: org.sonatype.central:central-publishing-maven-plugin dependency-version: 0.10.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 03c021d..97cbd82 100644 --- a/pom.xml +++ b/pom.xml @@ -205,7 +205,7 @@ org.sonatype.central central-publishing-maven-plugin - 0.9.0 + 0.10.0 true central From 515493fb1bc287b95cb49cd4e53983e48f99aad6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jan 2026 20:15:55 +0000 Subject: [PATCH 2/6] Bump org.owasp:dependency-check-maven from 12.1.9 to 12.2.0 Bumps [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck) from 12.1.9 to 12.2.0. - [Release notes](https://github.com/dependency-check/DependencyCheck/releases) - [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md) - [Commits](https://github.com/dependency-check/DependencyCheck/compare/v12.1.9...v12.2.0) --- updated-dependencies: - dependency-name: org.owasp:dependency-check-maven dependency-version: 12.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 97cbd82..fdf0b97 100644 --- a/pom.xml +++ b/pom.xml 
@@ -48,7 +48,7 @@ https://sonarcloud.io spdx tools-java - 12.1.9 + 12.2.0 11 -Xdoclint:none From 968beea74ade1ff11967b0cebb979c79c150c9a1 Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Sat, 17 Jan 2026 19:08:53 -0800 Subject: [PATCH 3/6] Add sonar-maven-plugin version 5.5.0.6356 --- pom.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pom.xml b/pom.xml index fdf0b97..91625f9 100644 --- a/pom.xml +++ b/pom.xml @@ -361,6 +361,11 @@ deploy + + org.sonarsource.scanner.maven + sonar-maven-plugin + 5.5.0.6356 + From c7e8af736bff01b8f2f09bb4e71184cca209acd3 Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Sun, 18 Jan 2026 09:59:06 +0100 Subject: [PATCH 4/6] feat(docker): Improve docker build and prevent double path in naming Signed-off-by: Helio Chissini de Castro --- .github/workflows/docker_deploy.yml | 37 +++++++++++++---------------- Dockerfile | 13 ++++------ 2 files changed, 22 insertions(+), 28 deletions(-) diff --git a/.github/workflows/docker_deploy.yml b/.github/workflows/docker_deploy.yml index 55ce713..26af21c 100644 --- a/.github/workflows/docker_deploy.yml +++ b/.github/workflows/docker_deploy.yml @@ -6,9 +6,14 @@ name: Docker Build on: + workflow_dispatch: + pull_request: + paths: + - Dockerfile + - .github/workflows/docker_deploy.yml push: paths-ignore: - - "**.md" + - '**.md' tags: - 'v*' env: 
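Review bot: The `pull_request:` trigger added to the `on:` block of `.github/workflows/docker_deploy.yml` makes the whole job run for pull requests, including the "Login to GitHub Container Registry" step shown in the next hunk, even though the build step only pushes on tag pushes. PR runs build the Dockerfile as modified by the PR, so they should run without registry credentials: add `if: github.event_name != 'pull_request'` to the login step. The job's `permissions:` block lies outside the visible hunks, so it is worth confirming that `packages: write` is not granted on PR runs either.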
@@ -24,22 +29,13 @@ jobs: steps: - name: Checkout main repository - uses: actions/checkout@v3 - - - name: Set environment variables - run: | - echo "ORG_BASE_NAME=${GITHUB_REPOSITORY}" >> $GITHUB_ENV - echo "TOOLS_JAVA_VERSION=${GITHUB_REF_NAME/v/}" >> $GITHUB_ENV - - name: Echoing current version - run: | - echo "$TOOLS_JAVA_VERSION" - echo $GITHUB_REF_NAME + uses: actions/checkout@v5 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -47,19 +43,20 @@ jobs: - name: Extract components metadata id: meta_base - uses: docker/metadata-action@v4 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v51.0.0 with: - images: | - ${{ env.REGISTRY }}/${{ env.ORG_BASE_NAME }}/tools-java + tags: | + type=ref,event=tag + type=semver,pattern={{version}} + type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }} + labels: org.opencontainers.image.licenses=Apache-2.0 - name: Build Container - uses: docker/build-push-action@v3 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . - push: true + push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }} load: false - build-args: | - TOOLS_JAVA_VERSION=${{ env.TOOLS_JAVA_VERSION }} tags: | ${{ steps.meta_base.outputs.tags }} labels: ${{ steps.meta_base.outputs.labels }} diff --git a/Dockerfile b/Dockerfile index df1be6a..9b37ffb 100644 --- a/Dockerfile +++ b/Dockerfile 
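Review bot: `uses: actions/checkout@v5` in the "Checkout main repository" step is still referenced by a mutable tag, while every Docker action changed in this hunk is pinned to a full commit SHA. Pin it the same way, `uses: actions/checkout@<full-commit-sha> # v5.x.y` (placeholder, to be resolved from the upstream release), so that a retagged release cannot change what runs in a job that later logs in to the registry. The steps list starts and ends outside the hunk.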
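Review bot: The trailing comment on `docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v51.0.0` in the "Extract components metadata" step looks like a typo, as it does not match the numbering of the other Docker action pins in this workflow. The comment is the only human-readable record of what a SHA pin refers to, and Dependabot relies on it when updating pins, so resolve the SHA against the upstream tags and correct it. Separately, `type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }}` can apparently never be published, because `push:` is set to `startsWith(github.ref, 'refs/tags/')`; either drop that tag rule or add a comment saying it is build-only.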
@@ -1,23 +1,21 @@ # syntax=docker/dockerfile:1.4 # Set Java versions -ARG JAVA_VERSION=17 +ARG JAVA_VERSION=21 # Use Maven eclipse Temurin based -FROM maven:3.8-eclipse-temurin-$JAVA_VERSION as build - -ARG TOOLS_JAVA_VERSION=1.1.5-SNAPSHOT +FROM maven:3.9-eclipse-temurin-$JAVA_VERSION as build WORKDIR /build # BUILD RUN --mount=type=cache,target=/root/.m2 \ --mount=type=bind,source=$PWD,target=/build,rw \ - mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent install \ + export TOOLS_JAVA_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) \ + && mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent install \ && mkdir -p /usr/lib/java/spdx \ && cp target/tools-java-$TOOLS_JAVA_VERSION-jar-with-dependencies.jar /usr/lib/java/spdx/ - # Configure the wrapper script COPY scripts/tools-java-wrapper.sh /usr/bin/tools-java @@ -25,11 +23,10 @@ COPY scripts/tools-java-wrapper.sh /usr/bin/tools-java RUN sed -i "s/@@VERSION@@/$TOOLS_JAVA_VERSION/g" /usr/bin/tools-java \ && chmod +x /usr/bin/tools-java - # Deploy image FROM eclipse-temurin:$JAVA_VERSION as run COPY --from=build /usr/lib/java/spdx /usr/lib/java/spdx COPY --from=build /usr/bin/tools-java /usr/bin/tools-java -ENTRYPOINT [ "/usr/bin/tools-java" ] \ No newline at end of file +ENTRYPOINT [ "/usr/bin/tools-java" ] From 0e188d55b7e1e03a2729f94fc81ec8e5d71a3faa Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Sun, 18 Jan 2026 11:16:14 +0100 Subject: [PATCH 5/6] feat(docker): Enable multiarch image Signed-off-by: Helio Chissini de Castro --- .github/workflows/docker_deploy.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/docker_deploy.yml b/.github/workflows/docker_deploy.yml index 26af21c..f35157a 100644 --- a/.github/workflows/docker_deploy.yml +++ b/.github/workflows/docker_deploy.yml 
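Review bot: `TOOLS_JAVA_VERSION` is now set only by `export` inside the build `RUN`, so it is not defined in the later `RUN sed -i "s/@@VERSION@@/$TOOLS_JAVA_VERSION/g" /usr/bin/tools-java` (context in the second Dockerfile hunk) now that the `ARG TOOLS_JAVA_VERSION` line is removed. The placeholder would be replaced with an empty string. Persist the value outside the bind mount by appending `&& echo "$TOOLS_JAVA_VERSION" > /usr/lib/java/spdx/VERSION` to the build step, then use `$(cat /usr/lib/java/spdx/VERSION)` in the sed expression. Also, `export VAR=$(mvn ...)` hides a failing `mvn help:evaluate` from the `&&` chain, so assign first and `export` afterwards, or test that the value is non-empty. The wrapper script is not visible here, so the runtime effect of an empty version is inferred.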
@@ -31,6 +31,9 @@ jobs: - name: Checkout main repository uses: actions/checkout@v5 + - name: Setup QEMU + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 @@ -45,6 +48,8 @@ jobs: id: meta_base uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v51.0.0 with: + images: | + ${{ env.REGISTRY }}/${{ github.repository }} tags: | type=ref,event=tag type=semver,pattern={{version}} @@ -57,6 +62,7 @@ jobs: context: . push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }} load: false + platforms: linux/amd64,linux/arm64 tags: | ${{ steps.meta_base.outputs.tags }} labels: ${{ steps.meta_base.outputs.labels }} From e545a1b00da91a1ba7083c276c518cbe88215f6a Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Mon, 19 Jan 2026 11:58:45 +0000 Subject: [PATCH 6/6] Add cooldown period for Maven updates in Dependabot Add 7 days cooldown period --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3cddd8c..ff70475 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,8 @@ version: 2 updates: - package-ecosystem: "maven" + cooldown: + default-days: 7 directory: "/" schedule: interval: "weekly"
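Review bot: The new "Setup QEMU" step pins `docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130` without the trailing version comment that the other SHA-pinned actions in this workflow carry. Add the matching tag as a comment, `# vX.Y.Z` (placeholder, to be resolved from the upstream release this SHA belongs to). Reviewers and Dependabot can then tell which release is pinned and verify it.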
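Review bot: The `cooldown:` block in `.github/dependabot.yml` is added without a comment explaining its purpose, and it applies only to the `maven` entry. Suggest adding above it `# Wait 7 days after a release before proposing it, so yanked or compromised versions are less likely to be picked up`. If the file defines other ecosystems below this hunk (for example the one that updates the SHA-pinned workflow actions), consider giving them the same cooldown; the rest of the file is not visible here.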