From 1a7e0afe837f1b4e74a530838d178518af517693 Mon Sep 17 00:00:00 2001
From: Theauditor <228822721+TheAuditorTool@users.noreply.github.com>
Date: Mon, 13 Apr 2026 14:17:13 +0700
Subject: [PATCH 1/6] =?UTF-8?q?Remove=20runHorusec.sh=20=E2=80=94=20tool?=
 =?UTF-8?q?=20is=20archived=20and=20non-functional?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Horusec (ZupIT/horusec) is no longer maintained. The horusec-platform repo was archived March 2025 and the CLI's last release was v2.8.0 in June 2022. The Docker image has unfixed bugs on Docker >19.3, making the script non-functional on modern infrastructure.

Closes #176
---
 scripts/runHorusec.sh | 20 --------------------
 1 file changed, 20 deletions(-)
 delete mode 100755 scripts/runHorusec.sh

diff --git a/scripts/runHorusec.sh b/scripts/runHorusec.sh
deleted file mode 100755
index 1ae715ac0e..0000000000
--- a/scripts/runHorusec.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-# Check for install/updates at https://github.com/ZupIT/horusec
-
-source scripts/requireCommand.sh
-requireCommand docker
-
-# Make sure we're using most recent version
-docker pull horuszup/horusec-cli
-
-benchmark_version=$(scripts/getBenchmarkVersion.sh)
-horusec_version=$(docker run --rm horuszup/horusec-cli horusec version 2>&1 | grep Version | awk '{print $NF}')
-
-result_file="./results/Benchmark_$benchmark_version-horusec-$horusec_version.json"
-docker run --rm \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$(pwd)":/src horuszup/horusec-cli \
- horusec start -p /src -P "$(pwd)" -t 3600 \
- -i='results/*,scorecard/*,scripts/*' \
- -o="json" -O="$result_file"
From a86892909be555781fcb6cfa7f30f750a7ae5ad8 Mon Sep 17 00:00:00 2001
From: Theauditor <228822721+TheAuditorTool@users.noreply.github.com>
Date: Mon, 13 Apr 2026 15:32:18 +0700
Subject: [PATCH 2/6] fix(scripts): exclude JS from SonarQube scan

The SonarQube scanner's JavaScript/TypeScript sensor activates on vendored JS files in src/main/webapp/js/ (jQuery, js.cookie, testsuiteutils) and attempts to start a Node.js bridge server, which times out in the scanner Docker container -- killing the entire scan.

Add **/*.js to sonar.exclusions so the JS sensor never activates. This project benchmarks Java SAST tools only; SonarReport.java already filters to java:* rules, so JS findings were never collected.

Closes #235
---
 scripts/runSonarQube.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/runSonarQube.sh b/scripts/runSonarQube.sh
index 761294d373..a2972589ea 100755
--- a/scripts/runSonarQube.sh
+++ b/scripts/runSonarQube.sh
@@ -75,7 +75,7 @@ docker run --env SONAR_SCANNER_OPTS=-Xmx4g --rm -v ~/.m2:/root/.m2 -v "$(pwd)":"
 -Dsonar.host.url="$sonar_docker_host" \
 -Dsonar.login="$sonar_token" \
 -Dsonar.sources="src" \
- -Dsonar.exclusions="results/**,scorecard/**,scripts/**,tools/**,VMs/**"
+ -Dsonar.exclusions="results/**,scorecard/**,scripts/**,tools/**,VMs/**,**/*.js"
 echo "Waiting for SonarQube CE to finish task..."
From bc8a1980ea4ba114f15833a3a2388bd22a40de6a Mon Sep 17 00:00:00 2001
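Review bot: The added -Dsonar.exclusions line carries no hint of why `**/*.js` is there; the reason (the scanner's JS/TS sensor spawning a Node bridge that times out and kills the scan) lives only in the commit message, so the next person tidying the exclusion list may drop it and silently break the scan again. Because the argument list is backslash-continued, the comment has to sit above the `docker run` line, which starts outside this hunk: `# **/*.js: keep the JS/TS sensor from activating on vendored JS in src/main/webapp/js/; its Node bridge times out in the container and aborts the whole scan (#235). Only java:* rules are reported anyway.` It is also worth stating in that comment that the pattern excludes every .js under src, not only the vendored files, which is intended for a Java-only benchmark.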
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 20 Apr 2026 12:32:40 +0000
Subject: [PATCH 3/6] Bump org.apache.httpcomponents.client5:httpclient5 from 5.6 to 5.6.1

Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.6 to 5.6.1.
- [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.6.1/RELEASE_NOTES.txt)
- [Commits](https://github.com/apache/httpcomponents-client/compare/rel/v5.6...rel/v5.6.1)

---
updated-dependencies:
- dependency-name: org.apache.httpcomponents.client5:httpclient5
dependency-version: 5.6.1
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index db93fa0da9..873018ce78 100644
--- a/pom.xml
+++ b/pom.xml
@@ -777,7 +777,7 @@ org.apache.httpcomponents.client5 httpclient5
- 5.6
+ 5.6.1
From 67e2f9ea082f7607a00ffa58a6298b3c1c1a7736 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 11:05:17 +0000
Subject: [PATCH 4/6] Bump commons-io:commons-io from 2.21.0 to 2.22.0

Bumps commons-io:commons-io from 2.21.0 to 2.22.0.

---
updated-dependencies:
- dependency-name: commons-io:commons-io
dependency-version: 2.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 873018ce78..3e36817fb2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -649,7 +649,7 @@ commons-io commons-io
- 2.21.0
+ 2.22.0
From 0b57e7766937fb8ffe8fa2849c024565cf1dee21 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Apr 2026 12:53:04 +0000
Subject: [PATCH 5/6] Bump commons-codec:commons-codec from 1.21.0 to 1.22.0

Bumps [commons-codec:commons-codec](https://github.com/apache/commons-codec) from 1.21.0 to 1.22.0.
- [Changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt)
- [Commits](https://github.com/apache/commons-codec/compare/rel/commons-codec-1.21.0...rel/commons-codec-1.22.0)

---
updated-dependencies:
- dependency-name: commons-codec:commons-codec
dependency-version: 1.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 3e36817fb2..1a5e4b9894 100644
--- a/pom.xml
+++ b/pom.xml
@@ -636,7 +636,7 @@ commons-codec commons-codec
- 1.21.0
+ 1.22.0
From 4033fa6b253d80c66bb56a67852f408478a1c842 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 11:05:12 +0000
Subject: [PATCH 6/6] Bump com.fasterxml.jackson.core:jackson-databind from 2.21.2 to 2.21.3

Bumps [com.fasterxml.jackson.core:jackson-databind](https://github.com/FasterXML/jackson) from 2.21.2 to 2.21.3.
- [Commits](https://github.com/FasterXML/jackson/commits)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-databind
dependency-version: 2.21.3
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 1a5e4b9894..cfb4385876 100644
--- a/pom.xml
+++ b/pom.xml
@@ -866,7 +866,7 @@ com.fasterxml.jackson.core jackson-databind
- 2.21.2
+ 2.21.3