feat: add dependency-check/DependencyCheck

[kapitoshka438]

Check List

• Read CONTRIBUTING.md
  • ⚠️ Avoid force push
  • ⚠️ Use argd s command when adding new packages
• Install and execute the package and confirm if the package works well

Summary

Add dependency-check/DependencyCheck — OWASP Dependency-Check is a software composition analysis (SCA) utility that detects publicly disclosed vulnerabilities in application dependencies by checking them against the National Vulnerability Database (NVD).

Background

Asset Naming Convention

GitHub releases for this package follow a consistent naming pattern across all versions (v8.x through v12.x):

dependency-check-{version}-release.zip

Where {version} is the tag name without the v prefix. For example, tag v12.2.0 produces asset dependency-check-12.2.0-release.zip. The zip archive always extracts into a top-level dependency-check/ directory with the following structure relevant to aqua:

dependency-check/
└── bin/
    ├── dependency-check.sh   # Unix entry point (Linux, macOS)
    └── dependency-check.bat  # Windows entry point

No Standard Checksum Files

Releases provide only PGP signatures (.asc files) — no SHA256 or other hash files are published. Therefore checksum.enabled is set to false.

Fix Applied

• Added dependency-check/DependencyCheck to registry.yaml and pkgs/dependency-check/DependencyCheck/registry.yaml with:
  • asset template using trimV to strip the v prefix from the version tag
  • files[].src pointing to dependency-check/bin/dependency-check.sh for Unix
  • Windows overrides pointing to dependency-check/bin/dependency-check.bat
  • checksum.enabled: false since only PGP signatures are available
• Added pkgs/dependency-check/DependencyCheck/pkg.yaml with test entries for v12.2.0 (latest) and v8.1.1 (older version to cover version_overrides)

Test Result

argd t dependency-check/DependencyCheck passed for all platforms:

OS	Arch	Result
linux	amd64	✅
linux	arm64	✅
darwin	amd64	✅
darwin	arm64	✅
windows	amd64	✅
windows	arm64	✅

Summary by CodeRabbit

• New Features
  • Added OWASP Dependency-Check as a distributable package in the registry.
  • Introduced version override rules to improve selection of appropriate release artifacts.
  • Added a Windows-specific artifact mapping to ensure cross-platform availability and consistent invocation.

[coderabbitai]

Warning

Rate limit exceeded

@suzuki-shunsuke has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 55 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 15 minutes and 55 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 323ea020-0d30-490d-9cc3-3fb84cf7ea9f

📥 Commits

Reviewing files that changed from the base of the PR and between 340e906 and 02c9351.

📒 Files selected for processing (3)

• pkgs/dependency-check/DependencyCheck/pkg.yaml
• pkgs/dependency-check/DependencyCheck/registry.yaml
• registry.yaml

📝 Walkthrough

Walkthrough

Adds a new package manifest and registry entries for OWASP Dependency-Check: pkgs/dependency-check/DependencyCheck/pkg.yaml, pkgs/dependency-check/DependencyCheck/registry.yaml, and a top-level registry.yaml packages entry with asset/file mappings and OS-specific overrides.

Changes

Cohort / File(s)	Summary
Package manifest pkgs/dependency-check/DependencyCheck/pkg.yaml	Adds package manifest listing dependency-check/DependencyCheck@v12.2.0.
Package registry entry pkgs/dependency-check/DependencyCheck/registry.yaml	Adds a github_release registry entry for dependency-check/DependencyCheck with version_constraint: "false", and version_overrides enabling version_constraint: "true" for asset: dependency-check-{{trimV .Version}}-release.zip (format: zip), mapping dependency-check → dependency-check/bin/dependency-check.sh, plus a goos: windows override mapping dependency-check → dependency-check/bin/dependency-check.bat.
Top-level registry list registry.yaml	Inserts the same dependency-check github_release entry into the top-level packages list with identical override/asset/file details.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• refactor: fix lint errors #50398 — Similar change pattern switching top-level version_constraint to "false" and adding a version_overrides entry with "true" plus asset/format/files overrides.

Suggested labels

enhancement

Poem

🐰 I found a zip and gave a cheer,
Bin and bat tucked safely near,
A manifest placed, tidy and spry,
Releases lined up, versions fly,
I hop away with a carrot-high grin 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding the dependency-check/DependencyCheck package to the registry.
Description check	✅ Passed	The description provides a comprehensive overview with all required checklist items completed, detailed background on asset naming and configuration rationale, test results across all platforms, and clear explanation of the implementation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkgs/dependency-check/DependencyCheck/registry.yaml (1)

20-21: Drop redundant checksum block.

checksum.enabled: false is unnecessary here if checksum disabling is already the default; removing it keeps the manifest leaner.

♻️ Suggested cleanup

-        checksum:
-          enabled: false

As per coding guidelines, omit settings equivalent to default values.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkgs/dependency-check/DependencyCheck/registry.yaml` around lines 20 - 21,
Remove the redundant checksum block from registry.yaml: delete the "checksum:"
mapping and its "enabled: false" entry since disabling checksum is the default;
this cleans the manifest and avoids specifying default-equivalent settings.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkgs/dependency-check/DependencyCheck/pkg.yaml`:
- Around line 3-4: Remove the redundant older version entry for the
dependency-check package: locate the package block with "name:
dependency-check/DependencyCheck" that includes "version: v8.1.1" in pkg.yaml
and delete that version entry so only the latest version remains; ensure no
other references to v8.1.1 remain in the file and keep the single current/latest
version entry intact.

---

Nitpick comments:
In `@pkgs/dependency-check/DependencyCheck/registry.yaml`:
- Around line 20-21: Remove the redundant checksum block from registry.yaml:
delete the "checksum:" mapping and its "enabled: false" entry since disabling
checksum is the default; this cleans the manifest and avoids specifying
default-equivalent settings.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7c1a0f73-63bb-4d8e-ab87-70408e75388d

📥 Commits

Reviewing files that changed from the base of the PR and between 32a0e89 and 83c5ae6.

📒 Files selected for processing (3)

• pkgs/dependency-check/DependencyCheck/pkg.yaml
• pkgs/dependency-check/DependencyCheck/registry.yaml
• registry.yaml

[kapitoshka438]

@coderabbitai resume

[coderabbitai]

✅ Actions performed

Reviews resumed.

[kapitoshka438]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[suzuki-shunsuke]

🎉 https://github.com/aquaproj/aqua-registry/releases/tag/v4.495.0