…gement (GHSA-6fmv-xxpf-w3cw) (#1138)

The Develocity Maven extension requires the format 'server-host=access-key'
but the secret may contain just the raw key, causing all ITs to fail.

Fixes #1039. When resolvePropertiesInYaml is enabled, merge
MavenSession.getUserProperties() on top of project.getProperties()
so that command-line -D flags are available for placeholder resolution
in rewrite.yml.

* Skip parsing generated sources; use compiled classes from classpath instead

Generated sources under the build directory (e.g. target/generated-sources/)
were being fully parsed into LSTs only to be filtered out afterward. Since
getCompileClasspathElements() already includes target/classes with the compiled
.class files for these sources, type attribution works without parsing them.

This adds filterGeneratedSourceRoots() to exclude source roots under the build
directory before scanning for source files, avoiding unnecessary parsing work
for projects that heavily use code generation (protobuf, MapStruct, annotation
processors, etc.).

Closes #667

* Keep generated sources in parsedPaths to prevent PlainText parsing

Restore unfiltered source roots for parsedPaths pre-population so that
OmniParser does not pick up generated .java files as PlainText. The
filtering of generated source roots is still applied in processMainSources
and processTestSources to skip expensive language parsing, and the
buildDirectory filter at the end acts as a safety net.

* Consolidate build directory exclusion into isExcluded

Move the build directory filter from processMainSources/processTestSources
into the unified isExcluded check, matching the Gradle plugin's approach.
Generated sources are now excluded in one place alongside user exclusions
and gitignore checks, while filterGeneratedSourceRoots still skips
expensive language parsing upfront.

* Inline build directory check at call site, keep isExcluded signature unchanged

Move the buildDirectory exclusion out of isExcluded and into the call
site at L241 as an inline check, keeping isExcluded's signature and
tests unchanged. Remove build directory unit tests that no longer
apply to isExcluded directly.

* Update src/test/java/org/openrewrite/maven/MavenMojoProjectParserIsExcludedTest.java

* Simplify exclusion to a single .filter() call

---------

Co-authored-by: Shannon Pamperl <[email protected]>

#1143)

Bumps [org.owasp:dependency-check-maven](https://github.com/dependency-check/DependencyCheck) from 12.2.0 to 12.2.1.
- [Release notes](https://github.com/dependency-check/DependencyCheck/releases)
- [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md)
- [Commits](dependency-check/DependencyCheck@v12.2.0...v12.2.1)

---
updated-dependencies:
- dependency-name: org.owasp:dependency-check-maven
  dependency-version: 12.2.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

#1144)

The NVD-sourced CVE-2025-67030 requires a <cve> element to be suppressed.
<vulnerabilityName> only matches non-NVD sources (OSS Index, RetireJS).

Refs moderneinc/dependency-vulnerability-reports#1044

The plugin was configured under <reporting>, which is only read during
`mvn site`. The vulnerability scan workflow invokes the plugin directly
via `mvn org.owasp:dependency-check-maven:check`, which only reads
<build><plugins> config — so suppressions.xml was never applied.

Refs moderneinc/dependency-vulnerability-reports#1044

Use this link to re-run the recipe: https://app.moderne.io/recipes/org.openrewrite.recipes.rewrite.OpenRewriteRecipeBestPractices?organizationId=QUxML01vZGVybmUvTW9kZXJuZSArIE9wZW5SZXdyaXRl

Co-authored-by: Moderne <[email protected]>

Bumps [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](actions/upload-pages-artifact@v4...v5)

---
updated-dependencies:
- dependency-name: actions/upload-pages-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…1148)

Bumps [io.micrometer:micrometer-core](https://github.com/micrometer-metrics/micrometer) from 1.16.4 to 1.16.5.
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](micrometer-metrics/micrometer@v1.16.4...v1.16.5)

---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-core
  dependency-version: 1.16.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps `maven-dependencies.version` from 3.9.14 to 3.9.15.

Updates `org.apache.maven:maven-plugin-api` from 3.9.14 to 3.9.15
- [Release notes](https://github.com/apache/maven/releases)
- [Commits](apache/maven@maven-3.9.14...maven-3.9.15)

Updates `org.apache.maven:maven-core` from 3.9.14 to 3.9.15

Updates `org.apache.maven:maven-settings` from 3.9.14 to 3.9.15

Updates `org.apache.maven:maven-model` from 3.9.14 to 3.9.15

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-plugin-api
  dependency-version: 3.9.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven:maven-core
  dependency-version: 3.9.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven:maven-settings
  dependency-version: 3.9.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven:maven-model
  dependency-version: 3.9.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>