
Conversation

@chadlwilson
Collaborator

Description of Change

As discussed in #7627 and others, the namespaces of the schemas currently include the old jeremylong.github.io namespace, which confuses people. When ODC is not on the classpath in IDEs, this can confuse editors about where to retrieve the schema for the given namespace/IRI from. If we consistently define schema locations, this may go some way to resolving this.

We can also subsequently add new versions which declare a new target namespace (the namespaces are versioned anyway), but that can be separate to this.

Smaller side changes

  • aligns indentation of the generated/suggested suppressions to 4 spaces (not 3), similar to the base suppressions, to satisfy my OCD and editors.
  • fix minor typo in HTML report (Suppress by GAV -> Package URL)
  • fix wrapping of XML in suppression modal in HTML report (now wider due to the XML headers for full doc)
  • removed unused modal CSS cruft from jenkinsReport I came across at the same time
  • change some minor stuff in the website SampleReport, but it really needs fully regenerating probably.

Related issues

Have test cases been added to cover the new functionality?

Yes, existing tests cover this.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@boring-cyborg boring-cyborg bot added labels: ant (changes to ant), core (changes to core), documentation (site documentation), maven (changes to the maven plugin), tests (test cases) Jan 27, 2026
@chadlwilson chadlwilson changed the title from "Define schema locations in XML examples" to "docs: define schema locations in XML examples" Jan 27, 2026
@chadlwilson chadlwilson requested a review from Copilot January 27, 2026 06:56
@chadlwilson
Collaborator Author

Perhaps this could do with a double-check/review that none of the internal XML parsing has the ability to open schemas from external URLs and that it's otherwise configuring factories/builders correctly. I imagine it's not an issue, given that'd probably be a security issue in its own right.

Contributor

Copilot AI left a comment


Pull request overview

This PR adds proper XML schema location definitions to XML examples throughout the codebase to address issues with namespace resolution that confused users and IDEs. The changes map the old jeremylong.github.io namespace to the actual schema location at dependency-check.github.io using xsi:schemaLocation attributes.

Changes:

  • Added xmlns:xsi and xsi:schemaLocation attributes to all XML example files (documentation, test resources, templates, and base configuration files)
  • Aligned suppress element indentation to 4 spaces for consistency
  • Fixed minor UI issues including button text ("Suppress by Package URL"), CSS for modal XML wrapping, and typo fixes (target="_blank")

Reviewed changes

Copilot reviewed 29 out of 31 changed files in this pull request and generated 1 comment.

File Description
src/site/markdown/general/suppression.md Added schema location definitions to suppression examples
src/site/markdown/general/hints.md Added schema location definitions to hint examples
core/src/test/resources/*.xml Updated test suppression and hint files with schema locations
maven/src/it/**/*.xml Updated integration test suppression files with schema locations
ant/src/test/resources/*.xml Updated Ant test suppression files with schema locations
core/src/main/resources/templates/xmlReport.vsl Added schema location to XML report template
core/src/main/resources/templates/htmlReport.vsl Added schema location and updated suppress indentation to 4 spaces, fixed button text to "Package URL"
core/src/main/resources/templates/jenkinsReport.vsl Removed unused modal CSS styles
core/src/main/resources/dependencycheck-base-*.xml Updated base suppression and hint files with schema locations
src/site/resources/general/SampleReport.html Partial updates to schema location, CSS, and link fixes (has indentation bug)
src/site/resources/js/purl.js Fixed Maven dependency indentation from 3 to 2 spaces
.github/workflows/*.yml Updated workflow files with schema locations and fixed suppression indentation to 4 spaces
core/src/test/java/.../HintParserTest.java Updated test to reflect new line numbers after adding schema location attributes


…schema

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Collaborator

@jeremylong jeremylong left a comment


LGTM

@jeremylong jeremylong merged commit 7829ad7 into dependency-check:main Jan 27, 2026
9 checks passed
@jeremylong jeremylong added this to the 12.2.1 milestone Jan 27, 2026
@chadlwilson chadlwilson deleted the add-schema-locations branch January 27, 2026 14:02
@chadlwilson
Collaborator Author

chadlwilson commented Jan 28, 2026

> Perhaps this could do with a double-check/review that none of the internal XML parsing has the ability to open schemas from external URLs and that it's otherwise configuring factories/builders correctly. I imagine it's not an issue, given that'd probably be a security issue in its own right.

FYI @jeremylong @nhumblot: sadly this suspicion was right, and there's at least one bug on master created by this (in some setups). This is because the SAX parsers do actually process the schema location hints I've added, and currently forcibly allow both file and https external schema access (if the system property is not set).

Suppressions validation additionally has a custom entity resolver that essentially remaps https references to local resource loaded schemas, however hints parsing doesn't have this resolver.

So in a JVM environment that has disabled external schema access system-wide, base hints parsing fails (e.g. seemingly in Gradle environments with the Gradle plugin, this property can be set to disallow https loading).

The tests currently seem to obscure some of these real world problems as it seems an old xerces version is on the classpath which is being used in preference to the JDK bundled xerces, which adds additional complexity to tidy up, as modern bundled xerces has more secure defaults.

I'm not 100% sure why it is working for suppressions, so I might have missed something in the above analysis, but I'll submit a PR to resolve this, avoid interfering with system properties, and improve the testing.
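The failure mode described in the comment above, with the hardening a parser needs, as an added example that is not code from the dependency-check project: a JAXP SAX parser validates against a bundled classpath copy of the schema and is forbidden from fetching schemas or DTDs over any protocol, independent of the JVM-wide javax.xml.accessExternalSchema property. The example.invalid namespace/URL and the /schema/hints.1.0.xsd classpath path are placeholders, and the constructed document carries the same kind of xsi:schemaLocation hint the PR added.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class LocalSchemaParsing {
    // Constructed sample: the xsi:schemaLocation hint points at a placeholder https URL.
    static final String DOC = "<?xml version=\"1.0\"?>\n"
        + "<hints xmlns=\"https://example.invalid/hints/1.0\"\n"
        + "       xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n"
        + "       xsi:schemaLocation=\"https://example.invalid/hints/1.0 https://example.invalid/hints.1.0.xsd\"/>\n";
    // Hypothetical classpath location of the bundled schema copy.
    static final String LOCAL_SCHEMA = "/schema/hints.1.0.xsd";

    public static void parseAgainstBundledSchema(byte[] xml) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Deny schema/DTD fetches over every protocol regardless of the JVM-wide javax.xml.accessExternalSchema
        // property; Xerces builds predating JAXP 1.5 throw SAXNotRecognizedException here rather than fetching silently.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        try (InputStream xsd = LocalSchemaParsing.class.getResourceAsStream(LOCAL_SCHEMA)) {
            if (xsd == null) throw new IllegalStateException("bundled schema missing: " + LOCAL_SCHEMA);
            // A Schema compiled from an explicit source is used as-is by the validator, so the
            // document's xsi:schemaLocation hint is never resolved over https.
            Schema schema = sf.newSchema(new StreamSource(xsd));
            SAXParserFactory spf = SAXParserFactory.newInstance();
            spf.setNamespaceAware(true);
            spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            spf.setSchema(schema);
            SAXParser parser = spf.newSAXParser();
            parser.parse(new ByteArrayInputStream(xml), new DefaultHandler() {
                // DefaultHandler swallows validation errors; surface them instead.
                @Override public void error(SAXParseException e) throws SAXException { throw e; }
            });
        }
    }

    public static void main(String[] args) throws Exception {
        parseAgainstBundledSchema(DOC.getBytes(StandardCharsets.UTF_8));
        System.out.println("validated against the bundled schema without network access");
    }
}
```

Running this in a JVM with javax.xml.accessExternalSchema left at its default still makes no network request, because the schema is already compiled from the bundled copy and the factory denies external access outright.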

@chadlwilson
Collaborator Author

chadlwilson commented Jan 28, 2026

The quick fix is to remove the schemalocation hints from the base/bundled suppressions/hints.

We may also have to do so for the generated/hosted suppressions (which is already published with a schemaLocation in it) if we find it is causing people's existing ODC installs to go out to the internet (when it did not before), but I'll verify this too.

Keep an eye out if issues with hosted suppressions are reported by people in environments without internet access.
