
fix(cli): correct displayed application name and deprecations in help text #8496

Open

chadlwilson wants to merge 2 commits into dependency-check:main from chadlwilson:fix-cli-parser-deprecations

Conversation

@chadlwilson (Collaborator)

Description of Change

Currently the help text tends to display usage: Dependency-Check Core from the default Settings.KEYS.APPLICATION_NAME which is mildly confusing. Generally the actual entry point is dependency-check or dependency-check.sh.

The Application Name was overridden lateish in the process from env for telemetry purposes; but it is actually used earlier, so I moved the value setting earlier. In any case, the help/usage should probably indicate something approximating the script/executable name. I haven't gone so far as to detect the actual name from the shell script; nor to disambiguate between the Homebrew variant without .sh, or running within Docker - so this is "better but not perfect".

Also migrated to the newer non-deprecated HelpFormatter. It looks basically the same as the old one:

$ cli/target/release/bin/dependency-check.sh
 usage:  dependency-check [--advancedHelp] [--disableVersionCheck] [--enableExperimental] [--exclude
 <pattern>] [-f <format>] [--failOnCVSS <score>] [-h] [--junitFailOnCVSS <score>] [-l <file>] [-n]
    [--nvdApiKey <apiKey>] [-o <path>] [--prettyPrint] [--project <name>] [-s <path>] [--suppression
    <file>] [-v]

 Dependency-Check can be used to identify if there are any known CVE vulnerabilities in libraries
    utilized by an application. Dependency-Check will automatically update required data from the
    Internet, such as the CVE and CPE data files from nvd.nist.gov.

          Options                                           Description
 --advancedHelp                Print the advanced help message.
 --disableVersionCheck         Disables the dependency-check version check
 --enableExperimental          Enables the experimental analyzers.
 --exclude <pattern>           Specify an exclusion pattern. This option can be specified multiple
                                times and it accepts Ant style exclusions.
 -f, --format <format>         The report format (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB
                                or ALL). The default is HTML. Multiple format parameters can be
                                specified.
 --failOnCVSS <score>          Specifies if the build should be failed if a CVSS score above a
                                specified level is identified. The default is 11; since the CVSS
                                scores are 0-10, by default the build will never fail.
 -h, --help                    Print this message.
 --junitFailOnCVSS <score>     Specifies the CVSS score that is considered a failure when generating
                                the junit report. The default is 0.
 -l, --log <file>              The file path to write verbose logging information.
 -n, --noupdate                Disables the automatic updating of the NVD-CVE, hosted-suppressions
                                and RetireJS data.
 --nvdApiKey <apiKey>          The API Key to access the NVD API.
 -o, --out <path>              The folder to write reports to. This defaults to the current
                                directory. It is possible to set this to a specific file name if the
                                format argument is not set to ALL.
 --prettyPrint                 When specified the JSON and XML report formats will be pretty printed.
 --project <name>              The name of the project being scanned.
 -s, --scan <path>             The path to scan - this option can be specified multiple times. Ant
                                style paths are supported (e.g. 'path/**/*.jar'); if using Ant style
                                paths it is highly recommended to quote the argument value.
 --suppression <file>          The file path to the suppression XML file. This can be specified more
                                then once to utilize multiple suppression files
 -v, --version                 Print the version information.

Related issues

N/A

Have test cases been added to cover the new functionality?

yes
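As an added example (not code from this PR or from the dependency-check project), the following shows how the two changes the description refers to fit together: resolve the name shown after `usage:` from the `ODC_NAME` environment variable before help is rendered, and print help through `org.apache.commons.cli.help.HelpFormatter` into an `Appendable` so that the output can be captured in a `StringWriter` for testing. It assumes Apache Commons CLI 1.10.0 or later (where the `help` package and `Option.Builder.get()` exist); `determineName`, `buildOptions`, `DEFAULT_NAME` and the reduced option set are stand-ins of mine, not the PR's code.

```java
import java.io.IOException;
import java.io.StringWriter;

import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.help.HelpFormatter;
import org.apache.commons.cli.help.TextHelpAppendable;

/**
 * Illustrative example, not the dependency-check project's code.
 * Assumes commons-cli 1.10.0+, which provides org.apache.commons.cli.help.
 */
public final class HelpTextExample {

    /** Fallback shown in "usage:" when ODC_NAME is unset (assumed default). */
    static final String DEFAULT_NAME = "dependency-check";

    /**
     * Hypothetical stand-in for the PR's determineName(): prefer the ODC_NAME
     * environment variable, otherwise fall back to the script name. The value is
     * used purely as display text in the help output, never to build paths or commands.
     */
    static String determineName(String envValue) {
        return (envValue == null || envValue.isBlank()) ? DEFAULT_NAME : envValue.trim();
    }

    /** A small subset of the options from the PR's sample output (constructed). */
    static Options buildOptions() {
        Options options = new Options();
        options.addOption(Option.builder("h").longOpt("help")
                .desc("Print this message.").get());
        options.addOption(Option.builder("s").longOpt("scan").hasArg().argName("path")
                .desc("The path to scan - this option can be specified multiple times.").get());
        options.addOption(Option.builder().longOpt("nvdApiKey").hasArg().argName("apiKey")
                .desc("The API Key to access the NVD API.").get());
        options.addOption(Option.builder("v").longOpt("version")
                .desc("Print the version information.").get());
        return options;
    }

    /**
     * Render help into the supplied Appendable through the non-deprecated formatter.
     * Writing to an Appendable rather than System.out is what lets a test capture
     * the text with a StringWriter and assert on it.
     */
    static void printHelp(String appName, Options options, Appendable out) throws IOException {
        TextHelpAppendable target = new TextHelpAppendable(out);
        HelpFormatter formatter = HelpFormatter.builder()
                .setHelpAppendable(target)
                // The sample output has only Options/Description columns, so hide "Since".
                .setShowSince(false)
                .get();
        String header = "Dependency-Check can be used to identify if there are any known CVE "
                + "vulnerabilities in libraries utilized by an application.";
        // autoUsage=true generates the "usage: <appName> [...]" line from the options.
        formatter.printHelp(appName, header, options, "", true);
    }

    public static void main(String[] args) throws IOException {
        // Resolve the display name first, before anything that prints help runs.
        String name = determineName(System.getenv("ODC_NAME"));

        StringWriter captured = new StringWriter();
        printHelp(name, buildOptions(), captured);
        String help = captured.toString();

        // The same checks a unit test would make on the captured writer.
        if (!help.contains(name) || !help.contains("--nvdApiKey")) {
            throw new IllegalStateException("unexpected help output:\n" + help);
        }
        System.out.print(help);
    }
}
```

Running it with `ODC_NAME=dependency-check.sh` changes only the name after `usage:`; the option table is unaffected, which is the point of resolving the name early and keeping it as display text only.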

…ersion and other commands that don't fully parse settings

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
boring-cyborg (Bot) added the labels cli (changes to the cli) and tests (test cases) on May 11, 2026
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Copilot AI (Contributor) left a comment


Pull request overview

This PR updates the CLI’s help/usage output to display a clearer executable name (rather than the default Settings.KEYS.APPLICATION_NAME), and migrates the CLI help generation to the newer (non-deprecated) Apache Commons CLI help.HelpFormatter API. It also adjusts where the application name is initialized so it’s available earlier in the CLI lifecycle.

Changes:

  • Migrate CLI help output to org.apache.commons.cli.help.HelpFormatter and support writing help to an Appendable.
  • Initialize Settings.KEYS.APPLICATION_NAME earlier in App via a new determineName() helper.
  • Update CLI parser tests to validate help/version output via captured writers and Hamcrest matchers.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| cli/src/main/java/org/owasp/dependencycheck/CliParser.java | Switches to the new Commons CLI help formatter, changes help printing API, and tweaks several help strings. |
| cli/src/main/java/org/owasp/dependencycheck/App.java | Moves application-name initialization to the constructor (via env ODC_NAME) and updates help printing call sites. |
| cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java | Refactors tests to use StringWriter/Hamcrest assertions for help output and updates parsing calls for varargs. |
